Active Directory integration with Sitecore on Azure PaaS

On a recent project we came across the key requirement of Single Sign-On (SSO) for a Sitecore 8.2 Update 2 PaaS implementation on Microsoft’s Azure. Integrating the client’s Active Directory (AD) domain with Sitecore 8.2 Update 2 was a challenge because:

  1. The Sitecore XP on Microsoft Azure compatibility table explicitly states that Active Directory (component or module) is not supported.
  2. Azure VNET Integration with an Azure web app does not support Active Directory integration, as mentioned in the Azure Web Apps documentation.

The matter was more interesting because:

  1. Sitecore’s website offered no clarification on integrating an Azure web app (Sitecore PaaS CM) with Active Directory or Azure Active Directory; it said only that this is not supported, not what the workaround is.
  2. Nor did Microsoft’s Azure Web Apps documentation say whether AD integration is wholly or only partially unsupported, or which part of AD is incompatible with Azure Web Apps.

Hence the need for a Proof of Concept (PoC) arose, along with checking with our Sitecore and Microsoft counterparts on their official support stance should our PoC work.

Creating Microsoft Active Directory domain in Azure

  1. First, Sitecore XP 8.2 Update 2 was spun up in Azure.
    [Image: Sitecore Azure Resources]
  2. We created the following, all in the same Azure Resource Group as the Sitecore XP resources:
    • Virtual network (VNET)
    • Subnets (Gateway, Web management)
    • VNET Gateway in the GatewaySubnet
    • A point-to-site address pool allocated outside the VNET address range
    • Virtual machine (VM)
    [Image: VNET VM Azure Resources]
    [Image: Azure VNET VPN Gateway Configuration for Web App VNET Integration]
  3. How is it all wired?
    VN-PAAS-Sitecore is the virtual network (VNET) that connects to the Sitecorevanilla Azure Web App. In the image below, under the Networking section of the Sitecorevanilla web app, VNET Integration shows Connected to the VN-PAAS-Sitecore VNET.
    [Image: VNET Web App Connectivity]
  4. The VN-PAAS-Sitecore VNET has two connected devices in it: a virtual network gateway (VPN- -VN-PAAS-Sitecore) and a network interface (nic-M 1-C-SCOD).
    [Image: VNET Devices]
  5. The network interface (nic-M 1-C-SCOD) is attached to the virtual machine (M 1-C-SCOD) that hosts Active Directory.
    [Image: NIC 2 VM Connectivity]
  6. The Active Directory we configured for this PoC looks something like the image below, which shows the domain controller virtual machine (M 1-C-SCOD).
    [Image: Domain Controller]
  7. The Organisational Unit (OU) called sitecore that we created in the AD, and the groups assigned to that sitecore OU.
    [Image: Sitecore OU Related Groups in AD]
  8. Last but not least, Joe Bloggs, the AD user we will use to test a successful login into Sitecore.
    [Image: Joe Bloggs User in AD]
  9. This user belongs to the TestDomainLocalGroup AD group.
    [Image: Joe Bloggs AD Group]

Integrating Microsoft Active Directory domain in Sitecore Content Management (CM) Azure Web App

  1. For integrating the AD domain into Sitecore, the obvious choice was Sitecore’s Active Directory Module 1.3, which is built specifically for Sitecore XP 8.2.

    The Sitecore XP Active Directory module provides the integration of a Microsoft Active Directory domain with a Sitecore XP solution. You can integrate the available domain users and groups into Sitecore XP as Sitecore users and Sitecore roles immediately after the module installation and configuration. Moreover, user profiles can easily be extended with custom properties from Active Directory.

  2. We downloaded the module from here, along with the guide on how to install, configure, and use the Active Directory module.
  3. For the purpose of our PoC we focused on Chapter 2 (pages 5 to 11) of the guide.
  4. We first installed the Sitecore Active Directory component 1.3 rev. 161017.zip module using the Installation Wizard.
    [Image: Sitecore Active Directory Module 1.3 Installation]
  5. Once the module was installed, we modified the following files as per the guide:
    • Modified the /App_Config/ConnectionStrings.config file to add a Connection String to the Active Directory Domain.
      We added the following just before the </connectionStrings> tag.

      <add name="ManagersConnString" connectionString="LDAP://1xx.1x.1x.1xx:389/DC=companyADdomain,DC=company,DC=com" />

      One can also specify an Organisational Unit (OU) within this string, as shown below, but it restricts user visibility to that OU – so be aware!

       <add name="ManagersConnString" connectionString="LDAP://1xx.1x.1x.1xx:389/OU=sitecore,DC=companyADdomain,DC=company,DC=com" />

      Refer to pages 5 and 6 of the guide; they have very useful details.

    • Modified the /App_Config/Security/Domains.config.xml file to add a new domain.
      We added

       <domain name="ad" ensureAnonymousUser="false"/>

      just before

       <domain name="extranet" />
    • The penultimate but important set of changes is to the web.config file, to configure the ASP.NET security providers (Membership, Role and, optionally, Profile) and to activate the switching providers.

    • Configuring Membership Provider:
      We searched for the <membership> element in the <system.web> section and added the following code (remember the order is not important)

       <add name="ad"
       type="LightLDAP.SitecoreADMembershipProvider"
       connectionStringName="ManagersConnString"
       applicationName="sitecore"
       minRequiredPasswordLength="1"
       minRequiredNonalphanumericCharacters="0"
       requiresQuestionAndAnswer="false"
       requiresUniqueEmail="false"
       connectionUsername="[put the user here]"
       connectionPassword="[put the password here]"
       connectionProtection="Secure"
       attributeMapUsername="sAMAccountName"
       enableSearchMethods="true" />

      Including the connectionProtection attribute set to Secure requires that we add one more element to the <system.web> section – Machine key attributes:

       <!-- Machine key attributes -->
      <machineKey
      validationKey="BDDFE367CD36AAA81E195761BEFB073839549FF7B8E34E42C0DEA4600851B0065856B211719ADEFC76F3F3A556BC61A5FC8C9F28F958CB1D3BD8EF9518143DB6"
      decryptionKey="0DAC68D020B8193DF0FCEE1BAF7A07B4B0D40DCD3E5BA90D" validation="SHA1" />

      Refer to pages 7, 8 and 9 of the guide for more details.

    • Configuring Role Provider:
      We searched for the <roleManager> element in the <system.web> section and added the following code (remember the order is not important)

       <add name="ad" type="LightLDAP.SitecoreADRoleProvider"
            connectionStringName="ManagersConnString"
            applicationName="sitecore" 
            username="[put the user here]"
            password="[put the password here]"
            attributeMapUsername="sAMAccountName" 
            cacheSize="12MB" />

      Refer to page 9 of the guide for more details.
      Note: we gave a slightly larger cache size than the default 2MB.

    • Configuring the Profile Provider:
      Since it is optional, we left it out.
    • Activating the Switching Providers:
      • Note: this is the step we missed completely in our excitement to get the PoC working! It caused a roadblock, about which I have written a separate blog post that may be useful if you see the message below on the Provider Status page.
        The multiple providers service is OFF
      • Basically, in the web.config file, in the <system.web> section, search for the <membership> element, find the provider called sitecore and set its realProviderName attribute to switcher.
        <membership defaultProvider="switcher" hashAlgorithmType="SHA1">
      • In the same way, within the <system.web> section, search for the <roleManager> element, find the provider called sitecore and set its realProviderName attribute to switcher.
        <roleManager defaultProvider="switcher" enabled="true">

        Refer to page 10 of the guide for more details.

      • Final changes to the /App_Config/Sitecore.config file, adding the domain-provider mappings:
        Search for the <switchingProviders> element in Sitecore.config; it contains three groups: <membership>, <roleManager> and <profile>. We added the following line to all three groups (remember the order is not important):

        <provider providerName="ad" storeFullNames="false" wildcard="*" domains="ad" />

        So the section will look as below:

        <!-- SWITCHING PROVIDERS -->
        <switchingProviders>
             <membership>
                  <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" />
                  <provider providerName="ad" storeFullNames="false" wildcard="*" domains="ad" />
             </membership>
             <roleManager>
                  <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" ignoredUserDomains="" allowedUserDomains="" />
                  <provider providerName="ad" storeFullNames="false" wildcard="*" domains="ad" />
             </roleManager>
             <profile>
                  <provider providerName="ad" storeFullNames="false" wildcard="*" domains="ad" />
                  <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" ignoredDomains="" />
             </profile>
        </switchingProviders>

        Refer to page 10 of the guide for more details.
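As an added example (not code from the original post or from Sitecore), here is a small Python check of the web.config and Sitecore.config wiring described in the steps above, run against constructed fragments modelled on the snippets in this post. It flags the sitecore provider still pointing at sql (the state behind "The multiple providers service is OFF"), a missing <machineKey> when the AD membership provider uses connectionProtection="Secure", and any switchingProviders group without the ad domain mapping.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not a real deployment): the "missed step" state, with the
# sitecore membership provider still pointing at sql and no <machineKey> despite Secure.
WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="switcher" hashAlgorithmType="SHA1"><providers>
    <add name="sitecore" realProviderName="sql" />
    <add name="ad" type="LightLDAP.SitecoreADMembershipProvider"
         connectionStringName="ManagersConnString" connectionProtection="Secure" />
  </providers></membership>
  <roleManager defaultProvider="switcher" enabled="true"><providers>
    <add name="sitecore" realProviderName="switcher" /><add name="ad" type="LightLDAP.SitecoreADRoleProvider" />
  </providers></roleManager></system.web></configuration>"""

# Constructed Sitecore.config fragment: the ad mapping was added to two of the three groups only.
SITECORE_CONFIG = """<sitecore><switchingProviders>
  <membership><provider providerName="sql" domains="*" /><provider providerName="ad" domains="ad" /></membership>
  <roleManager><provider providerName="sql" domains="*" /><provider providerName="ad" domains="ad" /></roleManager>
  <profile><provider providerName="sql" domains="*" /></profile>
</switchingProviders></sitecore>"""

def check_web_config(xml_text):
    """Return findings for the <membership>/<roleManager> switching wiring and the machineKey rule."""
    root, findings = ET.fromstring(xml_text), []
    for section in ("membership", "roleManager"):
        elem = next(root.iter(section), None)
        providers = {} if elem is None else {p.get("name"): p for p in elem.iter("add")}
        if elem is None or elem.get("defaultProvider") != "switcher":
            findings.append(f"{section}: defaultProvider must be 'switcher'")
        # A 'sitecore' provider still pointing at sql is what puts the Provider Status page into
        # "The multiple providers service is OFF".
        if providers.get("sitecore") is None or providers["sitecore"].get("realProviderName") != "switcher":
            findings.append(f"{section}: provider 'sitecore' needs realProviderName='switcher'")
        if "ad" not in providers:
            findings.append(f"{section}: provider 'ad' is not registered")
    secure = any(p.get("connectionProtection") == "Secure" for p in root.iter("add"))
    if secure and next(root.iter("machineKey"), None) is None:
        findings.append("machineKey: required when connectionProtection='Secure'")
    return findings

def missing_ad_mappings(xml_text):
    """Return the switchingProviders groups lacking a providerName="ad" domains="ad" mapping."""
    root = ET.fromstring(xml_text)
    return [group for group in ("membership", "roleManager", "profile")
            if not any(p.get("providerName") == "ad" and p.get("domains") == "ad"
                       for g in root.iter(group) for p in g.findall("provider"))]

if __name__ == "__main__":
    print(check_web_config(WEB_CONFIG), missing_ad_mappings(SITECORE_CONFIG))
```

Point the two functions at the real files' contents after the edits above and both should come back empty.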

Check if Active Directory Groups and Users are visible

So now one would think that, since we had followed all the instructions in the Active Directory module’s guide to the letter, we would be able to check whether the AD domain’s groups and users were visible. But (there is always a but) we faced an error: a login attempt caused the Sitecore CM web app to crash! I have written a separate blog post about it.

Once we had resolved the error and logged in successfully, we could verify that the Active Directory domain, groups and users were visible in Sitecore’s Domain, Role and User Managers.

Domain Manager
With our custom domain “ad”.
[Image: Domain Manager]

Role Manager
With our test AD groups as Sitecore roles – TestGlobalGroup, TestDomainLocalGroup and TestUniversalGroup – along with a few other groups.
[Image: Role Manager]

User Manager
With our test AD user as a Sitecore user – Joe Bloggs – along with a few other users.
[Image: User Manager]

With the AD domain, groups and users visible and confirmed as a Sitecore domain, roles and users, we moved on to configuring them so that our AD user Joe Bloggs could log in to Sitecore.

Configure Active Directory Groups to Sitecore Roles in Sitecore Roles Manager

Now this is slightly complicated, so let me try to explain it visually first:

Sitecore Roles
    sitecore\Sitecore Client Author
      + sitecore\List Manager Editors (Role)
      + ad\TestDomainLocalGroup (AD Group now as a Role)
      + sitecore\Author (Role)

Active Directory Groups
    ad\TestDomainLocalGroup
      + ad\joebloggs
    ad\TestGlobalGroup
    ad\TestUniversalGroup

The Sitecore role we are testing is sitecore\Sitecore Client Author, which has the content authoring permissions we want our AD user Joe Bloggs to have.

The AD user ad\joebloggs is a member of the ad\TestDomainLocalGroup group within the AD, and that group is visible in Sitecore as the role ad\TestDomainLocalGroup. We added this ad\TestDomainLocalGroup role as a member of the sitecore\Sitecore Client Author role.

[Image: AD Group Member of Sitecore Role]

And now the final piece of the jigsaw: testing whether the AD user ad\joebloggs can log in to Sitecore.

[Image: Joe Bloggs Sitecore Login]
[Image: Joe Bloggs Sitecore Launch Pad and Content Editor]

[Image: Sitecore Logs Diagnostic Console]

As you can see from the images above, our AD user ad\joebloggs can successfully log in to Sitecore CMS and access the areas to which we have given permissions.

I appreciate this is a very long blog post, but I wanted to share this PoC of a Sitecore Azure PaaS implementation with Active Directory. Special thanks to Vijay Thakorlal for being my partner in crime.

Hope this helps my fellow Sitecorians in the world of Azure!

Happy Sitecoring!


3 thoughts on “Active Directory integration with Sitecore on Azure PaaS”

  1. Any word from Sitecore as to why the AD module is listed as unsupported for Azure PaaS, but you were able to get it working?

    • They did comment that in theory it should work, but since Sitecore haven’t thoroughly tested it internally on Azure PaaS, the official statement is that it is not supported.
