
Enabling Windows Authentication — Sitecore 9.2

Sitecore 9.2 Identity Server VS Windows Authentication

The site in question is an internal website that uses Windows Authentication to authenticate the user. A custom Sitecore Membership Provider uses the Windows userId to pull all profile information from Active Directory over Lightweight Directory Access Protocol (LDAP), such as email, first name, last name, manager information, roles, and more. Most importantly, the website personalizes content for the user based on the roles coming from LDAP, so it is crucial to have Windows Authentication working 100% on Sitecore 9.2. This document presents a solution for enabling Windows Authentication on Sitecore 9.2.

Challenge

Here is the challenge: as we all know, Sitecore 9.2 handles authentication through the Sitecore Identity Server, which is entirely different from Sitecore 8.2. So how do you get Windows Authentication working on Sitecore 9.2?

The Windows Authentication implementation is as simple as having a Default.aspx inside the WindowsAuthentication folder at the site root folder. The code inside Default.aspx is what you see in the screenshot below.


Figure 1: Windows Authentication implementation

The problem is that in Sitecore 9.2, “LOGON_USER” returns empty. Furthermore, when you try to get the Windows identity username through System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns the anonymous user or the application pool identity name. It does not give you the Windows userId of the user logged in to the Windows computer or Windows virtual machine.

I realize that Sitecore 9.2 out of the box no longer supports Windows Authentication. To have the user authenticate on the website using Windows authentication, I had to perform the steps below. Furthermore, I reached out to Sitecore Support, and they confirmed that the only way to have Windows authentication is to disable Sitecore Identity.

Build Sitecore Windows Authentication Login

I wanted to share my site definition with you, where I highlighted some attributes such as domain, requireLogin, and loginPage.


Figure 2: Configure Site for windows authentication and extranet domain

Enabling Windows Authentication on IIS

  1. Open IIS.
  2. Expand your Sitecore install under the Sites node.
  3. Click on the WindowsAuthentication folder.
  4. In the right-hand pane, double click on Authentication under the IIS section.
  5. Disable Anonymous Authentication.
  6. Enable Windows Authentication.
  7. Disable all other types of Authentication.
  8. Click on the IIS server node to open its Features View, then open the Configuration Editor under the Management section.
  9. Unlock each of these sections by selecting it from the Section dropdown list:
    1. system.webServer/security/authentication/anonymousAuthentication
    2. system.webServer/security/authentication/basicAuthentication
    3. system.webServer/security/authentication/windowsAuthentication


Figure 5: Unlock the IIS Configuration Section related to Windows Authentication
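
The same IIS steps can be scripted and then read back to confirm the result. This is an added example, not part of the original post; it assumes the WebAdministration module is available, and the site name is a placeholder you must replace.

```powershell
Import-Module WebAdministration

$siteName = 'YourSitecoreSite'   # placeholder: your IIS site name (not from the article)
$location = "$siteName/WindowsAuthentication"
$authRoot = 'system.webServer/security/authentication'

# Steps 5-7: anonymous and basic off, Windows on, for the folder only.
# Any other installed provider (digest, for example) is disabled the same way.
$desired = [ordered]@{
    anonymousAuthentication = $false
    basicAuthentication     = $false
    windowsAuthentication   = $true
}

# Step 9: unlock the three sections at server level so web.config may set them.
foreach ($section in $desired.Keys) {
    Set-WebConfiguration -PSPath 'IIS:\' -Filter "/$authRoot/$section" `
        -Metadata overrideMode -Value Allow
}

foreach ($section in $desired.Keys) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "/$authRoot/$section" -Name enabled -Value $desired[$section]
}

# Read the effective values back and warn on any mismatch.
foreach ($section in $desired.Keys) {
    $actual = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "/$authRoot/$section" -Name enabled).Value
    if ($actual -ne $desired[$section]) {
        Write-Warning "$section is $actual for $location, expected $($desired[$section])"
    }
}
```

Unlocking at the server node applies to every site on that server, so any site's web.config can then change these three sections.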

Enable Windows Authentication on Web.Config 

I also added the following section to the web.config so that the configuration still takes effect in case you forget to configure IIS.

Figure 6: Web.Config configuration for Windows Authentication

Disable Identity Server

A workaround to get Windows authentication working on Sitecore 9.2 is to disable the Identity Server. In addition to some changes to the web.config, Sitecore provides patch config files that disable the Identity Server.

The patch file below does the following:

  • Sets the Enabled property of the SitecoreIdentityServer provider to false.
  • Patches the loginPage attributes of the shell and admin sites to their initial values (/sitecore/login and /sitecore/admin/login.aspx).


Figure 7: Disabling the Sitecore Identity Server

To disable OWIN and federated authentication, patch the following config into your Sitecore instance.

The config patch below does the following:

  • Sets Owin.Authentication.Enabled, and FederatedAuthentication.Enabled to false.
  • Patches the loginPage attributes of the shell and admin sites to their initial values (/sitecore/login and /sitecore/admin/login.aspx).

Figure 8: Disabling Owin and Federated Authentication

Add this setting to the web.config file:

<add key="owin:AutomaticAppStartup" value="false" />

Restore the original authentication node in the web.config file:

<authentication mode="None">
      <forms name=".ASPXAUTH" cookieless="UseCookies" />
</authentication>
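
Before deploying, the web.config can be checked for the three settings this article relies on. This is an added example, not the author's code: the embedded web.config is a constructed sample (its location block is the standard IIS form, not a copy of Figure 6), and Test-WindowsAuthWebConfig is a hypothetical helper name.

```powershell
# Constructed sample web.config, reduced to the nodes this article touches.
[xml]$sample = @'
<configuration>
  <appSettings>
    <add key="owin:AutomaticAppStartup" value="false" />
  </appSettings>
  <system.web>
    <authentication mode="None">
      <forms name=".ASPXAUTH" cookieless="UseCookies" />
    </authentication>
  </system.web>
  <location path="WindowsAuthentication">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Test-WindowsAuthWebConfig {   # hypothetical helper, returns a list of findings
    param([xml]$Config, [string]$Folder = 'WindowsAuthentication')
    $findings = @()
    $owin = $Config.SelectSingleNode("/configuration/appSettings/add[@key='owin:AutomaticAppStartup']")
    if (-not $owin -or $owin.GetAttribute('value') -ne 'false') {
        $findings += 'owin:AutomaticAppStartup is not set to false'
    }
    $mode = $Config.SelectSingleNode('/configuration/system.web/authentication')
    if (-not $mode -or $mode.GetAttribute('mode') -ne 'None') {
        $findings += 'system.web/authentication mode is not None'
    }
    $auth = "/configuration/location[@path='$Folder']/system.webServer/security/authentication"
    $anon = $Config.SelectSingleNode("$auth/anonymousAuthentication")
    $win  = $Config.SelectSingleNode("$auth/windowsAuthentication")
    if (-not $anon -or $anon.GetAttribute('enabled') -ne 'false') {
        $findings += "anonymousAuthentication is not disabled for $Folder"
    }
    if (-not $win -or $win.GetAttribute('enabled') -ne 'true') {
        $findings += "windowsAuthentication is not enabled for $Folder"
    }
    return $findings
}

$result = Test-WindowsAuthWebConfig -Config $sample
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'web.config matches the expected settings' }
```

To check a deployed site, load its file with `[xml](Get-Content <path to web.config> -Raw)` and pass that as `-Config`.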

Finally, build your solution, deploy it to the website, and enjoy your website.

I hope you find this blog helpful. If you need further assistance with your Sitecore implementation, do not hesitate to reach out to our XC Support Team.