Separate authenticataion for edit/admin

Hi. Can anyone give me a quick hint/example as how to completely separate the authentication for edit/admin pages from the authentication used in the actual web site? If I set a custom section in web.config like I will get an error "it is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS." Ok, so if I configure edit and admin as applications, instead I get a "file not found" error in the httpmodules workflow section. (Since these subapplications look for the episerver dll.s in its own bin-directory.) Tried to copy the dll-s to edit\bin but ran into a new error "ClassFactory not initialized" I suppose there is a standard way to do this that I'm missing?
May 02, 2007 11:13
The usual way to accomplish what you want is to have a separate Edit/Admin-site parallell to the web site (two EPiServer installation pointing to the same database). The edit/admin-site can then have another authentication mode than the public website (some also use another port number to make it a little more difficult for hackers). Regards Johan Olofsson
May 03, 2007 15:03
I've created an EPiServer site with two different types of authentication + EPiServer authentication, without using more than one site. An ASP.NET site can only have one authentication and one loginURL. An unauthenticated user (trying to access a protected page) will always be redirected to the page specified in loginURL (for example MainLogin.aspx). In MainLogin.aspx you have to find out if the user wants log in to edit/admin, or is trying to access a page on your site. If trying to access a page on your site, redirect to your custom login page. Since I had two different types of authentication, I also had to find out what section of the site the user was trying to access, and redirect the user to one of the two custom login pages.
May 09, 2007 14:03
Cool. But could you mix Windows with Forms authentication within the same site? /johan
May 09, 2007 16:08
I didn't try that but I dont see that it should be a problem. I created two custom EPiServer authentication providers and added these to the authentication provider chain (as specified in I removed the windows authentication provider from the chain since we don't need it, but I guess that if it was still there it would be possible to log in with a "windows login". When creating this solution I also solved an issue with the EPiServer authentication provider chain solution: If two different kind of users (using different kinds of authentication) are having the same username, you will get a problem. For example, use a default installation of EPiServer (4.61 in my case) and add a user in the admin tool with the same username as a "windows user" on the same machine/domain. The user will function fine in EPiServer, but after a while the windows account gets locked because EPiServer also tries to authenticate the user in the active directory. I had to solve this so that a username just needed to be unique for that type of user. But the solution wasn't very pretty... :-)
May 11, 2007 10:16
But the problem was (as far as I've understood it), that Asp.Net wont let you specify a different "authentication mode" for separate locations within the site. Say for example that you want "/edit" and "/admin" authenticated with (so users can be authenticated through NTLM challenge/response and wont have to see a login page at all) and the rest of the site be using (for extranet users) If that's the scenario, I dont think there is a way but setting up two parallell sites towards the same database, one edit/admin-site with and the other with . Regards, Johan Olofsson
May 11, 2007 11:43
No, you're probably right. If you don't want to have a login form at all you can't use this approach.
May 11, 2007 12:14
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.