[FAQ]Active Directory Membership Provider Integration

Author
APGvNext Sam
vNext Dev
2010/12/21 16:38:55 (permalink) Authentication

Active Directory Membership Provider Integration

In order to use the Active Directory Membership Provider, you need to complete the following steps:
  1. Update ~/config/appSettings.config:
    <add key="EnableMembershipIntegration" value="true" /> 

    The key is already defined. You just need to set the value to "true".
  2. Provide the necessary AD connection information (info taken from http://blogs.msdn.com/b/g...2005/08/17/452905.aspx )
    1. In ~/config/sqlconnections.config, add a connection string pointing to the Active Directory store. The following example assumes that your fully-qualified domain name for the domain controller is win2k3.vstsb2.local, while the domain is vstsb2.local. The connection string section in web.config would then look like this:
      <connectionStrings>
       <add connectionString="LDAP://win2k3.vstsb2.local/CN=Users,DC=vstsb2,DC=local" name="ADConnString"/>
      </connectionStrings>
    2. Then in ~/web.config, add the following membership provider info inside <system.web> (note: the following is a very simple implementation, and omits many of the optional attributes):
      <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
         <providers>
            <!-- attributeMapUsername: possible values are sAMAccountName or userPrincipalName -->
            <!-- connectionStringName: must match the connectionString name value -->
            <add name="AspNetActiveDirectoryMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=4.0.0.0, Culture=neutral,
               PublicKeyToken=b03f5f7f11d50a3a"
               attributeMapUsername="sAMAccountName"
               connectionStringName="ADConnString"
               connectionUsername="vstsb2.local\Administrator"
               connectionPassword="password"
               enableSearchMethods="true" />
         </providers>
      </membership>
You should be able to authenticate your user via the AD now.
 
More expert info on AD configuration: http://blogs.msdn.com/b/d...2005/10/11/479941.aspx
 
ADTester.zip - Download this tester to make sure your AD is set up correctly.
Installation: Download & unzip the files onto your forum's root dir, browse to the aspx file and try logging in with the form provided by this tester.

Common Issues:

1. With my local test AD, I'm unable to log in using the ADTester after I created my user using ADSI Edit?

 
There are 2 possible issues: you didn't reset the password after creating the account, or you did not set the userPrincipalName attribute.
 
Ensure that you Reset Password for the user (right click on the user and select Reset Password...), and also make sure that the userPrincipalName attribute is set to the same value as the name attribute.

2. ADTester shows that I can log in, but in the forum I get "There is no such user in our database. You can register an account here..."

Check the Error log in the AdminCP -> System Related Options -> Error Log. Import errors first if there are any.
 
There are 2 common causes: you didn't specify an email for the account (the mail attribute), or the email is already used by another account in the forum database. The forum software cannot auto import your AD accounts if the AD accounts have these email issues.
 
See the attached screenshot for the important fields that must be present for AD integration to work. Pay special attention to the mail and userPrincipalName attributes as the other attributes are usually created by default.
 

3. What if I cannot put my username and password in the web.config?

If you find it impossible to implement such integration because of the Username / Password requirement (note: you only need a non-privileged account, not an admin account), or because you want users to be logged in automatically once they log on to the domain account, here is an alternative method:
 
Windows Authentication without AD membership provider
post edited by APGvNext Sam - 2014/08/01 13:58:38

Attached Image(s)

#1
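An added example, not part of the original post or the forum software: a small check of an ActiveDirectoryMembershipProvider entry for the points the post touches on (a password stored in web.config, an Administrator bind account where a non-privileged one is enough) plus the provider's connectionProtection setting. The function name, finding labels and privileged-account list are assumptions, and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

AD_PROVIDER = "System.Web.Security.ActiveDirectoryMembershipProvider"
# Assumption: a short heuristic list; extend it with your own admin account names.
PRIVILEGED_ACCOUNTS = {"administrator", "admin"}

def audit_membership(web_config_xml):
    """Return (provider name, finding) pairs for AD membership providers."""
    membership = ET.fromstring(web_config_xml).find("./system.web/membership")
    if membership is None or membership.get("configProtectionProvider"):
        # No section, or it is encrypted with ASP.NET protected configuration.
        return []
    findings = []
    for provider in membership.findall("./providers/add"):
        if AD_PROVIDER not in provider.get("type", ""):
            continue
        name = provider.get("name", "(unnamed)")
        # Reduce DOMAIN\user or user@domain to the bare account name.
        user = provider.get("connectionUsername", "")
        account = user.split("\\")[-1].split("@")[0].lower()
        if provider.get("connectionPassword") is not None:
            findings.append((name, "plaintext connectionPassword"))
        if account in PRIVILEGED_ACCOUNTS:
            findings.append((name, "privileged bind account"))
        if provider.get("connectionProtection", "Secure").lower() == "none":
            findings.append((name, "connectionProtection is None"))
    return findings

# Constructed sample based on the provider entry in the post above.
SAMPLE_AS_POSTED = r"""<configuration><system.web>
  <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
      <add name="AspNetActiveDirectoryMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           attributeMapUsername="sAMAccountName" connectionStringName="ADConnString"
           connectionUsername="vstsb2.local\Administrator" connectionPassword="password"
           enableSearchMethods="true" />
    </providers>
  </membership>
</system.web></configuration>"""

# Constructed sample: the same section after protected-configuration encryption.
SAMPLE_ENCRYPTED = """<configuration><system.web>
  <membership configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>placeholder</EncryptedData>
  </membership>
</system.web></configuration>"""
```

The encrypted form is what ASP.NET protected configuration produces for the section (for example with `aspnet_regiis -pe`); the provider reads it transparently at run time.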
GREater
New Member
Re: Active Directory Membership Provider Integration 2013/08/06 03:15:09 (permalink)
Thanks. This info is very helpful.
 
One question though: should I put the connection string in web.config, or /config/sqlconnections.config?
#2
APGvNext Sam
vNext Dev
Re: Active Directory Membership Provider Integration 2013/08/06 08:47:52 (permalink)
You should put it in ~/config/sqlconnections.config along with your SQL server connection. Thanks for the heads up. I'll update the info right away.
#3
© 2014 APG vNext Commercial Version 5.5