Basic authentication with ActiveDirectoryMembershipProvider - asp.net

I'm trying to get users in the local domain authenticated from ActiveDirectory by iis/asp.net application hosted on a non-domain host.
This is the set up
local domain = MYDOMAIN
iis host = 10.10.1.1 (not in MYDOMAIN)
ActiveDirectory LDAP connection string = LDAP://10.20.1.1/DC=MYDOMAIN,DC=local
web.config
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://10.20.1.1/DC=MYDOMAIN,DC=local" />
</connectionStrings>
...
<authorization>
  <allow users="*"/>
  <deny users="?"/>
</authorization>
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add
      name="ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="MYDOMAIN\Administrator"
      connectionPassword="password"
    />
  </providers>
</membership>
iis settings
Basic Authentication enabled
All other Authentication methods disabled
But with this set up users are not authenticated when credentials entered on the browser auth prompt (user name entered as MYDOMAIN\user - no change without the MYDOMAIN\ part). I don't see iis even connecting to the AD server (10.20.1.1)
What am I doing wrong and how can I debug an issue like this?

Basic Authentication in IIS has no knowledge of Membership Providers in ASP.NET. If you want to do that, then you need to write a custom basic authentication module that uses the Membership APIs (ValidateUser, RoleProvider and such). Luckily it is extremely easy to do that, and we wrote a sample several years ago on how to do that; see this for the end-to-end code and configuration of it (do note that the call to membership is commented out in the sample, but you can just uncomment the line):
http://www.iis.net/learn/develop/runtime-extensibility/developing-a-module-using-net
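The module the answer describes, written out as an added example (this is not the code from the linked IIS sample or from the question): an integrated-pipeline IHttpModule that parses the HTTP Basic `Authorization` header and hands the credentials to `Membership.ValidateUser`, which dispatches to the `defaultProvider` in web.config, here the ActiveDirectoryMembershipProvider. The namespace, class name and realm are assumptions. For this to work, IIS's own Basic Authentication must be off and Anonymous Authentication on (so the request reaches the module), `<authentication mode="None"/>` should be set so FormsAuthentication does not redirect the 401, and the `<authorization>` rules must list `<deny users="?"/>` before `<allow users="*"/>`, because rules are evaluated first-match and the question's order allows everyone before the deny is ever reached. The user name sent to ValidateUser has to be in the form the provider's `attributeMapUsername` expects (userPrincipalName by default, sAMAccountName if configured).

```csharp
// Added example: HTTP Basic authentication against the configured ASP.NET
// MembershipProvider. Register under <system.webServer><modules> as
//   <add name="MembershipBasicAuth" type="Sample.MembershipBasicAuthModule" />
// Basic only base64-encodes the password, so the site must be served over HTTPS.
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

namespace Sample
{
    public sealed class MembershipBasicAuthModule : IHttpModule
    {
        // Assumed realm; it is only the text shown in the browser's prompt.
        private const string Realm = "MYDOMAIN";

        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += OnAuthenticateRequest;
            app.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        private static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            string header = app.Request.Headers["Authorization"];
            if (string.IsNullOrEmpty(header))
                return; // anonymous request; UrlAuthorization produces the 401 if the URL is protected

            string user, password;
            if (!TryParseBasic(header, out user, out password))
                return; // malformed header is treated as anonymous, not as a server error

            // Membership.ValidateUser goes to the defaultProvider from web.config,
            // i.e. the ActiveDirectoryMembershipProvider, which does the AD bind.
            if (Membership.ValidateUser(user, password))
            {
                app.Context.User = new GenericPrincipal(
                    new GenericIdentity(user, "Basic"), new string[0]);
            }
            // On failure Context.User stays unset, so <deny users="?"/> returns 401.
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            if (app.Response.StatusCode == 401)
            {
                // The challenge header is what makes the browser show its credential prompt.
                app.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
            }
        }

        // Parses "Basic base64(user:password)". Returns false on anything malformed.
        internal static bool TryParseBasic(string header, out string user, out string password)
        {
            user = password = null;
            if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
                return false;

            string decoded;
            try
            {
                decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            }
            catch (FormatException)
            {
                return false; // not valid base64
            }

            int colon = decoded.IndexOf(':');
            if (colon <= 0)
                return false; // no separator or empty user name

            user = decoded.Substring(0, colon);
            password = decoded.Substring(colon + 1); // the password itself may contain ':'
            return true;
        }
    }
}
```

Role checks can be layered on by calling `Roles.GetRolesForUser(user)` and passing the result as the principal's role array, provided a RoleProvider is configured alongside the membership provider.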

Related

How to achieve windows authentication in asp.net mvc?

We are implementing a website in ASP.NET MVC4 which has to run on an intranet. We got a requirement for Windows authentication with Active Directory (LDAP). When I change the authentication mode from Forms to Windows, the application logs in automatically without an explicit username and password from the login page.
How to achieve Windows authentication in which the logon page accepts the username and password and validates them?
Please provide me with any examples, if there are any... any help much appreciated.
Thanks in advance
You could leave FormsAuthentication enabled and then add the following membership provider:
<connectionStrings>
  <add name="ADConnectionString" connectionString="YOUR AD CONNECTION STRING" />
</connectionStrings>
and then:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/LogOn" />
  </authentication>
  <membership defaultProvider="MY_ADMembershipProvider">
    <providers>
      <clear />
      <add name="MY_ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
    </providers>
  </membership>
</system.web>
The method you used already seems to be correct.
In Windows authentication, you will get logged in automatically if you try to load the page from the same machine. However, it will ask for the Windows credentials if you try to log in from a different machine.

ldap Novell authentication in asp .net

I'm trying to develop a web application with Novell LDAP Authentication.
I have added in my form login.aspx the Login control and I have configured the web.config in this way:
<connectionStrings>
  <add connectionString="LDAP://10.0.0.100:389/cn=admin,o=pippo" name="myConnectionString"/>
</connectionStrings>
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
</authentication>
<membership defaultProvider="MembershipADProvider">
  <providers>
    <add name="MyADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=2.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="myConnectionString"
         port="389"
         useSSL="false"
         connectionProtection="None"
         connectionUsername="cn=admin,o=pippo"
         connectionPassword="admin"
         enableSearchMethods="true"
    />
  </providers>
</membership>
But when I click on the login button I receive this error:
"This provider can target only Active Directory and ADAM directories."
I noticed that if I enter a wrong password the error message changes to:
"Logon failure: unknown user name or bad password". So I think that in some way the application is connected to the LDAP server and communicates with it.
Now the questions...
Which kind of provider must I choose? Or how can I set up the ActiveDirectoryMembershipProvider in order to log in against Novell LDAP?
In other words, how can I develop LDAP authentication code to look up the user in Novell's LDAP?
Thanks to all in advance
Regards
You will need to create a custom membership provider. There's an example here:
http://forums.asp.net/t/970391.aspx/1
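The authentication core that such a custom provider's `ValidateUser` would call, as an added example (not the code from the linked forum thread, and not a complete MembershipProvider, which has many more abstract members): a search-then-bind routine built on `System.DirectoryServices.Protocols`, which speaks plain LDAP v3 and therefore works with eDirectory where the AD-only provider refuses. It looks the user up with a service account, then binds as the user's own DN to check the password. Host, port, base DN and the `inetOrgPerson`/`cn` lookup are assumptions modelled on the question's configuration; the service-account credential is passed in rather than hard-coded.

```csharp
// Added example: search-then-bind LDAP authentication for a non-AD directory.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

namespace Sample
{
    public sealed class LdapAuthenticator
    {
        private readonly string _host;
        private readonly int _port;
        private readonly string _baseDn;
        private readonly NetworkCredential _serviceAccount;

        // e.g. new LdapAuthenticator("10.0.0.100", 636, "o=pippo",
        //          new NetworkCredential("cn=admin,o=pippo", passwordFromProtectedConfig))
        public LdapAuthenticator(string host, int port, string baseDn, NetworkCredential serviceAccount)
        {
            _host = host;
            _port = port;
            _baseDn = baseDn;
            _serviceAccount = serviceAccount;
        }

        public bool Authenticate(string username, string password)
        {
            // An empty password turns a simple bind into an anonymous bind, which
            // most servers accept; that must never count as a successful login.
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
                return false;

            string userDn = FindUserDn(username);
            if (userDn == null)
                return false;

            using (LdapConnection conn = NewConnection())
            {
                try
                {
                    conn.Bind(new NetworkCredential(userDn, password)); // succeeds only with the right password
                    return true;
                }
                catch (LdapException)
                {
                    return false; // invalidCredentials (49), locked account, etc.
                }
            }
        }

        // Returns the matching entry's DN, or null when there is no match or
        // more than one (an ambiguous match is refused rather than guessed).
        private string FindUserDn(string username)
        {
            using (LdapConnection conn = NewConnection())
            {
                conn.Bind(_serviceAccount);
                string filter = "(&(objectClass=inetOrgPerson)(cn=" + EscapeFilterValue(username) + "))";
                // "1.1" asks for no attributes; only the DN is needed.
                var request = new SearchRequest(_baseDn, filter, SearchScope.Subtree, "1.1");
                var response = (SearchResponse)conn.SendRequest(request);
                return response.Entries.Count == 1 ? response.Entries[0].DistinguishedName : null;
            }
        }

        private LdapConnection NewConnection()
        {
            var conn = new LdapConnection(new LdapDirectoryIdentifier(_host, _port));
            conn.AuthType = AuthType.Basic;               // simple bind with a full DN
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS: a simple bind over plain 389 sends the password in clear
            return conn;
        }

        // Escapes the characters RFC 4515 forbids in a filter value, so a user
        // name containing '*', '(' or ')' is matched literally instead of
        // changing the meaning of the filter.
        public static string EscapeFilterValue(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }
    }
}
```

Which object class and naming attribute identify a user depends on the directory's schema (eDirectory commonly exposes `inetOrgPerson` with `cn` or `uid`), so the filter is the one piece that normally needs adjusting per deployment. The custom provider's other members (CreateUser, GetUser, password changes) can throw NotSupportedException when the directory is read-only from the application's point of view.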

ASP:Login Not Authenticating

I am currently learning form authentication using a SQLMembership provider. The ASP:Login control does not seem to authenticate. Here is the structure of my test site on my local machine:
~/LoginTest/
  Default.aspx
  CreateUser.aspx
  lostpassword.aspx
  web.config
  /login/
    Login.aspx
    ProtectedStuff.aspx
    web.config
In the web.config file of the LoginTest folder I have added the following nodes:
<connectionStrings>
  <add name="EvgSqlConnection" connectionString="connection string" />
</connectionStrings>
<authentication mode="Forms">
  <forms name="LoginTest" loginUrl="~/login/Login.aspx" path="/login"
         cookieless="UseCookies" />
</authentication>
<membership defaultProvider="mySqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add
      name="mySqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="EvgSqlConnection"
      applicationName="LoginTest"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      requiresUniqueEmail="true"
      passwordFormat="Hashed" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="mySqlRoleProvider" cacheRolesInCookie="true" cookieProtection="All">
  <providers>
    <clear/>
    <add name="mySqlRoleProvider" applicationName="LoginTest" connectionStringName="EvgSqlConnection"
         type="System.Web.Security.SqlRoleProvider"/>
  </providers>
</roleManager>
In the web.config in the login folder I have the following:
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
So what this is supposed to do, from what I have read, is deny users access to anything in the login folder. In this case my test file is ProtectedStuff.aspx, which is nothing more than a page with a label. What is currently happening is that everything seems to work except the ASP:Login control. I can currently create a new user with the ASP:CreateUserWizard on CreateUser.aspx. I can recover a new password using the question and answer set up using the ASP:PasswordRecovery control on lostpassword.aspx. I can enter the correct name and password in the ASP:Login control on Login.aspx. The only thing that doesn't seem to work is the actual authentication. Whenever I try to go to ProtectedStuff.aspx it kicks me back to Login.aspx, like it is supposed to when you are not authenticated. Further, I can enter the wrong user name or wrong password and the Login control complains. I can see my user in the website administration page, and I can see that the user is assigned a role.
There is no custom code behind any of these controls; all I have done is copy the SqlProvider name into the MembershipProvider attribute of these controls. SQL Server 2000 is configured with an NT AUTHORITY\Network Service user that has aspnet_Membership Full Access checked. The config files seem to be okay, all the controls seem to be able to read and write to the database correctly, only the Login control doesn't seem to authenticate the user. What else should I be looking for?
I'd start by removing the path attribute from your Forms element:
Specifies the path for cookies issued by the application. The default value is a slash (/), because most browsers are case-sensitive and will not send cookies back if there is a path case mismatch.
If that still fails, I'd get hold of Fiddler and see what cookies are being sent back to the client and to the server after logging in.

ASP.NET Login Control with Active Directory Membership Provider

I have setup a basic application which uses the ActiveDirectoryMembershipProvider to talk to our AD and authenticate users. It's a simple login page with the control which redirects me to a simple output of who is logged in and associated ticket information, this works great and when I test it on my development machine it just works.
However, if I deploy this to the webserver under a virtual directory, it simply refuses to redirect or even acknowledge that the ticket is a valid ticket; it just refreshes back to the login page. If I type in rubbish credentials it actually recognises this and tells me there's an error, but if I log in successfully it just refreshes the page. When I manually go to the information page it treats me as an unauthenticated user!
This is most puzzling! Any help would be greatly appreciated!
Thanks
Jon
As requested a section of the Web.config
<connectionStrings>
  <add name="ActiveDirectory" connectionString="LDAP://x.x.x.117:389/OU=Users,DC=BC,DC=Local"/>
</connectionStrings>
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectory" connectionUsername="xxxxxx" connectionPassword="xxxxxxx" attributeMapUsername="sAMAccountName" applicationName="/"/>
  </providers>
</membership>
Have you turned on impersonation in the web.config file? I believe there are some issues revolving around the membership provider that need impersonation to work properly.
<forms slidingExpiration="true" path="/Search" name=".ADAuthCookie" timeout="10"/>
It was also helpful to include a 'path' attribute!!!!
Jon

ASP.NET Membership - Which user is authenticated and which user is impersonated?

I'm a little confused while trying to find out how ActiveDirectory and ASP.NET Membership work... I've created a new MVC project and removed the AccountController / Views. I've changed the Web.Config so that it uses ActiveDirectory and automatically authenticates users based on their current Windows login:
Web.Config
<authentication mode="Windows">
  <forms
    name=".ADAuthCookie"
    timeout="10" />
</authentication>
<membership defaultProvider="MyADMembershipProvider">
  <providers>
    <clear/>
    <add
      name="MyADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="MYDOMAIN\myuser"
      connectionPassword="xxx"
    />
  </providers>
</membership>
This works nicely, as I can get the user's username like this:
User.Identity.Name() 'Gives MYDOMAIN\myuser
Looking at the following, actually makes me confused:
Threading.Thread.CurrentPrincipal.Identity.Name() 'Gives MYDOMAIN\myuser
1. Shouldn't the thread identity be IUSR_WORKSTATION or ASPNET_WP username?
2. What's the difference between Authentication and Impersonation?
myuser is the authenticated user on that application; that's why your CurrentPrincipal is giving you MYDOMAIN\myuser. The application impersonates IUSR_WORKSTATION when it uses resources like the database, which is a completely different issue.
If you go to Project on your toolbar, and select ASP.NET Configuration, it will open a website that lets you access these settings and create users, roles etc.