Kentico CMS 7.0 Developer's Guide

Configuring Windows authentication (Active Directory)


Kentico CMS supports Windows integrated authentication. This means that when a user is signed in to a Windows domain, Kentico CMS automatically recognizes their identity without asking for a user name and password.


Moreover, Kentico CMS can automatically import the authenticated users from the domain (Active Directory) into its user database, including their roles.




1. Before you configure your project for Windows authentication, you need to create a user account whose name matches your current domain user name and assign administrator permissions to it. This will allow you to access all features as an administrator once you sign in using Windows authentication.


2. Sign in as an administrator to Site Manager and go to Administration -> Users. Create a new user with the following values:


User name: your domain user name in the format domain-username, for example: office-johns

Full name: your full name


Click OK.


3. On the General tab, set the following values:


Is global administrator: yes

Is external user: yes

Is domain user: yes

Click OK.


4. Now you can switch the application to the Windows authentication mode. Edit the web.config file of the web project and change the following line:

<authentication mode="Forms">

to:

<authentication mode="Windows">


5. (Optional) When using Windows authentication, you may also want to have the following settings in your web.config file so that Windows authentication is required for access to the live site (the "?" in the deny rule stands for anonymous, i.e. unauthenticated, users). By default, this code is already present in a commented block in your web.config, so you can just uncomment it to achieve the result.


<location path="">
  <system.web>
    <authorization>
      <!-- "?" = anonymous (unauthenticated) users -->
      <deny users="?"/>
    </authorization>
  </system.web>
</location>





6. Save the modified web.config file. Close all browsers with Kentico CMS and open the website in a new browser. Try to go to <web project>\cmssitemanager to make sure you are recognized as a global administrator.


With this configuration, when an authenticated user comes to the site, their user account is created in the Kentico CMS database automatically and their domain groups are imported as roles into the Kentico CMS database. This means that users and roles are not imported on a regular schedule; they are imported at the moment the user visits the Kentico CMS website.


If you are experiencing a 401 error on Windows 7 or Windows Server 2008, learn the solution to the problem here.




Sign out button missing with Windows authentication


When Windows authentication is enabled, the Sign out button in the top right corner of CMS Desk or Site Manager is not displayed. The same applies to the live site, where the sign out link is not displayed in any of the web parts that can be used to sign out.



Forbidden characters replacement on Active Directory import


When importing users and roles, forbidden characters in their names are replaced by the character defined in Site Manager -> Settings -> URLs and SEO -> Forbidden characters replacement.


Dash "-" is the default value and is therefore used in this example (domain-username instead of domain\username). If you are using a different character, change the entered user name accordingly.


You can override this setting by using the following keys in the appSettings section of your web.config file. In both cases, the value must be exactly one character, which will be used as the replacement character:


<add key="CMSForbiddenUserNameCharactersReplacement" value="-" />

<add key="CMSForbiddenRoleNameCharactersReplacement" value="-" />


If you want to achieve the same functionality as in older versions of Kentico CMS (office\username), forbidden characters replacement can be turned off completely using the following two keys. This may cause problems when using wildcard URLs with user names in the wildcard part and is therefore not recommended.


<add key="CMSEnsureSafeUserNames" value="false" />

<add key="CMSEnsureSafeRoleNames" value="false" />
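As an added example that is not part of the Kentico documentation or product code: a small Python model of the name mapping described in this section, usable as a check when pre-creating the global administrator account in steps 1 to 3. Only the backslash-to-dash rule, the four appSettings keys and their defaults come from the page; the full forbidden-character set, the case-insensitive comparison and the list of characters that break a URL segment are assumptions made for the example.

```python
"""Added example (not Kentico's own code): models the name mapping described
on this page so you can check, before switching web.config to Windows
authentication, that the global administrator account you pre-created in
Site Manager really matches the name the Active Directory import will produce.
"""

from dataclasses import dataclass
from typing import Iterable, List

# The page documents only that the backslash in DOMAIN\user is replaced. The
# remaining characters in this set are an ASSUMPTION made for the example, not
# Kentico's actual forbidden-character list.
ASSUMED_FORBIDDEN = frozenset('\\/:*?"<>|&%\'+#')

# Characters that cannot survive as a single URL path segment; an assumed
# reason why the page warns against disabling replacement when wildcard URLs
# carry user names.
URL_SEGMENT_BREAKERS = frozenset('/\\?#%')


def is_valid_replacement(value: str) -> bool:
    """The page requires each replacement key to hold exactly one character."""
    return len(value) == 1


@dataclass(frozen=True)
class NameSettings:
    """Mirrors the four web.config appSettings keys from the page (page defaults)."""
    ensure_safe_user_names: bool = True   # CMSEnsureSafeUserNames
    ensure_safe_role_names: bool = True   # CMSEnsureSafeRoleNames
    user_replacement: str = "-"           # CMSForbiddenUserNameCharactersReplacement
    role_replacement: str = "-"           # CMSForbiddenRoleNameCharactersReplacement

    def __post_init__(self) -> None:
        for value in (self.user_replacement, self.role_replacement):
            if not is_valid_replacement(value):
                raise ValueError(f"replacement must be exactly one character: {value!r}")


def make_safe(name: str, replacement: str,
              forbidden: frozenset = ASSUMED_FORBIDDEN) -> str:
    """Replace every forbidden character with the configured replacement."""
    return "".join(replacement if ch in forbidden else ch for ch in name)


def imported_user_name(windows_identity: str, settings: NameSettings) -> str:
    """Kentico user name created for a DOMAIN\\user identity on first visit."""
    if not settings.ensure_safe_user_names:
        return windows_identity          # older-version behaviour: office\username kept verbatim
    return make_safe(windows_identity, settings.user_replacement)


def imported_role_names(domain_groups: Iterable[str], settings: NameSettings) -> List[str]:
    """Role names created from the user's domain groups."""
    if not settings.ensure_safe_role_names:
        return list(domain_groups)
    return [make_safe(group, settings.role_replacement) for group in domain_groups]


def admin_account_matches(precreated_user_name: str, windows_identity: str,
                          settings: NameSettings) -> bool:
    """True when the step-2 account is the one the domain user will land on.

    Assumption: compared case-insensitively, as Windows account names are.
    If this returns False, the first visit creates a brand-new, non-admin
    account instead of signing you in as the global administrator.
    """
    expected = imported_user_name(windows_identity, settings)
    return precreated_user_name.casefold() == expected.casefold()


def wildcard_segment_safe(user_name: str) -> bool:
    """Can this user name be placed in the wildcard part of a URL unchanged?"""
    return not any(ch in URL_SEGMENT_BREAKERS for ch in user_name)


if __name__ == "__main__":
    # Constructed sample identity and groups; not real directory data.
    identity = "office\\johns"
    groups = ["office\\Domain Users", "office\\CMS Editors"]
    for label, settings in [
        ("default (dash)", NameSettings()),
        ("underscore", NameSettings(user_replacement="_", role_replacement="_")),
        ("replacement off", NameSettings(ensure_safe_user_names=False,
                                         ensure_safe_role_names=False)),
    ]:
        name = imported_user_name(identity, settings)
        print(f"{label:16} user={name!r:20} roles={imported_role_names(groups, settings)}")
        print(f"{'':16} matches office-johns: {admin_account_matches('office-johns', identity, settings)}"
              f"  wildcard-safe: {wildcard_segment_safe(name)}")
```

Run it before editing web.config: the "underscore" row shows that changing the replacement character without renaming the pre-created account leaves you with a non-admin account on first sign-in, and the "replacement off" row shows the raw office\johns name that the page warns will not sit safely in a wildcard URL.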