Can't get ActiveDirectoryMembershipProvider to work

David Thielen

Hi;

How do I set up my ASP.NET 2.0 app to use ActiveDirectory for login? (I have
AspNetSqlMembershipProvider working fine.)

My web.config is:
....
<add name="ADConnectionString"
connectionString="LDAP://picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local" />
....
<membership defaultProvider="MembershipADProvider">
<providers>
<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="windward\administrator"
connectionPassword="******"/>
</providers>
</membership>

Depending on what I try (I have tried other values above) I get either "A
referral was returned from the server." or "Unable to establish secure
connection with the server".

I tried ldp to test the LDAP connection and got these errors:
ld =
ldap_open(LDAP://picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local, 389);
Error <0x51>: Fail to connect to
LDAP://picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local.
ld =
ldap_open("//picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local",
389);
Error <0x51>: Fail to connect to
//picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local.
ld =
ldap_open("picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local",
389);
Error <0x51>: Fail to connect to
picard.windward.local/CN=Users,DC=picard,DC=windward,DC=local.
ld = ldap_open("LDAP://windward.net/CN=Users,DC=windward,DC=net", 389);
Error <0x51>: Fail to connect to
LDAP://windward.net/CN=Users,DC=windward,DC=net.
ld =
ldap_open("LDAP://picard.windward.net/CN=Users,DC=picard,DC=windward,DC=net",
389);
Error <0x51>: Fail to connect to
LDAP://picard.windward.net/CN=Users,DC=picard,DC=windward,DC=net.

Any ideas???
 
Joe Kaplan (MVP - ADSI)

When using ldp, you connect with the DNS name of the server. In your case,
this is:

picard.windward.local

Make sure you do a bind operation after that with the credentials you are
using in your code.

Then, what I would do is look under the "View | Tree" and see what naming
contexts are mentioned. You could also try pasting in the name

CN=Users,DC=picard,DC=windward,DC=local

into that dialog and seeing if that works. You might also try the higher
level name and see if that works:

DC=picard,DC=windward,DC=local

The "LDAP://" thing is an ADSI provider model moniker, so you will never use
that in ldp (since it does not use ADSI under the hood).

Another thing you can do with ldp is if your machine is joined to
windward.local, you can use a null value for the server name in ldp.exe and
it will find a DC in your domain automatically.

HTH,

Joe K.
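The same checks Joe describes for ldp, done from a script so they can be repeated against the exact credentials the provider will use. This is an added PowerShell example, not part of the thread and not code from any participant; it uses System.DirectoryServices, the same stack the membership provider binds with. The server name and DNs are the ones from the thread; the service-account name windward\svc-portal is an assumption (a read-only account should be used here rather than the domain administrator that appears in the original web.config).

```powershell
# Added example, not from the thread. Assumptions: the DC answers as
# picard.windward.local, and 'windward\svc-portal' is a low-privilege account
# that can read the Users container.
Add-Type -AssemblyName System.DirectoryServices

$server   = 'picard.windward.local'   # DNS name of the DC: ldp takes it bare, an ADsPath prefixes it with LDAP://
$user     = 'windward\svc-portal'     # assumption: read-only service account, not the domain administrator
$password = Read-Host "Password for $user"

function Test-LdapBind {
    # Bind to an ADsPath with explicit credentials. Secure+Sealing+Signing is the
    # sign-and-seal mode the provider's connectionProtection="Secure" falls back to
    # when SSL on 636 is not available.
    param([string]$Path, [string]$User, [string]$Password)
    $auth  = [System.DirectoryServices.AuthenticationTypes]'Secure,Sealing,Signing'
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password, $auth)
    try {
        $null = $entry.NativeObject     # touching NativeObject performs the bind; throws on a bad DN or bad credentials
        return $true
    } catch {
        Write-Warning "Bind to $Path failed: $($_.Exception.Message)"
        return $false
    } finally {
        $entry.Dispose()
    }
}

# 1. Read RootDSE by DNS name and list the naming contexts the DC holds,
#    which is what ldp's "View | Tree" shows. The thread's DC=picard,... DN is not among them.
$rootDse   = [ADSI]"LDAP://$server/RootDSE"
$defaultNC = $rootDse.Properties['defaultNamingContext'].Value
"Naming contexts on ${server}:"
$rootDse.Properties['namingContexts'] | ForEach-Object { "  $_" }

# 2. Bind with the provider's credentials to each candidate container.
$candidates = @(
    "LDAP://$server/CN=Users,DC=picard,DC=windward,DC=local"   # host name leaked into the DN: the DC does not hold this
    "LDAP://$server/CN=Users,$defaultNC"                       # Users container of the real domain naming context
    "LDAP://$server/$defaultNC"                                # the domain head itself
)
foreach ($path in $candidates) {
    $ok = Test-LdapBind -Path $path -User $user -Password $password
    '{0,-5} {1}' -f $ok, $path
}

# 3. Serverless bind: on a domain-joined machine an empty server part lets ADSI
#    locate a DC itself, the script equivalent of leaving the server blank in ldp.
$rootDseAuto = [ADSI]'LDAP://RootDSE'
"Locator picked DC: $($rootDseAuto.Properties['dnsHostName'].Value)"
```

Two points worth knowing when reading the results against the errors quoted in the first post. The provider's connectionProtection attribute defaults to "Secure", which is documented as trying SSL first and then sign-and-seal, so "Unable to establish secure connection with the server" means both failed against the server named in the ADsPath; setting connectionProtection="None" makes the error go away by sending the bind and every query in cleartext, which is not an acceptable fix. A DN the DC does not hold (the first candidate above) is the kind of path that comes back as a referral rather than a bind failure.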
 
David Thielen

Hi;

Progress!!!

Ok, that got me connected with ldp. And in ldp view | tree failed for
"CN=Users,DC=picard,DC=windward,DC=local" but succeeded for
"CN=Users,DC=windward,DC=local". So I changed my string in Web.Config to
"LDAP://picard.windward.local/CN=Users,DC=windward,DC=local" but still got:

Parser Error Message: Default Membership Provider could not be found.

And it highlights:

Line 42: <membership defaultProvider="ADMembershipProvider">

Any other ideas?
 
Joe Kaplan (MVP - ADSI)

That looks like more of an error with the provider model's class factory.
Like I said before, I don't really know much about membership stuff (just
the LDAP stuff), so I'm not sure what's up with that.

You might want to start a new thread on that though with just the relevant
config stuff.

Joe K.
 
Luke Zhang [MSFT]

Hello,

In your original message:

<membership defaultProvider="MembershipADProvider">

And then, in this message:

<membership defaultProvider="ADMembershipProvider">

Is there anything wrong here?

Thanks,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
David Thielen

Hello;

I have seen both in various postings and so have tried both. I don't know
what belongs there as I have not found any documentation for this. Which
should I use?
 
David Thielen

Hello;

Ok, I tried:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="login.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.3600, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

And got the error:
Parser Error Message: Could not load file or assembly 'System.Web,
Version=2.0.3600, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of
its dependencies. The system cannot find the file specified.

Source Error:


Line 64: <providers>
Line 65: <add name="AspNetActiveDirectoryMembershipProvider"
Line 66:
type="System.Web.Security.ActiveDirectoryMembershipProvider,
Line 67: System.Web, Version=2.0.3600, Culture=neutral,
Line 68: PublicKeyToken=b03f5f7f11d50a3a" />

Any ideas?
 
David Thielen

I noticed that
http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
gives two different version numbers depending on the sample (short or long).

I finally got it to accept System.Web with a version number of 2.0.0.0 -
which is not the displayed version number of System.Web!!

Second, it shows:
connectionUserName="UserWithAppropriateRights"
connectionPassword="PasswordForUser"
but should be:
connection-username="UserWithAppropriateRights"
connection-password="PasswordForUser"

And finally, with or without username/password I now get:
Parser Error Message: The specified connection string does not represent a
valid LDAP adspath.

I have tried:
<add name="ADService" connectionString="LDAP://picard.windward.local/" />
<add name="ADService" connectionString="LDAP://windward.local/" />
<add name="ADService" connectionString="LDAP://picard/" />

Same error on all. My domain is windward.local and my SBS server (domain
server) is the machine picard.

?????

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
 
Luke Zhang [MSFT]

Can you post the whole <connectionStrings> and <membership> sections for
us to study?

Thanks,

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
David Thielen

Here is the entire Web.Config:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings/>

<connectionStrings>
<add name="ADService" connectionString="LDAP://picard/" />
<add name="WindwardPortal" connectionString="Data Source=BELLE;Initial
Catalog=WindwardPortal;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>

<system.web>

<roleManager enabled="true"/>
<compilation debug="true">
<assemblies>
<add assembly="System.Security, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
</compilation>

<pages theme="Portal"/>

<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="login.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
/>
</providers>
</membership>

</system.web>
</configuration>
 
David Thielen

Got it! I had to remove:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="login.aspx">
</forms>
</authentication>

I don't know where I saw that but when I removed it, it worked. Do I need to
have some kind of <authentication> tag for when it does have to prompt
someone (they are not hitting it with IE from a domain computer)?
 
Luke Zhang [MSFT]

If you only add:

<authentication mode="Forms" />

Will it report same error?

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
c.ramanjaneyulu

Hi Guys,
I too am getting the same problem even if I specify <authentication
mode="Forms" />.
Parser Error Message: The specified connection string does not
represent a valid LDAP adspath.

I'm trying to reset the password for active directory but I'm
getting the following problem if I remove the backslash (/) from
LDAP://rmz.domain.local/
"The Active Directory membership provider does not support password
reset without password question and answer."

else getting same problem as you stated.

please help me out from this problem...
 
David Thielen

Hello;

If I have:

<add name="ADService" connectionString="LDAP://picard.windward.local/" />

....

<authentication mode="Forms">
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
/>
</providers>
</membership>

It goes to login.aspx and when I enter username/password and click login I
get:

Parser Error Message: The specified connection string does not represent a
valid LDAP adspath.


If I use:
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
/>
</providers>
</membership>

then I get no login and my Context.User is WINDWARD\dave and authenticated
via NTLM (this is good).

But when I call Membership.GetUser() I get the exception:
{"The specified connection string does not represent a valid LDAP adspath.
(C:\\src\\portal\\web.config line
49)"} System.Configuration.ConfigurationErrorsException

Any ideas?
 
David Thielen

ps - I can use ldp.exe to get info from picard.windward.local on the same
machine so that should work.
 
L

Luke Zhang [MSFT]

Did you enable full-trust policy for the ASP.NET application? The
ActiveDirectoryMembershipProvider class requires unrestricted
DirectoryServicesPermission permission to run. This permission is not added
to any of the partial-trust policy files supplied with ASP.NET.

Luke Zhang
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
David Thielen

No, how do I do that? And must it be full trust or just
DirectoryServicesPermission?
 
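A static check of the web.config wiring that catches the mistakes the thread worked through one at a time: a defaultProvider name that does not match the registered provider (Luke's point about MembershipADProvider versus ADMembershipProvider), a System.Web assembly version other than 2.0.0.0, a connection string that is not an LDAP ADsPath, a cleartext administrator credential in the provider element, and a trust level below Full, which Luke's last post raises because the provider needs unrestricted DirectoryServicesPermission. This is an added PowerShell example, not from the thread or any participant; the web.config path and the aspnet_regiis application path in the messages are assumptions.

```powershell
# Added example, not from the thread. Assumption: the app lives at C:\src\portal
# (the path in the exception text) and is deployed under the virtual path /portal.
function Test-AdMembershipConfig {
    param([string]$Path = 'C:\src\portal\web.config')
    [xml]$cfg = Get-Content -LiteralPath $Path
    $web      = $cfg.configuration.'system.web'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. defaultProvider must name a provider registered in <providers>.
    $default   = $web.membership.defaultProvider
    $providers = @($web.membership.providers.add)
    $prov      = $providers | Where-Object { $_.name -eq $default }
    if (-not $prov) {
        $names = ($providers | ForEach-Object { $_.name }) -join ', '
        $findings.Add("defaultProvider '$default' is not registered; <providers> has: $names")
        return $findings
    }

    # 2. The type must reference the GAC assembly identity System.Web, Version=2.0.0.0
    #    (the file version shown in Explorer is not the assembly version).
    if ($prov.type -notmatch 'ActiveDirectoryMembershipProvider,\s*System\.Web,\s*Version=2\.0\.0\.0') {
        $findings.Add("type does not reference System.Web, Version=2.0.0.0: $($prov.type)")
    }

    # 3. The named connection string must exist and look like LDAP://host[:port][/DN].
    #    This is a syntax check only; the provider applies its own, stricter parsing.
    $csName = $prov.connectionStringName
    $cs     = @($cfg.configuration.connectionStrings.add) | Where-Object { $_.name -eq $csName }
    if (-not $cs) {
        $findings.Add("connectionStringName '$csName' is not in <connectionStrings>")
    } elseif ($cs.connectionString -notmatch '^LDAP://[A-Za-z0-9.\-]+(:\d+)?(/.*)?$') {
        $findings.Add("connectionString is not an LDAP ADsPath: $($cs.connectionString)")
    }

    # 4. Bind credentials: without connectionUsername the provider binds as the process
    #    identity. If a credential is present it must not be a domain admin, and the
    #    section holding it must not stay in cleartext.
    if ($prov.connectionUsername -match 'administrator') {
        $findings.Add("connectionUsername '$($prov.connectionUsername)' is a domain administrator account")
    }
    if ($prov.connectionPassword) {
        $findings.Add('connectionPassword is stored in cleartext; run: aspnet_regiis -pe "system.web/membership" -app "/portal"')
    }

    # 5. connectionProtection="None" disables SSL and sign-and-seal on the LDAP session.
    if ($prov.connectionProtection -eq 'None') {
        $findings.Add("connectionProtection='None' sends the bind and every query unencrypted")
    }

    # 6. The provider needs unrestricted DirectoryServicesPermission, which only Full trust grants.
    $trust = $web.trust
    if ($trust -and $trust.level -ne 'Full') {
        $findings.Add("trust level is '$($trust.level)'; ActiveDirectoryMembershipProvider requires Full trust")
    }
    return $findings
}

$f = @(Test-AdMembershipConfig)
if ($f.Count -eq 0) { 'No findings' } else { $f }
```

Run it against the full web.config posted earlier in the thread and it reports only the ADsPath check as clean; adding connectionUsername="windward\administrator" from the first post makes items 4 fire. Check 6 is silent when no <trust> element is present because the default level then comes from machine.config, which this script does not read.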