In most cases, if an organization has a domain controller set up, the workstations are usually joined to the domain. Imagine that you have established a connection between the Managers organizational unit and your Sitecore CMS installation. This means that the members of this organizational unit are now able to work in Sitecore CMS according to their roles. Naturally, these users wish to be logged in to Sitecore CMS automatically.
The other use of SSO is for an organization's intranet site: once a user is logged in to the domain, the intranet site should authenticate them and display sections of the site based on their roles.
So if you are looking to implement SSO with Sitecore for the above scenarios, this post might be helpful.
In order to implement SSO you will need to install the Active Directory Module on your Sitecore CMS. For more details about installing and configuring the Active Directory Module, you can visit my earlier post “Active Directory Module and Sitecore”.
There are some prerequisites for using this functionality:
- The user's workstation must be a member of the appropriate domain.
- Anonymous access to the /sitecore/admin/ldaplogin.aspx page must be disabled, and Integrated Windows authentication must be turned on.
1. IIS 6
In order to disable the anonymous access in IIS 6, follow the steps below:
- Start IIS.
- Expand the target website.
- Navigate to the /sitecore/admin folder and select the LDAPLogin.aspx page.
- Right-click the LDAPLogin.aspx page and select Properties.
- Switch to the File Security tab and uncheck the anonymous access checkbox.
As a result, the IIS configuration should look similar to this:
2. IIS 7 or higher
The configuration of IIS 7 or higher differs a bit.
To begin with, IIS 7 does not support mixed authentication mode, so you cannot have several authentication types enabled for your site.
For Windows Authentication you therefore have to disable Forms authentication (which is the default for a Sitecore installation) and enable Windows Authentication for your site, as shown below:
The next step is pretty straightforward. Go to the AD login page and disable anonymous access for that page, as shown below:
Now that the prerequisites are satisfied, you can log in to Sitecore CMS with your system account without providing user credentials manually. Open the following URL in your browser: http://[yoursite]/sitecore/admin/LDAPLogin.aspx
You can still log in the usual way through the default Sitecore shell login page (http://[yoursite]/sitecore).
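A read-only check of the IIS 7 or higher prerequisites described above, as an added example that is not part of the original post. The site name `Sitecore` and host `yoursite` are placeholders, and it assumes Windows PowerShell 5.1 with the WebAdministration module, run elevated on the web server, with the authentication settings stored in applicationHost.config.

```powershell
# Added example: audits the SSO prerequisites without changing any setting.
Import-Module WebAdministration

$Site    = 'Sitecore'                        # placeholder IIS site name (assumption)
$BaseUrl = 'http://yoursite'                 # placeholder for http://[yoursite]
$Page    = 'sitecore/admin/LDAPLogin.aspx'   # AD login page named in the post
$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Auth    = 'system.webServer/security/authentication'

function Get-AuthEnabled([string]$Section, [string]$Location) {
    # Reads <$Section enabled="..."> for a site or file location in applicationHost.config.
    $cfg = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Auth/$Section"
    [bool]$cfg.enabled
}

function Test-AnonymousRejected([string]$Url) {
    # Sends one request with no credentials. The page must answer 401 and offer
    # Negotiate or NTLM; anything else means anonymous access is still possible
    # or Integrated Windows authentication is not in effect for this URL.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $null
    try   { $resp = $req.GetResponse() }
    catch { $resp = $_.Exception.GetBaseException().Response }   # 401 surfaces as WebException
    if (-not $resp) { return $false }                            # no HTTP response at all
    $offers = $resp.Headers['WWW-Authenticate']
    $ok = ([int]$resp.StatusCode -eq 401) -and ($offers -match 'Negotiate|NTLM')
    $resp.Close()
    $ok
}

# ASP.NET authentication mode from the site's web.config (Sitecore ships with Forms).
$formsMode = (Get-WebConfiguration -PSPath "$AppHost/$Site" -Filter 'system.web/authentication').mode

[pscustomobject]@{
    FormsAuthDisabled       = $formsMode -ne 'Forms'
    WindowsAuthEnabledSite  = Get-AuthEnabled 'windowsAuthentication' $Site
    AnonymousDisabledPage   = -not (Get-AuthEnabled 'anonymousAuthentication' "$Site/$Page")
    AnonymousRequestGets401 = Test-AnonymousRejected "$BaseUrl/$Page"
}
```

All four values should be True before testing SSO in the browser.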
Errors & Resolutions
The sections below explain a few errors and their resolutions in case single sign-on does not work.
- If you forgot to verify the prerequisites, and your machine turns out not to be in a domain or anonymous access has not been removed from the login page, the system will not log you in and will display the reason for the refusal.
- Some errors may occur when the system begins to analyze user credentials. For instance, if the domain name is correct, and you’re a member of the Active Directory domain, but you’re not a member of the Managers organizational unit which is plugged into Sitecore, you’ll get the following warning.
- It may happen that the real domain name differs from the domain name entered in Sitecore CMS. For instance, you may be a user of the Active Directory domain called “Company.com”, but this very domain is plugged into Sitecore CMS as “ad” (which is done by default). In such a case, the system won’t reject your attempt to log in, but will iterate over the existing Sitecore CMS domains trying to find the appropriate user. If the user is still not found, the following warning will be displayed.
- If the user is found in the Active Directory domain but does not have enough permissions to log in to the Sitecore CMS shell interface (the user is not included in the sitecore\Sitecore Client Users role), the system will reject the login attempt and display the following message.
- If you have passed through the above errors and are still not able to log in using SSO, there is a post “401.1 error + anonymos access + multiple host headers” by Alex Shyba on SDN; below is an extract from the post.
This mostly happens in development environments; in the case of production or staging servers where Sitecore is installed on another machine, you just need to add the site to your list of Intranet sites.
The problem can be reproduced if you add some host headers for your site in IIS (5.1 or 6.0) and disable anonymous access for the whole site. Let’s assume that you have two host headers added (test and test.mydomain). Disable anonymous login and try to access the site using test and test.mydomain.
As a result, you have the IIS login prompting window shown. After specifying the correct(!) login credentials, you are not able to authenticate and get nothing but the 401.1 error screen in IE. Note that using the localhost host header doesn’t cause any problems, however.
For a development environment, the solution is to hack into the Windows registry and add some keys. You can find official instructions here:
In order to make this annoying window disappear, you should add those sites (test and test.mydomain) to the list of Local intranet sites in IE.
And finally, if everything is fine and the user is allowed to log in, you’ll be logged in automatically and redirected to the Sitecore Content Editor.
- Single Sign On issue in Sitecore 7.2
In Sitecore 7.2, when we hit http://[yoursite]/sitecore/admin/LDAPLogin.aspx, it does authenticate the user, and there are entries in the log file confirming the successful login of the user, but it does not redirect the user to the Content Editor and takes the user back to the /sitecore/login/ page. It is a bug in the Active Directory Module. I raised a ticket with Sitecore support (# 410076); the solution provided by Sitecore support is as below.
a. Copy Sitecore.Support.403767.dll in your website bin folder.
b. Change the inherited type for the /sitecore/admin/ldaplogin.aspx page as below:
<%@ Page Language="C#" AutoEventWireup="true" Inherits="LightLDAP.Support.LDAPLogin,Sitecore.Support.403767" %>