Sunday, May 18, 2008 12:59 AM
The Membership API is new to ASP.NET 2.0. It provides you with a full-fledged infrastructure for managing and authenticating users of your applications. ASP.NET 2.0 shipped two Membership providers, SQL Server and Active Directory. While plenty of articles and blog posts have been published on how to use the SQL Server Membership provider, very few have been done for the Active Directory Membership provider. I was recently leading an enterprise web site project that required the Active Directory authentication. I just thought it might be interesting to share with you a few bullet points of using Active Directory Membership provider in ASP.NET 2.0.
In this blog post, we will implement the AD authentication in an ASP.NET web site by completing the following four steps.
- Create a web app with a login page
- Configure the web app to use forms authentication
- Add the ActiveDirectoryMemebershipProvider into the web app
- Manager users with ActiveDirectoryMemebershipProvider
Create a web app with a login page
Open Visual Studio 2008, create a new Web Site named FormsAuthAD. After the web site is created, add a new web form named "Login.aspx", and then place a Login control onto the form.
<asp:Login ID="Login1" runat="server" BackColor="#F7F6F3" BorderColor="#E6E2D8"
BorderPadding="4" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
Font-Size="Small" ForeColor="#333333" Height="130px"
onloginerror="Login1_LoginError" Width="303px">
<TextBoxStyle Font-Size="Small" />
<LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid"
BorderWidth="1px" Font-Names="Verdana" Font-Size="Small" ForeColor="#284775" />
<InstructionTextStyle Font-Italic="True" ForeColor="Black" />
<TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="Small"
ForeColor="White" />
</asp:Login>
We don't need to configure anything for the Login control.
Configure the web app to use forms authentication
If the web.config file was not created, go ahead and add it to the project. Locate the <authentication> element in the web.config file, and then change the mode attribute to Forms. Add the <forms> element as the child of the <authentication> element, set the loginUrl, defaultUrl, name and the timeout attributes as shown in the following example.
<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10"
loginUrl="Login.aspx" defaultUrl="Default.aspx">
</forms>
</authentication>
The <authorization> element is also required to make the forms authentication work. Add the following <authorization> element beneath the <authentication> element in the web.config file.
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
What's happening here is we are allowing only authenticated users to access the app. The "?" indicates unauthenticated users and the "*" indicates all users.
Add the ActiveDirectoryMemebershipProvider
The ActiveDirectoryMemebershipProvider can be configured by specifying memebership settings in the web.config file. First of all, we need to add a connection string that points to the Active Directory user container. The domain name of my home lab is called dotnetinspirations.com, so my connection string looks like this:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://dotnetinspirations.com/CN=Users,DC=dotnetinspirations,DC=com"/>
</connectionStrings>
Now we need to add the ActiveDirectoryMemebershipProvider to use the connection string defined above. Add a <membership> element after the <authorization> element as shown below.
<membership defaultProvider="DomainLoginMembershipProvider">
<providers>
<add name="DomainLoginMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="dotnetinspiration.com\administrator" connectionPassword="youradminpassword"/>
</providers>
</membership>
Note the connectionStringName is set to the name "ADConnectionString" we specified earlier. An interesting point here is we overwrote the defaultProvider attribute to "DomainLoginMemebershipProvider", which is defined in the <providers> element. We have to overwrite this attribute because the machine-level default MembershipProvider points to SQLMembershipProvider, using the localhost\SQLExpress instance, and that's the default provider used by ASP.NET.
In this example, I have all the control over my own dotnetinspiration.com domain and I logged into the Active Directory as the administrator. If you are running this application in a less flexible environment, you need to obtain an domain account that has sufficient permissions in Active Directory. If you do not specify account credentials (connectionStringName and connectionPassword), Active Directory uses your ASP.NET web app's process account, which typically has fairly low priviledges, and you may not be able to test all the features of the application.
Up to this point, we are ready to test the Active Directory authentication. We will just add a quick line of code in the default.aspx page to display the authenticated user's identity. This should be done in the Page_Load event handler of the default.aspx page.
protected void Page_Load(object sender, EventArgs e)
{
Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));
}
Run the web site and log in using any existing account on your domain. If the the login is successful, you will be redirected to the default.aspx page, which displays the name of the logged in user. Otherwise, the login control will automatically display login failure message to you.
Manager users with ActiveDirectoryMemebershipProvider
The ActiveDirectoryMemebershipProvider not only provides you with you the capability of authenticating users without writing any code but also allows you to conveniently manage users in ASP.NET as if you were working on the Active Directory. We will demonstrate this by creating a new web form for adding new users. From the Solution Explorer, add a new page called CreateNewUser.aspx, add a CreateUserWizard control to the form once it is generated.
<asp:CreateUserWizard ID="CreateUserWizard1" runat="server" BackColor="#F7F6F3"
BorderColor="#E6E2D8" BorderStyle="Solid" BorderWidth="1px"
Font-Names="Verdana" Font-Size="Small">
<SideBarStyle BackColor="#5D7B9D" BorderWidth="0px" Font-Size="0.9em"
VerticalAlign="Top" />
<SideBarButtonStyle BorderWidth="0px" Font-Names="Verdana" ForeColor="White" />
<ContinueButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC"
BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
ForeColor="#284775" />
<NavigationButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC"
BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
ForeColor="#284775" />
<HeaderStyle BackColor="#5D7B9D" BorderStyle="Solid" Font-Bold="True"
Font-Size="0.9em" ForeColor="White" HorizontalAlign="Center" />
<CreateUserButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC"
BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana"
ForeColor="#284775" />
<TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" ForeColor="White" />
<StepStyle BorderWidth="0px" />
<WizardSteps>
<asp:CreateUserWizardStep ID="CreateUserWizardStep1" runat="server">
</asp:CreateUserWizardStep>
<asp:CompleteWizardStep ID="CompleteWizardStep1" runat="server">
</asp:CompleteWizardStep>
</WizardSteps>
</asp:CreateUserWizard>
Just like the Login control, nothing needs to be configured for the CreateUserWizard control to work. The ASP.NET reads the web.config file during runtime and it becomes aware of the underlying data source for managing users.
Run the web site again, log into the site this time with a privileged account (we need to be able to create new users). In the browser's address bar, replace default.aspx with CreateNewUser.aspx. Follow the wizard and create a brand new user. Log into the web site one more time with this new account.
The source code for the example can be downloaded here.