ActiveDirectoryMembershipProvider

Glenn Eastlack

I have been trying to use ASP.NET 2.0 built-in Membership Providers.
Particularly the ActiveDirectoryMembershipProvider.

My web.config looks like this:
<connectionStrings>
<clear/>
<add name="ADConnectionString"
connectionString="LDAP://192.168.32.129/CN=users,CN=testdns,DC=test,DC=com"
/>
</connectionStrings>

<membership defaultProvider="MembershipADProvider">
<providers>
<add name="MembershipADProvider"

type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"

connectionUsername="testdns.test.com\administrator"
connectionPassword="password"/>
</providers>
</membership>


Active Directory is running on a Windows 2003 server within a VMWare
instance.

When I run the app and try to log in using the asp:Login control, I
receive the following error:

A referral was returned from the server

<providers>
Line 64: <add name="MembershipADProvider"
Line 65:
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Line 66: connectionStringName="ADConnectionString"

Line 67: connectionUsername="(e-mail address removed)"


Source File: C:\www\etlap-01.wur.ecri.org\html\web.config Line: 65

I can connection to AD just fine using the LDAPBrowser and the ADAM
adsiedit utility. Can anyone point me in the right direction to what
the error "A referral was returned from the server" means?

Much appreciated,
Glenn
 
MSDN

Hello,

A few questions, if you don't mind.

Is it possible to set the
connectionUsername="" and connectionPassword="" for a Provider programmatically?

If so, how?

What tools can I use to test the AD connection string etc.?

SA
 
MSDN

Juan,

Do I have to use the administrator account for this to work?
Can I set the connectionUsername="" and connectionPassword="" for a Provider
programmatically?

Thanks in advance

Sa
 
Juan T. Llibre

re:
Do I have to use the administrator account for this to work

No. To read the user database, you can use any account listed in AD.
To add users, you must have admin rights to the AD database.

re:
Can I set the connectionUsername="" connectionPassword="" for a Provider Programmatically?

Sure.

In all cases, though, you must refer to a valid domain/AD database.
You can't use a "test" domain/AD database.

That's why I asked you if :

actually exist.

I don't think you are the owner of test.com and testdns.test.com
is a subdomain of test.com, so you're using invalid domains.

That will never work.
That's why you received the error message you received.

You *must* use valid domains for AD queries.
 
MSDN

Juan,

FYI: You mixed us up. MSDN and Glenn Eastlack. No problem....

I am currently using my account for the connectionUsername="" and the
connectionPassword="" properties.
Also using the correct domain name that we own etc...
However, my if statement below always evaluates to false.
if (Membership.ValidateUser(Login1.UserName, Login1.Password))

I know that my username and password for the provider properties above are
correct, because if I use the wrong one then I get an error that says

"Unable to establish secure connection..." so it is doing something and
talking to the AD I think.

The Membership object is usable...

Now when I use the same UserName and Password that I use for the Providers
Properties I can not get authenticated.

What utility can I use to test this and how do I debug this to get going.

Thank you Juan.

SA
 
MSDN

Juan,

I have the following in my web.config.

<add name="ADConnectionString_corp"
connectionString="LDAP://corp.ourdomain.com/CN=Users,DC=corp,DC=ourdomain,DC=com"/>


and

<providers>

<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString_corp"
connectionUsername="ourdomain.com\sam.agent"
connectionPassword="mypasswordhere"/>

</providers>

Do you see anything wrong here??

SA
 
Glenn Eastlack

Thanks for your help. It turns out that I misspelled the base DN in the
connection string (I actually changed the name to hide my client).

My connection string now looks like this:
<add name="ADConnectionString"
connectionString="LDAP://192.168.32.129/DC=testdns,DC=client,DC=com" />

and my Providers look like this:

<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"

connectionUsername="(e-mail address removed)"
connectionPassword="password"
/>

I've now moved on to trying to create my own custom Provider and
MembershipUser. The question I have is when and how does the
MembershipUser get created and can you override how it gets created? In
particular, I have several attributes held in a SQL Server database that
I want to value.

Thanks,
Glenn
 
MSDN

Glenn,

I have no errors or exceptions in my code but I keep on getting false in my
if statement when I try to validate the username and password.

So the Membership object is created with no problem.

if (Membership.ValidateUser(Login1.UserName, Login1.Password))

Do you know what I should look for??

Thanks for any help you can give me.

Sa
 
Juan T. Llibre

re:
You'll find a complete roadmap to creating your own Providers in Scott's blog :

http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

In particular, check out the sections titled "Custom Membership and Roles Providers"

re:
I have several attributes held in a SQL Server database that I want to value.

Check the section titled "Storing Custom Properties about a User during Registration".
There's full sample and a couple of links there.
 
Glenn Eastlack

What are you entering for the username? It has to be in the form
'<username>@<domain>'. In my case, I have to enter (e-mail address removed).

Thanks,
Glenn
 
MSDN

On our Active Directory the username is not in the form of
(e-mail address removed).
Our usernames are in the form of FirstName.LastName only.

and I have tried it, because I am desperate now,
(e-mail address removed) and it does not work.
I have tried many combinations.

Does the user name have to be in the form of (e-mail address removed) ??? I
don't think so.
Does LDAP require that???

So I am completely stuck.

How do I get some tools that can tell me what to do or how to test.

Thanks again,

SA
 
MSDN

Glenn,

I can get the following with no problem

Membership.MaxInvalidPasswordAttempts.ToString()
Membership.MinRequiredPasswordLength.ToString()
Membership.PasswordAttemptWindow.ToString()
Membership.PasswordStrengthRegularExpression

So it seems that I am talking to the LDAP server or whatever.

What seems to be the problem here...

Any Ideas

Thanks again,

SA
 
Erik Funkenbusch

How do I get some tools that can tell me what to do or how to test.

You can't. They don't exist, that I'm aware of.

Let me ask a few questions:

1: Is the server you are running the asp.net code on a member of the
domain?

2: What is your LDAP connection string?

3: What format are you using for the username parameter of the connection
string?
 
MSDN

Erik,

1. The computer I am running asp.net code on is NOT a member of the
domain.

2.
<add name="ADConnectionString_corp"
connectionString="LDAP://corp.ourdomain.com/CN=Users,DC=corp,DC=ourdomain,DC=com"
/>

<providers>

<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString_corp"
connectionUsername="corp.mcbreo.com\gus.awar"
connectionPassword="G$us123456789" />

</providers>

Also,

I can get the following with no problem

Membership.MaxInvalidPasswordAttempts.ToString()
Membership.MinRequiredPasswordLength.ToString()
Membership.PasswordAttemptWindow.ToString()
Membership.PasswordStrengthRegularExpression

So it seems that I am talking to the LDAP server or whatever.

What seems to be the problem then...

Thank you Erik,

SA
 
MSDN

Erik,

1. The computer I am running asp.net code on is NOT a member of the
domain.

2.
<add name="ADConnectionString_corp"
connectionString="LDAP://corp.ourdomain.com/CN=Users,DC=corp,DC=ourdomain,DC=com"
/>

<providers>

<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString_corp"
connectionUsername="corp.ourdomain.com\Sam.Agent"
connectionPassword="S$amPass123" />

</providers>

Also,

I can get the following with no problem

Membership.MaxInvalidPasswordAttempts.ToString()
Membership.MinRequiredPasswordLength.ToString()
Membership.PasswordAttemptWindow.ToString()
Membership.PasswordStrengthRegularExpression

So it seems that I am talking to the LDAP server or whatever.

What seems to be the problem then...

Thank you Erik,

SA
 
Glenn Eastlack

Sorry, this thread is getting too long and I forgot what your original
problem was. Although, it does sound like you are binding successfully.

Try using LDAP Browser (http://www-unix.mcs.anl.gov/~gawor/ldap/) to
read your Active Directory. It's a great tool to view LDAP data stores
and also works nicely with AD.

I'm far from being an Active Directory expert. But the only way I could
bind is with a user in the form (e-mail address removed). Per this blog
http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx :

"...you'll need to log in using the User Principal Name (UPN) rather
than the typical DOMAIN\user syntax used for Windows authentication. The
UPN syntax is basically user@domain (note that there may be more to it
than that..."

Thanks,
Glenn
 
Erik Funkenbusch

> Erik,
>
> 1. The computer I am running asp.net code on is NOT a member of the
> domain.

If it's not a member of the domain, you will be unable to use the
WindowsTokenRoleProvider.

> 2.
> <add name="ADConnectionString_corp"
> connectionString="LDAP://corp.ourdomain.com/CN=Users,DC=corp,DC=ourdomain,DC=com"
> />

Is the machine in the DMZ? If so, is it using your AD DNS? Or is it using
internet DNS? In other words, does corp.ourdomain.com resolve to your LDAP
server from the web server? If not, you may need to explicitly use the IP
address, and make sure your firewall allows the pinhole.

> connectionUsername="corp.mcbreo.com\gus.awar"

You need to use the NETBIOS name here, whatever the short name for your
domain is; otherwise you need to use the username@... format, but this is
not your email address, it's your distinguished name (what you see on the
account tab in AD Users and Computers).

> So it seems that I am talking to the LDAP server or whatever.

Some things work anonymously, others do not.
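Since the thread asks several times for a way to test the connection string and the user name format, here is an added console probe (not code from the thread or from the provider) that does what ActiveDirectoryMembershipProvider does internally: bind to the base DN with the service account, then bind again as the end user in both name forms. Every host, DN, account name and password in it is a placeholder; the behaviour noted in the comments about attributeMapUsername is the provider's documented default.

```csharp
// Added diagnostic, not code from the thread. Mirrors what
// ActiveDirectoryMembershipProvider does internally: bind to the base DN with the
// service account, then bind again as the end user. All hosts, DNs, names and
// passwords below are placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class AdProviderProbe
{
    // Try to bind to ldapPath with the given credentials and force the DN lookup.
    // Returns null on success, otherwise the LDAP/COM error text. A base DN that
    // does not exist in this forest (e.g. CN=users,CN=testdns,DC=test,DC=com)
    // comes back as "A referral was returned from the server" (0x8007202B).
    public static string TryBind(string ldapPath, string user, string password)
    {
        try
        {
            using (DirectoryEntry e = new DirectoryEntry(ldapPath, user, password,
                                                         AuthenticationTypes.Secure))
            {
                object native = e.NativeObject;   // no network traffic until this
                return native == null ? "bind returned no object" : null;
            }
        }
        catch (COMException ex)   // DirectoryServicesCOMException derives from this
        {
            return string.Format("0x{0:X8}: {1}", ex.ErrorCode, ex.Message);
        }
    }

    static void Main()
    {
        // Step 1: the connectionString value and the provider's service account.
        string ldapPath = "LDAP://dc01.corp.example.test/CN=Users,DC=corp,DC=example,DC=test";
        string svcError = TryBind(ldapPath, "CORP\\svc_web", "<service-account-password>");
        Console.WriteLine("service account: " + (svcError ?? "OK"));

        // Step 2: the end user's own credentials, in the two forms discussed above.
        // The provider resolves the login name through userPrincipalName by default
        // (attributeMapUsername="sAMAccountName" switches it to the short name),
        // so a DOMAIN\user name that binds here can still fail Membership.ValidateUser.
        string upn  = TryBind(ldapPath, "jane.doe@corp.example.test", "<user-password>");
        string flat = TryBind(ldapPath, "CORP\\jane.doe", "<user-password>");
        Console.WriteLine("user as UPN:         " + (upn ?? "OK"));
        Console.WriteLine("user as DOMAIN\\user: " + (flat ?? "OK"));
    }
}
```

If step 1 fails with the referral error, the base DN is wrong (Glenn's case); if step 1 succeeds but only the DOMAIN\user form binds in step 2, the credentials are fine and it is the user name format the provider expects that needs changing.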
 
