Maybe CMS 2002 is not the most popular content management software in the world, but some people are using it in the real world. This is the case with one of our customers, who will deploy a web application based on CMS 2002 in his network. This company maintains two separate AD forests: an internal forest for the company itself and a second forest for its retail partners, who are spread across the country. The application will be used mainly for communication with these retail partners.
So we have two separate AD forests, a web application, and users who have to access it and want to get rid of the annoying logon prompts they get when accessing a resource in the other forest. A perfect case for ADFS, so I tried to set up such a configuration in a lab as a test environment for our customer.
I used 4 VMs: 2 DCs, one in each forest, each also holding the ADFS server role; one web server with CMS and SQL in the resource forest; and an additional Windows XP machine in the account forest acting as the client. All servers were Windows 2003 R2 EE.
I used CMS 2002 with SP1 and the Woodgrove Bank sample CMS application for this lab. The installation procedure is pretty straightforward; one thing you should remember is that when CMS asks about IE Web Controls it is really looking for something called IE Web Controls for CMS, but these are available for download. The sample application required one simple modification: by default its web.config file is configured to use forms-based authentication, and this has to be changed to Windows authentication.
Good news: it works very well.
If you ask me, CMS is a little odd from a management standpoint. Maybe I'm just not used to channels and the interface this product uses to manage roles and permissions. I would feel much better with a simple interface to assign AD groups directly, and without the WinNT:// provider prefix in front of every user or group used as a security principal there. But that is how it works, and from the ADFS configuration standpoint it makes CMS 2002 a Windows NT token-based application. To get it working with ADFS you have to configure everything the same way as for SharePoint Services, which is pretty straightforward (and described in detail in this document). In my lab I used only the basic UPN and group-based claims without any custom modules, so the configuration was nice and easy.
I tested group-based claims, as this will be the most common scenario in this solution, and also UPN claims. Since it is a token-based application, if you want to assign permissions to resources on a per-user basis it requires a shadow account in the resource forest for every user from the account partner forest. This account can be disabled and have a very long password, but it still has to be there, which may be a little annoying. It is, however, required only for user accounts that need a separate set of permissions not granted to any group, and this should not be a very common scenario (if you have worked with CMS Site Manager you probably wouldn't be eager to do this for a large number of users 🙂).
One problem I came across at the beginning: CMS sites are managed with an application called Site Manager, which connects to the admin web page and allows you to modify the CMS configuration. This application can't connect to a web site on which the Web SSO Agent is configured, because it doesn't know what to do with all the redirections and cookies. However, this is more of a lab-only problem than a real deployment problem, as in my lab CMS was installed with defaults, on a single web site for both content and management. Dividing these roles between two different web sites solves the problem: Site Manager was installed on a separate web site configured with standard Windows Integrated authentication, and the CMS sample site was installed on a second site with the Web SSO Agent enabled. This worked well and lets administrators manage CMS while users access it. To be honest, I don't think Site Manager will be the most crucial application to provide with a single sign-on experience here, as it will be used only by a few administrators.
Another thing I noticed is maybe not a bug, but may be a little confusing. CMS uses sessions to store a user's session data, among other things their permissions. The session of course has its lifetime configured in IIS properties. If a user establishes a session with CMS across the ADFS trust and you then change, for example, that user's group membership, this may lead to different claims being presented by ADFS; yet even if you establish a new connection to the CMS resource, you may not see the change in CMS permissions as long as the old session is still valid. I have to examine this a little more, but from my first tries and observations the session object is what prevents permission changes based on the new claim set from showing up. This may be all the more misleading because in the event log you may see that the new claim was correctly presented to and transformed by the ADFS server. The workaround is to shorten the session lifetime, but maybe I will manage to investigate it further and find a more general solution.
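To make the two web.config points above concrete (switching the sample from forms-based to Windows authentication, and shortening the session lifetime as a workaround for stale permissions), here is an added illustration. It is my own sketch, not the Woodgrove Bank sample's actual web.config and not anything from the CMS or ADFS documentation. The element names are standard ASP.NET 1.1 web.config settings; the login page name, cookie name and the 5-minute timeout are assumed values. The post says the session lifetime is set in IIS properties; the `<sessionState>` element is the equivalent knob for ASP.NET session state and is included on the assumption that the CMS sample site uses ASP.NET session state.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative web.config fragment (assumed, not the sample's real file). -->
<configuration>
  <system.web>

    <!-- BEFORE (the sample's default, per the post): forms-based login.
         With a forms login page the browser never presents a Windows token,
         so the ADFS Web SSO Agent has no identity to hand to CMS.
         Left here commented out only to show what is being replaced. -->
    <!--
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".WOODGROVEAUTH" timeout="30" />
    </authentication>
    -->

    <!-- AFTER: let IIS (with the ADFS Web Agent in front of it) authenticate,
         so CMS sees a Windows NT token for the federated user. -->
    <authentication mode="Windows" />

    <!-- Typically paired with Windows authentication so the request runs as the
         authenticated user rather than the worker process account (assumed,
         not stated in the post). -->
    <identity impersonate="true" />

    <!-- Refuse anonymous requests, so every request carries an identity. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Session lifetime in minutes. CMS caches the user's permissions in
         session state, so a changed claim set (e.g. a group removed) is not
         honoured until this expires. A shorter value makes revocations take
         effect sooner at the cost of more frequent re-authentication.
         5 is an assumed example value, not a recommendation from the post. -->
    <sessionState mode="InProc" cookieless="false" timeout="5" />

  </system.web>
</configuration>
```

The trade-off to keep in mind: the timeout bounds how long a user keeps permissions that the account forest has already revoked, so pick it from the revocation window you can tolerate, not from convenience alone.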
One piece of advice for anyone who will work with ADFS: if you start having problems with the solution or see strange behavior, enable logging. The entries written to the Security log after enabling object access auditing on the ADFS server, and those written to the text log by the ADFS service itself (configured in the properties in the ADFS MMC console), are very helpful in troubleshooting.
I don't know whether the solution described here will be deployed at the customer's site; we will still work with them to analyze all potential factors and systems, as they want to develop a general solution and guidelines for applications developed in the future, and ADFS is only one of the possible solutions under consideration. But this case shows how it can be used in a quick and easy way to improve the user experience without spending a lot of money on development or additional software licenses. Of course this is true in a Windows environment, as using ADFS with other platforms may require purchasing licenses from solution vendors. Another thing I want to check in this lab is using ADFS with SQL Reporting Services and with the Linux/Apache tandem. I will try to post the results here, so if you are interested in this topic … stay tuned.