These steps are only required if the organization wants to allow Active Directory users to log in to Sitecore as content authors.

This feature in Sitecore is called Single Sign-on.

In most cases, if an organization has a domain controller set up, its workstations are joined to that domain. Imagine that you have established a connection between the Managers organizational unit and your Sitecore CMS installation. This means that the members of this organizational unit are now able to work in Sitecore CMS according to their roles. Naturally, these users want to be logged in to Sitecore CMS automatically: when they start Sitecore CMS, they are already logged in to their organization's domain.
This feature is called Single Sign-on, and the Active Directory module supports it.

Caution: Before you enable this feature, I would advise the client to work with Sitecore to find out how many concurrent users their current Sitecore license allows. If all AD users are able to log in and the license allows only a small number of concurrent users, the client may hit that limit repeatedly, and Sitecore may contact them to investigate or to increase the license cost.

Prerequisites

There are some prerequisites for using this functionality:

To disable anonymous access in IIS 7+, follow the steps below:

Caution: IIS 7 does not support mixed authentication mode, so you cannot have several authentication types enabled on the /sitecore/admin/ldaplogin.aspx page. To use Windows Authentication, you must disable all other authentication methods and enable Windows Authentication for this page.
To configure IIS 7:
1. Open IIS Manager.
2. Expand the target website.
3. Navigate to the /sitecore/admin folder and select Switch to Content View from the context menu.
4. Select the LDAPLogin.aspx page and click Switch to Features View.
5. In the right-hand pane, click Authentication.
6. Disable all other authentication methods and enable Windows Authentication.

Caution: If Windows Authentication does not work, try enabling Basic Authentication instead, as shown below.

I ran into issues when I had only enabled Windows Authentication: my AD users were not identified, so I disabled Windows Authentication and enabled Basic Authentication.
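To script the manual IIS steps above, including the Basic Authentication fallback, here is an added PowerShell example that is not part of the original post or the Sitecore module; the site name 'Default Web Site' and the assumption that the Sitecore webroot is the site root are mine, so adjust them for your installation.

```powershell
# Added example, not from the original post: scripts the IIS 7+ steps above with the
# WebAdministration module. Assumes the IIS site is named 'Default Web Site' and that
# the Sitecore webroot is the site root; adjust $site if yours differs.
# Requires the Windows Authentication role service to be installed in IIS.
Import-Module WebAdministration

$site     = 'Default Web Site'
$page     = "$site/sitecore/admin/LDAPLogin.aspx"   # stored by IIS as a <location path="..."> override
$authPath = 'system.webServer/security/authentication'
$sections = 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication'

# Set to $true only if Windows Authentication is not identifying your AD users (the
# fallback described above). Basic Authentication sends the password base64-encoded
# on every request, so the site must then be served over HTTPS only.
$useBasicFallback = $false

# The authentication sections are locked at server level by default, which makes IIS
# reject per-page overrides. Unlock them first (server-wide, one time).
foreach ($s in $sections) {
    Set-WebConfiguration -Filter "$authPath/$s" -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
}

# IIS 7 does not allow mixed modes on one page: exactly one of the three is enabled.
$desired = @{
    anonymousAuthentication = $false
    basicAuthentication     = $useBasicFallback
    windowsAuthentication   = -not $useBasicFallback
}
foreach ($s in $sections) {
    Set-WebConfigurationProperty -Filter "$authPath/$s" -Name enabled -Value $desired[$s] `
        -PSPath 'IIS:\' -Location $page
}

# Verify the result for the page; only one line should show enabled=True.
foreach ($s in $sections) {
    $enabled = (Get-WebConfigurationProperty -Filter "$authPath/$s" -Name enabled `
        -PSPath 'IIS:\' -Location $page).Value
    '{0,-24} enabled={1}' -f $s, $enabled
}
```

Run it in an elevated PowerShell session on the web server; the verification loop at the end is the same check as step 5 and 6 of the manual procedure, so it shows immediately if anonymous access is still on for the page.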


Once the above configuration is done, you should be able to log in to Sitecore with AD users.

Note: The login URL for AD users differs from the one for regular Sitecore content authors.

Regular Sitecore content authors use http://sitename.com/sitecore

AD content authors MUST use http://sitename.com/sitecore/admin/ldaplogin.aspx

After logging in through the LDAPLogin.aspx page, AD users are automatically redirected to the Sitecore dashboard.


Some extra information on SSO that may come in handy for debugging if issues arise.

When the prerequisites are satisfied, you can log in to Sitecore CMS with your system account without manually providing your user credentials. Enter the following URL in your browser: http://[yoursite]/sitecore/admin/LDAPLogin.aspx

Note: You can still log in in the usual way by opening the default Sitecore shell login page (http://[yoursite]/sitecore).

If you forget to verify the prerequisites and your machine is not in a domain, or anonymous access has not been removed from the login page, the system will not let you log in and will display the reason for the refusal.

Some errors may occur when the system begins to analyze the user credentials. For instance, if the domain name is correct and you are a member of the Active Directory domain, but you are not a member of the Managers organizational unit which is plugged into Sitecore, you will receive a warning saying so.

The real domain name might differ from the domain name entered in Sitecore CMS. For instance, you may be a user of the Active Directory domain called Company.com, but this domain is plugged into Sitecore CMS as "ad" (which is the default). In this case, the system will not reject your attempt to log in outright, but it will iterate the existing Sitecore CMS domains in an attempt to find the appropriate user. If the user cannot be found, a warning is displayed.

When the user is found in the Active Directory domain but does not have enough permissions to log in to Sitecore CMS (the user is not a member of the sitecore\Sitecore Client Users role), the system rejects the login attempt and displays a message to that effect.

Finally, if everything is fine and the user is allowed to log in, you will be logged in automatically and redirected to the Sitecore CMS desktop.

The page redirects you to the user's StartUrl. See the following method:

//LightLDAP.LDAPLogin
private string GetStartUrl(User user)
{
  // Fallback value: the sitecore_starturl cookie, if present.
  string text = WebUtil.GetCookieValue("sitecore_starturl");
  if (user != null)
  {
    // StringUtil.GetString returns the first non-empty value: the profile StartUrl wins over the cookie.
    text = StringUtil.GetString(new string[] { user.Profile.StartUrl, text });
  }
  // If neither is set, fall back to the clientusesoswindows.aspx page.
  return StringUtil.GetString(new string[] { text, "/sitecore/shell/applications/clientusesoswindows.aspx" });
}

By default, a user's StartUrl profile property (user.Profile.StartUrl) is empty, so the clientusesoswindows.aspx page is used.
That page redirects you to the Content Editor if your user has read access to it:

<%@ Page language="c#" AutoEventWireup="false" %>
<%@ Import namespace="Sitecore.Data.Items"%>
<%
Sitecore.Configuration.State.Client.UsesBrowserWindows = true;
Sitecore.Configuration.State.Client.NoDesktop = true;
// The Content Editor application item; CanRead() evaluates the current user's item security.
Item item = Sitecore.Context.Database.Items["/sitecore/content/Applications/Content Editor"];
if (item != null && item.Access.CanRead())
{
  Response.Redirect("/sitecore/shell/Applications/Content editor.aspx");
}
// Response.Redirect ends the response, so this line is only reached when access was denied.
Response.Redirect("/sitecore/login/default.aspx?sc_error=You do not have access to the Content Editor.");
%>

Note: If you are in debug mode, you will first see the entire list of roles that you are a member of in Sitecore CMS, and the Login button will be enabled so that you can then log in. You can read more about debug mode later in this article.
