ActiveDirectoryMembershipProvider Attribute schema mappings

Discussion in 'ASP .Net Security' started by James Coleman, Apr 7, 2006.

  1. I am trying to use the ADMembershipProvider and running into an error. I am
    not strong in AD so I am fumbling. Any help would be appreciated.

    Web.Config Providers Section:
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
    <!-- attribute names must match the provider's expected spellings -->
    <add name="AspNetActiveDirectoryMembershipProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider,
    System.Web, Version=2.0.0.0, Culture=neutral,
    PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="ADMembershipService"
    connectionProtection="Secure"
    enablePasswordReset="true"
    enableSearchMethods="true"
    requiresQuestionAndAnswer="true"
    applicationName="/"
    description="Default AD connection"
    attributeMapPasswordQuestion="extensionAttribute1"
    attributeMapPasswordAnswer="extensionAttribute2"
    attributeMapFailedPasswordAnswerCount="badPwdCount"
    attributeMapFailedPasswordAnswerTime="badPasswordTime"
    attributeMapFailedPasswordAnswerLockoutTime="lastBackupRestorationTime"
    requiresUniqueEmail="true"
    clientSearchTimeout="30"
    serverSearchTimeout="30"
    passwordAttemptWindow="10"
    passwordAnswerAttemptLockoutDuration="30"
    maxInvalidPasswordAttempts="5"
    minRequiredPasswordLength="6"
    minRequiredNonalphanumericCharacters="1"
    passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})"/>
    </providers>
    </membership>

    The error I get in the WSA Tool Security Tab:

    The following message may help in diagnosing the problem: Attribute schema
    mappings for bad password answer tracking must be specified to enable
    password reset functionality. (C:\Inetpub\wwwroot\allsteel\web.config line
    62)

    Thanks
    ~James

    --
    James Coleman
    Technical Director
    AGENCY.COM [Chicago]
    James Coleman, Apr 7, 2006
    #1

  2. MikeS Guest

    MikeS, Apr 8, 2006
    #2

  3. No. I found them already in ADSIEdit. The extensionAttribute1 and 2 look
    like they are from Exchange and I just picked the other two out from
    anywhere. I don't know if they are named correctly though; I was using the
    lDAPDisplayName when I view the properties of the attributes.

    I am just trying to get this to work in my dev environment; when I push it
    to production they can map it to real 'customized' schema fields, but I
    don't have permission to modify our (Agency.com's) AD schema.

    Thanks
    ~James
    --
    James Coleman
    Technical Director
    AGENCY.COM [Chicago]


    "MikeS" wrote:

    > Did you already modify the AD schema to create the extensionAttribute1,
    > extensionAttribute2, badPwdCount and badPasswordTime attributes and add
    > them to the User class?
    >
    > Additional Considerations
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp
    >
    >
    James Coleman, Apr 8, 2006
    #3
  4. I haven't spent much time yet with the AD membership provider, so I don't
    know a lot of its details yet. However, I do know that badPasswordTime and
    badPwdCount are used by AD to implement its policy-based lockout mechanism.
    You should not be using those for anything application-specific as you won't
    have permission to write to them.

    Perhaps you should continue with using the extension attributes, unless you
    want to set up dev against an ADAM instance (whose schema you can easily
    control).

    Best of luck,

    Joe K.

    "James Coleman" <> wrote in message
    news:...
    > No. I found them already in ADSIEdit. The extensionAttribute1 and 2 look
    > like they are from Exchange and I just picked the other two out from
    > anywhere. I don't know if they are named correctly though, I was using
    > the
    > lDAPDisplayName when I view the properties of the attributes.
    >
    > I am just trying to get this to work in my dev environment, when I push it
    > to production they can map it to real 'customized' schema fields but I
    > don't
    > have permission to modify our (Agency.com's) AD schema.
    >
    > Thanks
    > ~James
    > --
    > James Coleman
    > Technical Director
    > AGENCY.COM [Chicago]
    >
    >
    > "MikeS" wrote:
    >
    >> Did you already modify the AD schema to create the extensionAttribute1,
    >> extensionAttribute2, badPwdCount and badPasswordTime attributes and add
    >> them to the User class?
    >>
    >> Additional Considerations
    >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp
    >>
    >>
    Joe Kaplan \(MVP - ADSI\), Apr 8, 2006
    #4
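The configuration error in post #1 and Joe's warning in post #4 can both be caught before the web.config ever reaches a server. The following lint script is an added example, not code from the thread or from Microsoft; SAMPLE is a constructed, cut-down copy of the posted provider element, and the set of known attribute names is the one ActiveDirectoryMembershipProvider accepts.

```python
"""Lint an ActiveDirectoryMembershipProvider <add> element for the mistakes
discussed in posts #1 and #4 (added example; SAMPLE is constructed)."""
import xml.etree.ElementTree as ET

# Attribute names the provider accepts on its <add ...> element.
KNOWN = {
    "name", "type", "connectionStringName", "connectionUsername",
    "connectionPassword", "connectionProtection", "enableSearchMethods",
    "applicationName", "description", "requiresUniqueEmail", "clientSearchTimeout",
    "serverSearchTimeout", "enablePasswordReset", "requiresQuestionAndAnswer",
    "minRequiredPasswordLength", "minRequiredNonalphanumericCharacters",
    "passwordStrengthRegularExpression", "maxInvalidPasswordAttempts",
    "passwordAttemptWindow", "passwordAnswerAttemptLockoutDuration",
    "attributeMapUsername", "attributeMapEmail", "attributeMapPasswordQuestion",
    "attributeMapPasswordAnswer", "attributeMapFailedPasswordAnswerCount",
    "attributeMapFailedPasswordAnswerTime", "attributeMapFailedPasswordAnswerLockoutTime",
}
# All three must be present once enablePasswordReset="true".
RESET_MAPPINGS = {k for k in KNOWN if k.startswith("attributeMapFailedPassword")}
# Attributes AD maintains for its own lockout policy; the app cannot write them.
AD_OWNED = {"badPwdCount", "badPasswordTime", "lockoutTime"}

def lint_provider(xml_text):
    """Return findings for every <add> element; an empty list means it passed."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        a = add.attrib
        for key in sorted(set(a) - KNOWN):  # a misspelled name is not the setting it was meant to be
            findings.append(f"unknown attribute '{key}' (typo?)")
        if a.get("enablePasswordReset", "false").lower() == "true":
            for key in sorted(RESET_MAPPINGS - set(a)):
                findings.append(f"password reset enabled but '{key}' is missing")
        for key in sorted(RESET_MAPPINGS & set(a)):
            if a[key] in AD_OWNED:
                findings.append(f"'{key}' maps to AD-managed attribute '{a[key]}'")
    return findings

# Constructed sample: the posted element with its spellings left as posted.
SAMPLE = """<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider" enablePasswordReset="true"
     connectionStringName="ADMembershipService"
     attributeMapFailedPasswordAnswerCount="badPwdCount"
     attributeMapFailedPasswordAnswerTime="badPasswordTime"
     attributeMapFailedPassswordAnswerLockoutTime="lastBackupRestorationTime"
     maxInvalidPasswordAttemps="5"/>
</providers>
</membership>"""

if __name__ == "__main__":
    print("\n".join(lint_provider(SAMPLE)))
```

Run against the sample it reports the two misspelled names, the lockout-time mapping the provider therefore cannot see, and the two mappings onto AD's own lockout attributes.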
  5. Makes sense. The problem however is that I need an Int and a LongInt for
    those fields and the extension fields are strings so it blows up and gets
    fussy.
    --
    James Coleman
    Technical Director
    AGENCY.COM [Chicago]


    "Joe Kaplan (MVP - ADSI)" wrote:

    > I haven't spent much time yet with the AD membership provider, so I don't
    > know a lot of its details yet. However, I do know that badPasswordTime and
    > badPwdCount are used by AD to implement its policy-based lockout mechanism.
    > You should not be using those for anything application-specific as you won't
    > have permission to write to them.
    >
    > Perhaps you should continue with using the extension attributes, unless you
    > want to set up dev against an ADAM instance (whose schema you can easily
    > control).
    >
    > Best of luck,
    >
    > Joe K.
    >
    > "James Coleman" <> wrote in message
    > news:...
    > > No. I found them already in ADSIEdit. The extensionAttribute1 and 2 look
    > > like they are from Exchange and I just picked the other two out from
    > > anywhere. I don't know if they are named correctly though, I was using
    > > the
    > > lDAPDisplayName when I view the properties of the attributes.
    > >
    > > I am just trying to get this to work in my dev environment, when I push it
    > > to production they can map it to real 'customized' schema fields but I
    > > don't
    > > have permission to modify our (Agency.com's) AD schema.
    > >
    > > Thanks
    > > ~James
    > > --
    > > James Coleman
    > > Technical Director
    > > AGENCY.COM [Chicago]
    > >
    > >
    > > "MikeS" wrote:
    > >
    > >> Did you already modify the AD schema to create the extensionAttribute1,
    > >> extensionAttribute2, badPwdCount and badPasswordTime attributes and add
    > >> them to the User class?
    > >>
    > >> Additional Considerations
    > >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp
    > >>
    > >>
    James Coleman, Apr 8, 2006
    #5
  6. I can't think of a way around this without extending the schema then. I'm
    pretty sure there aren't any unused attributes floating around in AD that
    use those syntaxes.

    I assume that if you are going to actually use this in your own directory,
    then you should be able to get the schema extended, so maybe you can talk
    your AD guys into making the necessary changes.

    ADAM is also another option if you want complete control.

    Joe K.

    "James Coleman" <> wrote in message
    news:...
    > Makes sense. The problem however is that I need an Int and a LongInt for
    > those fields and the extension fields are strings so it blows up and gets
    > fussy.
    > --
    > James Coleman
    > Technical Director
    > AGENCY.COM [Chicago]
    >
    Joe Kaplan \(MVP - ADSI\), Apr 9, 2006
    #6
  7. Yes - you need to extend the schema for that functionality - that's also
    MS's "official" answer to that.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I can't think of a way around this without extending the schema then.
    > I'm pretty sure there aren't any unused attributes floating around in
    > AD that use those syntaxes.
    >
    > I assume that if you are going to actually use this in your own
    > directory, then you should be able to get the schema extended, so
    > maybe you can talk your AD guys into making the necessary changes.
    >
    > ADAM is also another option if you want complete control.
    >
    > Joe K.
    >
    > "James Coleman" <> wrote in
    > message news:...
    >
    >> Makes sense. The problem however is that I need an Int and a LongInt
    >> for
    >> those fields and the extension fields are strings so it blows up and
    >> gets
    >> fussy.
    >> --
    >> James Coleman
    >> Technical Director
    >> AGENCY.COM [Chicago]
    Dominick Baier [DevelopMentor], Apr 9, 2006
    #7
  8. Okay thanks guys. I will talk to our IT guys and see if I am allowed. This
    site is for a client which is why I was trying to do it on our dev
    environment without a schema change.

    Can someone tell me in layman's terms how I would add these fields. I am
    assuming I would use ADSI Edit, but if someone could tell me how to set them
    up and specify the type I would appreciate it.

    ~James
    --
    James Coleman
    Technical Director
    AGENCY.COM [Chicago]


    "Dominick Baier [DevelopMentor]" wrote:

    > Yes - you need to extend the schema for that functionality - that's also
    > MS's "official" answer to that.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > I can't think of a way around this without extending the schema then.
    > > I'm pretty sure there aren't any unused attributes floating around in
    > > AD that use those syntaxes.
    > >
    > > I assume that if you are going to actually use this in your own
    > > directory, then you should be able to get the schema extended, so
    > > maybe you can talk your AD guys into making the necessary changes.
    > >
    > > ADAM is also another option if you want complete control.
    > >
    > > Joe K.
    > >
    > > "James Coleman" <> wrote in
    > > message news:...
    > >
    > >> Makes sense. The problem however is that I need an Int and a LongInt
    > >> for
    > >> those fields and the extension fields are strings so it blows up and
    > >> gets
    > >> fussy.
    > >> --
    > >> James Coleman
    > >> Technical Director
    > >> AGENCY.COM [Chicago]
    James Coleman, Apr 9, 2006
    #8
  9. Unfortunately, extending the schema is not quite that straightforward. You
    really need to know what you are doing, especially if the schema will go
    into AD, as AD schema extensions aren't as easy to undo as "drop table xxx".
    Additionally, you need to use real OIDs for your schema, which means that
    you need to get an OID prefix from a registry (like MS) in order to issue
    your own OIDs.

    Typically, you want to put your schema extensions in an LDIF file. LDIF is
    a standard text-based data interchange format for LDAP directories and is
    something that AD admins should be comfortable with. Doing schema
    extensions programmatically or with ADSI Edit is not usually the way to go.
    LDIF makes your changes transparent and repeatable.

    I'd suggest reading the MSDN documentation on this subject before moving
    forward. I can also recommend Active Directory 3rd Edition from O'Reilly,
    which was recently updated by AD ubergeek Joe Richards.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_schema.asp

    Another thing you need to think carefully about is how you plan to protect
    the password answer questions in the directory. It would be a horrifying
    security breakdown if those were readable in plain text by typical users
    with a simple LDAP query. It would completely undermine AD password security
    in your client's environment.

    Joe K.

    "James Coleman" <> wrote in message
    news:D...
    > Okay thanks guys. I will talk to our IT guys and see if I am allowed.
    > This
    > site is for a client which is why I was trying to do it on our dev
    > environment without a schema change.
    >
    > Can someone tell me in layman's terms how I would add these fields. I am
    > assuming I would use ADSI Edit, but if someone could tell me how to set
    > them
    > up and specify the type I would appreciate it.
    >
    > ~James
    > --
    > James Coleman
    > Technical Director
    > AGENCY.COM [Chicago]
    >
    >
    > "Dominick Baier [DevelopMentor]" wrote:
    >
    >> Yes - you need to extend the schema for that functionality - that's also
    >> MS's "official" answer to that.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>
    >> > I can't think of a way around this without extending the schema then.
    >> > I'm pretty sure there aren't any unused attributes floating around in
    >> > AD that use those syntaxes.
    >> >
    >> > I assume that if you are going to actually use this in your own
    >> > directory, then you should be able to get the schema extended, so
    >> > maybe you can talk your AD guys into making the necessary changes.
    >> >
    >> > ADAM is also another option if you want complete control.
    >> >
    >> > Joe K.
    >> >
    >> > "James Coleman" <> wrote in
    >> > message news:...
    >> >
    >> >> Makes sense. The problem however is that I need an Int and a LongInt
    >> >> for
    >> >> those fields and the extension fields are strings so it blows up and
    >> >> gets
    >> >> fussy.
    >> >> --
    >> >> James Coleman
    >> >> Technical Director
    >> >> AGENCY.COM [Chicago]
    Joe Kaplan \(MVP - ADSI\), Apr 9, 2006
    #9
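Joe's advice in post #9 (schema changes in an LDIF file, under real OIDs, with the password answer kept away from ordinary LDAP readers) and the syntaxes James needs in post #5 can be put together in one importable file. The generator below is an added example, not code from the thread; the attribute names, the schema DN and the OID prefix are placeholders, and it goes one step beyond the thread by also defining a confidential attribute for the answer itself (searchFlags bit 128, which limits reads to principals holding the Control Access right and cannot be set on base-schema attributes such as extensionAttribute2).

```python
"""Emit the LDIF an AD admin would import with ldifde -i to add the attributes
the provider's password-answer mappings need (added example; placeholders)."""
import base64
import uuid

# (attributeSyntax, oMSyntax) pairs: Integer for the failed-answer count,
# LargeInteger/Interval for the two timestamps, Unicode string for the answer.
INTEGER, LARGE_INTEGER, UNICODE = ("2.5.5.9", 2), ("2.5.5.16", 65), ("2.5.5.12", 64)
CONFIDENTIAL = 128  # searchFlags bit: readable only with the Control Access right

def attribute_entry(schema_dn, ldap_name, oid, syntax, search_flags=0):
    """One attributeSchema object; schemaIDGUID is a fresh GUID, base64-encoded."""
    guid = base64.b64encode(uuid.uuid4().bytes_le).decode()
    return "\n".join([
        f"dn: CN={ldap_name},{schema_dn}", "changetype: add",
        "objectClass: attributeSchema", f"attributeID: {oid}",
        f"lDAPDisplayName: {ldap_name}", f"adminDisplayName: {ldap_name}",
        f"attributeSyntax: {syntax[0]}", f"oMSyntax: {syntax[1]}",
        "isSingleValued: TRUE", f"searchFlags: {search_flags}",
        f"schemaIDGUID:: {guid}", ""])

# Forces the schema cache to reload so later entries can reference new attributes.
RELOAD = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"

def schema_ldif(oid_prefix, prefix="exMembership",
                schema_dn="CN=Schema,CN=Configuration,DC=example,DC=com"):
    """New attributes, cache reload, then make them optional on the User class."""
    attrs = [(f"{prefix}FailedAnswerCount", INTEGER, 0),
             (f"{prefix}FailedAnswerTime", LARGE_INTEGER, 0),
             (f"{prefix}FailedAnswerLockoutTime", LARGE_INTEGER, 0),
             # keep the answer itself out of reach of ordinary LDAP readers
             (f"{prefix}PasswordAnswer", UNICODE, CONFIDENTIAL)]
    parts = [attribute_entry(schema_dn, n, f"{oid_prefix}.{i}", s, f)
             for i, (n, s, f) in enumerate(attrs, start=1)]
    parts.append(RELOAD)
    parts.append("\n".join([f"dn: CN=User,{schema_dn}", "changetype: modify",
                            "add: mayContain"]
                           + [f"mayContain: {n}" for n, _, _ in attrs] + ["-", ""]))
    parts.append(RELOAD)
    return "\n".join(parts)

if __name__ == "__main__":
    # "1.2.3.4.PLACEHOLDER" stands in for a prefix registered to your organisation.
    print(schema_ldif("1.2.3.4.PLACEHOLDER"))
```

After import, the web.config mappings point at the four new lDAPDisplayNames instead of badPwdCount, badPasswordTime and the Exchange extension attributes.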