AD Membership Provider Can't See User Attributes

Discussion in 'ASP .Net' started by John F. Holliday, Dec 24, 2006.

  1. I need to use the ActiveDirectoryMembershipProvider in my application.
    I have set up the provider in the web config, etc. When I use the ASP.NET
    configuration utility and select the Security tab, it throws an
    exception saying that the attribute 'userPasswordQuestion' specified for
    the attributeMapPasswordQuestion property is not an attribute of the
    user class.



    I extended the AD attributes and mapped them to the 'user' class. To
    validate them, I used ADSIEdit to add simple editing functions to the
    context menu of the AD Users and Computers console. Sure enough, when I
    right-click on any user in any OU, I see the 5 attributes listed and the
    console calls my custom VB script that displays the current value of the
    attribute and lets me set the value to anything I want. Bottom line -
    the attributes do exist and are indeed associated with the user class.



    I rebooted the machine and ran the application again. Now the exception
    is different. It says that the userPasswordQuestion attribute must be
    of type 'Directory String'. All of the documentation I have read says
    to set it to "Context Insensitive String". I went back to the AD schema
    and tried to create an attribute of type 'Directory String', but no such
    type exists.



    What is going on? And why is this so difficult?
     
    John F. Holliday, Dec 24, 2006
    #1

  2. I added another couple of attributes named 'pwdQuestion' and
    'pwdAnswer', both of type 'Unicode String'. At first, the only
    attribute it recognized was pwdQuestion. Although both attributes are
    the same type, it took about 10 minutes before it started recognizing
    pwdAnswer. This tells me there was some sort of system-wide indexing
    that needed to complete before the app would recognize the attribute as
    being associated with the user class.



    After it recognized both attributes, I was able to see the users in the
    designated OU. So far - so good. But when I try to create a user, it
    throws a huge exception saying there was a problem with the _InvokeFast
    method. No additional details. Apparently, it is trying to store the
    question and the answer and hitting a problem. I'm guessing security?
    I'm using a domain administrator account to connect to LDAP. Should I
    be using a different account?

    --

    John F. Holliday | Principal Architect - Information Worker Solutions

    Idea Integration, A MPS Group Company





     
    John F. Holliday, Dec 24, 2006
    #2
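
The provider configuration the two posts above describe, written out as an added example (not code from the thread or its author). `pwdQuestion` and `pwdAnswer` are the attribute names from the second post; the host, OU, service account and the three failed-answer attribute names are hypothetical placeholders, and the dedicated low-privilege account in place of a domain administrator is an assumption about how the connection would be scoped.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder domain controller and OU: the provider only sees users below this container. -->
    <add name="ADConnection"
         connectionString="LDAP://dc01.example.local/OU=WebUsers,DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADMembership">
      <providers>
        <!--
          connectionUsername: hypothetical service account, delegated on the OU only
          (create users, reset passwords, write the mapped attributes), not a domain admin.
          connectionProtection="Secure": do not fall back to an unprotected LDAP bind.
        -->
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             connectionUsername="EXAMPLE\svc-webmembership"
             connectionPassword="REPLACE_ME"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             attributeMapPasswordQuestion="pwdQuestion"
             attributeMapPasswordAnswer="pwdAnswer"
             attributeMapFailedPasswordAnswerCount="pwdAnswerFailCount"
             attributeMapFailedPasswordAnswerTime="pwdAnswerFailTime"
             attributeMapFailedPasswordAnswerLockoutTime="pwdAnswerLockoutTime" />
        <!--
          Schema expectations for the mapped attributes (all single-valued, on the user class):
            pwdQuestion, pwdAnswer   Unicode String (LDAP syntax name: Directory String, 2.5.5.12)
            pwdAnswerFailCount       Integer
            pwdAnswerFailTime        Large Integer/Interval
            pwdAnswerLockoutTime     Large Integer/Interval
        -->
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because `connectionPassword` sits in the file in clear text, the membership section can be encrypted in place with `aspnet_regiis -pe "system.web/membership" -app "/YourApp"` (the application path is a placeholder).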
