Sitecore Active Directory Configuration: Read User Data from AD Group


The problem:

While enabling an organization's users as content authors on the Sitecore CM server with Sitecore's Active Directory (AD) module, we ran into a strange issue: user data could not be read from the AD user group. The goal is to let a group of employees in the organization access the CMS to do their content authoring work, signing in to Sitecore with their Windows credentials.

In other words, Sitecore's User Manager was not displaying the users from the Active Directory group.

Steps to reproduce the issue

  1. Install Sitecore's Active Directory module from here.
  2. Configure the AD connection string to point to a logical group in the Active Directory structure.
     <connectionStrings>
         <add name="ManagersConnString" connectionString="LDAP://testsrv/OU=Managers,DC=testdomain,DC=sitecore,DC=net" />
     </connectionStrings>

  3. Configure the ASP.NET security providers (membership provider):
     <add name="ad"
          type="LightLDAP.SitecoreADMembershipProvider"
          connectionStringName="AD"
          applicationName="sitecore"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          requiresQuestionAndAnswer="false"
          requiresUniqueEmail="false"
          connectionUsername="[put the username here]"
          connectionPassword="[put the password here]"
          connectionProtection="Secure"
          attributeMapUsername="sAMAccountName"
          enableSearchMethods="true" />
  4. Activate the switching providers.

In the web.config file, in the <system.web> section, find the <membership> element, locate the provider named sitecore and set its realProviderName attribute to switcher.

<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <providers>
        <clear/>
        <add name="sitecore" type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" realProviderName="switcher" providerWildcard="%" raiseEvents="true"/>
        <add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="core" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="256"/>
        <add name="switcher" type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/membership"/>
    </providers>
</membership>
  5. Open Sitecore's User Manager and check for the users listed from AD.

Here we are only interested in getting the users from Active Directory, not the roles. You can extend Sitecore security to fetch the roles and some additional user-related data by configuring the Role Manager and Profile Provider settings.

Root cause

There is no actual user data stored under the AD group. We verified that if you change the connection string to a node in the AD tree that contains the actual users beneath it, it works; but if you point the AD connection at a logical group, it does not.

Solution:
When dealing with AD, most of the time it is hard to see and check the structure and values of element/user properties.
For that I personally recommend the simple and easy-to-use tool "AD Explorer". It is a free, handy tool that gives you a graphical representation of your AD tree and also helps you find the correct connection string.

You can download it from https://technet.microsoft.com/en-us/library/bb963907.aspx

(Screenshot: AD Explorer for Group)

Step 1

Change the connection string to point to the parent node of the logical group.

<connectionStrings>
    <add name="ManagersConnString" connectionString="LDAP://testsrv/DC=testdomain,DC=sitecore,DC=net" />
</connectionStrings>
Step 2

In system.web/membership/providers, add the customFilter attribute to the "ad" provider node, as shown in the configuration below (the same provider configured in the reproduction steps above).

<add name="ad"
type="LightLDAP.SitecoreADMembershipProvider"
connectionStringName="AD"
applicationName="sitecore"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
connectionUsername="[put the username here]"
connectionPassword="[put the password here]"
connectionProtection="Secure"
attributeMapUsername="sAMAccountName"
enableSearchMethods="true"
customFilter="(memberOf=CN=Managers,DC=testdomain,DC=sitecore,DC=net)" />

Once this is all done, open Sitecore's User Manager and check that users from AD are listed. It should look like the image below.
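Because both the reproduction configuration and the fixed configuration above are easy to get subtly wrong (a connectionStringName that names no connection string, a base DN that points at a group object rather than a container holding users, a customFilter with unbalanced parentheses, or bind credentials left as placeholders or sent without connectionProtection="Secure"), here is an added example that checks those points offline before the web.config goes onto the CM server. It is not Sitecore or LightLDAP code; it parses a constructed web.config fragment built from the snippets on this page, and the connection-string name "ManagersConnString", the placeholder credentials and the hypothetical finding messages are assumptions of the example. It also shows how to build a (memberOf=...) filter with RFC 4515 escaping, so that a group DN taken from elsewhere cannot change the structure of the filter.

```python
"""Offline sanity check for a Sitecore AD membership-provider configuration.

Added example, not Sitecore or LightLDAP code: parses <connectionStrings> and
<membership> fragments like the ones above and reports the configuration
problems that stop AD users from appearing in User Manager.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample built from the page's snippets: the connection string is
# named "ManagersConnString" but the provider refers to "AD", and the bind
# credentials are still the placeholders from the sample configuration.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ManagersConnString"
         connectionString="LDAP://testsrv/DC=testdomain,DC=sitecore,DC=net" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="sitecore">
      <providers>
        <add name="ad" type="LightLDAP.SitecoreADMembershipProvider"
             connectionStringName="AD" applicationName="sitecore"
             connectionUsername="[put the username here]"
             connectionPassword="[put the password here]"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true"
             customFilter="(memberOf=CN=Managers,DC=testdomain,DC=sitecore,DC=net)" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

LDAP_URL = re.compile(r"^LDAP://([^/]+)/(.+)$", re.IGNORECASE)
# RFC 4515 escapes for characters that would alter an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldap_connection_string(value):
    """Split 'LDAP://server/base-DN' into (server, base_dn); reject other shapes."""
    m = LDAP_URL.match(value.strip())
    if not m:
        raise ValueError("expected LDAP://<server>/<base DN>, got %r" % value)
    return m.group(1), m.group(2)


def escape_filter_value(value):
    """Escape a value so it is treated as data inside a filter, never as syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_member_of_filter(group_dn):
    """Return the (memberOf=...) customFilter for a group DN, escaped per RFC 4515."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def check_provider_config(xml_text, provider_name="ad"):
    """Return a list of findings for the named membership provider; [] means clean."""
    root = ET.fromstring(xml_text)
    conn_strings = {e.get("name"): e.get("connectionString")
                    for e in root.findall("./connectionStrings/add")}
    provider = next((e for e in root.iterfind(".//membership/providers/add")
                     if e.get("name") == provider_name), None)
    if provider is None:
        return ["membership provider %r not found" % provider_name]
    findings = []

    # The provider must reference a connection string that actually exists.
    cs_name = provider.get("connectionStringName", "")
    if cs_name not in conn_strings:
        findings.append("connectionStringName=%r matches no <connectionStrings> entry (have: %s)"
                        % (cs_name, ", ".join(sorted(conn_strings))))
    else:
        _server, base_dn = parse_ldap_connection_string(conn_strings[cs_name])
        # A group is a CN object; no user entries live beneath it in the tree,
        # which is the root cause described on the page.
        if base_dn.upper().startswith("CN="):
            findings.append("base DN %r is a group object; point the connection string at a parent "
                            "container and select members with customFilter" % base_dn)

    custom_filter = provider.get("customFilter")
    if custom_filter is None:
        findings.append("no customFilter: every user under the base DN will be listed")
    elif custom_filter.count("(") != custom_filter.count(")"):
        findings.append("customFilter has unbalanced parentheses: %r" % custom_filter)

    # Bind credentials: insist on a protected channel and on real values.
    if provider.get("connectionProtection", "").lower() != "secure":
        findings.append("connectionProtection is not 'Secure'; bind credentials may travel in clear text")
    if provider.get("connectionPassword", "").startswith("["):
        findings.append("connectionPassword is still the placeholder from the sample configuration")
    return findings


if __name__ == "__main__":
    for finding in check_provider_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample, the check reports the connectionStringName mismatch and the placeholder password; renaming the reference to ManagersConnString and supplying a real bind password brings the finding list to empty, and pointing the connection string at CN=Managers instead of the domain root brings back the group-object finding.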

(Screenshot: User Manager with AD users)


Happy Active Directory Configuration 🙂