ILearnable .Net

September 20, 2010

Windows authentication nightmare gone bad…. with a vengeance…

Filed under: Uncategorized — andreakn @ 21:11
Tags: , , ,

Today I spent a large portion of my day chasing around bugs related to windows authentication and episerver.

My basic premise was this:
– End users will connect to the site I’m making use IE7 under “local intranet” thereby magically getting access without logging in. (WindowsRoleProvider)
– developers / support personnel / admins will use EPiServer logins (SqlRoleProvider)
– in order to get this to work I need to use the MultiplexingRoleProvider.

There are numerous writeups on how to use the multiplexingroleprovider, but none actually say out loud *you cannot use MultiplexingRoleProvider and ALSO get automatic NTLM windows authentication* So now I’ve said it.

The first hint I got was this image from IIS when I tried to set it up: where IIS7 complained that you cannot have your cake and eat it too (you can’t use both challenge-based (NTLM) and redirect-based (Forms) auth in the same app.

I talked to a few guys I trust and they convinced me that “it should be possible, I think I have done it at some point but I can’t remember how”. Time would convince me otherwise, though.

Setting up Multiplexer is easy, just look here:
I always wondered what the “BUILTIN\” signifies in WindowsMembershipProvider, for the record it is there to nullify the prefix of the local groups on the machine (Administrators and Everyone) which are actually called BUILTIN\Administratos and BUILTIN\Everyone when under UAC

I was able to set up the MPRP easily enough, but the IE auto-login didn’t work.

I was able to get IE auto-login to work, but only using windows authentication only.
Also I wasn’t able to log in to localhost for some reason. but when I accessed the server from a different machine I could authenticate.

So then I got carried away on a wild goose chase (maybe?) with there might be problems using windows auth on localhost: So I regedited the server a few times and reset it a few times, cursed the sky a few times, fetal-cried a few brave tears, then I pulled myself together and went for one final google-push.

And lo and behold:

Turns out that when UAC is turned on on a Windows Server 2008, the BUILTIN\Administrators group is banned from authenticating, but only when the request is made from the local machine. (how weird is that? probably some security scenario I’m too tired to consider) So the final solution was to greate a new local group and assign appropriate God-like priviliges to that group, (I considered calling it Developersdevelopersdevelopers) and put all the devs into that group and configure the site to accept users belonging to devdevdev. So that we can deploy the site (admins only.. UAC is your friend here to help you) and also test that the deploy went well, all on the same machine.


Blog at