Active Directory and ASP.NET 2.0 Beta 2


Are you evaluating Visual Studio 2005 Beta 2 and ASP.NET 2.0? Did you know that we shipped an Active Directory Membership Provider in Beta 2? Until recently, I didn’t either. Apparently we didn’t make too much noise about it because while the team had the time to get the provider in, they didn’t have time to get the documentation for it.


The good news is that (with a little coaching from some of the very helpful folks on the ASP.NET team) I was able to get this provider working successfully on a Virtual PC image of Visual Studio Team System Beta 2. Given that I’m hardly what one would call an active directory expert, if I can get it working that’s a pretty good sign.


So here’s what I did:



  1. Created a new web site.
  2. Added a web.config file.
  3. Set the authentication type to “Forms”
  4. Added a connection string pointing to my Active Directory store. This was one of the parts I had trouble with, since I wasn’t very familiar with LDAP syntax. The fully-qualified domain name for my domain controller was win2k3.vstsb2.local (I know, not very creative), while the domain was vstsb2.local. So the successful connection string section in web.config looks like this:
    <connectionStrings>
     <add connectionString=”
    LDAP://win2k3.vstsb2.local/CN=Users,DC=vstsb2,DC=local”
          name=”ADConnString”/>
    </connectionStrings>


  5. Then I added the following Membership section (note that this is a very simple implementation, and omits many of the optional attributes):
    <membership defaultProvider=”AspNetActiveDirectoryMembershipProvider”>
       <providers>
          <add name=”AspNetActiveDirectoryMembershipProvider”
             type=”System.Web.Security.ActiveDirectoryMembershipProvider,
             System.Web, Version=2.0.3600.0, Culture=neutral,
             PublicKeyToken=b03f5f7f11d50a3a”
             connectionStringName=”ADConnString”
             connectionUsername=”vstsb2.local\Administrator”
             connectionPassword=”password”/>
       </providers>
    </membership>
     

  6. Next, I added a new folder to the site, named it “protected” (the name is arbitrary), and added a web.config to this folder with an authorization section denying access to anonymous users.
  7. Finally, I added a page to the new folder that writes out the name of the current user, and added a login page at the root level with a Login control to perform the authentication.

In addition to my musings above, there’s some good coverage of this provider in the security article I pointed to earlier this week (see the authentication section).


A couple of other notes:



  • With the syntax above for the membership provider configuration, you’ll need to log in using the User Principal Name (UPN) rather than the typical DOMAIN\user syntax used for Windows authentication. The UPN syntax is basically user@domain (note that there may be more to it than that…UPN is something I only read up on today, so I’m hoping my explanation is adequate <g>). So for my example above, the user Andrew would log in using andrew@vstsb2.local as the username, and then the password as normal.
  • If you’d prefer to use the SAM account name instead of the UPN, you’ll need to add the following attribute to the <membership> element:
       attributeMapUsername=”SAMAccountName”
  • Once having added the above attribute, you should be able to log in using the username alone.

I hope if other folks are experimenting with this provider, it’ll help you avoid some of the pitfalls that I ran into. I’m guessing that folks with a little more AD and/or LDAP experience will find it easier than I did, but it’s very cool to be able to take advantage of AD with a pretty straightforward configuration change, and still have all the login controls “just work”.


UPDATE:


One other point I want to be sure to make is that it is even more critical, when using Forms Authentication to authenticate against an Active Directory credential store, that you use SSL to protect the login page. By default Forms Authentication (much like Basic Authentication in IIS) sends credentials across the wire unencrypted. So make sure SSL is a part of your development, testing, and deployment plan.

Comments (21)

  1. Big props to G. Andrew Duthie for pulling together this little post about how to get the AD providers…

  2. .NET

    Rocks – Reston, VA / Washington, DC! [Via: trobbins ]

    Active

    Directory and ASP.NET 2.0 Beta…

  3. kfarmer says:

    Does it use ADSI, or does it use a different (and relatively undocumented) LDAP mechanism I saw signs of in 2.0?

    ADSI has difficulties talking to other LDAP systems, such as OpenLDAP. This makes it difficult to integrate with such systems.

  4. You can thank Mr Duthie&amp;nbsp;for tracking down this info on hooking your application up to Active Directory.&amp;nbsp;…

  5. Link Blog says:

    .net DElirium : Active Directory and ASP.NET 2.0 Beta 2

    Are you evaluating Visual Studio 2005 Beta 2…

  6. Gollum's den says:

    Как настроить аутентификацию Forms для работы с Active Directory

  7. G. Andrew Duthie shows how to use the ASP.NET 2.0 Active Directory Membership Provider .&amp;nbsp; Sweet!…

  8. I’ve been round the blogverse and there are a lot of cool things being linked to. Seems a shame to have…

  9. kfarmer says:

    When I tried this, it would still throw errors, trying to create a sql data file, rather than just deferring to the AD provider. I’d turned off the role manager, and removed the LocalSqlServer connection string, to no avail.

    It’d be nice to use this, since the latest CTP of yukon doesn’t like to install with the beta2 release of .NET. (I wish they’d align these things better…)

  10. I’m getting a few questions from my post on using the AD Membership provider in ASP.NET 2.0 Beta 2, so…

  11. gduthie says:

    kfarmer,

    I’d suggest starting with a new web.config, and remove any pre-configured membership providers, in addition to removing the local SQL connection string and disabling the role manager as you’ve already done. I’ve not seen the issue you describe, so I’m not sure what else to suggest.

    Andrew

  12. Launch Tour 2005 Knowledge Center

    The launch site for VS2005 and SQL Server 2005

    Thom Robbins -…

  13. YQ Zhang says:

    I found your step-by-step approach very educational and interesting. I enjoy it very much.

  14. Chuck says:

    Have you configured the Active Directory Membership provider to work with the role manager? I’ve been able to authenticate, but when I go into my ASP.NET configuration (website) tool I can’t get it to authenticate. I think this is due to the configuration tool runs on the built in web server instead of my local instance of IIS. Is there a way to change the user that the built in webserver is running under so that I can connect to the AD store and configure the roles?

    Thanks.

  15. gduthie says:

    Chuck,

    I don’t think the web-based configuration tool is set up to work with the AD membership provider in Beta 2, so that may be the source of the issues that you’re running into. You may want to try it with the RC build, which is currently available on MSDN subscriber downloads (look for the Visual Studio 2005 Team Suite – Release Candidate item).

  16. Monte Balam says:

    Good info. I have a question. Can a user create via the Membership API also logon directly to Windows (assuming they have logon remotely authority)? Is this Windows user? I want it to be a Windows user so I can use Windows Authentication in Web Services.

  17. gduthie says:

    Monte,

    I was working with existing users in my experiment with this, and haven’t tried adding a user. But given that the provider can be configured to go against AD directly, and assuming that you have the provider configured to support adding new users, any user added should indeed be a Windows user account, I think. I’m assuming that there is probably more documentation on this in the recent release candidate, and will be even more in the released version of Visual Studio 2005.

  18. This blog entry shows how I researched using Active Directory with Forms Authent

  19. A while back I posted about using the Active Directory Membership Provider in Visual Studio 2005, Beta…