Authentication overview


The system supports both forms and Windows authentication. The forms authentication stores user names and passwords in the database and requires users to log on. The Windows authentication gets user identity from the network credentials and creates the user automatically in the database, including the user’s roles (if they exist in the CMS database).




Accessing current user information in code


When the user is authenticated, a CMS.CMSHelper.CurrentUserInfo object representing the current user is stored in the session variable CMSCurrentUser and is accessible through the CMSHelper.CMSContext.CurrentUser property. All operations after authentication then use the user profile and user roles from this object.


// getting user name

string userName = CMS.CMSHelper.CMSContext.CurrentUser.UserName;


Configuring forms authentication


The forms authentication is configured by default. It uses the standard ASP.NET forms authentication and its settings. You can find the settings in the web.config file:



<authentication mode="Forms">
  <forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx" name=".ASPXFORMSAUTH" timeout="60000" slidingExpiration="true" />
</authentication>
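The following is an added example, not part of the original documentation or of Kentico CMS: a small Python check that reads the forms authentication settings shown above and reports the values a security review would look at. The function name audit_forms_auth and the 60-minute review threshold are assumptions made for this example; the attribute names and defaults (timeout in minutes with a default of 30, requireSSL defaulting to false, protection defaulting to All) are those of standard ASP.NET forms authentication.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <authentication> element from this page, closed so it parses.
PAGE_CONFIG = """
<authentication mode="Forms">
  <forms loginUrl="CMSPages/logon.aspx" defaultUrl="Default.aspx"
         name=".ASPXFORMSAUTH" timeout="60000" slidingExpiration="true" />
</authentication>
"""

MAX_TIMEOUT_MINUTES = 60  # assumed review threshold, not a Kentico or ASP.NET default


def audit_forms_auth(xml_text, max_timeout=MAX_TIMEOUT_MINUTES):
    """Return (attribute, finding) tuples for an <authentication> element."""
    root = ET.fromstring(xml_text)
    # Accept either the bare element or a complete web.config document.
    auth = root if root.tag == "authentication" else root.find(".//authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return [("mode", "forms authentication is not enabled; nothing to audit")]
    forms = auth.find("forms")
    if forms is None:
        return [("forms", "no <forms> element; ASP.NET defaults apply")]
    findings = []
    # ASP.NET interprets timeout in minutes; 30 is used when the attribute is absent.
    timeout = int(forms.get("timeout", "30"))
    long_lived = timeout > max_timeout
    if long_lived:
        findings.append(("timeout", "ticket lifetime is %d minutes (about %.1f days)"
                         % (timeout, timeout / 1440)))
    # Explicit sliding expiration restarts that lifetime while the user stays active.
    if long_lived and forms.get("slidingExpiration", "").lower() == "true":
        findings.append(("slidingExpiration", "long lifetime is renewed on activity"))
    # requireSSL defaults to false, so the cookie is also sent over plain HTTP.
    if forms.get("requireSSL", "false").lower() != "true":
        findings.append(("requireSSL", "auth cookie is not restricted to HTTPS"))
    # protection defaults to All (encryption plus validation of the ticket).
    if forms.get("protection", "All") != "All":
        findings.append(("protection", "ticket is not both encrypted and validated"))
    return findings


if __name__ == "__main__":
    for attribute, finding in audit_forms_auth(PAGE_CONFIG):
        print("%s: %s" % (attribute, finding))
```

Run against the settings on this page, the check reports the timeout, slidingExpiration and requireSSL attributes; a configuration with a short timeout and requireSSL="true" returns no findings.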




Password Encryption


You can also configure password encryption in Site Manager -> Settings -> Security, using the Password format key. By default, passwords are stored in plain text. If you want to use the SHA1 hash format, set the value to SHA1. You then need to set all passwords again so that they are stored in the new format. It is therefore recommended that you make the change after the installation, before you create user accounts.


Membership provider and ASP.NET 2.0 Membership support


Kentico CMS contains an ASP.NET 2.0 Membership provider for the Kentico CMS user database. It means you can use ASP.NET 2.0 Membership API and controls, such as Login control. However, Kentico CMS uses its own user information database instead of the ASP.NET 2.0 Membership tables.




Forgotten administrator's password


If you happen to lose your administrator's password, you can still recover from this:


If you're using plain text passwords, you can change the password directly in the CMS_User table.
If you're using hashed passwords, you need to set the password in the CMS_User table to an empty string. Then, you can sign in to Site Manager with an empty password and change the password.


Configuring Windows authentication


Please see the chapter Configuring Windows authentication.


Configuring custom authentication


If you want to use user and role information from an external source (such as a custom database), you need to configure the system as described in chapter Configuring custom authentication.

