Home > Others

Active Directory Membership Provider

Source: Internet
Author: User
Tags ldap syntax connectionstrings
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
ASP. NET 2.0 allows you to validate users via Active Directory, database, or even a custom algorithm.

ASP. NET 2.0 supports a provider-based model for a number of application services including membership. the membership provider is therefore a component that defines the contract between ASP. NET applications and the repository of membership information. among other things, the contract includes methods to validate users 'credentials; change and reset passwords; and create, find, and delete user accounts.

TheActiveDirectoryMembershipProviderProvider manages storage of membership information in Active Directory and Active Directory Application Mode (ADAM) user stores. when using the Active Directory provider, you specify the connection string in the web. config file along with valid credentials to access the Active Directory server. if you do not specify account credentials, Active Directory will use the credentials of the ASP. NET worker process.

You can useActiveDirectoryMembershipProviderAlso in an Active Directory scenario where multiple domains are defined. Suppose you have two domains, each with a connection string entry in<ConnectionStrings>Pointing to the specific user database. You define an instance of the Active Directory provider for each domain to support. Each entry will have different settings for its connection string and perhaps administrative account.

<providers><add name="TestDomain1"type="System.Web.Security.ActiveDirectoryMembershipProvider, ..."connectionStringName="TestDomain1ConnString"connectionUsername="TestDomain1\Admin"connectionPassword="..." /><add name="TestDomain2"type="System.Web.Security.ActiveDirectoryMembershipProvider, ..."connectionStringName="TestDomain2ConnString"connectionUsername="TestDomain2\Admin"connectionPassword="..." /></providers>

The user must indicate the domain in the login page along with credentials. Once you know the user's domain, you change the validation code of the login page as follows:

 

MembershipProvider domainProvider;if (domainName == "TestDomain1")domainProvider = Membership.Providers["TestDomain1"];else if (domainName == "TestDomain2.test.com")domainProvider = Membership.Providers["TestDomain2"];if (domainProvider.ValidateUser(userName, pswd){:}

In general, the two predefined membership providers serve the vast majority of the cases. however, a custom membership system is reasonable if you want to use a non-Active Directory Lightweight Directory Access Protocol (LDAP) provider for authentication, a local or remote Web service, or in general, a completely custom validation algorithm.

Here's what you can follow:

  1. Created a new web site.
  2. Added a web. config file.
  3. Set the authentication type to "Forms"
  4. Added a connection string pointing to my Active Directory store. this was one of the parts I had trouble with, since I wasn' t very familiar with LDAP syntax. the fully-qualified domain name for my domain controller wasWin2k3. vstsb2.local(I know, not very creative), while the domain wasVstsb2.local. So the successful connection string section in web. config looks like this:
    <ConnectionStrings>
    <Add connectionString = "LDAP: // win2k3. vstsb2.local/CN = Users, DC = vstsb2, DC = local"
    Name = "ADConnString"/>
    </ConnectionStrings>
  5. Then I added the following Membership section (note that this is a very simple implementation, and omits attributes of the optional attributes ):
    <Membership defaultProvider = "AspNetActiveDirectoryMembershipProvider">
    <Providers>
    <Add name = "AspNetActiveDirectoryMembershipProvider"
    Type = "System. Web. Security. ActiveDirectoryMembershipProvider,
    System. Web, Version = 2.0.3600.0, Culture = neutral,
    PublicKeyToken = b03f5f7f11d50a3a"
    ConnectionStringName = "ADConnString"
    ConnectionUsername = "vstsblocal \ Administrator"
    ConnectionPassword = "password"/>
    </Providers>
    </Membership>
  6. Next, I added a new folder to the site, named it "protected" (the name is arbitrary), and added a web. config to this folder with an authorization section denying access to anonymous users.
  7. Finally, I added a page to the new folder that writes out the name of the current user, and added a login page at the root level with a Login control to perform the authentication.

In addition to my musings above, there's some good coverage of this provider in the security article I pointed to earlier this week (see the authentication section ).

A couple of other notes:

  • With the syntax above for the membership provider configuration, you'll need to log in using the User Principal Name (UPN) rather than the typical DOMAIN \ user syntax used for Windows authentication. the UPN syntax is basicallyUser@Domain (Note that there may be more to it than that... UPN is something I only read up on today, so I'm hoping my explanation is adequate <g> ). so for my example above, the user Andrew wowould log in using andrew@vstsb2.local as the username, and then the password as normal.
  • If you 'd prefer to use the SAM account name instead of the UPN, you'll need to add the following attribute to the <membership> element:
    AttributeMapUsername = "SAMAccountName"
  • Once having added the above attribute, you should be able to log in using the username alone.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
active directory sso saml active directory search base laravel active directory ldap parameters active directory php kerberos active directory php active directory integration port ldap active directory

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More