Frank Wang's inspirations on .NET

IEnumerable<Inspiration> inspirations = from i in DataContext.Inspirations where i.Sharable == true select i

Forms Authentication with Active Directory in ASP.NET 2.0

Sunday, May 18, 2008 12:59 AM

The Membership API is new to ASP.NET 2.0. It provides a full-fledged infrastructure for managing and authenticating the users of your applications. ASP.NET 2.0 ships with two Membership providers, one for SQL Server and one for Active Directory. While plenty of articles and blog posts have been published on how to use the SQL Server Membership provider, very few cover the Active Directory Membership provider. I was recently leading an enterprise web site project that required Active Directory authentication, and I thought it might be useful to share a few bullet points on using the Active Directory Membership provider in ASP.NET 2.0.

In this blog post, we will implement the AD authentication in an ASP.NET web site by completing the following four steps.

  • Create a web app with a login page
  • Configure the web app to use forms authentication
  • Add the ActiveDirectoryMembershipProvider to the web app
  • Manage users with ActiveDirectoryMembershipProvider

Create a web app with a login page

Open Visual Studio 2008, create a new Web Site named FormsAuthAD. After the web site is created, add a new web form named "Login.aspx", and then place a Login control onto the form.

<asp:Login ID="Login1" runat="server" BackColor="#F7F6F3" BorderColor="#E6E2D8"
    BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
    Font-Size="Small" ForeColor="#333333" Height="130px"
    onloginerror="Login1_LoginError" Width="303px">
    <TextBoxStyle Font-Size="Small" />
    <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid"
        BorderWidth="1px" Font-Names="Verdana" Font-Size="Small" ForeColor="#284775" />
    <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
    <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="Small"
        ForeColor="White" />
</asp:Login>

We don't need to configure anything for the Login control.
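The markup above wires the control's LoginError event to a handler named Login1_LoginError, but the post never shows the code-behind. The following is an added example (not code from the original post) of a code-behind for Login.aspx that records each failed attempt, so that repeated failures against one account or from one address can be spotted later. It assumes the page directive's Inherits attribute names this class and that ASP.NET tracing is enabled; "Security" is a constructed trace category.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for Login.aspx (assumes <%@ Page ... Inherits="Login" %>).
// The Login1 field is generated from the markup by the page compiler.
public partial class Login : Page
{
    // Raised by the Login control after the membership provider rejects the credentials.
    protected void Login1_LoginError(object sender, EventArgs e)
    {
        // Record who failed, from where and when. The password is deliberately not logged.
        string message = string.Format("Login failed for '{0}' from {1} at {2:u}",
            Login1.UserName, Request.UserHostAddress, DateTime.UtcNow);

        // "Security" is a constructed category name for the ASP.NET trace log.
        Trace.Warn("Security", message);

        // The control displays its default FailureText, which does not reveal whether
        // the account exists or the password was wrong; we leave that text unchanged.
    }
}
```

The page-level Trace.Warn call only writes when tracing is turned on (for example with `<trace enabled="true" localOnly="true" />` in web.config). In production you would normally route the same message to a central log instead, but the point is the same: failed logins against a directory are an event worth recording.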

Configure the web app to use forms authentication

If the web site does not already have a web.config file, go ahead and add one to the project. Locate the <authentication> element in the web.config file and change its mode attribute to Forms. Add a <forms> element as the child of the <authentication> element and set the loginUrl, defaultUrl, name and timeout attributes as shown in the following example.

<authentication mode="Forms">
    <forms name=".ADAuthCookie" timeout="10"
           loginUrl="Login.aspx" defaultUrl="Default.aspx">
    </forms>
</authentication>

The <authorization> element is also required to make the forms authentication work. Add the following <authorization> element beneath the <authentication> element in the web.config file.

<authorization>
   <deny users="?"/>
   <allow users="*"/>
</authorization>

What happens here is that only authenticated users are allowed to access the app. The "?" denotes unauthenticated (anonymous) users and the "*" denotes all users; because rules are evaluated in order, anonymous users are denied first and everyone who remains is allowed.

Add the ActiveDirectoryMembershipProvider

The ActiveDirectoryMembershipProvider is configured through membership settings in the web.config file. First of all, we need to add a connection string that points to the Active Directory user container. The domain of my home lab is called dotnetinspirations.com, so my connection string looks like this:

<connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://dotnetinspirations.com/CN=Users,DC=dotnetinspirations,DC=com"/>
</connectionStrings>

Now we need to add the ActiveDirectoryMembershipProvider and point it at the connection string defined above. Add a <membership> element after the <authorization> element as shown below.

<membership defaultProvider="DomainLoginMembershipProvider">
   <providers>
     <add name="DomainLoginMembershipProvider" 
          type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
          connectionStringName="ADConnectionString" 
          connectionUsername="dotnetinspiration.com\administrator" connectionPassword="youradminpassword"/>
   </providers>
 </membership>

Note that connectionStringName is set to the name "ADConnectionString" we specified earlier. An interesting point here is that we overrode the defaultProvider attribute with "DomainLoginMembershipProvider", the provider defined in the <providers> element. We have to override this attribute because the machine-level default membership provider is SqlMembershipProvider, pointing at the localhost\SQLExpress instance, and that is the provider ASP.NET would otherwise use.

In this example, I have full control over my own dotnetinspiration.com domain and I logged into Active Directory as the administrator. If you are running this application in a less flexible environment, you need to obtain a domain account that has sufficient permissions in Active Directory. If you do not specify account credentials (connectionUsername and connectionPassword), the provider uses your ASP.NET web app's process account, which typically has fairly low privileges, and you may not be able to test all the features of the application.
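The <membership> element above stores the domain account's password in clear text in web.config, which anyone who can read the file (backups, source control, a path-traversal bug elsewhere on the server) can then use. ASP.NET 2.0 can encrypt individual configuration sections in place, and the provider reads the decrypted values transparently at runtime. The following is an added example, not code from the original post, that protects the <membership> and <connectionStrings> sections with the built-in DPAPI provider; it assumes the site is deployed at the virtual path "/FormsAuthAD" (a constructed value) and is meant to be run once from a console application or an administrator-only page on the server.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypt the sections of web.config that carry directory credentials.
// Assumption: the site's virtual path is "/FormsAuthAD" (constructed for this example).
public static class ConfigProtector
{
    // Built-in provider that uses the Windows Data Protection API (machine-bound key).
    private const string ProviderName = "DataProtectionConfigurationProvider";

    // Sections that hold the connectionUsername/connectionPassword and the LDAP path.
    private static readonly string[] SectionsToProtect =
        { "system.web/membership", "connectionStrings" };

    // Returns the number of sections that were encrypted by this call.
    public static int Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        int protectedCount = 0;

        foreach (string sectionName in SectionsToProtect)
        {
            ConfigurationSection section = config.GetSection(sectionName);

            // Skip sections that are missing or were already protected on an earlier run.
            if (section == null || section.SectionInformation.IsProtected)
                continue;

            section.SectionInformation.ProtectSection(ProviderName);
            protectedCount++;
        }

        if (protectedCount > 0)
            config.Save(ConfigurationSaveMode.Modified);

        return protectedCount;
    }

    public static void Main()
    {
        int count = Protect("/FormsAuthAD");
        Console.WriteLine("Encrypted {0} section(s).", count);
    }
}
```

The same result can be had from the command line with `aspnet_regiis -pe "system.web/membership" -app "/FormsAuthAD"` (and `-pd` to reverse it). DPAPI keys are specific to the machine, so for a web farm use the RsaProtectedConfigurationProvider and export the key container to each server instead. Encryption does not change the advice above: the account named in connectionUsername should still be a dedicated, least-privilege service account rather than the domain administrator.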

At this point we are ready to test the Active Directory authentication. We will just add a quick line of code to the default.aspx page to display the authenticated user's identity. This goes in the Page_Load event handler of the default.aspx page.

protected void Page_Load(object sender, EventArgs e)
{
  Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));
}

Run the web site and log in using any existing account on your domain. If the login is successful, you will be redirected to the default.aspx page, which displays the name of the logged-in user. Otherwise, the login control automatically displays a login failure message.

Manage users with ActiveDirectoryMembershipProvider

The ActiveDirectoryMembershipProvider not only gives you the ability to authenticate users without writing any code, it also lets you manage users from ASP.NET as if you were working directly against Active Directory. We will demonstrate this by creating a new web form for adding users. From the Solution Explorer, add a new page called CreateNewUser.aspx and, once it is generated, add a CreateUserWizard control to the form.

<asp:CreateUserWizard ID="CreateUserWizard1" runat="server" BackColor="#F7F6F3" 
    BorderColor="#E6E2D8" BorderStyle="Solid" BorderWidth="1px" 
    Font-Names="Verdana" Font-Size="Small">
    <SideBarStyle BackColor="#5D7B9D" BorderWidth="0px" Font-Size="0.9em" 
        VerticalAlign="Top" />
    <SideBarButtonStyle BorderWidth="0px" Font-Names="Verdana" ForeColor="White" />
    <ContinueButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
        BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
        ForeColor="#284775" />
    <NavigationButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
        BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
        ForeColor="#284775" />
    <HeaderStyle BackColor="#5D7B9D" BorderStyle="Solid" Font-Bold="True" 
        Font-Size="0.9em" ForeColor="White" HorizontalAlign="Center" />
    <CreateUserButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
        BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
        ForeColor="#284775" />
    <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" ForeColor="White" />
    <StepStyle BorderWidth="0px" />
   <WizardSteps>
       <asp:CreateUserWizardStep ID="CreateUserWizardStep1" runat="server">
       </asp:CreateUserWizardStep>
       <asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server">
       </asp:CompleteWizardStep>
   </WizardSteps>
</asp:CreateUserWizard>

Just like the Login control, nothing needs to be configured for the CreateUserWizard control to work. ASP.NET reads the web.config file at runtime and learns which data source is used for managing users.

Run the web site again, log into the site this time with a privileged account (we need to be able to create new users). In the browser's address bar, replace default.aspx with CreateNewUser.aspx. Follow the wizard and create a brand new user. Log into the web site one more time with this new account.
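One caveat worth making explicit: the provider performs every directory operation, including the CreateUserWizard's account creation, with the connectionUsername account from web.config, not with the identity of whoever is logged in. Logging in with a privileged account therefore does not restrict who can create users; with the <authorization> rules shown earlier, any authenticated domain user who types CreateNewUser.aspx into the address bar can do it. The following is an added example (not from the original post) of a <location> element, placed as a child of <configuration> in web.config, that limits the page to named administrators. The two user names are constructed placeholders and must be written in the same form those users type into the Login control, since that string is what ends up in User.Identity.Name.

```xml
<!-- Added example: restrict CreateNewUser.aspx to named accounts.
     "webadmin1" and "webadmin2" are placeholder user names. -->
<location path="CreateNewUser.aspx">
  <system.web>
    <authorization>
      <allow users="webadmin1, webadmin2" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```

Rules are evaluated top to bottom, so the <allow> must precede the <deny users="*"/>; with the order reversed, nobody could reach the page. Because the provider account is the one that actually writes to the directory, it is also the right place to apply least privilege: grant it create-user rights on the specific OU behind the connection string rather than using the domain administrator.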

The source code for the example can be downloaded here.

Feedback

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Nice article. You're right, there's not so much info on AD Auth. Nice intro, although how straightforward is it to, say, use the AD permissions to show specific links in a page?

I.e. I have a page of links. I want to show or hide various links (and allow/deny certain actions) based on AD permissions. (something akin to ASP.NET Site-Map Security Trimming)

Any info/links/examples? 5/28/2008 4:54 AM | Mark

# re: Forms Authentication with Active Directory in ASP.NET 2.0

hai te4sting page 6/29/2008 2:15 AM | satish

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hi.

I just like to create a login page for one AD User. So just one AD User should be able to login. How can this be done ? What's the easiest way to do it ?

thx

Rudi 7/15/2008 9:26 AM | Rudi

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hi Rudi,

I would say the easiest way to do it is use the same AD login and check the user's credential in the OnLoggingIn event.

Hope this helps.

Frank 7/15/2008 10:31 AM | Frank Wang

# re: Forms Authentication with Active Directory in ASP.NET 2.0

hi Frank!

First of all thx. What do you mean with the same AD login. You mean I just should check in the OnLoggingIn event if the correct Username is supplied [without password validation] ? The other problem I'm facing right now is that I don't know the connectionstring in advance because the site is deployed on many servers and I don't know these domains in advance. Is there a way to construct the connectionstring somehow dynamically !

thx in advance

Rudi 7/15/2008 12:13 PM | Rudi

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hai

Very nice article! I have also gotten this far (with a lot of trial and error). One question though: what do you mean by "if you are running this application in a less flexible environment, you need to obtain a domain account that has sufficient permissions in Active Directory."

What is sufficient permissions? What kind of permissions are needed to authenticate a user?

Thanks! 8/6/2008 1:13 AM | Pieter-Jan

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hi Pieter-Jan,

The user that logs into the domain controller needs to have permissions for querying Active Directory to be able to authenticate users. Consult your network administrator, who should be able to create an account with sufficient privileges.

Frank
8/6/2008 3:19 PM | Frank Wang

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hi Frank;
Thanks about the article. I can`t use the sample code, and the membership specified here isn't working for me. I found an alternate membership specification:

<add name="MembershipADProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"
enableSearchMethods="true"/>

...but users can't log in with a domain\user user name. Only with user. Why does this happen? How can I set the membership or connection string in order to get this working? Any suggestions?

My conn. string :

<add name="ADConnectionString" connectionString="LDAP://ip/OU=my bu,DC=companyname,DC=net"/>

Thanks in advance. 8/18/2008 6:45 AM | Alex Segovia

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hey Alex, if you want the login to accept domain\username and not just username... delete the line (attributeMapUsername="sAMAccountName")

Hope that helps
9/16/2008 6:49 AM | Tony

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Hi,

Nice article on Active Directory.
I have a question. Is there any way to allow certain users from the Active Directory?

Like for example: there are 100s of names in Active Directory and I would like to allow only 5 of them to access the webpage.

I guess
<Allow users='name1'> works only for hardcoded usernames.

Thanks,
Sreenath 10/8/2008 8:31 AM | Sreenath

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Yes Sreenath. Using the "allow users" only works for hardcoded usernames. So what i would do is check the usernames in the Login_LoggingIn event of your Login control and programmatically allow those 5 users to access the web page based on your business rules. 10/8/2008 11:30 AM | Frank Wang
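As an added example (not code from the original post or its comments), the following code-behind restricts the site to a short list of domain accounts along the lines Frank suggests above. It hooks the Login control's Authenticate event rather than LoggingIn, so that one flag decides the outcome and the control shows its normal failure text for rejected users; the password is still validated against Active Directory through the configured membership provider. It assumes the markup adds onauthenticate="Login1_Authenticate" to the Login control, and the five user names are constructed placeholders.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: allow-list on top of Active Directory credential validation.
// Assumes the Login control in markup carries onauthenticate="Login1_Authenticate".
public partial class Login : Page
{
    // Placeholder account names, written the way users type them into the login form.
    // In a real deployment read these from configuration, not from source code.
    private static readonly string[] AllowedUsers =
        { "alice", "bob", "carol", "dave", "erin" };

    // Case-insensitive membership test; directory account names are not case-sensitive.
    internal static bool IsAllowed(string userName)
    {
        if (userName == null)
            return false;

        string candidate = userName.Trim();
        foreach (string allowed in AllowedUsers)
        {
            if (string.Equals(allowed, candidate, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // When this event is handled, the Login control leaves credential checking to us.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string userName = Login1.UserName;

        // Only bind to the directory for users on the list; either failure leaves
        // e.Authenticated false, so the browser sees the same generic failure message.
        e.Authenticated = IsAllowed(userName)
            && Membership.ValidateUser(userName.Trim(), Login1.Password);
    }
}
```

Because the check happens before the forms-authentication cookie is issued, a user who is not on the list never becomes authenticated and the <deny users="?"/> rule in web.config keeps them out of every page. Keeping the list in web.config or a database, rather than in code, lets an administrator change it without redeploying the site.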

# re: Forms Authentication with Active Directory in ASP.NET 2.0

This is a great article I have been looking for a jumping off point like this for a long time. Thanks so much for this example, 3 things
First, do you have any recommendations for Reference material like books or sites that relate to asp.net and Active Directory Management?
Second, is there an alternate Download location for the source code?
Third, can you limit the login to group membership? If so how would you approach this?
Thanks again for this. It’s exactly what I’ve been looking for. 12/2/2008 2:40 PM | TJ

# re: Forms Authentication with Active Directory in ASP.NET 2.0

I can't run this code... I read it 5 times, and I repeat the procedures again and again. I am always stuck with the error "System.Web.Security.ActiveDirectoryMembershipProvider" 12/5/2008 1:46 AM | help me

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Unable to establish secure connection with the server

Source Error:


Line 91: <add
Line 92: name="MyADMembershipProvider"
Line 93: type="System.Web.Security.ActiveDirectoryMembershipProvi der, System.Web, Version=2.0.0.0,
Line 94: Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Line 95: connectionStringName="ADConnectionString" />
12/5/2008 1:57 AM | help me

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Regarding the first posters question, I have a similar need for allowing users to various parts of our intranet site based on their AD account. How do you implement this on specific pages? I'm using master pages with one site.master. I see this growing into a larger site so this will definitely grow. I need to be able to limit access to certain pages/sub-directories based on AD groups or memberships.

Great info btw. 12/8/2008 5:17 AM | Rog...

# re: Forms Authentication with Active Directory in ASP.NET 2.0

I want to read out the User's Group, so I can generate the following output "Welcome XY, your Role is Admin/User/ etc?

How do I read that out? 12/11/2008 7:13 AM | Erle

# re: Forms Authentication with Active Directory in ASP.NET 2.0

This is a nice article. I need something different
and I don't understand how could I do that. In my organization more than 100 users will see my application. All users should have view permission
(there are reports and charts - so everyone should
has the view permission) but few users (3/4) should have insert,update and delete permission. User should not need to login to the application.
From active directory my application will identify if it's read-only user or read-write authenticated user. Is there any way to do that?
Need help pls......... 3/16/2009 6:36 AM | Maksuda

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Very nice... I got it working without the login.aspx page. I made it completely wide open. No authentication whatsoever to create a guest WiFi AD account. I have three issues. First my page is displaying extremely slowly. It takes about one full minute or more to display one single .aspx page. Second, it takes even longer once the submit button is clicked. Third, the username field in AD for pre-2000 is automatically created randomly with symbols and numbers, etc... Therefore, completely useless, because that's what the Cisco WiFi controller is matching against.

Any thoughts, suggestions or comments? Yes, I am basically building a self-serving WiFi guest portal. Thanks for reading. 3/17/2009 6:32 PM | Seng

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Exactly what I was looking for.

Is it possible to use webpart personalisation using this method, storing the personalisation in the aspnet user database? 4/28/2009 4:49 AM | Paul Creedy

# re: Forms Authentication with Active Directory in ASP.NET 2.0

this has simply been lifted from the Micro$oft site..... 5/19/2009 3:08 PM | joe

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Just wanted to say thank you this helped me alot! 11/2/2011 11:17 AM | Aliyyah

# re: Forms Authentication with Active Directory in ASP.NET 2.0

Nice blog... it worked for me.. thanks a lot... 7/18/2012 8:16 AM | ganesh