using AD to authenticate to different domains - asp.net

So we have been using the same login code to connect to various domains in asp.net, with and without MVC. The code works.
We have a new server, first one to run server 2008 r2, set up with a directory structure similar to one of the ones that has been working.
Using forms authentication, I set up in the web.config
<add name="ADConnectionString" connectionString="LDAP://10.1.XXX.XXX"/>
and
<!--<authentication mode="Windows" />-->
<membership defaultProvider="MyADMembershipProvider" >
<providers >
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="XXXX\Brown.Eric"
connectionPassword="XXXX"
connectionProtection="None"
/>
</providers>
</membership>
It connects to build the membership provider just fine, but when I try to use the exact same username and password to log in on the forms login page (the stock asp.net stuff) it fails to log in.
Same user, same password that's being used to connect with the membership provider.
If I change the password in the web.config, I get an error that it's incorrect, so I know that the membership provider is getting connected with those credentials.
What I can't figure out is why can't I use the same credentials to login?
I've checked:
The user is not locked.
the user is not set to change password on next logon.
The user is not expired.
Any help or hints are appreciated.
Thanks,
Cal-

Figured it out: I had inadvertently removed the "use SAM Account" setting from the above config, and it wanted me to use userPrincipalName instead.
Switched it back to SAM and all worked as expected.
Cal-

Related

ASP.NET Profile Properties returning another users results

I am using ASP.NET profile properties in .NET framework 2.0 application.
Hosting: On Amazon server
Operating System: Windows Server 2012
Sql Server : 2012
IIS: 8.5
Profile properties are for anonymous users.
What is happening with the end users (I am not able to replicate it myself) is that they are seeing the profile properties of another user.
Example: Say I have the country USA set in my profile property.
Next time I visit the webpage it may show some other country, which may have been set by another user.
In IIS, User Mode Caching and Kernel Mode Caching are currently enabled.
Additionally:
I recently changed the hosting, meaning I moved to another server, so does that have anything to do with the properties of anonymous users, or do I need to clean all of the current profile users' data, which I am scared of?
Code:
<profile enabled="true" defaultProvider="AspNetSqlProfileProvider">
<properties>
<add name="ActionRemember" allowAnonymous="true" />
<add name="ActionName" allowAnonymous="true" />
/// huge list of properties .......
</properties>
<providers>
<remove name="AspNetSqlProfileProvider" />
<add name="AspNetSqlProfileProvider" connectionStringName="LocalSql2005Server" applicationName="/" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</profile>
Open to give you more details..
Update: I disabled Kernel Caching for the aspx page and the error still persists
Static variables retain their values across user sessions.
You will run into concurrency issues, as more than one thread servicing a request can modify the value of the variable.
What happens if there are 2 users simultaneously logged in from two computers: User 1 sets the value as 100, then User 2 sets the value as 200. After that, User 1 invokes the Get Value button.
What will he see as the value?
The user will see 200 afterwards.
I added a link for additional information here
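As an added illustration of the answer above (not code from the asker or the answerer), here is a hypothetical page class that caches a profile value in a static field beside the corrected version that reads only from per-user profile storage; the property name "Country" and the class names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not the asker's or answerer's code. "Country" is assumed to be
// declared under <profile><properties> with allowAnonymous="true".
public partial class CountryPageLeaky : Page
{
    // BUG: a static field is one slot shared by every request the worker
    // process serves, regardless of which user (or anonymous id) sent it.
    private static string cachedCountry;

    protected void SaveCountry(string country)
    {
        cachedCountry = country;                 // user 2 overwrites user 1's value
        HttpContext.Current.Profile.SetPropertyValue("Country", country);
        HttpContext.Current.Profile.Save();
    }

    protected string LoadCountry()
    {
        // Returns whatever the most recent request, from any user, stored.
        return cachedCountry;
    }
}

public partial class CountryPageFixed : Page
{
    // FIX: keep per-user state only in per-user storage. ProfileBase is loaded
    // for the current request's identity (the user name, or the anonymous id
    // cookie for allowAnonymous properties), so nothing is shared across users.
    protected void SaveCountry(string country)
    {
        var profile = HttpContext.Current.Profile;
        profile.SetPropertyValue("Country", country);
        profile.Save();
    }

    protected string LoadCountry()
    {
        object value = HttpContext.Current.Profile.GetPropertyValue("Country");
        return value as string ?? string.Empty;
    }
}
```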

Slow authentication to LDAP Server on initial login attempt

The application I set up uses an AspNetActiveDirectoryMembershipProvider to an LDAP server with Forms Authentication. The user authenticates properly, but the first time a user tries to log in from a new browser window there is a delay of over one minute until it authenticates. If the user logs out of the application (but doesn't close the browser) and tries to log back in, it only takes around 6-7 seconds to authenticate.
I figure the second authentication is using a cached connection or socket to make up the initial slow behavior. But how do I get around this problem for the first attempt? Can I somehow initiate a connection to the LDAP server during page load thus saving time during the login process?
Note: I've checked over the LDAP connection string and it's as direct as it's going to get.
<add name="ADService" connectionString="LDAP://doctor.at.ad.cynwulfdesign.com/CN=Users,DC=at,DC=ad,DC=cynwulfdesign,DC=com" />
...
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADService"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
I happened across the reason why the LDAP was taking so long. At first, I thought it was a problem within the Active Directory database causing a slow response. But it appears that it needed the LDAP port number to speed things up. Once I added ":389" to the LDAP url it went from 1:07 down to :03 seconds to authenticate. It's amazing what adding a port number can do to increase response time. I would have figured it already knew what the default LDAP port was. Live and learn.
<add name="ADService" connectionString="LDAP://doctor.at.ad.cynwulfdesign.com:389/CN=Users,DC=at,DC=ad,DC=cynwulfdesign,DC=com" />

ASP.NET ChangePassword Control Stopped Working

We have a couple of ASP.NET WebForms applications that use the ADAM Membership provider, one of which includes the ChangePassword control. The control has started to fail every password change:
Password incorrect or New Password invalid.
New Password length minimum: 6.
Non-alphanumeric characters required: 0.
We can still successfully reset passwords on the ADAM instance, and the logins still authenticate in the applications. There are no exceptions thrown, and no errors in EventViewer.
Here is the provider section of the Web.config:
<membership defaultProvider="ADAMMembershipProvider">
<providers>
<clear/>
<add name="ADAMMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="MembershipConnectionString"
connectionProtection="None"
connectionUsername="[the username]"
connectionPassword="[the password]"
enableSearchMethods="true"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="5"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"/>
</providers>
</membership>
The problem is that ADAM does not allow passwords to be changed over insecure connections by default. There are a couple of ways around this problem:
Setting your connectionProtection property to "Secure" and having the necessary SSL certificates in place.
or
Using dsmgmt and changing the "Ds Behavior" to "Allow passed op on unsecured connection".

MVC3 authorization using AD

Is it possible to authorise/deny users of an MVC3 application using AD?
My app is secured using Windows authentication at the moment, but that means adding users to groups on the Win2007 server.
I'd like to change that so that users are allowed/denied access to the application and controller actions/views based upon their AD roles instead, so they are either auto-logged in (like Windows auth) or they get redirected to a "denied" page.
Any help very gratefully accepted...everything I find seems to be based upon Windows groups, or forms authentication.
You could use the Roles property:
[Authorize(Roles = @"SOMEDOMAIN\somegroup")]
public ActionResult Foo()
{
...
}
Here's a tutorial which explains the steps.
I'm using AD Groups for my intranet app.
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Then I just added Authorization attributes to the controller actions that I needed to secure:
[Authorize(Roles = MyNamespace.Constants.MANAGER_GROUP)]
public ActionResult Blah() {...
And in a view you can use User.IsInRole and the name of their AD/Windows group.
Or get a list of the roles the webserver sees from that user: System.Web.Security.Roles.GetRolesForUser();
Caveat: my server and my clients are all on the same domain. This won't work if you need to do the same for web clients off site against your Active Directory.
Just use the Membership provider framework that comes built in to ASP.NET. You will find that there is already an ActiveDirectoryMembershipProvider out of the box, but you will have to implement the RoleProvider yourself, as membership can be defined in different ways in different networks.
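The last answer says you have to implement the RoleProvider yourself; as an added example (not code from any of the answerers), here is a read-only RoleProvider that turns a user's AD group memberships into ASP.NET roles for [Authorize(Roles = "...")]. The domain name "corp.example" is a placeholder, and role names are assumed to equal the groups' sAMAccountNames.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web.Security;

// Added example, not from the answers above. Register it in web.config under
// <roleManager> as defaultProvider; "corp.example" is a placeholder domain.
public class AdGroupRoleProvider : RoleProvider
{
    private const string DomainName = "corp.example"; // placeholder
    public override string ApplicationName { get; set; }

    // Windows auth hands us "DOMAIN\user"; FindByIdentity wants just "user".
    private static string StripDomain(string username)
    {
        int slash = username.LastIndexOf('\\');
        return slash < 0 ? username : username.Substring(slash + 1);
    }

    public override string[] GetRolesForUser(string username)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, StripDomain(username)))
        {
            if (user == null) return new string[0];
            // GetAuthorizationGroups follows nested membership, which memberOf alone would miss.
            using (var groups = user.GetAuthorizationGroups())
                return groups.Select(g => g.SamAccountName).Where(n => n != null).ToArray();
        }
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username)
            .Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }

    public override bool RoleExists(string roleName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var group = GroupPrincipal.FindByIdentity(ctx, roleName))
            return group != null;
    }

    // AD is the source of truth; the web app must never create or edit groups.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}
```

Each GetRolesForUser call hits the domain controller, so in a real deployment cache the result per user for a short time (the built-in roleManager cookie cache does this when cacheRolesInCookie is enabled).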

ASP.NET Login Control rejects users who exist

I'm having some trouble with the ASP.NET 2.0 Login Control.
I've set up a database with the aspnet_regsql tool.
I've checked the application name. It is set to "/".
The application can access the SQL Server. In fact, when I go to retrieve the password, it will even send me the password. Despite this, the login control continues to reject logins.
I added this to the web.config:
<membership defaultProvider="AspNetSqlProvider">
<providers>
<clear/>
<add name="AspNetSqlProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</membership>
And I added the following to my connection strings:
<remove name="LocalSqlServer" />
<add name="LocalSqlServer" connectionString="Data Source=IDC-4\EXCALIBUR;Initial Catalog=allied_nr;Integrated Security=True;Asynchronous Processing=True"/>
(Note the "remove name" is to get rid of the default connection string in the App_Data directory.)
Why won't the login control authenticate users?
It sounds like you are storing your passwords in plain text, but the default password storage format of SqlMembershipProvider is "Hashed." You would never be able to retrieve a user's password from the database if it is stored as hashed.
A great set of articles about the Membership Provider was written on the 4 Guys From Rolla site. Check it out, as I think it will help!
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
From Part 4 of the series:
"In the Membership system, there are multiple scenarios by which a user's credentials can be invalid:
The username supplied might not exist in the membership directory
The username may exist, but the supplied password might be incorrect
The username and password may be correct, but:
The user may not yet be approved
The user may be locked out; this can happen if the user attempts to login with an invalid password for a specified number of tries (five, by default)
Unfortunately, the ValidateUser(userName, password) method just returns False if the credentials are invalid, and does not include information as to why, exactly, the credentials are invalid"
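Since ValidateUser only returns false, as the quote notes, here is an added server-side diagnostic helper (not code from the answer or the article) that tells the quoted failure cases apart using the MembershipUser record; it assumes the default provider configured in web.config.

```csharp
using System;
using System.Web.Security;

// Added example, not from the answer above. Log the returned string on the
// server only; the login page itself should keep showing the generic failure
// message so that usernames and lockout state are not revealed to callers.
public static class LoginDiagnostics
{
    public static string Explain(string userName, string password)
    {
        if (Membership.ValidateUser(userName, password))
            return "valid";

        // userIsOnline=false so the lookup does not update LastActivityDate.
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null)
            return "no such user for applicationName '" + Membership.ApplicationName + "'";
        if (!user.IsApproved)
            return "user exists but IsApproved is false";
        if (user.IsLockedOut)
            return "user is locked out since " + user.LastLockoutDate.ToString("u")
                 + " (an admin can call UnlockUser())";

        // Remaining case: the password does not match what the provider stored.
        // A row written in Clear/Encrypted format but read by a provider configured
        // as Hashed (or the reverse) lands here too, so report the active format.
        return "password mismatch; provider passwordFormat=" + Membership.Provider.PasswordFormat;
    }
}
```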
