Using login alias in Membership Provider


Stephen Walch

Our user directory allows authentication with "short names". For example,
the user "Joe Cool/Acme" can log in with the user id "jcool".

In implementing an ASP.NET Membership Provider, we cannot figure out how to
supply the real user name (used in access control settings, etc.) when users
log in using just the short name. It seems like the ValidateUser method
should provide a way to supply the real name in addition to just returning
true or false. Are we missing something?

Thanks!
 

Dominick Baier

No - this is just not supported by membership. If you need to augment the
membership data with additional data you need to use Profile and simply write
your own authentication library that is not tied to membership.
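
One way to structure the non-membership authentication layer for the short-name scenario in the question, as an added example that is not part of the original thread: every login form is resolved to the single canonical name, the password is checked against that entry, and only the canonical name is returned for use in the authentication ticket. `AliasAuthenticator`, the `checkPassword` hook and the sample entries are hypothetical and constructed for illustration.

```vbnet
Imports System
Imports System.Collections.Generic

' Added example: alias-to-canonical-name resolution in front of a custom credential check.
Public Class AliasAuthenticator
    ' Alias (case-insensitive) -> canonical names that claim it.
    Private ReadOnly _aliases As New Dictionary(Of String, List(Of String))(StringComparer.OrdinalIgnoreCase)
    ' Hypothetical hook into the directory's own password check, keyed by canonical name.
    Private ReadOnly _checkPassword As Func(Of String, String, Boolean)

    Public Sub New(checkPassword As Func(Of String, String, Boolean))
        _checkPassword = checkPassword
    End Sub

    Public Sub AddAlias(aliasName As String, canonicalName As String)
        Dim owners As List(Of String) = Nothing
        If Not _aliases.TryGetValue(aliasName, owners) Then
            owners = New List(Of String)()
            _aliases(aliasName) = owners
        End If
        If Not owners.Contains(canonicalName) Then owners.Add(canonicalName)
    End Sub

    ' Returns the canonical name on success. Every failure returns Nothing,
    ' so the caller cannot tell an unknown alias from a wrong password.
    Public Function Authenticate(login As String, password As String) As String
        Dim owners As List(Of String) = Nothing
        If String.IsNullOrEmpty(login) OrElse Not _aliases.TryGetValue(login.Trim(), owners) Then Return Nothing
        If owners.Count <> 1 Then Return Nothing   ' ambiguous alias: fail closed
        If Not _checkPassword(owners(0), password) Then Return Nothing
        Return owners(0)
    End Function
End Class

Module Demo
    Sub Main()
        ' Constructed sample data; a real check would call the directory, not compare literals.
        Dim auth As New AliasAuthenticator(Function(name, pw) name = "Joe Cool/Acme" AndAlso pw = "sample-only")
        auth.AddAlias("Joe Cool/Acme", "Joe Cool/Acme")
        auth.AddAlias("jcool", "Joe Cool/Acme")
        auth.AddAlias("Joe", "Joe Cool/Acme")
        auth.AddAlias("Joe", "Joe Smith/Acme")   ' second owner makes "Joe" ambiguous
        Console.WriteLine(auth.Authenticate("jcool", "sample-only"))
        Console.WriteLine(auth.Authenticate("Joe", "sample-only") Is Nothing)
        ' In the login page, issue the ticket for the canonical name, not the typed alias:
        '   FormsAuthentication.SetAuthCookie(canonicalName, False)
    End Sub
End Module
```

Because the ticket carries the canonical name, role checks and access control lists see the same identity no matter which alias was typed.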
 

Steven Cheng[MSFT]

Hello Stephen,

I think Dominick's suggestion is reasonable. From the requirement you
mentioned, you want to also provide an additional display name when the
user logs in through their login ID. I think the display name is an additional
field to the built-in membership provider; the built-in membership provider
exposes username, password, email, question, answer.... properties.

Therefore, if you want to attach such additional properties, you may
consider extending the default membership provider or using other storage
(such as the Profile properties Dominick mentioned). Would you also tell us
how you will use the display name in your application's code (some pseudo
code will be helpful). We can consider which approach is better according to
your concrete scenario.

Here are some articles about the ASP.NET profile service and membership
provider:

#ASP.NET Profile Properties
http://msdn2.microsoft.com/en-us/library/at64shx3.aspx

#Defining ASP.NET Profile Properties
http://msdn2.microsoft.com/en-us/library/d8b58y5d.aspx


#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

Please feel free to let me know if you have any further questions or ideas.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead






This posting is provided "AS IS" with no warranties, and confers no rights.
 

Stephen Walch

I believe that you have misunderstood my question. I am not trying to add a
"Display Name". Users have only one name ("John Smith/Acme") and that is
the only name that is ever used in access control lists, role membership
lists, etc. and it is the only name that should be displayed.

The problem is that my directory allows users to authenticate with multiple
versions of their name ("John Smith", "jsmith" (e-mail address removed)" or even
"John" or "Smith" if those happen to be unique in the organization).
Regardless of how they authenticate, I always want to return the real name
"John Smith/Acme" to ASP.NET.
 

Steven Cheng[MSFT]

Thanks for your reply Stephen,

So are you using the AD membership provider currently? If so, the AD membership
provider only allows us to authenticate users in a single format. If
you're not authenticating users through the AD membership provider, are you using
a custom provider or an extended membership provider derived from the AD membership
provider? As you said that

"Users have only one name ("John Smith/Acme") and that is the only name
that is ever used in access control lists, role membership lists, etc."

Then, you should always use this name as the username to validate through
the membership provider. In other words, you cannot make the membership
provider know both "John Smith/Acme" and "(e-mail address removed)", you must
determine which schema to use. At least the current built-in
ActiveDirectory membership provider requires this.

Also, as for the ACL (Access Control List) you mentioned, are they normal
NTFS file ACLs or AD object ACLs? How will you use them in your application?

If convenient, you can provide the membership & role manager specific
configuration in your application's web.config so that we can get a clear
view of it.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



 

Renaud Langis

Hello,

If I understand correctly, you want to authenticate a user with either his
userId, his name, shortname, cn....?

You can search through AD using the anr property then get the user's UPN.

For this, you need to add some code to perform the search (something like
the following)

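ValidateUser(GetUPN(<whatever>), <password>)

' Requires: Imports System.DirectoryServices
Private Function GetUPN(ByVal userId As String) As String
    ' Bind to the root of the current domain.
    Dim de As DirectoryEntry = _
        System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().GetDirectoryEntry()
    Dim deSearch As DirectorySearcher = New DirectorySearcher()

    deSearch.SearchRoot = de
    ' Escape LDAP filter metacharacters (RFC 4515) so the typed login
    ' cannot change the structure of the search filter.
    Dim safeId As String = userId.Replace("\", "\5c").Replace("*", "\2a") _
        .Replace("(", "\28").Replace(")", "\29").Replace(ChrW(0).ToString(), "\00")
    deSearch.Filter = "(&(objectClass=user)(anr=" + safeId + "))"
    deSearch.SearchScope = SearchScope.Subtree
    deSearch.PropertiesToLoad.Add("userPrincipalName")
    ' FindOne returns a single SearchResult (or Nothing), not a collection.
    Dim result As SearchResult = deSearch.FindOne()
    If Not (result Is Nothing) AndAlso result.Properties("userPrincipalName").Count > 0 Then
        Return result.Properties("userPrincipalName")(0).ToString()
    Else
        Return Nothing
    End If
End Function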

You may need additional search properties.

Warning: the function may not work as is.

HTH

Renaud
 

Stephen Walch

Thanks, but I am not using AD. See above posts.

 
