From various sources I have found out that a lot of people are having trouble with the configuration of role providers and membership providers for EPiServer Community and EPiServer Mail. In this blog post I will try to describe the different setups that are available.
The basic facts
The first thing you need to know is that both Community and Mail have to have the users and groups in the database, independent of which membership provider and role provider you are using. The reason is that the user is such a central concept in the Community case, and Mail is using the same user management as Community. Ok, now we got this settled – let’s move on!
The most basic configuration
In the default installation for Community and Mail, the system will be configured to use the role provider named EPiServerCommonRoleProvider and the membership provider EPiServerCommonMembershipProvider. This means that the system will authenticate against the EPiServer Common tables, which are used by both Mail and Community. The system will also get the user roles, or groups, from the EPiServer Common tables. I.e. the user/group management and access rights are entirely managed by EPiServer Common.
<roleManager enabled="true" defaultProvider="EPiServerCommonRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear/>
    <add name="EPiServerCommonRoleProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization"/>
  </providers>
</roleManager>
<membership defaultProvider="EPiServerCommonMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear/>
    <add name="EPiServerCommonMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization"/>
  </providers>
</membership>
A little bit more advanced configuration
In this case we want to use an external membership provider and role provider. In my example I’m going to use the Windows providers, but these could easily be substituted with the SQL providers or something else.
We start off by setting the WindowsRoleProvider as default role provider, nothing tricky here. However, when specifying the membership provider we will not set the WindowsMembershipProvider as default. Remember that every user/group needs to exist in the EPiServer Common tables. To solve this we use the EPiServerCommonIntegrationMembershipProvider and set it as default membership provider. This provider has an attribute called “provider”, in which you specify the underlying provider – in this case the WindowsMembershipProvider.
You will also specify the attributes “roleToSynchronizeX”, where X is a number (the numbers must start at 1 and be consecutive). If a user logs in and gets authenticated, the system will look at the user’s groups – if the user is a member of any of the groups specified in the “roleToSynchronize” attributes, then the user and all of its groups will be copied to the EPiServer Common tables. Note that only the user’s groups will be copied, not the other users in these groups.
If you use the notation roleToSynchronize1=”*”, the user will be copied regardless of its group memberships. Note that you have to have EPiServer Common 2.3 Hotfix 1 for this to work.
<roleManager enabled="true" defaultProvider="WindowsRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear/>
    <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer"/>
  </providers>
</roleManager>
<membership defaultProvider="EPiServerCommonIntegrationMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear/>
    <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true"/>
    <add name="EPiServerCommonIntegrationMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.IntegrationMembershipProvider, EPiServer.Common.Web.Authorization" provider="WindowsMembershipProvider" roleToSynchronize1="Group1" roleToSynchronize2="Group2" />
  </providers>
</membership>
Advanced configuration
The last type of configuration is where you want to use a series of providers, something we at EPiServer would call a multiplexing scenario. In this case we will make use of the IntegrationMultiplexingMembershipProvider, which can be found in EPiServer Common 2.3 Hotfix 1. This is actually a combination of the multiplexing provider found in EPiServer CMS and the integration provider mentioned above. It will be used in combination with the MultiplexingRoleProvider in EPiServer CMS.
When using this provider you will be able to specify several underlying providers. The system will try the providers one after another until either the user is authenticated or the list of providers runs out.
In my example below I’m using the Windows provider as primary provider and the SQL provider as secondary.
<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear/>
    <!-- providerN must match the name of a role provider below; providerMapN must match the name of the membership provider that authenticates users for it -->
    <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="WindowsRoleProvider" provider2="SqlServerRoleProvider" providerMap1="WindowsMembershipProvider" providerMap2="SqlServerMembershipProvider"/>
    <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer"/>
    <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear/>
    <!-- providers are tried in order: provider1 first, then provider2 -->
    <add name="MultiplexingMembershipProvider" type="EPiServer.Common.Web.Authorization.Multiplexing.IntegrationMultiplexingMembershipProvider, EPiServer.Common.Web.Authorization.Multiplexing" provider1="WindowsMembershipProvider" provider2="SqlServerMembershipProvider" roleToSynchronize1="*" />
    <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true"/>
    <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
  </providers>
</membership>
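As an added example (not code from this post or from EPiServer), the following Python script checks the two wiring rules described above for the integration and multiplexing providers before the config is deployed: every provider, providerN and providerMapN attribute must name a provider that is actually defined, and the roleToSynchronizeX numbers must start at 1 and be consecutive. The config it parses is a constructed sample with the type attributes left out, containing one mismatched provider name and one numbering gap.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample (not from the post), type attributes omitted: one providerMap
# points at an undefined name and the roleToSynchronize numbering has a gap.
SAMPLE_CONFIG = """<configuration>
 <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider">
  <providers>
   <clear/>
   <add name="MultiplexingRoleProvider" provider1="WindowsRoleProvider" provider2="SqlServerRoleProvider"
        providerMap1="WindowsMembershipProvider" providerMap2="SqlMembershipProvider"/>
   <add name="WindowsRoleProvider"/>
   <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB"/>
  </providers>
 </roleManager>
 <membership defaultProvider="MultiplexingMembershipProvider">
  <providers>
   <clear/>
   <add name="MultiplexingMembershipProvider" provider1="WindowsMembershipProvider"
        provider2="SqlServerMembershipProvider" roleToSynchronize1="*" roleToSynchronize3="Editors"/>
   <add name="WindowsMembershipProvider" searchByEmail="true"/>
   <add name="SqlServerMembershipProvider" connectionStringName="EPiServerDB"/>
  </providers>
 </membership>
</configuration>"""

REF_ATTR = re.compile(r"^(provider|provider\d+|providerMap\d+)$")
SYNC_ATTR = re.compile(r"^roleToSynchronize(\d+)$")

def check_providers(config_xml):
    """Return the list of wiring problems found in <roleManager> and <membership>."""
    root = ET.fromstring(config_xml)
    membership_names = {a.get("name") for a in root.findall("membership/providers/add")}
    role_names = {a.get("name") for a in root.findall("roleManager/providers/add")}
    problems = []
    for section, names in (("roleManager", role_names), ("membership", membership_names)):
        node = root.find(section)
        if node.get("defaultProvider") not in names:
            problems.append(f"{section}: defaultProvider is not a defined provider")
        for add in node.findall("providers/add"):
            sync_ids = []
            for attr, value in add.attrib.items():
                if REF_ATTR.match(attr):
                    # providerMapN names a membership provider; the others name one in the same section
                    pool = membership_names if attr.startswith("providerMap") else names
                    if value not in pool:
                        problems.append(f"{section}/{add.get('name')}: {attr}='{value}' is not defined")
                elif SYNC_ATTR.match(attr):
                    sync_ids.append(int(SYNC_ATTR.match(attr).group(1)))
            if sync_ids and sorted(sync_ids) != list(range(1, len(sync_ids) + 1)):
                problems.append(f"{section}/{add.get('name')}: roleToSynchronizeX must run 1..n without gaps")
    return problems
```

Run it against the roleManager and membership sections of your own web.config; an empty list means every reference resolves and the synchronization attributes are numbered as the integration provider expects.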