Enabling Windows Authentication Sitecore 9.2
Sitecore 9.2 Identity Server VS Windows Authentication
It is an internal website that uses Windows Authentication to authenticate the user. A custom Sitecore Membership Provider uses the Windows user ID to pull all profile information from Active Directory over Lightweight Directory Access Protocol (LDAP), such as email, first name, last name, manager information, roles, and more. So it is crucial to have Windows Authentication working 100% on Sitecore 9.2. Most importantly, the website personalizes the content for the user based on their roles coming from LDAP. This document presents a solution for enabling Windows Authentication on Sitecore 9.2.
Challenge
As we all know, Sitecore 9.2 handles authentication through the Sitecore Identity Server, which is entirely different from Sitecore 8.2. So how are you going to get Windows Authentication working on Sitecore 9.2?
The Windows Authentication implementation is as simple as having a Default.aspx inside the WindowsAuthentication folder in the site root folder. The code inside Default.aspx is what you see in the screenshot below.
Figure 1: Windows Authentication implementation
The problem is that in Sitecore 9.2, LOGON_USER returns empty. Furthermore, when you try to get the Windows identity username through System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns the anonymous user or the application pool identity name. It will not give you the Windows user ID that is logged in to the Windows computer or Windows virtual machine.
I realize that Sitecore 9.2 out-of-the-box no longer supports Windows Authentication. To have the user authenticate on the website using Windows Authentication, I had to perform the steps below. Furthermore, I reached out to Sitecore Support, and they confirmed that the only way to have Windows Authentication is to disable the Sitecore Identity.
Build Sitecore Windows Authentication Login
I wanted to share with you my Site definitions, where I highlighted some attributes such as the domain, requiredLogin, loginPage.
Figure 2: Configure Site for windows authentication and extranet domain
Enabling Windows Authentication on IIS
- Open IIS.
- Expand your Sitecore install under the Sites node.
- Click on the WindowsAuthentication folder.
- In the right-hand pane, double click on Authentication under the IIS section.
- Disable Anonymous Authentication.
- Enable Windows Authentication.
- Disable all other types of Authentication.
- Click on the IIS server node to expand the Features View, then open the Configuration Editor under the Management section.
- Unlock all of these sections by navigating to each one from the Section drop-down list:
  - system.webServer/security/authentication/anonymousAuthentication
  - system.webServer/security/authentication/basicAuthentication
  - system.webServer/security/authentication/windowsAuthentication
Figure 5: Unlock the IIS Configuration Section related to Windows Authentication
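The same IIS steps can be scripted and then verified. The following PowerShell is an added example, not code from the original post. It assumes an elevated session, the WebAdministration module, and the Windows Authentication role service installed; the site name is a placeholder. It covers only the three sections named above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

# Assumption: placeholder site name; replace with the name shown under Sites in IIS Manager.
$site     = 'YOUR-SITECORE-SITE'
$location = "$site/WindowsAuthentication"
$base     = '/system.webServer/security/authentication'

# Desired state for the three sections listed in the steps above.
$desired = [ordered]@{
    anonymousAuthentication = $false
    basicAuthentication     = $false
    windowsAuthentication   = $true
}

foreach ($name in $desired.Keys) {
    $filter = "$base/$name"

    # Unlock the section at server level (the Configuration Editor step).
    Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' `
        -Metadata overrideMode -Value Allow

    # Apply the setting to the WindowsAuthentication folder only, not the whole site.
    Set-WebConfigurationProperty -Filter $filter -PSPath 'IIS:\' `
        -Location $location -Name enabled -Value $desired[$name]
}

# Read the effective values back and compare them with the desired state.
$report = foreach ($name in $desired.Keys) {
    $actual = (Get-WebConfigurationProperty -Filter "$base/$name" -PSPath 'IIS:\' `
        -Location $location -Name enabled).Value
    [pscustomobject]@{
        Section  = $name
        Expected = $desired[$name]
        Actual   = $actual
        Ok       = ($actual -eq $desired[$name])
    }
}
$report | Format-Table -AutoSize

# Fail loudly if anonymous or basic access is still on, or Windows auth is off.
if ($report.Ok -contains $false) {
    throw "Authentication settings on '$location' do not match the expected state."
}
```

Unlocking a section at server level lets every site's web.config override it, so re-run the verification part after deployments to confirm the folder still rejects anonymous requests.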
Enable Windows Authentication on Web.Config
Also, I have added the following section to the web.config to ensure the configuration takes effect in case you forget to configure IIS.
Figure 6: Web.Config configuration for Windows Authentication
Disable Identity Server
A workaround to have Windows Authentication working on Sitecore 9.2 is to disable the Identity Server. In addition to some changes to the web.config, Sitecore provides patch config files that disable the Identity Server.
The patch file below does the following:
- Sets the Enabled property of the SitecoreIdentityServer provider to false.
- Patches the loginPage attributes of the shell and admin sites to their initial values (/sitecore/login and /sitecore/admin/login.aspx).
Figure 7: Disabling the Sitecore Identity Server
To disable OWIN and federated authentication, patch the following config into your Sitecore instance.
The config patch below does the following:
- Sets Owin.Authentication.Enabled and FederatedAuthentication.Enabled to false.
- Patches the loginPage attributes of the shell and admin sites to their initial values (/sitecore/login and /sitecore/admin/login.aspx).
Figure 8: Disabling Owin and Federated Authentication
Add this setting to the web.config file:
Restore the original authentication node in the web.config file:
Finally, build your solution, deploy it to the website, and enjoy your website.
I hope you find this blog very helpful. In case you need further assistance with your Sitecore implementation, do not hesitate to reach out to our XC Support Team.