Using Active Directory for the Back Office in Umbraco 7
Hi,
I'm trying to get it so that the umbraco Back Office does an AD lookup when editors authenticate.
I've done this before in v4.7.2 many times by:
1. Adding an LDAP connection string which relates to my AD in the web.config
2. Adding the AD provider to the web.config file
3. Adding a setting for DefaultBackofficeProvider in the appropriate place in the umbracoSettings.config file.
I've done this here in v7, but I'm getting either a 400 - Bad Request or a 500 Internal Server error. Using the Chrome developer tools, I can see that entering wrong credentials etc. does impact on the response.
Can anyone help me please?
Thanks,
Matt
CONNECTIONSTRING.CONFIG
<add name="LDAPConnectionString" connectionString="LDAP://xxx.yyy/OU=aaa,OU=bbb ccc,DC=xxx,DC=yyy" />
WEB.CONFIG
<membership defaultProvider="ADMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" />
    <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordFormat="Hashed" />
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LDAPConnectionString"
         connectionUsername="domain\user"
         connectionPassword="password"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
UMBRACOSETTINGS.CONFIG (I added this, it wasn't there like in previous versions)
<providers>
  <users>
    <!-- if you wish to use your own membershipprovider for authenticating to the umbraco back office -->
    <!-- specify it here (remember to add it to the web.config as well) -->
    <DefaultBackofficeProvider>ADMembershipProvider</DefaultBackofficeProvider>
  </users>
</providers>
and then specifying this as the DefaultBackofficeProvider in the appSettings file
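An added example, not from the thread or from Umbraco: a small Python lint for the membership configuration posted above, checking the cross-references that a misconfigured provider would otherwise report only as a 500 at the login screen. The function name `lint_membership` and the sample XML (placeholder values) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the configuration posted above (placeholder values).
CONNECTION_STRINGS = r'''<connectionStrings>
  <add name="LDAPConnectionString" connectionString="LDAP://xxx.yyy/OU=aaa,DC=xxx,DC=yyy" />
</connectionStrings>'''

WEB_CONFIG = r'''<membership defaultProvider="ADMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add name="UsersMembershipProvider" type="umbraco.providers.UsersMembershipProvider" />
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
         connectionStringName="LDAPConnectionString"
         connectionUsername="domain\user" connectionPassword="password"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>'''

def lint_membership(membership_xml, connection_strings_xml):
    """Return a list of findings for a <membership> section (hypothetical helper)."""
    findings = []
    membership = ET.fromstring(membership_xml)
    conns = {a.get("name"): a.get("connectionString", "")
             for a in ET.fromstring(connection_strings_xml).iter("add")}
    providers = {a.get("name"): a for a in membership.iter("add")}
    # The default provider must be one of the declared providers.
    default = membership.get("defaultProvider")
    if default not in providers:
        findings.append(f"defaultProvider '{default}' is not declared under <providers>")
    # Only the Active Directory providers carry LDAP settings worth checking.
    for name, p in providers.items():
        if "ActiveDirectoryMembershipProvider" not in p.get("type", ""):
            continue
        cs_name = p.get("connectionStringName")
        if cs_name not in conns:
            findings.append(f"{name}: connectionStringName '{cs_name}' has no matching connection string")
        elif not conns[cs_name].startswith("LDAP://"):
            findings.append(f"{name}: connection string '{cs_name}' is not an LDAP:// path")
        if bool(p.get("connectionUsername")) != bool(p.get("connectionPassword")):
            findings.append(f"{name}: connectionUsername and connectionPassword must be set together")
        if p.get("connectionPassword"):
            findings.append(f"{name}: service-account password is stored in clear text")
    return findings

if __name__ == "__main__":
    for finding in lint_membership(WEB_CONFIG, CONNECTION_STRINGS):
        print(finding)
```

The clear-text finding is the one to act on even when login works: the bind account's password sits in web.config, so the account should be low-privilege and the section is a candidate for ASP.NET protected configuration.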
Hi Matt,
I am looking into doing the same with an upcoming Umbraco 7 website. Did you find a solution to your problem?
Cheers
Bjørn
The OG post is old, but the follow up isn't - and I've also made it here so I'll doc what I've found for future landers. I've had some fun figuring out how to connect LDAP for the user and membership provider.
Edited 2014.01.17, see follow-up comment below.
As of Umbraco 7 - your web.config membership/providers section items have to have the names equal to the Umbraco default providers. This means that if you want to implement your own AD provider - it has to be called "UsersMembershipProvider" or "UmbracoMembershipProvider". Simply comment out or remove the original declaration - but still use Umbraco's name.
It doesn't seem to matter a bit about changing the 'defaultProvider' attribute:
There are also no other configuration files that seem to matter, beyond your connection string of course.
"and then specifying this as the DefaultBackofficeProvider in the appSettings file" - this is no longer relevant.
A hopefully super helpful tip I can offer is to use a second browser (Chrome vs Firefox etc.) and log in to the backoffice (admin user or whatever) before changing the provider configuration.
Belle is awesome for a lot of reasons - but it has a tendency in many spots to fail silently and doesn't offer a bit of help if you're on the login screen, for example: "I've done this here in v7, but I'm getting either a 400 - Bad Request or a 500 Internal Server error. Using the Chrome developer tools, I can see that entering wrong credentials etc. does impact on the response."
By logging into the backoffice first - you can click on a User in the User section so as to load that particular edit page. If your provider has issues - you'll be able to see a YSOD from this section. Your AD user trying to log in will never get any messages so friendly or helpful.. they just seem to fail silently.
Ugh, super-sleepy and having issues with posting an example. Hit me with a question and I'll make it back to try and better help. Perhaps I'll spin up a blog post if somebody thinks it's helpful? -'night!
Hi Damian,
Thank you very much for sharing. I am sure it will prove helpful :)
Cheers
Bjørn Fridal
Well well, it seems as of this morning - that much of what I noted above about the provider names having to be the same as the Umbraco default is not true.
I definitely had issues in that area at the beginning of AD set-up and it was the only thing I could do to get it working - but I find that it's no longer true and in fact, I see very different behaviour in the backend on the member edit pages with a different provider name.
I'm going through the Umbraco source to get the facts straight as there's obviously a bit of wiggle in my understanding and how the system is behaving and I'd hate to advise anybody in the wrong direction. I do stand by my double browser sign in suggestion though ;) .
Hi again,
After banging my head against undefined 500 "internal server error" at the backoffice login page, I remembered your suggestion. Thank you very much for that :) After I logged in with a different browser and kept reloading a user I received the actual error. In 15 minutes I was able to remedy the errors.
Very, very handy tip.
Cheers
Bjørn
Hi all,
Using Umbraco V7.1.1 with A/D Backoffice Authentication and couldn't get any helpful A/D membership provider errors beside the "500 internal server error".
Damian's suggestion to login using the UmbracoMembershipProvider and drill down on the A/D user in the Users section - then change over to your ADMembershipProvider (in web.config) and hitting refresh will expose useful error messages if any exist (you saved me a lot of time Damian!).
Cheers, J