Using the Active Directory membership provider with EPiServer
EPiServer implements standard provider functionality for role and membership access through the ASP.NET framework. The most common membership and role provider is the SQL provider, through which the administrator can add, delete and modify users stored in a database. This is ideal for a website.
However, EPiServer is also a platform for intranets that rely heavily on Active Directory. There are two options when integrating EPiServer with Active Directory:
- The Windows membership and role provider.
- The Active Directory membership and role provider.
The Windows provider works great with EPiServer. There’s just one issue: the user must have attempted to log on to the EPiServer site before he/she can be granted access! EPiServer recognizes the user trying to access the site and stores their username. Then, and only then, the administrator can find the user in admin mode and assign them the appropriate permissions. This is not actually all that strange a behaviour, since the EPiServer database would be flooded with data if you imported a large AD structure into it. EPiServer has no way of distinguishing “real” user accounts from service accounts.
The AD provider – so, what’s the problem?
So, let’s have a look at the Active Directory provider. It sounds good – doesn’t it? By integrating EPiServer with Active Directory we can search for users and grant them permission to the site without them having to try to access the site beforehand. But here’s the problem: EPiServer assigns wildcards when searching for users. The standard wildcard in an SQL database is a percentage sign (%). This will never work in an AD search, since it uses the asterisk (*) as its wildcard. So, we can’t search for users.
The solution is to create your own Active Directory membership provider and override the methods FindUsersByName and FindUsersByEmail. Just do a .Replace("%", "*"); on the input variable (username or email) before performing the search.
I’ve included a code sample. Download it here.
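A provider along the lines described above, as an added example that is not the author's downloadable sample. The class name WildcardAdMembershipProvider and the helper ToLdapWildcard are hypothetical; the base class and the two overridden methods are the standard ASP.NET ones.

```csharp
using System.Web.Security;

// Added example (hypothetical class name). Register this type in web.config
// in place of System.Web.Security.ActiveDirectoryMembershipProvider.
public class WildcardAdMembershipProvider : ActiveDirectoryMembershipProvider
{
    // EPiServer builds its search pattern with the SQL wildcard (%).
    // An AD search expects the asterisk (*), so translate before searching.
    private static string ToLdapWildcard(string pattern)
    {
        // Leave null or empty input untouched so the base class applies
        // its own argument validation.
        return string.IsNullOrEmpty(pattern) ? pattern : pattern.Replace("%", "*");
    }

    public override MembershipUserCollection FindUsersByName(
        string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        return base.FindUsersByName(
            ToLdapWildcard(usernameToMatch), pageIndex, pageSize, out totalRecords);
    }

    public override MembershipUserCollection FindUsersByEmail(
        string emailToMatch, int pageIndex, int pageSize, out int totalRecords)
    {
        return base.FindUsersByEmail(
            ToLdapWildcard(emailToMatch), pageIndex, pageSize, out totalRecords);
    }
}
```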
EPiServer provides source code for the AdsiDatafactory class. It limits a search to 1000 users. So, if you have an Active Directory with more than 1000 users in it, you need to change the PageSize when searching for users. This property is set in the FindAll method. Use the following line of code to enable searches that return more than 1000 users: userSearcher.PageSize = Int32.MaxValue;