Using the same AD across multiple environments with Sitecore

One of the common ways to authenticate users is against an Active Directory. A few months ago we had an opportunity to implement AD authentication for one of our Sitecore implementations. Development went fine and we delivered the code up to the TEST environment.

Everything was fine through the TEST deployment. There were no major defects and we were ready to move to QA. At that point we ran into an issue: our client suggested that the system we designed should use the same AD for the QA and Staging environments as well. Below are some more requirements we got clarity on at that point.

1. Need to use the same AD for TEST, QA and Staging.
2. Should not use Sitecore roles for authorizing users' access to Sitecore pages.
3. Roles should be configured in AD and should work for all environments.
4. Should be able to register a user with the same email id across environments.
5. Some end users of the application will also act as Content Authors / Security Admins.

I am not going to go into all the details of how we achieved the above. This post is rather simple, explaining how easy it is to configure membership/role providers in Sitecore to meet some of the above requirements.

Our initial AD setup was to keep the Roles and Users under the same OU. We were not thinking about changing this approach. So, we tried to reinvent the wheel by skipping the Sitecore AD membership provider and calling our own Authentication Service, passing some environment variables and OU information. After a day we realized we were looking at it from the wrong angle. There is a rather simple solution to this problem.

We adjusted our AD OUs in such a way that the Roles sit outside of any environment-specific OU (e.g. TestOU, QAOU, StagingOU). This allowed us to register the same email id across different OUs. Secondly, we updated our connectionStrings with multiple LDAP:// connections: one for Roles (rolesConn) and the other for Users (usersConn).

Under the MembershipProvider element in web.config, we used the "usersConn" connectionString to configure the Active Directory membership provider, and used the "rolesConn" connectionString to configure the AD role provider under the RoleProvider element. Using web.config transformations, we updated the users connection string to point at a different OU for each environment, while the roles connection string stays the same everywhere.
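The setup described in the two paragraphs above, written out as an added example; this is not configuration from the original post. The domain and OU names (example.local, TestOU, QAOU, OU=Roles), the service account name and the provider type names (the Sitecore AD module's LightLDAP providers) are assumptions; the page only names the two connection strings. Sitecore's own provider-switching and domain mapping configuration is omitted. The first part is the base Web.config; the second is the Web.QA.config transform that only rewrites usersConn.

```xml
<!-- File: Web.config (base, deployed to TEST). Added example, not the post's own config. -->
<configuration>
  <connectionStrings>
    <!-- Users live in an environment-specific OU; this is the only value the
         transforms below override per environment. -->
    <add name="usersConn"
         connectionString="LDAP://dc.example.local/OU=TestOU,OU=Users,DC=example,DC=local" />
    <!-- Roles sit outside every environment OU, so TEST, QA and Staging share them. -->
    <add name="rolesConn"
         connectionString="LDAP://dc.example.local/OU=Roles,DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <membership>
      <providers>
        <!-- Provider type and attribute names follow the Sitecore AD module (assumed). -->
        <add name="ad"
             type="LightLDAP.SitecoreADMembershipProvider"
             connectionStringName="usersConn"
             applicationName="sitecore"
             connectionUsername="EXAMPLE\svc-sitecore-ldap"
             connectionPassword="[PLACEHOLDER: bind account password]"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>

    <roleManager enabled="true">
      <providers>
        <add name="ad"
             type="LightLDAP.SitecoreADRoleProvider"
             connectionStringName="rolesConn"
             applicationName="sitecore"
             username="EXAMPLE\svc-sitecore-ldap"
             password="[PLACEHOLDER: bind account password]"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </roleManager>
  </system.web>
</configuration>

<!-- File: Web.QA.config (transform). Only the users OU changes; rolesConn is untouched.
     A Web.Staging.config would be identical apart from OU=StagingOU. -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <connectionStrings>
    <add name="usersConn"
         connectionString="LDAP://dc.example.local/OU=QAOU,OU=Users,DC=example,DC=local"
         xdt:Transform="SetAttribute(connectionString)"
         xdt:Locator="Match(name)" />
  </connectionStrings>
</configuration>
```

Two things worth checking with this layout. Because the role OU is shared, adding someone to a role grants it in every environment at once, so role membership changes should be treated as production changes even when made "for TEST". And the bind account referenced by both providers only needs read access to those OUs; give it nothing more, and keep its password out of plaintext web.config (for example by encrypting the connectionStrings section with aspnet_regiis -pe on each server) rather than committing it with the transforms.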

The above setup allowed us to serve the requirements our client asked for.
