Code to allow Umbraco 7.7.0 Beta or newer to use MembershipProvider-based providers for Active Directory authentication.
Users of Umbraco 7.4.2-7.6.x should use UmbBackofficeMembershipProvider 3.0.0 (NuGet). Umbraco 7.7.0 includes a breaking change in its API. UmbBackofficeMembershipProvider 4.0.0 is not compatible with Umbraco versions older than v7.7.0.
This project includes a DLL that will allow you to use a traditional MembershipProvider
for logging in Umbraco backoffice users.
- .NET Framework 4.5
- Umbraco 7.7.0 Beta or newer
This project is available on NuGet.
- Before making any configuration file changes, make sure that you have an Administrator-level user account in Umbraco with the same username as the Active Directory account that you will use to log in to Umbraco. It doesn't matter what you set for the password: once UmbBackofficeMembershipProvider is enabled, it will check the password against Active Directory and not Umbraco.
- Add UmbBackofficeMembershipProvider.dll as a reference in your project or place it in the \bin folder.
- In web.config, make the following modifications:
  - Add or modify the following line in the <appSettings> section:
    <add key="owin:appStartup" value="BackofficeMembershipProviderCustomOwinStartup" />
  - Add an LDAP connection string to your LDAP server in the <connectionStrings> section, as shown in the example below. Specify a path to the domain root or a container/OU if you want to limit where the user accounts can be located.
    <add connectionString="LDAP://mydomain.mycompany.com/DC=mydomain,DC=mycompany,DC=com" name="ADConnectionString" />
  - Add a membership provider named BackofficeMembershipProvider, as shown in the example code below. Be sure the connectionStringName matches the LDAP connection string you defined. attributeMapUsername specifies the username format: sAMAccountName for just the username, or userPrincipalName to use username@mydomain.mycompany.com. Be sure the usernames you configure in Umbraco use the same format. Clean Umbraco 7.7.0 Beta or newer installations will need to use the userPrincipalName format; existing installations upgraded to Umbraco 7.7.0 Beta or newer can use whichever format is preferred, but the account usernames must be set consistently.
  - If you are upgrading from a pre-7.3.1 version of Umbraco that used an Active Directory provider for backoffice users, you must change UsersMembershipProvider to Umbraco.Web.Security.Providers.UsersMembershipProvider. If you have a new installation, this is the default provider already.
<membership defaultProvider="UmbracoMembershipProvider">
<providers>
<add
name="BackofficeMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"
connectionUsername="testdomain\administrator"
connectionPassword="password"/>
<add
name="UsersMembershipProvider"
type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="8"
useLegacyEncoding="true" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
passwordFormat="Hashed" />
</providers>
</membership>
- In config\UmbracoSettings.config:
  - If you are using the default Umbraco.Web.Security.Providers.UsersMembershipProvider class for UsersMembershipProvider, you don't need to do anything.
In versions of Umbraco before 7.3.0, Umbraco automatically creates Umbraco user accounts for Active Directory users on first login. In versions 7.3.0 and newer, an administrator must first create an Umbraco user account (with the same username) before an Active Directory user can log in. Make sure you have created an Administrator-level account with the same username as your Active Directory account before enabling UmbBackofficeMembershipProvider.
It does not matter what password you use for local Umbraco accounts. Umbraco will authenticate against Active Directory rather than checking the locally stored passwords.
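A consistency check for the web.config settings described above, added here as an example; it is not part of UmbBackofficeMembershipProvider. The function name check_config and the sample document are constructed for illustration, and the clear-text connectionPassword finding is an extra check that the steps above do not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the settings above; connectionStringName is
# deliberately wrong so the consistency check has something to report.
SAMPLE = r"""<configuration>
  <appSettings>
    <add key="owin:appStartup" value="BackofficeMembershipProviderCustomOwinStartup" />
  </appSettings>
  <connectionStrings>
    <add connectionString="LDAP://mydomain.mycompany.com/DC=mydomain,DC=mycompany,DC=com" name="ADConnectionString" />
  </connectionStrings>
  <system.web><membership defaultProvider="UmbracoMembershipProvider"><providers>
    <add name="BackofficeMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
         connectionStringName="ADConnection" attributeMapUsername="sAMAccountName"
         connectionUsername="testdomain\administrator" connectionPassword="password" />
  </providers></membership></system.web>
</configuration>"""

def check_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    startup = [a.get("value") for a in root.findall(".//appSettings/add")
               if a.get("key") == "owin:appStartup"]
    if startup != ["BackofficeMembershipProviderCustomOwinStartup"]:
        findings.append("owin:appStartup is missing or has an unexpected value")
    conns = {a.get("name"): a.get("connectionString", "")
             for a in root.findall(".//connectionStrings/add")}
    prov = next((a for a in root.findall(".//membership/providers/add")
                 if a.get("name") == "BackofficeMembershipProvider"), None)
    if prov is None:
        return findings + ["no provider named BackofficeMembershipProvider"]
    ref = prov.get("connectionStringName")
    if ref not in conns:
        findings.append(f"connectionStringName {ref!r} matches no connection string")
    elif not conns[ref].startswith("LDAP://"):
        findings.append(f"connection string {ref!r} is not an LDAP:// path")
    attr = prov.get("attributeMapUsername")
    if attr is not None and attr not in ("sAMAccountName", "userPrincipalName"):
        findings.append(f"attributeMapUsername {attr!r} is not one of the two formats")
    if prov.get("connectionPassword"):
        # Visible here means it sits in clear text in web.config.
        findings.append("connectionPassword is readable in clear text")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print("FINDING:", finding)
```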