ActiveDirectoryMembershipProvider - "Unable to establish secure connection" - asp.net

I am trying to configure an ActiveDirectoryMembershipProvider but I keep getting the message "Unable to establish secure connection with the server".
I have seen online at the MSDN website that I should configure the trust level to unrestricted on my site and I still get that.
Here is my example:
<connectionStrings>
<add name="LocalAD" connectionString="LDAP://example.com/dc=example,dc=com" />
</connectionStrings>
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="adtest"
connectionUsername="cn=Users"
connectionPassword="password"
connectionStringName="LocalAD" >
</add>
</providers>
</membership>
<trust level="Full" />
<authentication mode="Forms">
<forms loginUrl="login.aspx"
protection="All"
timeout="30"
name="miBenefitsAdminToolCookie"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="Default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

You're supplying what looks like a container instead of an actual user name to be used in making the connection to AD. Provide the canonical name of a user with sufficient credentials to access AD. Note that if the server is in the same domain, the Network System user that the worker process runs under may already have enough privileges and you won't need to provide a name/password at all.
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="adtest"
connectionUsername="cn=actualUser"
connectionPassword="actualUsersPassword"
connectionStringName="LocalAD">
</add>

The connection username can have different formats depending on how the account was configured. If the user is added to the user role only as a DN (distinguished name), then the format CN=username,DC=container can be used.
If the user is added to the user role as a Windows user, then the username alone can be used.
I hope this clarification helps.

Related

Active Directory Authentication failed asp.net

I want to authenticate users using Active Directory, but when I try to log in it fails.
This is my web.config:
<add name="ADConnectionString" connectionString="LDAP://IPAddress/CN=Users,DC=domain,DC=net"/>
<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10" loginUrl="Login.aspx" defaultUrl="Default.aspx">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<membership defaultProvider="DomainLoginMembershipProvider">
<providers>
<add name="DomainLoginMembershipProvider" connectionStringName="ADConnectionString" enableSearchMethods="true" connectionUsername="domain.net\myuser" connectionPassword="mypassword"/>
</providers>
</membership>
Also, when I use the ASP.NET configuration tool to see the users, there is only one user, domaincontroller#domain.net, and when I search Active Directory in Windows there is no domaincontroller#domain.net... Please help me... why can't I at least authenticate with my username!?
Authentication with Active Directory means Windows authentication, so first of all you need to set
<authentication mode="Windows"> instead of <authentication mode="Forms">

ActiveDirectoryMembershipProvider always redirects to signin page

I'm trying to implement the ActiveDirectoryMembership provider so I can use forms authentication against active directory.
I can browse to the application and be redirected to the signin page. If I enter an incorrect password I get the correct error. If I enter the correct password it redirects me to the default URL (/Secure/Default.aspx), but I immediately get redirected back to the signin page. I can see the two redirects because I'm using Fiddler. So I know for sure that it is authenticating against AD correctly, but it is still taking me back to the signin page. I also know that the browser accepts cookies, because I built a test page in the application to prove that. I've included the web.config and relevant code below; I just can't figure out what I am missing...
Edit:
I have found that if I specify UseUri instead of UseCookies, everything starts working. But I have validated that I can store data in a cookie on one page, and retrieve it on another page, so why wouldn't it work for the authentication piece?
Edit 2:
I've also removed my code from the signin page and used the standard login control, same problem.
Web.config file:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/FormsAuth"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<!-- Deny unauthenticated users will cause automatic redirect to the sign in page when using forms authentication. -->
<deny users="?"/>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
Signin page:
bool bIsValid = System.Web.Security.Membership.ValidateUser(txtUsername.Text, txtPassword.Text);
//Authenticate the user credentials against the default membership provider specified in configuration
if (bIsValid)
{
System.Web.Security.FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
}
else
{
//display error
....
}
The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization> section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If the /Secure folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users="?" /> in your main <authorization> section.
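The cookie-path point in the answer above can be checked mechanically. The following is an added example (not code from the question or the answer): it implements the RFC 6265 path-match rule a browser applies before attaching a cookie to a request, and then replays the two redirects the question describes for a cookie issued with path="/FormsAuth" versus path="/". The login and default URLs are the ones quoted in the question; the list of request paths is a constructed sample.

```python
"""Why a forms-auth cookie scoped to path="/FormsAuth" never reaches
/Secure/Default.aspx.

Added example, not code from the original question or answer. Implements
the RFC 6265 (section 5.1.4) path-match rule and replays the redirect
loop from the question. URLs come from the question; SAMPLE_REQUESTS is
a constructed list."""


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: the cookie is sent when the request path is
    identical to the cookie path, or starts with it and either the cookie
    path ends in '/' or the first unmatched request character is '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def paths_receiving_cookie(cookie_path: str, request_paths):
    """Map each request path to whether the browser would attach the cookie."""
    return {p: path_matches(cookie_path, p) for p in request_paths}


def simulate_after_login(cookie_path: str,
                         login_url: str = "/SignIn.aspx",
                         default_url: str = "/Secure/Default.aspx"):
    """Replay the flow from the question: RedirectFromLoginPage sends the
    browser to default_url; if the auth cookie is not attached to that
    request the server sees an anonymous user, <deny users="?"/> fires and
    the browser lands back on login_url. Returns the page trail."""
    trail = [login_url, default_url]
    if not path_matches(cookie_path, default_url):
        trail.append(login_url)  # the bounce-back seen in Fiddler
    return trail


# Constructed sample request paths for the report below.
SAMPLE_REQUESTS = [
    "/SignIn.aspx",
    "/Secure/Default.aspx",
    "/FormsAuth",
    "/FormsAuth/Page.aspx",
    "/FormsAuthentication/Page.aspx",  # shares the prefix but is a different segment
]

if __name__ == "__main__":
    for cookie_path in ("/FormsAuth", "/"):
        print(f'cookie path="{cookie_path}"')
        for req, sent in paths_receiving_cookie(cookie_path, SAMPLE_REQUESTS).items():
            print(f"  {req:35} {'sent' if sent else 'NOT sent'}")
        print("  trail:", " -> ".join(simulate_after_login(cookie_path)))
```

Two details worth keeping in mind when applying this to IIS: the path comparison is a byte-for-byte prefix test, so it is case-sensitive even though IIS resolves URLs case-insensitively, and a prefix that does not end at a "/" boundary (as in the "/FormsAuthentication" sample) does not match.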

Untrusted domain error when using membership

I'm trying to develop an ASP.NET website which has registration and login functions. To do this, I'm using Membership by following this guide:
http://msdn.microsoft.com/en-us/library/ff648345.aspx
I've run Aspnet_regsql.exe and set up the database, and also changed my Web.config file to reflect this:
<connectionStrings>
<add name="MsSqlConnection" connectionString="Data Source=fostvm;Initial Catalog=db_74;User ID=user74;password=mypassword;Integrated Security=SSPI;" />
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="Account/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MsSqlConnection"
applicationName="WebSite10"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
I don't get any errors while loading the log in or registration page, but when I try to log in with dummy account data I get this error thrown:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
I've Googled it and found loads of threads from different forums and blogs but no solutions have worked.
Is there any glaring error in my config that I've missed?
Thanks.
My guess would be that in your connection string you have:
Data Source=fostvm;Initial Catalog=db_74;User ID=user74;password=mypassword;Integrated Security=SSPI;
And can someone correct me: when you have Integrated Security=SSPI specified, the User ID and password are ignored and Windows authentication will be used? In this case most likely it would be the Application Pool account, or maybe even the IUSR_ account for anonymous access, which may not have permissions to your database.
So to sum it up: try to remove Integrated Security=SSPI from the connection string, or replace it with Integrated Security=false.
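The conflict the answer describes is easy to catch with a small check over the connection string. The following is an added example, not code from the question or the answer: it parses a SqlClient-style connection string into keywords and reports when SQL credentials are present but will be ignored because Integrated Security is on, and when a SQL password sits in clear text in the config. The sample input is the string quoted in the question, with the suggested Integrated Security=false variant beside it.

```python
"""Lint a SqlClient connection string for the Integrated Security /
SQL credential conflict discussed above.

Added example, not code from the original question or answer. The
sample strings are the one quoted in the question and a corrected copy.
Finding codes are this example's own naming."""

INTEGRATED_KEYS = ("integrated security", "trusted_connection")
USER_KEYS = ("user id", "uid", "user")
PASSWORD_KEYS = ("password", "pwd")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;...' into a dict with lowercased keys. Kept simple:
    quoted or braced values containing ';' are not handled."""
    parts = {}
    for segment in cs.split(";"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def uses_integrated_security(parts: dict) -> bool:
    """True when the connection will authenticate as the process identity
    (for ASP.NET, the application pool account) instead of a SQL login."""
    for key in INTEGRATED_KEYS:
        if key in parts:
            return parts[key].lower() in ("sspi", "true", "yes")
    return False


def lint_connection_string(cs: str) -> list:
    """Return a list of finding codes, in a fixed order."""
    parts = parse_connection_string(cs)
    has_user = any(k in parts for k in USER_KEYS)
    has_pwd = any(k in parts for k in PASSWORD_KEYS)
    findings = []
    if uses_integrated_security(parts) and (has_user or has_pwd):
        # SqlClient never sends User ID/password once SSPI is on; the
        # worker process identity is what the database sees.
        findings.append("SSPI_OVERRIDES_SQL_CREDS")
    if has_pwd:
        # A SQL password in web.config is readable by anyone who can
        # read the file; the connectionStrings section can be encrypted.
        findings.append("PLAINTEXT_SQL_PASSWORD")
    return findings


# Sample inputs: the string from the question and the suggested fix.
QUESTION_CS = ("Data Source=fostvm;Initial Catalog=db_74;User ID=user74;"
               "password=mypassword;Integrated Security=SSPI;")
FIXED_CS = QUESTION_CS.replace("Integrated Security=SSPI", "Integrated Security=false")

if __name__ == "__main__":
    for label, cs in (("question", QUESTION_CS), ("fixed", FIXED_CS)):
        print(f"{label}: {lint_connection_string(cs) or 'no findings'}")
```

Either way the password is stored in clear text; if the SQL login is the way forward, the connectionStrings section can be encrypted in place with aspnet_regiis -pe, and if a domain service account is preferable, keep Integrated Security=SSPI, drop the User ID and password, and grant the application pool identity access to the database instead.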

Roles authentication works using Authorization attribute but not via authorization in web.config

I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow users="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
Any ideas on where I'm going wrong or where I could start investigating?
Do you have the RoleManager added to the web.config in your default Scripts folder? Something like below:
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH" />
</authentication>
<roleManager defaultProvider="SqlProvider"
enabled="true"
cacheRolesInCookie="true"
cookieName=".ASPROLES"
cookieTimeout="30"
cookiePath="/"
cookieRequireSSL="false"
cookieSlidingExpiration="true"
cookieProtection="All" >
<providers>
<add
name="SqlProvider"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlServices"
applicationName="SampleApplication" />
</providers>
</roleManager>
</system.web>
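The symptom in the question (every user, administrator or not, bounced to the login page, while allow users="*" or a named user works) is what first-match rule evaluation produces when role information is not available for the request. The following is an added example, not code from the question or the answer: it models how ASP.NET evaluates <authorization> rules, top to bottom with the first matching rule deciding, folder rules before the parent's, "?" for anonymous and "*" for everyone, and uses a roles_enabled switch to stand in for whether a role manager is configured. The principal names and role memberships are constructed samples; the rule sets are the ones quoted in the question plus a typical root.

```python
"""URL authorization rule evaluation, in the order ASP.NET applies it.

Added example, not code from the original question or answer. The
`roles_enabled` flag stands in for whether a role manager supplies role
membership for the request; principals below are constructed samples."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    users: tuple = ()    # user names, "*" (everyone) or "?" (anonymous)
    roles: tuple = ()


def rule_matches(rule: Rule, p: Principal, roles_enabled: bool) -> bool:
    """A rule matches if any listed user or role applies to the principal.
    Name comparisons are case-insensitive, as in ASP.NET URL authorization.
    Without a role manager, no role-based rule can ever match."""
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and not p.authenticated:
            return True
        if p.authenticated and u.lower() == p.name.lower():
            return True
    if roles_enabled:
        held = {r.lower() for r in p.roles}
        if any(r.lower() in held for r in rule.roles):
            return True
    return False


def is_authorized(rules, p: Principal, roles_enabled: bool = True) -> bool:
    """First matching rule decides. If nothing matches, access is allowed,
    because the machine-level root web.config ends with <allow users="*"/>."""
    for rule in rules:
        if rule_matches(rule, p, roles_enabled):
            return rule.action == "allow"
    return True


def effective_rules(folder_rules, parent_rules):
    """Rules merge child-first: a folder's own web.config is consulted
    before the rules inherited from the application root."""
    return tuple(folder_rules) + tuple(parent_rules)


# The Scripts/Admin rules from the question and a typical application root.
SCRIPTS_ADMIN_RULES = (Rule("allow", roles=("Administrators",)),
                       Rule("deny", users=("*",)))
ROOT_RULES = (Rule("deny", users=("?",)), Rule("allow", users=("*",)))

if __name__ == "__main__":
    alice = Principal("alice", True, frozenset({"Administrators"}))  # constructed
    bob = Principal("bob", True)                                     # constructed
    anon = Principal("", False)
    rules = effective_rules(SCRIPTS_ADMIN_RULES, ROOT_RULES)
    for label, enabled in (("role manager enabled", True),
                           ("role manager disabled", False)):
        print(label)
        for p in (alice, bob, anon):
            verdict = "allow" if is_authorized(rules, p, enabled) else "deny (302 to login)"
            print(f"  {p.name or '<anonymous>':12} -> {verdict}")
```

With the role manager disabled, the allow-roles rule can never match, so the deny-everyone rule that follows it catches the administrator too; adding a named allow users rule works precisely because user-name matching does not depend on the role provider. The same ordering rule is why the root section must list deny users="?" before allow users="*": reversed, the allow-everyone rule matches first and anonymous users are let through.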

Asp.net, Active Directory authentication not working

I'm having trouble getting AD authentication working on my website. I have the following test code that works fine:
DirectoryEntry entry = new DirectoryEntry(srvr, usr, pwd);
object nativeObject = entry.NativeObject;
On my website I get the error "Your login attempt was not successful. Please try again." I really haven't been able to figure out what the underlying error in the process is that prevents the login.
Here are the sections in my web.config:
<authentication mode="Forms">
<forms loginUrl="Default.aspx"
timeout="30"
name=".ADAuthCookie"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="Edit.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<membership defaultProvider="MyADMembershipProvider">
<providers>
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADAuthConnection"
applicationName="/"
connectionProtection="Secure"
enableSearchMethods="true"
connectionUsername="company\usr"
connectionPassword="pwd"/>
</providers>
</membership>
Shouldn't this be all that is required? I don't plan to use profile so I haven't configured ProfileProvider, could this cause the problems?
Thanks for help!
Did you check out
How To: Use Membership in ASP.NET 2.0
which gives a nice walkthrough of how to set up and use the AD membership provider? But glancing over that article, it seems you're doing everything right...
Except I don't know what your AD connection string looks like. Can you show us that piece of information?