Active Directory Provider for ASP.NET V2 Membership Services

For AD/ADAM, there is a Membership provider - in both the later CTPs and Beta 2. It is not immediately obvious, though, since a.) we don't have a default setting for it and b.) the docs for it won't be completed until RTM.

In the interim, you can enable the AD/ADAM provider using the following provider <add /> element and <connectionStrings> element in config:

<connectionStrings>
    <add name="MyADProviderConnection"
         connectionString="LDAP://mydomain.corp.test.com/ou=SomeUserOU,DC=mydomain,DC=corp,DC=test,DC=com" />
</connectionStrings>

Note that I threw in all of the config attributes - a lot of these have defaults and don't need to be in config unless you want a different value:

<add name="MyADProvider"
     type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="MyADProviderConnection"

     connectionUsername="mydomain\administrator"
     connectionPassword="password"
     connectionProtection="Secure"

     description="Some description."

     enablePasswordReset="true"
     enableSearchMethods="false"
     requiresQuestionAndAnswer="true"
     applicationName="/"
     requiresUniqueEmail="false"

     maxInvalidPasswordAttempts="5"
     passwordAttemptWindow="10"
     passwordAnswerAttemptLockoutDuration="30"

     minRequiredPasswordLength="7"
     minRequiredNonAlphanumericCharacters="1"
     passwordStrengthRegularExpression=""

     attributeMapUsername="userPrincipalName"
     attributeMapEmail="mail"

     attributeMapPasswordQuestion="astringattributeforquestion"
     attributeMapPasswordAnswer="astringattributeforanswers"
     attributeMapFailedPasswordAnswerCount="anIntegerattribute"
     attributeMapFailedPasswordAnswerTime="anotherIntegerattribute"
     attributeMapFailedPasswordAnswerLockoutTime="anIntervalattribute" />

Note that mapping username and email is not necessary if userPrincipalName and mail are the attributes you want to use - these two values are the provider's defaults. Setting up password reset is moderately complex: the question, answer, failed-answer count, time and lockout-time attributes must already exist in your directory schema, and the connection account needs the right to reset passwords on the users in that OU. If you set "enablePasswordReset" and "requiresQuestionAndAnswer" to false, then you don't need the attribute mappings for password question and password answer at all.

One more caution: connectionUsername and connectionPassword sit in cleartext in web.config and give the application a standing identity in your domain. Use a dedicated account with only the read (and, if you enable password reset, reset-password) rights it needs rather than the domain administrator shown above, keep connectionProtection at "Secure" so the LDAP session is not in the clear, and encrypt the connectionStrings and membership sections with protected configuration before the config leaves your machine.
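As an added illustration (not config from the original post or from the ASP.NET team), here is how the two fragments above fit into a complete web.config, trimmed to the attributes that actually need setting and wired up as the default provider behind Forms authentication. The domain, OU, account name "svc_aspnetad" and login page are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder directory path; scope it to the OU that holds the application's users -->
    <add name="MyADProviderConnection"
         connectionString="LDAP://mydomain.corp.test.com/ou=SomeUserOU,DC=mydomain,DC=corp,DC=test,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication: Login.aspx (placeholder) calls Membership.ValidateUser,
         which the default provider below answers against the directory -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ADAUTH" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>

    <membership defaultProvider="MyADProvider">
      <providers>
        <clear />
        <!-- svc_aspnetad is a placeholder for a dedicated, least-privilege service account,
             not the domain administrator. Everything not listed keeps its provider default,
             including attributeMapUsername=userPrincipalName and attributeMapEmail=mail.
             Password reset and question/answer are switched off, so no extra schema
             attributes have to exist in the directory. -->
        <add name="MyADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MyADProviderConnection"
             connectionUsername="mydomain\svc_aspnetad"
             connectionPassword="password"
             connectionProtection="Secure"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because attributeMapUsername is left at its userPrincipalName default, users log in with their UPN (user@mydomain.corp.test.com), not the sAMAccountName. The connection account's password is still cleartext in this file, so before deployment encrypt the two sections with protected configuration, e.g. aspnet_regiis -pe "connectionStrings" -app "/MyApp" and again for "system.web/membership". The Version=2.0.3600.0 in the type attribute is the Beta 2 build referenced in the post; at RTM the System.Web assembly version is 2.0.0.0.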