Lately I have seen more and more of our partners using Windows Authentication in their EPiServer Community and EPiServer Mail solutions. I guess the reason is that the products are increasingly used in intranet environments, which is really cool.
However, I have noticed that a lot of developers are having difficulties configuring this type of environment. I’m sad to say that the documentation about this type of setup is sparse at best – so I can’t blame the developers who come asking for help. I decided to write this blog post instead of sending the same mail to everyone who needs help.
In an environment where you use Forms Authentication you are fine using the instructions in my previous post, EPiServer Community role and membership providers. But if you are using Windows Authentication, the EPiServerCommonIntegrationProvider will not be able to sync the users and roles. The reason is that the ValidateUser(username, password) method in EPiServerCommonIntegrationProvider is never called: the Windows Authentication ticket already carries everything needed to validate the user, so the provider is bypassed. The user is therefore authenticated but not synchronized (the Identity of the request is set, but the Identity's Name is not present in the EPiServerCommon database).
The rescue is an HTTP module that ships with EPiServer Common. Simply add the following module to your list of HTTP modules in the web.config:
<add name="EPiServerCommonWindowsAuthenticationIntegration" type="EPiServer.Common.Web.Authorization.IntegrationHttpModule, EPiServer.Common.Web.Authorization" preCondition="managedHandler" />
What this module does is first make sure that there is a MembershipUser for the current request; this object comes from the configured MembershipProvider. If it is set, but there is no matching user in EPiServer.Common, the module synchronizes the user by calling EPiServer.Common.Web.Authorization.Integrator.SynchronizeUser(MembershipUser, Password, createNew).
(Remember to remove the preCondition="managedHandler" attribute if you're not using IIS7 – thanks Erik)
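As an added example (not from the original post or from EPiServer's own documentation), here is how the module registration fits into a web.config for a Windows Authentication site, with the IIS 6 / classic-pipeline placement and the IIS 7 integrated-pipeline placement side by side. The membership provider type is a placeholder; substitute the Windows membership provider your solution actually uses, and keep only the module section that matches your pipeline.

```xml
<configuration>
  <system.web>
    <!-- Windows Authentication: the Windows ticket carries the identity,
         so the membership provider's ValidateUser is never called -->
    <authentication mode="Windows" />
    <authorization>
      <!-- deny anonymous requests so every request reaching the module
           carries an authenticated Windows identity to synchronize -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="WindowsMembershipProvider">
      <providers>
        <clear />
        <!-- placeholder type: replace with the Windows membership provider
             used in your solution -->
        <add name="WindowsMembershipProvider"
             type="YourNamespace.WindowsMembershipProvider, YourAssembly" />
      </providers>
    </membership>
    <!-- IIS 6 or IIS 7 classic pipeline: registered under system.web,
         and the preCondition attribute must be left out here -->
    <httpModules>
      <add name="EPiServerCommonWindowsAuthenticationIntegration"
           type="EPiServer.Common.Web.Authorization.IntegrationHttpModule, EPiServer.Common.Web.Authorization" />
    </httpModules>
  </system.web>
  <!-- IIS 7 integrated pipeline: registered under system.webServer instead,
       where preCondition="managedHandler" limits the module to managed requests -->
  <system.webServer>
    <modules>
      <add name="EPiServerCommonWindowsAuthenticationIntegration"
           type="EPiServer.Common.Web.Authorization.IntegrationHttpModule, EPiServer.Common.Web.Authorization"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>
```

Defining both the httpModules and the system.webServer/modules entries at once is rejected by the integrated pipeline's configuration validation unless you relax it, which is why only one of the two sections should remain in a real web.config.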

3 comments:
Excellent post, that did the trick! :) Thanks!
(Remember to remove the preCondition="managedHandler" attribute if you're not using IIS7)
One more question. Do you know if it's possible to store anything else (e-mail) as username but your computer login? I've noticed that the ActiveDirectory providers have an attributeMapUsername attribute, but the WindowsProviders don't. Thanks.
Erik
Maybe if you make your own implementation of the Windows Provider, that is inherit from the existing one and override some methods. But I'm not sure of what problems you may run into.