How To Log Into Episerver When You Don't Know A User or Password

This article is a continuation of Top Tips To Get An Existing Episerver Project Up And Running. Often when I start at a new company, I won't have a log-in to get access to Episerver and I'm left to my own devices to get started. In today's guide, I'm going to cover some of the things you can do to get access to the editor. In this post, I'm assuming you are familiar with logging into Episerver. If you're not, then I would recommend reading, Beginner’s Guide: How To Access The Episerver Login Page first.

Create a Local Admin Account

Out of the box, Episerver uses the Multiplexing Provider to deal with membership and logging in. If you are not familiar with the multiplexing provider use Windows Authentication, then fall back to SQL to try and log you in. The SQL provider is based on the standard.NET version and the log-in usernames can be found in the 'aspnet_Users' table in SQL. To log into Episerver with the multiplexing provider enabled, you can try your domain account. Your account will need local Admin privileges, so depending on how your IT department has set-up your account, this may or may not work. If your account doesn't work, if you can create a local user account on your computer that has local administrators group permissions. This should allow you to log into Episerver.

My Episerver Website Uses A SQL Membership Provider

In a lot of companies, the membership provider is set to SQL only, so unless you know a valid Episerver account you won't be able to access it. If you find yourself in this situation then the first trick is to check the roles and membership provider and switch both to Multiplexing. In your web.config, find the following section and change the 'defaultProvider' MultiplexingRoleProvider for the role provider and MultiplexingMembershipProvider' for the membership provider.

    <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer.Framework" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider" />
        <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" >
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer.Framework" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
        <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
      </providers>
    </membership>

If this doesn't work, then change your web.config back to SQL membership and role provider and then create a new file in your webroot called 'InstallUser.aspx'. In the file add this code:

  <%@ Page Language="C#" AutoEventWireup="true" %> <% try { Roles.CreateRole("Administrators"); } catch (Exception) { } try { var user = Membership.CreateUser("episerver", "episerver", "[email protected]"); user.IsApproved = true; } catch (Exception) { } try { } catch (Exception) { Roles.AddUserToRole("episerver", "Administrators"); } %> 

Now try running the page by using 'www.website.com/InstallUser.aspx'. If it runs correctly, you should now have a user in your database called 'episerver' with the password 'episerver' who is an admin.

Allow Anonymous Access To The Editor

If all of the above still doesn't work, you can always allow anonymous access to the editor and the admin and allow everyone in. In your web.config, update these two areas:

  <location path="EPiServer/CMS/admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

and

      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <allow users="*" />
      </authorization>

The only main difference is changing the deny all users, to allow all users. This should allow accessing edit and admin mode without authentication. I've bumped into a few issues with this historically with caching and temp internet files, so you may need to restart visual studio, or, your machine. This generally will always work.

NOTE:  You will run into the below error when you set Epi in this mode. 

This request has probably been tampered with. Close the browser and try again. 

 

The Sneaky Way... HACK SQL!

In the unlikely even that everything above doesn't work, you have an admin SQL account but you only know the details of a normal content editor account, if you have access to SQL it's also possible to reset an account's password. DO NOT TEST ON LIVE, without testing in QA, dev or staging first. You should aim to never have to run a SQL query against your Episerver database if you do make sure you back everything up first. In this approach, go into SQL find the user account you have valid details for and use the password and salt to override the password and salt of a locked admin account. If everything goes well you'll be able to log into the admin account whose password you have forgotten the new password. You should be able to get a list of all SQL users in your Episerver website using this SQL command:

 SELECT au.username, aa.ApplicationName, password, passwordformat, passwordsalt FROM aspnet_membership am INNER JOIN aspnet_users au ON (au.userid = am.userid) INNER JOIN aspnet_applications aa ON (au.applicationId = aa.applicationid) [/sql] Find the user you know the valid account details for and copy the password, salt, and password type. Next, find an account that has admin access and run this SQL snippet: [sql] set @changeDate = getdate() exec aspnet_Membership_setPassword ‘applicationName’, 'User', 'Password', 'Password Salt', @changeDate, 'Password format' 

Changing User, password, password salt and password format to the details you got from above. After running this, both user account will have the same password. So you should now be able to log into EpiServer with an admin account.


Jon D Jones

Software Architect, Programmer and Technologist Jon Jones is founder and CEO of London-based tech firm Digital Prompt. He has been working in the field for nearly a decade, specializing in new technologies and technical solution research in the web business. A passionate blogger by heart , speaker & consultant from England.. always on the hunt for the next challenge


Back to top
var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-35662136-1']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'stats.g.doubleclick.net/dc.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();