SSL ADAM and XP

Discussion in 'ASP .Net Security' started by Noremac, Sep 5, 2006.

  1. Noremac

    Noremac Guest

    I am going around in circles. Sorry for posting a question that may already
    be answered.

    I want to use the ADAM Membership Provider on my development Windows XP
    machine using VS2005.

    I have ADAM working on my local computer. I got it working through the
    ASP.NET 2.0 RBAC article.

    I set up web.config based on things I found via Google. But when I call this
    line: MembershipUserCollection users = Membership.GetAllUsers(), I get
    "Unable to establish secure connection with the server using SSL".

    I can only find references to getting SSL with W2K machines or disabling SSL
    on XP machines. I want to have SSL work on XP.

    I do have a fabrikam certificate from other samples I have on this machine.

    These are the LDAP connection strings I have tried that do not work:
    LDAP://localhost:389/CN=AzManAdamStore,OU=SecNetPartition,O=SecNet,C=US
    LDAP://localhost:636/CN=AzManAdamStore,OU=SecNetPartition,O=SecNet,C=US
    LDAP://fabrikam.com:389/CN=AzManAdamStore,OU=SecNetPartition,O=SecNet,C=US
    LDAP://fabrikam.com:636/CN=AzManAdamStore,OU=SecNetPartition,O=SecNet,C=US

    Thanks!
    Noremac
    Noremac, Sep 5, 2006
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    If you already have an SSL cert for fabrikam.com, you can use that for ADAM
    (as long as you use the fabrikam.com DNS name to connect, not localhost).

    For ADAM, you want to install the cert and private key into the store for
    the service account running ADAM. If you do some Google searches, you'll
    find more details.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Sep 6, 2006
    #2
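The name-match point in the reply above (the certificate is issued to fabrikam.com, so dialing localhost cannot validate) can be checked outside the membership provider. The following is an added example, not code from this thread or from the ASP.NET provider: a stand-alone LDAPS probe built on System.DirectoryServices.Protocols, which ships with .NET 2.0. It prints the certificate the ADAM instance presents, builds its chain, refuses the bind unless the certificate's DNS name equals the host that was dialed, and then runs the kind of user search that GetAllUsers() needs. The host name, port and partition DN are taken from the thread; the bind DN (CN=svc-web,...) and its password are hypothetical placeholders for an ADAM user you would create yourself.

```csharp
// Added example: LDAPS probe against an ADAM instance. Not the thread's code.
// Assumed: host/port/partition from the thread; bind DN and password are placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class AdamLdapsCheck
{
    // The host must match the certificate's DNS name; "localhost" will not
    // if the certificate was issued to fabrikam.com.
    const string Host = "fabrikam.com";
    const int Port = 636;
    const string PartitionDn = "OU=SecNetPartition,O=SecNet,C=US";
    // Hypothetical ADAM user used for the simple bind (assumption, not from the thread).
    const string BindDn = "CN=svc-web,OU=SecNetPartition,O=SecNet,C=US";
    const string BindPassword = "<read from protected config, never a literal>";

    // Invoked once per connection with the server's certificate. Returning false
    // aborts the handshake, so a mismatched or untrusted cert never sees a password.
    static bool VerifyServerCert(LdapConnection connection, X509Certificate certificate)
    {
        X509Certificate2 cert = new X509Certificate2(certificate);
        Console.WriteLine("Subject : " + cert.Subject);
        Console.WriteLine("Issuer  : " + cert.Issuer);
        Console.WriteLine("Validity: " + cert.NotBefore + " to " + cert.NotAfter);

        // Chain validation in the context of the account running this program.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // dev box; use Online in production
        bool chainOk = chain.Build(cert);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("Chain   : " + status.Status + " " + status.StatusInformation.Trim());

        // Name check: the DNS name in the certificate must equal the host we dialed.
        string certName = cert.GetNameInfo(X509NameType.DnsName, false);
        bool nameOk = string.Equals(certName, Host, StringComparison.OrdinalIgnoreCase);
        Console.WriteLine("Name    : cert says '" + certName + "', dialed '" + Host + "' -> "
                          + (nameOk ? "match" : "MISMATCH"));

        return chainOk && nameOk;
    }

    static void Main()
    {
        // fullyQualifiedDnsHostName = true: use Host exactly as given, no DC discovery.
        LdapDirectoryIdentifier server = new LdapDirectoryIdentifier(Host, Port, true, false);
        using (LdapConnection conn = new LdapConnection(server))
        {
            conn.SessionOptions.SecureSocketLayer = true;   // TLS from the first byte on 636, not StartTLS
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.VerifyServerCertificate =
                new VerifyServerCertificateCallback(VerifyServerCert);

            // Simple bind as an ADAM principal. Over port 389 this would put the
            // password on the wire in clear text; SSL is what makes it acceptable.
            conn.AuthType = AuthType.Basic;
            conn.Credential = new NetworkCredential(BindDn, BindPassword);
            try
            {
                conn.Bind();
            }
            catch (LdapException ex)
            {
                // Distinguishes a failed handshake from bad credentials (LDAP result 49).
                Console.WriteLine("Bind failed: code " + ex.ErrorCode + ", " + ex.Message);
                return;
            }
            Console.WriteLine("Bound over LDAPS as " + BindDn);

            // Enumerate user objects under the partition, the query GetAllUsers() relies on.
            SearchRequest req = new SearchRequest(PartitionDn, "(objectClass=user)",
                                                  SearchScope.Subtree, new string[] { "cn" });
            SearchResponse resp = (SearchResponse)conn.SendRequest(req);
            Console.WriteLine(resp.Entries.Count + " user object(s) under " + PartitionDn);
        }
    }
}
```

Run it under the same Windows account as the ASP.NET worker process: chain building uses that account's certificate stores, so a self-signed sample certificate must be in the Trusted Root store that account can see, or the chain step fails even though the name matches. If the callback reports MISMATCH, fix the host name or the certificate; do not return true to make the error go away, since that turns the LDAPS session into one that accepts any certificate.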

  3. Noremac

    Noremac Guest

    Hi Joe,

    I think I am getting close.

    The missing piece for the certificate setup for me was going into MMC and
    adding a Certificates snap-in pointing to the ADAM instance service. Then I
    added fabrikam to the Personal folder. I tested with ldp and confirmed it
    connects.

    Also, I found this relevant blog: http://www.oftedal.no/~erlend/?blogid=7.
    Also, if you don't have a cert, look at this one:
    http://blogs.msdn.com/cjacks/archive/2005/11/15/493122.aspx

    The other piece of the puzzle that is missing for me is connecting through
    the Membership provider in ASP.NET 2.0. With connectionProtection="Secure" it
    complains with "Logon failure: unknown user name or bad password". It is
    calling the exception a Configuration Error. The exception is only published
    to the application event viewer through the generic ASP.NET 2.0 logging
    handler. Nothing is reported to the Security Audit log nor the ADAM instance
    log.

    BTW, this happens when I call Membership.GetAllUsers();

    I have no users in the ADAM so far.

    We won't be using ADAM for authenticating users. The users will exist
    through CardSpace or OpenId. We'll just be using ADAM as an account store to
    augment those identities with some attributes we want (last visited, etc.).

    So the idea is the Windows Identity of the ASPNET process (currently the
    same one running the ADAM instance on my dev box) will connect to ADAM to
    create and retrieve user objects. But is this the wrong idea? Do I need to
    create an ADAM user object through LDP that will be the administrator and
    then hard-code that username and password into web.config?

    Noremac

    Noremac, Sep 6, 2006
    #3
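The post above asks what the provider configuration should look like once LDAPS works. The fragment below is an added example, not configuration from this thread, showing how ActiveDirectoryMembershipProvider is pointed at an ADAM partition over SSL. Two things it assumes, neither stated in the thread: the connection string targets the partition root (OU=SecNetPartition,O=SecNet,C=US) rather than the CN=AzManAdamStore object from the original strings, because the provider needs a container that holds user objects, and the bind account CN=svc-web is a hypothetical ADAM user. Against ADAM, connectionProtection="Secure" means LDAP over SSL; the provider cannot fall back to Kerberos signing and sealing as it can against Active Directory, so a failed handshake surfaces as a configuration error. enableSearchMethods="true" is required, otherwise GetAllUsers() throws NotSupportedException before any connection is attempted.

```xml
<!-- Added example, not from the thread. Container DN and bind account are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Host must match the certificate's DNS name; port 636 is LDAP over SSL. -->
    <add name="AdamConnection"
         connectionString="LDAP://fabrikam.com:636/OU=SecNetPartition,O=SecNet,C=US" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AdamMembershipProvider">
      <providers>
        <clear />
        <add name="AdamMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdamConnection"
             connectionProtection="Secure"
             connectionUsername="CN=svc-web,OU=SecNetPartition,O=SecNet,C=US"
             connectionPassword="placeholder-replace-then-encrypt-section"
             enableSearchMethods="true"
             attributeMapUsername="userPrincipalName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Do not leave connectionPassword in clear text in a deployed web.config; encrypt the section with the framework's own tool, for example aspnet_regiis -pe "system.web/membership" -app "/YourApp", which leaves the provider configuration readable only by the worker process identity.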
  4. Joe Kaplan

    Joe Kaplan Guest

    Unfortunately I don't know anything useful about the AD membership provider
    yet, so I'm not sure exactly what to tell you regarding how you want to use
    it. It should be possible to find a way to augment user data in ADAM but use
    a different source for the actual authentication. However, I'm guessing
    you'll need to write your own provider to accomplish that. I don't think
    any of the built-in providers allow for a split model like that.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Sep 6, 2006
    #4
  5. Dominick Baier

    Have a look at the profile feature in ASP.NET - that's what you really want.
    That said, there is no profile provider for ADAM and you have to write your
    own.

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier, Sep 6, 2006
    #5
