Ok, I'm new to Sitefinity (just started evaluating it today), but I think I might have some answers for you. We're in a similar boat, needing to use AD credentials for the administration and "other" for the public web users. You can probably use Sitefinity's built-in membership components, but, in our case, I'm going to need to integrate it with our third-party CMS. Should be loads of fun. But, for now, I have it working with AD and Sitefinity as the two authentication sources.
The documentation is really lacking in this area - I was expecting simple step-by-step instructions, since this is a feature I think plays a major role in the decision to use Sitefinity in the first place. But here's a rundown of what I did, all taken from several articles in the help.
First, add a connectionString (leave the default Sitefinity one in place). Should look like:
| <add name="ActiveDirectory" connectionString="LDAP://yourDomainName" /> |
Second, add a roleManager provider (again, leave the default alone):
|<add connectionStringName="ActiveDirectory" groupMaps="ADgroup" |
| name="Active Directory" type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security" /> |
Replace "ADgroup" with the name of your AD security group for Sitefinity to read. If you have multiples, separate with commas. Edit the roleManager element and set the defaultProvider="Active Directory"
Third, add a membership provider:
|<add connectionStringName="ActiveDirectory" enableSearchMethods="true" |
| attributeMapUsername="sAMAccountName" connectionUsername="ADuserName" |
| connectionPassword="ADpassword" name="Active Directory" type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security" /> |
Replace ADuserName and ADpassword with the credentials of a user with AD access rights. If you leave these properties out, the ASP.NET account with be used, which may work just fine for you. Edit the membership element and set the defaultProvider="Active Directory"
Finally, edit the security element (under telerik), edit the cmsProvidersName="Active Directory" under the roles element, add in the group(s) you defined earlier in the roleManager step:
|<add name="ADgroup" permission="Unrestricted" /> |
Replace ADgroup with the group name you used previously. Add as many as you need, with the appropriate permissions.
I *think* those are all the changes I made, but I tried so many things, I could have left something out. That should enable you to log in to the admin interface using a user account that is a member of "ADgroup."
When you drop in a login control, click edit, then the edit button. Under data -> membershipProvider, enter Sitefinity to use the Sitefinity-native authentication. Leave blank to use the default, AD in this case. That way, you web users will authenticate against Sitefinity and your admin users against AD.
If an admin user is logged in through the admin login screen and goes to a membership-required section, their credentials will be used. If they're not logged in, their AD credentials won't work on a login control set to use Sitefinity. I imagine there's a way around this, I just haven't found it yet.
Hope that gets you started....