Setup MultiplexMembershipProvider in EPiServer
Note: It is presumed that both the EPiServer site and the AD already exist in the environment and are running.
To set up the multiplexing provider for EPiServer you need access to Web.Config, connectionStrings.config, a domain user for the AD lookups, and two groups in the AD.
Start by creating a user (with no special rights) in Active Directory.
Username: EPiUser
Password: SecurePassw0rd
Then create two groups:
WebAdmins
WebEditors
The WebAdmins group will contain the AD users who have administrator access to the EPiServer site; likewise, WebEditors will contain the AD users with editor rights to the EPiServer site. You can choose to use other AD groups (e.g. EPiAdmin, EPiEditors, etc.), just remember to add them under authorization for the location in Web.Config. You will need to add the groups in Web.Config if you are going to use group-based access management.
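The AD part of the procedure above (service account, the two groups, and a check that the account can actually bind and resolve users) as an added PowerShell example; it is not part of the original post. It assumes the RSAT ActiveDirectory module, the domain test.local with NetBIOS name TEST, and the object names used in this post; the LDAP path is the same value that the ActiveDirectoryProviderConnection connection string uses later on.

```powershell
# Added example (not from the original post): create the read-only AD service
# account and the two groups, then verify that the account can bind to the
# LDAP path that connectionStrings.config will reference and can resolve users
# by sAMAccountName, which is what attributeMapUsername in Web.config relies on.
# Assumes the RSAT ActiveDirectory module, the domain test.local (NetBIOS TEST)
# and the object names used in the post.
Import-Module ActiveDirectory

$domainLdap  = "LDAP://test.local"   # same value as ActiveDirectoryProviderConnection
$netbios     = "TEST"
$svcUser     = "EPiUser"
$svcPassword = Read-Host "Password for $svcUser" -AsSecureString   # keep secrets out of the script
$groups      = @("WebAdmins", "WebEditors")

# 1. Service account with no special rights: it only reads the directory, so it
#    should never be made a member of any privileged group.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$svcUser'")) {
    New-ADUser -Name $svcUser -SamAccountName $svcUser -AccountPassword $svcPassword `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Read-only LDAP lookups for EPiServer"
}

# 2. The two security groups that Web.config will reference under <authorization>.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security `
            -Description "EPiServer access group ($g)"
    }
}

# 3. Bind as the service account, the same way ActiveDirectoryMembershipProvider will.
$plain = (New-Object System.Net.NetworkCredential("", $svcPassword)).Password
$entry = New-Object System.DirectoryServices.DirectoryEntry($domainLdap, "$netbios\$svcUser", $plain)
try {
    $null = $entry.NativeObject   # forces the bind; throws on bad credentials or an unreachable DC
    Write-Host "Bind OK as $netbios\$svcUser against $domainLdap"
} catch {
    throw "LDAP bind failed: $($_.Exception.Message)"
}

# 4. Resolve an account by sAMAccountName (attributeMapUsername) and list the
#    groups it is a member of, i.e. what the role provider will see.
function Get-EpiUserGroups([string]$sam) {
    # Escape the LDAP filter metacharacters (RFC 4515) in case $sam comes from user input.
    $escaped = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $null = $searcher.PropertiesToLoad.Add("memberOf")
    $result = $searcher.FindOne()
    if (-not $result) { return @() }
    return @($result.Properties["memberof"] | ForEach-Object { ($_ -split ",")[0] -replace '^CN=', '' })
}

Get-EpiUserGroups $svcUser   # the lookup account itself should belong to neither group
```

Run it once as a domain administrator to create the objects, then run steps 3 and 4 again from the web server itself: a failing bind from that host (firewall, wrong domain suffix, expired password) shows up here as a clear exception instead of as an opaque login failure in EPiServer.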
Now over to the EPiServer configuration. Open connectionStrings.config in your favorite text/XML editor and add the key:
<add name="ActiveDirectoryProviderConnection" connectionString="LDAP://test.local" />
Replace test.local with your AD URL, or alternatively use the URL of one of the domain controllers on the network. Now open Web.Config in your favorite text/XML editor and make the following changes:
<system.web>
  <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
    <providers>
      <clear />
      <!-- Chains the SQL and AD role providers; providerMapN names the membership provider paired with providerN -->
      <add name="MultiplexingRoleProvider"
           type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
           provider1="SqlServerRoleProvider"
           provider2="ActiveDirectoryRoleProvider"
           providerMap1="SqlServerMembershipProvider"
           providerMap2="ActiveDirectoryMembershipProvider" />
      <add name="WindowsRoleProvider"
           applicationName="EPiServerSample"
           type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
      <add name="SqlServerRoleProvider"
           connectionStringName="EPiServerDB"
           applicationName="EPiServerSample"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <!-- Reads group membership from AD with the lookup account created above -->
      <add name="ActiveDirectoryRoleProvider"
           type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
           connectionStringName="ActiveDirectoryProviderConnection"
           connectionUsername="TEST\EPiUser"
           connectionPassword="SecurePassw0rd"
           attributeMapUsername="sAMAccountName"
           cacheTimeout="1:30:0" />
    </providers>
  </roleManager>
  <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
    <providers>
      <clear />
      <!-- Chains the SQL and AD membership providers -->
      <add name="MultiplexingMembershipProvider"
           type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
           provider1="SqlServerMembershipProvider"
           provider2="ActiveDirectoryMembershipProvider" />
      <add name="WindowsMembershipProvider"
           type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
           deletePrefix="BUILTIN\"
           searchByEmail="true" />
      <add name="SqlServerMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="EPiServerDB"
           requiresQuestionAndAnswer="false"
           applicationName="EPiServerSample"
           requiresUniqueEmail="true"
           passwordFormat="Hashed"
           maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="7"
           minRequiredNonalphanumericCharacters="0"
           passwordAttemptWindow="10"
           passwordStrengthRegularExpression="" />
      <!-- Authenticates AD users; attributeMapUsername must be sAMAccountName -->
      <add name="ActiveDirectoryMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ActiveDirectoryProviderConnection"
           connectionUsername="TEST\EPiUser"
           connectionPassword="SecurePassw0rd"
           enableSearchMethods="true"
           attributeMapUsername="sAMAccountName" />
    </providers>
  </membership>
</system.web>
You might need to change the default role and membership providers to MultiplexingRoleProvider and MultiplexingMembershipProvider respectively, and change provider1, provider2, providerMap1 and providerMap2 to the appropriate AD provider. Also don't forget to change connectionUsername and connectionPassword to the AD user created before. EPiServer needs the attribute attributeMapUsername="sAMAccountName" to be able to authenticate the user properly. The attribute cacheTimeout="HH:mm:ss" can be used to override the default 10 minute cache.
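The provider wiring described above is easy to get subtly wrong (a defaultProvider that names nothing, a providerMap that points at a role provider instead of a membership provider, a connectionStringName with no matching entry), and ASP.NET only tells you at application start. The following PowerShell script is an added example, not part of the original post: it parses the two config files and reports every dangling reference, plus the two security-relevant settings this post depends on. It relies only on the element and attribute names used in this post; the sample inputs at the bottom are constructed from the post's own snippets, trimmed to the relevant attributes.

```powershell
# Added example (not from the original post): cross-check the provider wiring in
# Web.config against connectionStrings.config before the app pool is recycled.
# It relies only on the element and attribute names the post uses; the sample
# inputs at the bottom are constructed from the post's snippets (trimmed).
function Test-EpiProviderConfig {
    param([xml]$WebConfig, [xml]$ConnectionStrings)
    $findings = New-Object System.Collections.Generic.List[string]

    $csNames    = @($ConnectionStrings.connectionStrings.add | ForEach-Object { $_.GetAttribute('name') })
    $membership = $WebConfig.configuration.'system.web'.membership
    $roleMgr    = $WebConfig.configuration.'system.web'.roleManager
    $mProviders = @($membership.providers.add)
    $rProviders = @($roleMgr.providers.add)
    $mNames     = @($mProviders | ForEach-Object { $_.GetAttribute('name') })
    $rNames     = @($rProviders | ForEach-Object { $_.GetAttribute('name') })

    # defaultProvider must name one of the <add> entries or ASP.NET fails at startup.
    $d = $membership.GetAttribute('defaultProvider')
    if ($mNames -notcontains $d) { $findings.Add("membership defaultProvider '$d' is not configured") }
    $d = $roleMgr.GetAttribute('defaultProvider')
    if ($rNames -notcontains $d) { $findings.Add("roleManager defaultProvider '$d' is not configured") }

    # The multiplexing providers chain other providers by name; every reference must resolve.
    # providerMapN on the role provider names the membership provider paired with providerN.
    foreach ($p in $mProviders) {
        if ($p.GetAttribute('type') -like 'EPiServer.Security.Multiplexing*') {
            foreach ($a in 'provider1', 'provider2') {
                $v = $p.GetAttribute($a)
                if ($mNames -notcontains $v) { $findings.Add("$($p.GetAttribute('name')): $a='$v' is not a membership provider") }
            }
        }
    }
    foreach ($p in $rProviders) {
        if ($p.GetAttribute('type') -like 'EPiServer.Security.Multiplexing*') {
            foreach ($a in 'provider1', 'provider2') {
                $v = $p.GetAttribute($a)
                if ($rNames -notcontains $v) { $findings.Add("$($p.GetAttribute('name')): $a='$v' is not a role provider") }
            }
            foreach ($a in 'providerMap1', 'providerMap2') {
                $v = $p.GetAttribute($a)
                if ($mNames -notcontains $v) { $findings.Add("$($p.GetAttribute('name')): $a='$v' is not a membership provider") }
            }
        }
    }

    foreach ($p in $mProviders + $rProviders) {
        $n  = $p.GetAttribute('name')
        $cs = $p.GetAttribute('connectionStringName')
        if ($cs -and $csNames -notcontains $cs) {
            $findings.Add("${n}: connectionStringName '$cs' is missing from connectionStrings.config")
        }
        if ($p.GetAttribute('type') -like '*ActiveDirectory*') {
            if ($p.GetAttribute('attributeMapUsername') -ne 'sAMAccountName') {
                $findings.Add("${n}: attributeMapUsername must be 'sAMAccountName' for EPiServer to authenticate users")
            }
            if ($p.GetAttribute('connectionPassword')) {
                $findings.Add("${n}: connectionPassword is stored in clear text; encrypt the section with aspnet_regiis -pe")
            }
        }
    }
    return $findings
}

# Constructed sample inputs mirroring the post's snippets (use Get-Content on the real files instead).
$sampleWeb = [xml]@'
<configuration><system.web>
  <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider"><providers><clear />
    <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="SqlServerRoleProvider" provider2="ActiveDirectoryRoleProvider"
         providerMap1="SqlServerMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" />
    <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" type="System.Web.Security.SqlRoleProvider" />
    <add name="ActiveDirectoryRoleProvider" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
         connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="TEST\EPiUser"
         connectionPassword="SecurePassw0rd" attributeMapUsername="sAMAccountName" />
  </providers></roleManager>
  <membership defaultProvider="MultiplexingMembershipProvider"><providers><clear />
    <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="SqlServerMembershipProvider" provider2="ActiveDirectoryMembershipProvider" />
    <add name="SqlServerMembershipProvider" connectionStringName="EPiServerDB" type="System.Web.Security.SqlMembershipProvider" />
    <add name="ActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider"
         connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="TEST\EPiUser"
         connectionPassword="SecurePassw0rd" attributeMapUsername="sAMAccountName" />
  </providers></membership>
</system.web></configuration>
'@
$sampleCs = [xml]@'
<connectionStrings>
  <add name="EPiServerDB" connectionString="Server=(local);Database=EPiServerDB;Integrated Security=True" />
  <add name="ActiveDirectoryProviderConnection" connectionString="LDAP://test.local" />
</connectionStrings>
'@

$findings = Test-EpiProviderConfig -WebConfig $sampleWeb -ConnectionStrings $sampleCs
if ($findings.Count -eq 0) { "Provider wiring OK" } else { $findings }
```

On the post's own configuration every name resolves, so the only thing the script flags is the clear-text connectionPassword on the two AD providers. That is worth acting on rather than ignoring: anyone who can read Web.config gets working domain credentials, so run `aspnet_regiis.exe -pe "system.web/membership" -app "/<your site>"` (and the same for `system.web/roleManager`) to encrypt those sections in place with the machine's protected configuration provider, and keep the lookup account as unprivileged as the post describes.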
Note: You will need to log out and log in to EPiServer again after every change made in AD; it may also be necessary to recycle the application pool before any AD changes become visible to EPiServer.