Re: AD Login failure when using ActiveDirectoryMembershipProvider



The problem is that XP is just not a realistic test environment!

To access AD you need a domain account, but ASP.NET runs under the local ASPNET account on XP. IIS6 on Windows Server 2003 behaves totally differently, as it uses a machine account that is a domain member when the machine gets joined to the domain (or you manually set a domain account of your choice for the worker process).

If XP is only your testing environment, then you can temporarily use the <identity> element.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Here's my configuration:

- ASP.NET application
- Windows XP Pro running IIS
- Vdir is configured to allow anonymous access
- Anonymous access account is my domain account (for testing purposes it's quicker and easier to do this than to try to get another domain account set up)
- Web application has impersonation turned on (i.e. <identity impersonate="true" />)
My web.config contains:

  <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
      <add name="AspNetActiveDirectoryMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider...
           connectionStringName="ADService"
           connectionProtection="Secure"
           attributeMapUsername="sAMAccountName"
      />
    </providers>
  </membership>

With the above configuration, when I hit the following line of code I get an exception of "Logon failure: unknown user name or bad password."

Membership.ValidateUser( txtUsername.Text, txtPassword.Text );

If I change the web.config to the following, it works.

  <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
      <add name="AspNetActiveDirectoryMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider...
           connectionStringName="ADService"
           connectionUsername="mydomainaccount"
           connectionPassword="mydomainpassword"
           connectionProtection="Secure"
           attributeMapUsername="sAMAccountName"
      />
    </providers>
  </membership>
What has me baffled is that everything I've read says that if you don't supply the connectionUsername and connectionPassword it will use the process identity to connect to AD. The process identity SHOULD be my domain account, because that's the anonymous access account and impersonation is turned on, and it obviously works when I use my domain account credentials.
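The distinction the reply draws (the impersonated request identity versus the identity of the worker process itself) can be checked directly. The following diagnostic helper is an added example for this thread, not code from either poster; it assumes an ASP.NET 2.0 page on the XP box calls IdentityCheck.Write from Page_Load, and the class and method names are my own.

```csharp
// Added diagnostic helper (not from either post): prints the identity of the
// current request thread and the identity of the ASP.NET worker process, so the
// two can be compared on the XP test box described above.
using System;
using System.Security.Principal;
using System.Web;

public static class IdentityCheck
{
    // True only while the request thread is running under an impersonated token
    // (e.g. <identity impersonate="true" /> with the anonymous account).
    public static bool IsImpersonating()
    {
        return WindowsIdentity.GetCurrent(true) != null;
    }

    // Identity of the request thread: with anonymous access plus impersonation
    // this is the anonymous-access account configured in IIS.
    public static string ThreadIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Identity of the worker process. Impersonate(IntPtr.Zero) reverts the
    // thread to the process token for the duration of the using block; on
    // XP / IIS 5.1 this is the local ASPNET account, which is not a domain
    // principal and therefore cannot authenticate to AD.
    public static string ProcessIdentity()
    {
        using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero))
        {
            return WindowsIdentity.GetCurrent().Name;
        }
        // Dispose() calls Undo(), restoring the impersonated token.
    }

    // Call from Page_Load of a throwaway test page to see both values.
    public static void Write(HttpResponse response)
    {
        response.ContentType = "text/plain";
        response.Write("Impersonating   : " + IsImpersonating() + "\r\n");
        response.Write("Thread identity : " + ThreadIdentity() + "\r\n");
        response.Write("Process identity: " + ProcessIdentity() + "\r\n");
    }
}
```

If the process identity line shows MACHINE\ASPNET while the thread identity shows the domain account, that is the mismatch the reply describes: the domain account is only present on the request thread, not on the process.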
