Kentico CMS 7.0 Developer's Guide

Configuring mixed mode authentication


Mixed mode authentication enables users to sign in to your website using both Windows authentication and standard forms authentication.

Important!

During sign-in, if an existing forms user has the same user name as the domain user you want to sign in as, the system signs in the forms user, so no account can be created for the domain user. You can avoid this behavior by renaming the existing forms user.

To enable mixed authentication mode:

1. Edit your application's web.config file.

2. Add the LDAP connection string of your Active Directory service to the configuration/connectionStrings section:

<connectionStrings>
  ...
  <add name="CMSADConnectionString" connectionString="<LDAP connection string>" />
</connectionStrings>

Replace the <LDAP connection string> text in the code above with the actual connection string, entered in the following format:

LDAP://mydomain.example.com/DC=mydomain,DC=example,DC=com

The first part is the full domain. In the second part, the same domain is divided into DC (domain component) units.

3. Modify the membership and roleManager elements under the configuration/system.web section as follows:

<membership defaultProvider="CMSProvider" userIsOnlineTimeWindow="30">
  <providers>
    <clear/>
    <add name="CMSProvider" type="CMS.MembershipProvider.CMSMembershipProvider" connectionStringName="CMSConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed"/>
    <add name="CMSADProvider" type="CMS.MembershipProvider.CMSADMembershipProvider" connectionStringName="CMSADConnectionString" connectionUsername="username" connectionPassword="password" />
  </providers>
</membership>

<roleManager defaultProvider="CMSRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All">
  <providers>
    <clear/>
    <add name="CMSRoleProvider" type="CMS.MembershipProvider.CMSRoleProvider" connectionStringName="CMSConnectionString" applicationName="SampleApplication" writeExceptionsToEventLog="false"/>
    <add name="CMSADRoleProvider" type="CMS.MembershipProvider.CMSADRoleProvider" connectionStringName="CMSADConnectionString" connectionUsername="username" connectionPassword="password" />
  </providers>
</roleManager>

Replace the following values:

username - your own Active Directory user name, including the fully qualified domain name, for example office.example.com\johns
password - your Active Directory password

When you have entered this code into your web.config, users can log in using their Active Directory user name (without the domain) and password, or using their standard Kentico CMS user name and password.
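The following check is added here as an example and is not part of the Kentico guide or product. It parses a web.config in the shape described above and reports what a reviewer verifies before enabling mixed mode: that CMSADConnectionString follows the domain/DC= format from step 2, that the AD provider entries no longer carry the placeholder password, that the AD credentials sit in the file in clear text, and that cookieRequireSSL on roleManager has been left false. The embedded web.config fragment, the service account office.example.com\svc-kentico and the function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment in the shape the guide describes (sample values only, not a real site).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="CMSADConnectionString" connectionString="LDAP://mydomain.example.com/DC=mydomain,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="CMSProvider"><providers>
      <add name="CMSADProvider" type="CMS.MembershipProvider.CMSADMembershipProvider"
           connectionStringName="CMSADConnectionString" connectionUsername="office.example.com\\svc-kentico"
           connectionPassword="password" />
    </providers></membership>
    <roleManager defaultProvider="CMSRoleProvider" enabled="true" cookieRequireSSL="false" />
  </system.web>
</configuration>"""

def ldap_connection_string(domain):
    """Build the guide's LDAP string: the full domain, then the same domain split into DC= units."""
    return f"LDAP://{domain}/" + ",".join(f"DC={part}" for part in domain.lower().split("."))

def ldap_string_is_consistent(conn):
    """True only when the DC= components are exactly the domain named in the first part."""
    m = re.fullmatch(r"LDAP://([^/]+)/(.+)", conn)
    if not m:
        return False
    domain, dn = m.groups()
    pairs = [c.split("=", 1) for c in dn.split(",")]
    if any(len(p) != 2 or p[0].strip().upper() != "DC" for p in pairs):
        return False
    return [p[1].strip().lower() for p in pairs] == domain.lower().split(".")

def review_web_config(xml_text):
    """Return the findings a reviewer raises on the mixed-mode settings of a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    strings = {a.get("name"): a.get("connectionString") for a in root.iter("add") if a.get("connectionString")}
    ad = strings.get("CMSADConnectionString", "")
    if not ldap_string_is_consistent(ad):
        findings.append("CMSADConnectionString is missing or its domain and DC= components do not match")
    for add in root.iter("add"):  # CMSADProvider and CMSADRoleProvider both point at the AD string
        if add.get("connectionStringName") == "CMSADConnectionString":
            if add.get("connectionPassword") in (None, "", "password"):
                findings.append(f"{add.get('name')}: connectionPassword is unset or still the placeholder")
            findings.append(f"{add.get('name')}: AD credentials are in clear text in web.config; protect the file")
    for rm in root.iter("roleManager"):
        if rm.get("cookieRequireSSL", "false").lower() != "true":
            findings.append("roleManager: cookieRequireSSL is false, so the role cookie may travel over plain HTTP")
    return findings
```

ASP.NET protected configuration (aspnet_regiis.exe with the -pe switch) can encrypt the membership and roleManager sections so the AD account password is not stored in clear text in web.config.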

 

 

Note

Mixed authentication on Windows XP

When running the application on Windows XP, users need to enter AD user names including the domain name: <domain name>\user

You can also allow users to sign in using their full Active Directory user name (e.g. MyName@office.example.com). For this to work, add the following key to the appSettings section of your web.config file:

<add key="CMSADDefaultMapUserName" value="userPrincipalName" />