Making my way through Active Directory forests

In this blog post I share some of my experiences integrating with the Global Catalog service of multi-tiered Active Directory forests for Single Sign-On purposes. This solution provides a viable alternative to the Active Directory module, which is used by default for similar scenarios.

Writing this as I am flying back from Nashville, Tennessee. Too bad the in-flight wi-fi does not work, so I have to wait to post this until I am safe on the ground. It was one of those trips… Almost did not make it to the airport in time due to some serious snowfall all over Tennessee! Most of the state was crippled, unbelievable. Made it just before the Southwest people closed the gate!

This has been quite an interesting and challenging engagement involving all parties: Sitecore as the vendor, the partner as implementer, and the customer. What makes it even more exciting is that I was called in to work on some fancy Active Directory stuff! The partner brought us in to assist with the product configuration for this enterprise-level implementation. What I was presented with was truly interesting. The customer had quite an advanced Active Directory infrastructure built up with three mirrored AD forests, each containing a few nested domains. Each environment (DEV, QA and PROD) had a designated AD forest to connect to.

Here is the picture that more or less describes what I am referring to:

Such a setup requires a very efficient way of connecting to and querying an AD forest. Forests are generally huge within an enterprise, so it was logical to see the customer already relying on the Global Catalog feature in their existing integrations. The GC makes it efficient to query for objects (users, groups and resources) even in large forests; however, since the GC is simply a partial replica of what is stored within the domains, there are a few limitations. For example, not all attributes are replicated to the Global Catalog. The user password is one of them, so you cannot really authenticate against it.

To find out more about the Global Catalog, visit the following resources:

So the first thing I evaluated was the ability of our AD module to connect to a Global Catalog. Unfortunately, this proved to be impossible due to restrictions within the underlying Microsoft Active Directory Membership provider we rely on.

One of the alternative solutions I evaluated was based on a custom aspx web form which uses the System.DirectoryServices APIs to connect to and query a Global Catalog. This page was configured to be protected by IIS authentication (Windows or Basic). Since IIS was taking care of the authentication, the only thing this page required was the user token. I was able to retrieve it from either HttpRequest or HttpHeaders, depending on the authentication type. At that point, the user token was used to build a virtual user in Sitecore. Find out more about virtual user functionality here.

The group mapping was also implemented so that if one of the AD groups the user belongs to exists in Sitecore (matching name), the virtual user is assigned to that Sitecore role. At that point, the custom login page was able to log the user in and grant access to the appropriate resources. This turned out to be quite an elegant solution, and the best thing was that it fit nicely into the existing Single Sign-On infrastructure.
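The flow described above (IIS-authenticated page, Global Catalog lookup, AD-group-to-Sitecore-role mapping by name, virtual user login), as an added C# example that is not the author's prototype. It assumes a hypothetical `GcLogin` page code-behind, an `example.local` forest root, `extranet`/`sitecore` domain prefixes, and the Sitecore `AuthenticationManager`/`Role` API names shown; the GC-only-universal-groups limitation and the filter escaping are the practitioner caveats added here.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
using Sitecore.Security.Accounts;
using Sitecore.Security.Authentication;
// Hypothetical code-behind for the aspx login page. IIS (Windows or Basic) has already
// authenticated the request, so the page only consumes the resulting identity.
public partial class GcLogin : System.Web.UI.Page
{
    // Assumed forest root; the real GC naming context is customer-specific.
    private const string GcPath = "GC://DC=example,DC=local";
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated) { Response.StatusCode = 401; Response.End(); return; }
        // IIS supplies DOMAIN\sAMAccountName; the GC query only needs the account part.
        string logon = User.Identity.Name;
        string account = logon.Substring(logon.IndexOf('\\') + 1);
        var virtualUser = AuthenticationManager.BuildVirtualUser("extranet\\" + account, true);
        // AD group -> Sitecore role by matching name; groups without a Sitecore role are ignored.
        foreach (string g in GetGroupNames(account))
            if (Role.Exists("sitecore\\" + g)) virtualUser.Roles.Add(Role.FromName("sitecore\\" + g));
        AuthenticationManager.LoginVirtualUser(virtualUser);
        Response.Redirect("/sitecore", false);
    }
    // Read memberOf from the Global Catalog (GC:// ADSI provider, port 3268). Only universal
    // groups are in the GC partial attribute set, so global and domain local groups are absent.
    private static IEnumerable<string> GetGroupNames(string account)
    {
        using (var root = new DirectoryEntry(GcPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(sAMAccountName=" + EscapeFilter(account) + "))";
            searcher.PropertiesToLoad.Add("memberOf");
            SearchResult result = searcher.FindOne();
            if (result == null) yield break;
            foreach (string dn in result.Properties["memberOf"])
                yield return dn.Split(',')[0].Substring(3); // "CN=Editors,OU=..." -> "Editors"
        }
    }
    // RFC 4515 escaping so the identity name can never change the shape of the LDAP filter.
    private static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            if ("\\*()\0".IndexOf(c) >= 0) sb.AppendFormat("\\{0:x2}", (int)c); else sb.Append(c);
        return sb.ToString();
    }
}
```

If the customer relies on global or domain local groups, the lookup has to go to a domain controller of the user's own domain instead of the GC, or use the `tokenGroups` constructed attribute there.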

For those who remember the good old 5.3 days, this approach is very similar to the Live mode of the LDAP module.

The prototype has been implemented and proven in the customer's environment.

A great testament to how nicely Sitecore fits into an enterprise environment, thanks to the product's openness to all sorts of integration scenarios.

Do you leverage Active Directory within your enterprise?
Do you have any Single Sign-On infrastructure to integrate with?
Let me know, this solution may suit your needs as well.