Portal Engine Questions on portal engine and web parts.
Version 7.x > Portal Engine > Is two-layer authentication possible?
Member
markcoatsworth - 11/11/2013 12:44:17 PM
   
Is two-layer authentication possible?
Hi everyone,

I have a question about Kentico authentication modes. I'm sure this has come up before but I can't find any information on it!

We regularly set up staging sites alongside our main Kentico sites. This allows us to do development work and manage content without disrupting the production sites.

I would like to put a password prompt on these staging sites so that public users cannot access them. The standard way of doing this is to disable Anonymous Authentication and then use either Forms or Windows Authentication to allow people into the site. However, this method also immediately authenticates users within the Kentico CMS system. So if we're doing development work that involves different public/private functionality, we can't test it.

Here's how I would like it to work:

1) User browses to Kentico staging site. They are immediately prompted for a username/password. User enters their credentials.

2) Now user can access + browse the staging site. However they are not authenticated within Kentico. So if they want to access CMSDesk, they need to log in via regular Forms Authentication.

Is this possible? I'm sure there are other people running staging sites who have wanted to do this also.

Please let me know. Thanks,

Mark

Kentico Support
kentico_jurajo - 11/13/2013 2:32:19 AM
   
RE:Is two-layer authentication possible?
Hello,

I am afraid I have not heard about this before. Correct me if I am wrong: for the live site you want to use Windows authentication and for the administration interface Forms authentication?
This does not make much sense.

Anyway, you can set the secured web site area for the root document - so, the entire web will be secured and if somebody browses to the web, the visitor is redirected to the logon page at first. Then, if the user account is granted permissions for the administration interface, she can enter it. Otherwise, access is denied, and the user has to log out and log in using appropriate credentials.

Best regards,
Juraj Ondrus

Member
markcoatsworth - 11/14/2013 10:15:21 AM
   
RE:Is two-layer authentication possible?
Thanks Juraj!

The suggestion you made above (securing the root document) is a good one. This will work for us in the majority of cases.

However I'm hoping there is some way we can protect the site with an additional password scheme that is separate from Forms Authentication. So the user needs to enter a username/password to access the site, then they need to enter another username/password to log in to Kentico. Does this make sense?

I don't even know if this is possible under the IIS/Windows security model. Just thought I would ask. Thanks again!

Mark

Member
markcoatsworth - 11/14/2013 11:13:50 AM
   
RE:Is two-layer authentication possible?
Hi Juraj,

I just did some testing with the method you mentioned above (secured web site area). Unfortunately it turns out there is a problem with this method.

I tried going to my root node document > Properties > Security and set "Requires authentication" to Yes. This works fine. Visitors are redirected to the logon page before they can view the site.

The problem is, if I later make a content change to the root node document (let's say I change some text) and then I synchronize this document to the live site, it synchronizes ALL document content. Including the security settings. So now the live site is forcing users to log in.

So this isn't going to work for us. I think we need a solution that can work at the IIS level. If you have any ideas please let me know.

Mark

Kentico Support
kentico_jurajo - 11/18/2013 1:05:11 AM
   
RE:Is two-layer authentication possible?
Hello,

This was demanded and required by other customers - to synchronize the document's ACLs within the staging.
So, in this case you will have to add a separate authentication before Kentico's application, at the IIS level. I have never done or seen anything like that, so my suggestions would be just links found on Google.

I am sorry for the inconvenience.

Best regards,
Juraj Ondrus

Member
markcoatsworth - 11/19/2013 11:12:23 AM
   
RE:Is two-layer authentication possible?
Hi Juraj, thanks for letting me know!

Like I said before, I don't actually know if this is possible within the IIS security model. If I'm able to find a solution, I'll post it here.

Mark
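
The gate described in this thread (a password prompt in front of the whole site that leaves the Forms Authentication login untouched), written as an ASP.NET HTTP module; this is an added example, not code from the thread or from Kentico. The class name and the two appSettings keys are hypothetical, and it assumes ASP.NET 4.5 or later on IIS in integrated pipeline mode, with the staging host served over HTTPS.

```csharp
// Added example, not Kentico code. Hypothetical appSettings keys: StagingGateUser and
// StagingGatePasswordSha256 (hex SHA-256 of a long, randomly generated shared password).
// Register under <system.webServer><modules> in the staging web.config only, without a
// managedHandler precondition, so static files are gated as well.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public class StagingGateModule : IHttpModule
{
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user = ConfigurationManager.AppSettings["StagingGateUser"];
        string hash = ConfigurationManager.AppSettings["StagingGatePasswordSha256"];
        // Layer 1 passed: HttpContext.User is never set here, so only the Forms ticket decides the CMS login.
        if (IsAuthorized(ctx.Request.Headers["Authorization"], user, hash)) return;
        ctx.Response.StatusCode = 401;
        ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"Staging\"");
        // Without this, FormsAuthenticationModule rewrites the 401 into a redirect to the logon page.
        ctx.Response.SuppressFormsAuthenticationRedirect = true;
        ctx.ApplicationInstance.CompleteRequest();
    }
    public static bool IsAuthorized(string header, string user, string sha256Hex)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(sha256Hex)) return false; // fail closed
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        string suppliedHash;
        using (SHA256 sha = SHA256.Create())
            suppliedHash = BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(decoded.Substring(colon + 1)))).Replace("-", "");
        // Evaluate both comparisons, with no early exit, so timing does not show which part failed.
        bool ok = FixedTimeEquals(decoded.Substring(0, colon), user);
        ok &= FixedTimeEquals(suppliedHash, sha256Hex.ToUpperInvariant());
        return ok;
    }
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the module lives in web.config rather than in document properties, content staging does not carry it to the live site.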