Sitecore extranet authentication - asp.net

I have a site that I'm trying to migrate into my Sitecore instance. The Sitecore instance has multiple sites. For the one site I'm trying to migrate over, there is a login page for external users to log in. I'm validating this against an external database. This all works so far. My issue is that I need to prevent the external users from accessing certain pages without logging in (they should be redirected to the login page). The way that this was working when the site was outside of Sitecore was that there was forms authentication being done, and when a page was accessed without the user being logged in, the ReturnURL would be used to return the user to the proper page after login.
I'm not sure how to do this now that I have multiple sites inside of my Sitecore instance.
Any suggestion?

This is not very different in Sitecore to how it was done before, except now you can control the security of which pages should be accessible by logged-in users with the Sitecore Security Editor. There are a few pieces which you need to hook up in order to get this to work properly though.
Have a read through these articles, they should provide everything you need to get this to work:
Implementing Sitecore Extranet login on a website
Setting Up a Sitecore Extranet (site seems to be down, view cached copy)
Set the value of <setting name="NoAccessUrl" value="/sitecore/service/noaccess.aspx" /> in web.config to your Login page (this can be an item in Sitecore) using a patch config and if a user tries to access a restricted page they will be redirected to this page, which will also include the return url parameter.
If you are using an external database to authenticate users then you will also need to implement your own membership provider:
Sitecore authenticate users against external membership database
Sitecore Membership Providers
Be sure to correctly set the domain attribute of your <site> definition to whatever you set in domains.config and set as the providerName of your <provider> definition.
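The login step this answer leads up to, as an added example (not code from the answer or from Sitecore): the handler logs the user in under the current site's domain and only follows the return URL when it is a path on the same site, so the parameter appended to the login page cannot be used to send users elsewhere. The `returnUrl` key name and the `ExtranetLogin` class are assumptions; the code needs a reference to Sitecore.Kernel.

```csharp
using System;
using System.Web;
using Sitecore.Security.Authentication; // Sitecore.Kernel

public static class ExtranetLogin
{
    // Assumption: query-string key that carries the originally requested page.
    private const string ReturnUrlKey = "returnUrl";

    // Accept only a path on the current site; anything else becomes the fallback.
    public static string SafeReturnUrl(string candidate, string fallback = "/")
    {
        if (string.IsNullOrEmpty(candidate) || candidate[0] != '/')
            return fallback;                        // absolute URLs, other schemes, empty
        if (candidate.Length > 1 && (candidate[1] == '/' || candidate[1] == '\\'))
            return fallback;                        // "//host" and "/\host" leave the site
        foreach (char c in candidate)
            if (char.IsControl(c)) return fallback; // no CR/LF in a redirect target
        return candidate;
    }

    // Call from the login form's submit handler with the values the user typed.
    public static bool TryLogin(HttpContextBase context, string userName, string password)
    {
        // Sitecore wants a domain-qualified name ("extranet\jane"). Context.Domain
        // is the domain attribute of the <site> that served this request, so the
        // same code works for every site in a multi-site instance.
        string fullName = Sitecore.Context.Domain.GetFullName(userName);

        // Login() validates through the membership provider mapped to that
        // domain, i.e. the custom provider backed by the external database.
        if (!AuthenticationManager.Login(fullName, password, false))
            return false;

        string target = SafeReturnUrl(context.Request.QueryString[ReturnUrlKey]);
        context.Response.Redirect(target, false);
        return true;
    }
}
```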

Related

IIS website with double login option

I need to allow users to login website either with their Active Directory accounts if they are in local network (Sitecore's single sign-on functionality) or with their credentials (email and social security number) if they access site being outside local network.
First option could be achieved by enabling Windows Authentication mode in IIS and second - by using Anonymous mode. But it is impossible to enable these two modes at the same time for one site. So the question is how to configure website in IIS to allow both groups of users login it with appropriate option and do not create different site for each option?
Any good ideas are appreciated.
Assuming you are talking about the Sitecore interface, you can disable Windows Authentication and your AD users can still log in by specifying the domain as part of their username, e.g. <AD-Domain>\AD-username and then supplying their AD password. If you have followed the Sitecore Active Directory Module Guide then domain in this instance should be ad but you can change this to whatever you like, just make sure the rest of the config and references to "ad" have been changed to match.
In order to still allow Single Sign On without the user having to type in their domain/username/password you need to remove Anonymous and enable Windows Authentication for the login file only located at /sitecore/admin/ldaplogin.aspx. See section 4.3.1 of the documentation.
In order to use this Single Sign On page and log in, your AD users need to browse to http://<your-site>/sitecore/admin/ldaplogin.aspx. I provided a link on the Sitecore login page by creating an HTML page with a link to this page:
<html>
<body>
<!-- link to the Windows-authenticated login page described above -->
<a href="/sitecore/admin/ldaplogin.aspx">Login with your Windows account</a>
</body>
</html>
And then updating the Login.SitecoreUrl setting to the html page:
<!-- LOGIN SITECORE URL
Specifies the Url of the Sitecore pane on the login startpage.
-->
<setting name="Login.SitecoreUrl" value="/sitecore/admin/ldaplogin.html" />
Your users will then be provided with a link in the pane on the right side of the login page for Sitecore 7.5 and earlier.
Sitecore does have its own Active Directory module that it's worth investigating. The links to documents are broken currently so I can't find the exact answer to help you.
Here is the link to the main page and download - sdn.sitecore.net/Products/AD.aspx
It's their own Module so if you do have any questions or issues you can raise a support ticket with them.

ASP .NET Logout when url is modified or refreshed

Hi, I would like to know how you would log out a user if he modifies the URL or refreshes the web pages, like in bank web sites, in ASP.NET.
Thanks for your answers
I have implemented a solution similar to Vignesh Kumar's answer by using roles and restricting access to pages based on the roles a user has. When a user logs in I check which pages they can access based on their assigned roles and build the navigation menu accordingly so that they're not able to navigate to restricted pages.
In my master page's Page_Load method I check whether a user has access to the page they're trying to access and if not I log them out and redirect them to the login screen.

select login page for forms authentication based on custom rules

I have a web site that uses forms authentication. The problem is that I have the site installed multiple times on the same production servers because I need to have a few different login pages (based on the domain in this case). After the domain-specific login page, the rest of the site is the same. Obviously, this requires a lot of maintenance as each new version has to be installed multiple times on the server (varying the login page in the web.config file).
So I thought: is there a way to install the site in one folder on the disk, have a web site in IIS take in all the needed domains, and make some HTTP module (or some other solution) to which I could give a list of domains and the forms authentication for each domain? This way the login page used by each site would change according to the domain while still having only one site to maintain on the server.
Thanks
Dani Avni
I have seen this go a number of ways and a lot of it depends on how you have things setup in IIS.
If all domains are on the same IIS website, the most common solution would be to create an HttpModule, or even an actual .aspx page, that loads configuration and, based on the requested URL, sends the user to the right login page. You could even do a "Server.Transfer()" if you want the user's URL to stay the same. Then in the web.config you still set a single login page. Just make sure that each other login page allows anonymous users access.
If all domains are separate IIS sites, I would recommend at that point just maintaining different copies of the sites. But the real question is why you need different logins.
My workplace has a couple of web applications that do exactly what you are trying to describe. There are a couple of approaches we have used, depending on the situation.
The more common approach we use is to have all the actual sites on IIS point to the same directory. The logic for the login gets the URL, determines which client site is being requested, and takes that into account on login. The actual login page is the same for all client sites, though, so it's just determining which database to use.
If you want to do anything fancier than that, another approach we have used is to create our own MembershipProvider, at which point you can basically do whatever you want. You should have access to HttpContext.Current if your class is being called by the ASP.NET authentication provider (you would set the membership provider in Web.config to your provider).
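The HttpModule approach from the first answer above, as an added example (not code from either answer). It uses `RewritePath` rather than `Server.Transfer()`, which has the same effect of keeping the user's URL unchanged but works from a module. The host names, page paths, the `/login.aspx` login URL and the module name are constructed for illustration, and the application is assumed to sit at the site root.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Register under <system.webServer><modules>; web.config keeps a single
// forms loginUrl (assumed here to be "/login.aspx").
public sealed class LoginPageSelectorModule : IHttpModule
{
    private const string ConfiguredLoginUrl = "/login.aspx";        // assumption
    private const string DefaultLoginPage = "/logins/default.aspx"; // hypothetical

    // Constructed allow-list: host name -> login page for that domain.
    private static readonly Dictionary<string, string> LoginPages =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "clienta.example.com", "/logins/clienta.aspx" },
            { "clientb.example.com", "/logins/clientb.aspx" },
        };

    // The Host header is client-supplied, so it is only ever used as a lookup
    // key; it is never concatenated into a path or a redirect target.
    public static string ResolveLoginPage(string host)
    {
        string page;
        return host != null && LoginPages.TryGetValue(host, out page) ? page : DefaultLoginPage;
    }

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!string.Equals(context.Request.Path, ConfiguredLoginUrl,
                           StringComparison.OrdinalIgnoreCase))
            return;

        // Rewrite server-side: the browser URL and the ReturnUrl query string
        // stay as they were, and URL authorization later runs against the
        // rewritten path, so each per-domain page must allow anonymous users.
        string target = ResolveLoginPage(context.Request.Url.Host);
        context.RewritePath(target, string.Empty,
                            context.Request.QueryString.ToString());
    }

    public void Dispose() { }
}
```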

create user wizard causes error on sharepoint site

I've built a new SharePoint site page using the example I found here:
Link
The purpose of the page is to add a new user to the aspnet membership database that serves as the authentication provider for my SharePoint site, which uses forms-based authentication.
I've slightly customized the ASP CreateUser control.
The SharePoint site is forms based but the top-level site is accessible anonymously, and I've created a subsite for members (hence the user registration page). The site page is in the top-level site so that people can register.
If I'm already logged in and fill out the form, the user is successfully added to the membership store. However, if I access the page anonymously and fill out the form, the user is successfully added to the membership database, but I can no longer navigate the website; I keep getting HTTP 500 "page cannot be displayed" errors until I clear the browser cache and cookies.
I don't think it's a programming error but more likely something to do with site security and authentication.
Once the user is created successfully and the page is redirected to the one you provided in the ContinueDestinationPageUrl property, the page is loaded with the recently created user's credentials. Since you haven't added this new user to your MOSS site, you'll get an Access Denied error. So, in order to resolve this issue, you need to set the LoginCreatedUser property of the control to false, so that the page is loaded with the original user's credentials, not with those of the one recently created.

Asp.Net Roles without Roles Provider not working?

Hello,
I have created a web site with ASP.NET using the SQL Membership Provider, a sitemap and security trimming enabled.
Based on these I have placed web.config files in directories to allow or deny users access according to their roles.
After some time I removed the MembershipProvider and created by hand the "standard" login procedure, which creates a ticket and an authentication cookie and sets the GenericPrincipal in Application_AuthenticateRequest.
The problem after these changes is that although the sitemap displays the right pages for each different user according to his roles, when I click on such a page the system redirects me to the "default.aspx" page, as if the user is not allowed to enter that page!
It is strange that the sitemap and security trimming are working BUT I actually cannot enter the pages!
You can add users and roles with IIS management tool. This way you can avoid any typing error.
