Channel: Using Optimizely Platforms

AD user login problems


Hi!

I was asked to use the Active Directory for authorization of our intranet site. I'd done this before, so I figured that it wouldn't take much to make it work. But apparently it does...

We are running an old intranet website with EpiServer v6, or something, and it's working with ldap/SSO, I'm creating a new intranet with EpiServer v11 where I want to use AD too. So I followed the documentation "Configuring Active Directory membership provider".

  • The firewall has the ports 389 and 445 open.
  • I used the AD account that was listed in the old intranet site, but this gave me an error, so I used my own account instead. I tested my account in the application "Softerra LDAP Browser" and I can see the users and groups.
  • I added my user to the "ActiveDirectoryMembershipProvider->connectionUsername" without the domain and got an error that it couldn't login. So with the domain I assume it works.
  • I configured web.config -> membership and roleManager with MultiplexingRoleProvider

    <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider"
             type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer.Framework.AspNet"
             provider1="SqlServerMembershipProvider"
             provider2="ActiveDirectoryMembershipProvider" />
        <add name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="EPiServerDB"
             requiresQuestionAndAnswer="false"
             applicationName="Intranett"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
        <add name="ActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ActiveDirectoryProviderConnection"
             connectionUsername="[domain\user]"
             connectionPassword="[password]"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName"
             connectionProtection="None" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider"
             type="EPiServer.Security.MultiplexingRoleProvider, EPiServer.Framework.AspNet"
             provider1="SqlServerRoleProvider"
             provider2="ActiveDirectoryRoleProvider"
             providerMap1="SqlServerMembershipProvider"
             providerMap2="ActiveDirectoryMembershipProvider" />
        <add name="SqlServerRoleProvider"
             connectionStringName="EPiServerDB"
             applicationName="Intranett"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="ActiveDirectoryRoleProvider"
             type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer.Cms.AspNet"
             connectionStringName="ActiveDirectoryProviderConnection"
             connectionUsername="[domain\user]"
             connectionPassword="[password]"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName"
             connectionProtection="None" />
      </providers>
    </roleManager>


  • I added a connection string

    <add name="ActiveDirectoryProviderConnection" connectionString="LDAP://domain/OU=xxx,OU=xxx,DC=xxx,DC=xxx"/>
  • I added virtualRoles to map the groups from AD to Episerver groups for authorization.

Because it didn't work, I tried different configurations:

  • Only use the ActiveDirectoryProviders. I actually started with this and then changed to multiplex
  • Changed the connection string so it looks in a different OU, and even without any OU, only DC.
  • Added the AD groups to the "<allow roles="" />" for both EPiServer and EPiServer/CMS/admin

The webserver has been connected to the domain, but no AD user has yet logged in. I'm a local administrator on the webserver.

I'm not sure what to do next. I'm not an expert in c# nor EPiServer.

I've found some forum posts here suggesting to change:

  • IIS application pool identity
  • the query in EPiServer.Security.ActiveDirectoryRoleProvider -> FindUsersInRole because EpiServer uses * instead of % (or the other way around) in older versions. I can't imagine that this is still a problem... but maybe it is?

The latest thing I tried was to find out the roles (or groups) of the currently logged-in user (this is my own user), just to get some information on what is going on, and suddenly I got a list of all the groups my user is a member of in the AD... I figured that it has something to do with the username in EPiServer being the same as in the AD.

If you need more code examples or need more info, please just ask. I'm stuck at the moment.

Cheers, Rob
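A defender's audit of the provider settings posted above, added here as an example that is not part of the original post or of EPiServer: it parses a constructed web.config fragment modelled on the posted one (placeholder values only) and flags connectionProtection="None" (cleartext bind), a connectionPassword stored in web.config, and a connectionUsername without a DOMAIN\ prefix, then shows the same provider with those settings corrected. Provider names and the svc-ldap account are assumptions for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (placeholders only), modelled on the posted configuration.
WEAK = """<configuration>
 <connectionStrings>
  <add name="ActiveDirectoryProviderConnection" connectionString="LDAP://domain/OU=xxx,DC=xxx,DC=xxx"/>
 </connectionStrings>
 <system.web><membership defaultProvider="ActiveDirectoryMembershipProvider"><providers>
  <add name="ActiveDirectoryMembershipProvider"
       type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
       connectionStringName="ActiveDirectoryProviderConnection"
       connectionUsername="svc-ldap" connectionPassword="[password]"
       attributeMapUsername="sAMAccountName" connectionProtection="None"/>
 </providers></membership></system.web>
</configuration>"""

# Same provider, hardened: default (Secure) protection and no stored credentials, so the
# provider binds as the application pool identity instead of a password kept in web.config.
HARDENED = WEAK.replace(' connectionUsername="svc-ldap" connectionPassword="[password]"', "") \
               .replace(' connectionProtection="None"', "")


def audit_ad_provider(config_xml: str) -> list[str]:
    """Return 'CODE: detail' findings for every ActiveDirectoryMembershipProvider entry."""
    root = ET.fromstring(config_xml)
    conn = {a.get("name"): a.get("connectionString", "")
            for a in root.iter("add") if a.get("connectionString") is not None}
    findings = []
    for add in root.iter("add"):
        if "ActiveDirectoryMembershipProvider" not in (add.get("type") or ""):
            continue
        name = add.get("name", "?")
        cs_name = add.get("connectionStringName", "")
        if cs_name not in conn:
            findings.append(f"MISSING_CONNECTION_STRING: {name} references '{cs_name}'")
        # The provider's default is Secure (SSL, else sign-and-seal); None means cleartext.
        if add.get("connectionProtection", "Secure").lower() == "none":
            findings.append(f"CLEARTEXT_BIND: {name} binds over {conn.get(cs_name, 'LDAP')} "
                            "with connectionProtection=None")
        user, pwd = add.get("connectionUsername"), add.get("connectionPassword")
        if pwd is not None:
            findings.append(f"PLAINTEXT_PASSWORD: {name} stores connectionPassword in web.config; "
                            "encrypt the section with aspnet_regiis -pe or drop it and use the pool identity")
        if user is not None and "\\" not in user:
            # The post's own test showed the bind failing until DOMAIN\user was used.
            findings.append(f"USERNAME_NO_DOMAIN: {name} connectionUsername '{user}' has no DOMAIN\\ prefix")
    return findings
```

Run it against a real web.config with `audit_ad_provider(open("web.config").read())`; an empty list means none of these three weaknesses is present.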
