< Return to Feed
Scott Reinhardt - 03.05.2018

Basic Authentication in Sitecore

I needed to lock down access to our stage site with basic authentication.

Normally, enabling basic authentication is a simple task of enabling it in IIS. However, Sitecore uses forms authentication to log in to the /sitecore area. IIS does not allow for both forms authentication and basic authentication to be enabled at the same time. Try it, and you'll get familiar with this error message:

Example of IIS alert pop-up reading 'challenge-based login redirect-based authenticaiton cannot be used simultaneously.'


I saw two main paths I could go down:

  1.  Create a custom login page for non-Sitecore users and manage a user account for it, or
  2. Handle the basic authentication outside of IIS.

I went with the second option because creating a new Sitecore pipeline is a very simple solution.

Here is the pipeline:

Here is the Config File to patch it in:

The pipeline works by checking to see if we have an Authorization header included.  If not, do a 401 and present the WWW-Authenticate header back to the browser.

If the header is present and has the basic scheme, decode the basic authentication header, which is a base64 encoded string of username:password, and compare it to a setting in the config file - this could easily be adjusted to be stored in the database, as a Sitecore extranet user, or in Active Directory.

As a Sitecore partner, our team of developers at Sagepath are adept at innovating in the CMS to help our clients meet their goals. Check out our blog for more innovative Sitecore solutions and how-tos.