This is a quick guide showing how to configure Episerver to use Active Directory instead of Multiplexing/WindowsProvider. It does NOT show how to use Azure AD.
I'm testing this on a new Alloy site running Episerver 11.3.1.

NOTE: While this is a quick way of adding Active Directory support, I still recommend using ADFS or something similar instead.

Some good resources if you want to read more about this topic:

Active Directory

My AD setup.

  • Domain:
  • AD service account: [email protected]. This is a normal user account that is only used for connecting to the AD; it is referenced in the membership and role provider sections in Web.config.
  • AD user in the correct OU. In my case I will name my user josefweb and the OU will be Web.
  • AD groups named CmsAdmins and CmsEditors (you can name these groups whatever you want).

Here's an image of how my AD is set up. It's pretty standard; for this guide I've added a new OU (Organizational Unit) named Web, where I will add all users who should be able to access the Edit interface.

Adding new user to AD

The user also needs to be a member of the correct groups to be able to log in. I will add my user to the group CmsAdmins, which means that this user will be able to do everything in the CMS/admin (because we will map this role to the virtual role CmsAdmins further down).

Adding correct AD group to the user



Change the <membership> section to the following

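<membership defaultProvider="ActiveDirectoryMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
  <providers>
      <clear />
      <!-- connectionStringName points at the ActiveDirectoryProviderConnection connection string added further down; the connectionPassword value is a placeholder for the service account's password -->
      <add name="ActiveDirectoryMembershipProvider"
          type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="ActiveDirectoryProviderConnection"
          connectionUsername="[email protected]"
          connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
          attributeMapUsername="sAMAccountName" />
  </providers>
</membership>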

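Change the <roleManager> section to the following

<roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true">
    <providers>
        <clear />
        <!-- connectionStringName points at the ActiveDirectoryProviderConnection connection string added below; the connectionPassword value is a placeholder for the service account's password -->
        <add name="ActiveDirectoryRoleProvider"
         type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer.Cms.AspNet, Version=, Culture=neutral, PublicKeyToken=8fe83dea738b45b7"
         connectionStringName="ActiveDirectoryProviderConnection"
         connectionUsername="[email protected]"
         connectionPassword="PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD"
         attributeMapUsername="sAMAccountName" />
    </providers>
</roleManager>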


Add a new connection string named ActiveDirectoryProviderConnection to the <connectionStrings> section

    <add name="ActiveDirectoryProviderConnection" connectionString="LDAP://,DC=local,DC=josef,DC=guru" />

If you are unsure about how your LDAP connection string should look, read this.

Virtual roles

Next, map the virtual roles. We want our AD groups CmsAdmins and CmsEditors to map to the virtual roles CmsAdmins and CmsEditors, which is done by populating the roles attribute. I've also removed the default WebAdmins, WebEditors and Administrators roles.

<virtualRoles addClaims="true">
    <providers>
        <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CmsAdmins" mode="Any" />
        <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="CmsAdmins, CmsEditors" mode="Any" />
    </providers>
</virtualRoles>

Location sections

You will need to edit the authorization section under the following locations:

  • EPiServer
  • EPiServer/CMS/admin

The allow rule should look like this: <allow roles="CmsAdmins, CmsEditors" />


<location path="EPiServer">
    <system.web><authorization>
            <allow roles="CmsAdmins, CmsEditors" />
            <deny users="*" />
    </authorization></system.web>
</location>
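
A check for the location rules above, as an added example that is not part of the original post: it parses a Web.config and reports any of the two locations whose rules do not end with a catch-all deny or that allow roles other than the ones mapped in this guide. The sample fragment is constructed, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment. The second location is deliberately
# wrong (extra role, no catch-all deny) so the audit has something to report.
SAMPLE = """<configuration>
  <location path="EPiServer"><system.web><authorization>
    <allow roles="CmsAdmins, CmsEditors" />
    <deny users="*" />
  </authorization></system.web></location>
  <location path="EPiServer/CMS/admin"><system.web><authorization>
    <allow roles="CmsAdmins, WebAdmins" />
  </authorization></system.web></location>
</configuration>"""

GUIDE_PATHS = ("EPiServer", "EPiServer/CMS/admin")  # locations this guide edits
GUIDE_ROLES = {"CmsAdmins", "CmsEditors"}           # roles this guide allows


def audit_locations(config_xml, paths=GUIDE_PATHS, expected_roles=GUIDE_ROLES):
    """Return (path, problem) tuples for the <location> authorization rules."""
    root = ET.fromstring(config_xml)
    locations = {loc.get("path"): loc for loc in root.iter("location")}
    problems = []
    for path in paths:
        loc = locations.get(path)
        auth = next(loc.iter("authorization"), None) if loc is not None else None
        if auth is None:
            problems.append((path, "no authorization section"))
            continue
        rules = list(auth)
        # ASP.NET applies the first matching rule; if none matches, evaluation
        # falls through to inherited rules, which by default allow everyone.
        if not rules or rules[-1].tag != "deny" or rules[-1].get("users") != "*":
            problems.append((path, "rules do not end with deny users=*"))
        for rule in rules:
            if rule.tag != "allow":
                continue
            if rule.get("users") in ("*", "?"):
                problems.append((path, "allow rule admits everyone or anonymous"))
            roles = {r.strip() for r in rule.get("roles", "").split(",") if r.strip()}
            for extra in sorted(roles - expected_roles):
                problems.append((path, "unexpected role: " + extra))
    return problems


if __name__ == "__main__":
    for path, problem in audit_locations(SAMPLE):
        print(f"{path}: {problem}")
```
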

You should now be able to login!

Login with AD credentials