Kentico CMS 7.0 Developer's Guide

Configuring mixed mode authentication

Configuring mixed mode authentication

Previous topic Next topic Mail us feedback on this topic!  

Configuring mixed mode authentication

Previous topic Next topic JavaScript is required for the print function Mail us feedback on this topic!  

Mixed mode authentication enables users to sign in to your website using both Windows authentication and standard forms authentication.







During a sign‑in, if an already existing forms user has the same user name as a domain user you want to sign in with, the system signs in the forms user. As a result, an account cannot be created for the domain user. You can avoid this behavior by renaming the existing forms user.



To enable mixed authentication mode:


1. Edit your application's web.config file.


2. Add the LDAP connection string of your Active Directory service into the configuration/connectionStrings section:





 <add name="CMSADConnectionString" connectionString="<LDAP connection string>" />



Replace the <LDAP connection string> text in the code above with the actual connection string. Enter it in according to the following format:




The first part is the full domain. In the second part, the same domain is divided into DC (domain component) units.


3. Modify the membership and roleManager elements under the configuration/system.web section according to the following:


<membership defaultProvider="CMSProvider" userIsOnlineTimeWindow="30">



   <add name="CMSProvider" type="CMS.MembershipProvider.CMSMembershipProvider" connectionStringName="CMSConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed"/>

   <add name="CMSADProvider" type="CMS.MembershipProvider.CMSADMembershipProvider" connectionStringName="CMSADConnectionString" connectionUsername="username" connectionPassword="password" />




<roleManager defaultProvider="CMSRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All">



   <add name="CMSRoleProvider" type="CMS.MembershipProvider.CMSRoleProvider" connectionStringName="CMSConnectionString" applicationName="SampleApplication" writeExceptionsToEventLog="false"/>

   <add name="CMSADRoleProvider" type="CMS.MembershipProvider.CMSADRoleProvider" connectionStringName="CMSADConnectionString" connectionUsername="username" connectionPassword="password" />




Replace the following values:


username - your own active directory user name, including the fully qualified domain name. For example,\johns

password - your active directory password


When you have entered this code into your web.config, users can log in using their Active Directory user name (without the domain) and password, or using their standard Kentico CMS user name and password.





Mixed authentication on Windows XP


When running the application on Windows XP, users need to enter AD usernames including the domain name: <domain name>\user



You can also allow users to sign in using their full Active Directory user name (e.g. For this to work, you have to add the following key to the AppSettings section of your web.config file:


<add key="CMSADDefaultMapUserName" value="userPrincipalName" />