ActiveDirectoryMembershipProvider Attribute schema mappings


James Coleman

I am trying to use the ADMembershipProvider and running into an error. I am
not strong in AD so I am fumbling. Any help would be appreciated.

Web.Config Providers Section:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
  <providers>
    <!-- With enablePasswordReset="true" the provider requires all three
         attributeMapFailedPasswordAnswer* mappings; the attribute names must be
         spelled exactly (the original posting had "Passsword" and "Attemps", and a
         stray C# verbatim-string prefix @\" on the regular expression).
         badPwdCount, badPasswordTime and lastBackupRestorationTime are the
         poster's stand-in mappings for a dev environment, not recommended choices. -->
    <add name="AspNetActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADMembershipService"
         connectionProtection="Secure"
         enablePasswordReset="true"
         enableSearchMethods="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         description="Default AD connection"
         attributeMapPasswordQuestion="extensionAttribute1"
         attributeMapPasswordAnswer="extensionAttribute2"
         attributeMapFailedPasswordAnswerCount="badPwdCount"
         attributeMapFailedPasswordAnswerTime="badPasswordTime"
         attributeMapFailedPasswordAnswerLockoutTime="lastBackupRestorationTime"
         requiresUniqueEmail="true"
         clientSearchTimeout="30"
         serverSearchTimeout="30"
         passwordAttemptWindow="10"
         passwordAnswerAttemptLockoutDuration="30"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="6"
         minRequiredNonalphanumericCharacters="1"
         passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
  </providers>
</membership>

The error I get in the WSA Tool Security Tab:

The following message may help in diagnosing the problem: Attribute schema
mappings for bad password answer tracking must be specified to enable
password reset functionality. (C:\Inetpub\wwwroot\allsteel\web.config line
62)

Thanks
~James

James Coleman

No. I found them already in ADSIEdit. The extensionAttribute1 and 2 look
like they are from Exchange and I just picked the other two out from
anywhere. I don't know if they are named correctly though; I was using the
lDAPDisplayName when I viewed the properties of the attributes.

I am just trying to get this to work in my dev environment, when I push it
to production they can map it to real 'customized' schema fields but I don't
have permission to modify our (Agency.com's) AD schema.

Thanks
~James

Joe Kaplan \(MVP - ADSI\)

I haven't spent much time yet with the AD membership provider, so I don't
know a lot of its details yet. However, I do know that badPasswordTime and
badPwdCount are used by AD to implement its policy-based lockout mechanism.
You should not be using those for anything application-specific as you won't
have permission to write to them.

Perhaps you should continue with using the extension attributes, unless you
want to set up dev against an ADAM instance (whose schema you can easily
control).

Best of luck,

Joe K.

James Coleman said:
No. I found them already in ADSIEdit. The extensionAttribute1 and 2 look
like they are from Exchange and I just picked the other two out from
anywhere. I don't know if they are named correctly though; I was using the
lDAPDisplayName when I viewed the properties of the attributes.

I am just trying to get this to work in my dev environment, when I push it
to production they can map it to real 'customized' schema fields but I don't
have permission to modify our (Agency.com's) AD schema.

Thanks
~James
--
James Coleman
Technical Director
AGENCY.COM [Chicago]


MikeS said:
Did you already modify the AD schema to create the extensionAttribute1,
extensionAttribute2, badPwdCount and badPasswordTime attributes and add
them to the User class?

Additional Considerations
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000026.asp

James Coleman

Makes sense. The problem, however, is that I need an Int and a LongInt for
those fields, and the extension fields are strings, so it blows up and gets
fussy.
--
James Coleman
Technical Director
AGENCY.COM [Chicago]



Joe Kaplan \(MVP - ADSI\)

I can't think of a way around this without extending the schema then. I'm
pretty sure there aren't any unused attributes floating around in AD that
use those syntaxes.

I assume that if you are going to actually use this in your own directory,
then you should be able to get the schema extended, so maybe you can talk
your AD guys into making the necessary changes.

ADAM is also another option if you want complete control.

Joe K.

Dominick Baier [DevelopMentor]

Yes, you need to extend the schema for that functionality; that's also
MS's "official" answer to that.

James Coleman

Okay, thanks guys. I will talk to our IT guys and see if I am allowed. This
site is for a client, which is why I was trying to do it on our dev
environment without a schema change.

Can someone tell me in layman's terms how I would add these fields? I am
assuming I would use ADSI Edit, but if someone could tell me how to set them
up and specify the type I would appreciate it.

~James
--
James Coleman
Technical Director
AGENCY.COM [Chicago]

Joe Kaplan \(MVP - ADSI\)

Unfortunately, extending the schema is not quite that straightforward. You
really need to know what you are doing, especially if the schema will go
into AD, as AD schema extensions aren't as easy to undo as "drop table xxx".
Additionally, you need to use real OIDs for your schema, which means that
you need to get an OID prefix from a registry (like MS) in order to issue
your own OIDs.

Typically, you want to put your schema extensions in an LDIF file. LDIF is
a standard text-based data interchange format for LDAP directories and is
something that AD admins should be comfortable with. Doing schema
extensions programmatically or with ADSI Edit is not usually the way to go.
LDIF makes your changes transparent and repeatable.

I'd suggest reading the MSDN documentation on this subject before moving
forward. I can also recommend Active Directory 3rd Edition from O'Reilly,
which was recently updated by AD ubergeek Joe Richards.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_schema.asp

Another thing you need to think carefully about is how you plan to protect
the password answer questions in the directory. It would be a horrifying
security breakdown if those were readable in plain text by typical users
with a simple LDAP query. It will completely undermine AD password security
in your client's environment.

Joe K.

James Coleman said:
Okay, thanks guys. I will talk to our IT guys and see if I am allowed. This
site is for a client, which is why I was trying to do it on our dev
environment without a schema change.

Can someone tell me in layman's terms how I would add these fields? I am
assuming I would use ADSI Edit, but if someone could tell me how to set them
up and specify the type I would appreciate it.

~James
--
James Coleman
Technical Director
AGENCY.COM [Chicago]
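The kind of LDIF file Joe describes above, as an added example that is not part of the thread and not Microsoft's or the provider's own code. It defines the three numeric attributes the provider needs for password-answer tracking (one Integer, two LargeInteger, matching the "Int and LongInt" James ran into), plus a separate attribute for the password answer itself with the confidential bit set, then adds them to the User class. Everything named here is a placeholder: the "agency" prefix, the attribute names, the OID values under the 1.2.840.113556.1.8000.2554 arc (Microsoft's generator-script range; obtain your own prefix before touching a production forest), and the forest root DC=X, which ldifde rewrites on import.

```ldif
# Added example: schema extension for ActiveDirectoryMembershipProvider
# password-reset tracking. Placeholder names and OIDs throughout (see lead-in).
#
# Import on the schema master as a member of Schema Admins, after a system
# state backup. Schema additions can be defuncted but never deleted, so test
# against ADAM or a lab forest first.
#   ldifde -i -f admembership-schema.ldf -c "DC=X" "DC=corp,DC=example,DC=com" -k -j .
#
# attributeSyntax / oMSyntax pairs used:
#   Integer        2.5.5.9  / 2    -> attributeMapFailedPasswordAnswerCount
#   LargeInteger   2.5.5.16 / 65   -> the two *Time mappings (Int64 FILETIME values)
#   Unicode string 2.5.5.12 / 64   -> the stored password answer

dn: CN=agencyFailedPasswordAnswerCount,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.10001.1
lDAPDisplayName: agencyFailedPasswordAnswerCount
adminDisplayName: agencyFailedPasswordAnswerCount
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 0

dn: CN=agencyFailedPasswordAnswerTime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.10001.2
lDAPDisplayName: agencyFailedPasswordAnswerTime
adminDisplayName: agencyFailedPasswordAnswerTime
attributeSyntax: 2.5.5.16
oMSyntax: 65
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 0

dn: CN=agencyFailedPasswordAnswerLockoutTime,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.10001.3
lDAPDisplayName: agencyFailedPasswordAnswerLockoutTime
adminDisplayName: agencyFailedPasswordAnswerLockoutTime
attributeSyntax: 2.5.5.16
oMSyntax: 65
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 0

# searchFlags 128 sets the CONFIDENTIAL bit (Windows Server 2003 SP1 or later;
# not permitted on base-schema attributes). Ordinary users then cannot read the
# value with a plain LDAP query; only principals granted CONTROL_ACCESS on the
# attribute (the web application's service account, admins) can.
dn: CN=agencyPasswordAnswer,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: 1.2.840.113556.1.8000.2554.10001.4
lDAPDisplayName: agencyPasswordAnswer
adminDisplayName: agencyPasswordAnswer
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 128

# Flush the schema cache so the new attributes can be referenced by the class change.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# Make the attributes optional (mayContain) on the User class.
dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: agencyFailedPasswordAnswerCount
mayContain: agencyFailedPasswordAnswerTime
mayContain: agencyFailedPasswordAnswerLockoutTime
mayContain: agencyPasswordAnswer
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

After the import, the provider's attributeMapFailedPasswordAnswerCount, attributeMapFailedPasswordAnswerTime, attributeMapFailedPasswordAnswerLockoutTime and attributeMapPasswordAnswer settings point at these lDAPDisplayNames instead of badPwdCount and friends, and the web application's service account needs write access to them on the user objects it manages. For an ADAM instance the schema container is CN=Schema,CN=Configuration,CN={instance GUID} rather than the forest root, so change the -c replacement accordingly.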
 
