Re: ActiveDirectoryMembershipProvider & ValidateUser
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 27 Feb 2007 16:02:37 -0600
It is entirely possible that your company is using implicit
userPrincipalName values instead of explicitly setting them. By default,
if UPN isn't set, then the user will have an implicit UPN of
sAMAccountName@DNSDomainOfTheDomain. This works for authentication, but I'm
not sure you can search for it that way. I wouldn't be surprised if you
can't in this particular case. I actually don't have an AD to play with
right now that uses implicit UPNs, so I'm not sure what the expected query
behavior is.
If you need to use sAMAccountName, make sure you are using the unqualified
version of the name.
In a multi-domain environment, sAMAccountName will be unique to a given
domain, but it won't necessarily be unique across the forest. UPN is
supposed to be unique forest wide, although the DS doesn't actually try to
enforce that like it does with sAMAccountName at the domain level.
I hope that helps some. I wish I knew all the details here.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Craig Wagner" <MSDNNospam207@xxxxxxxxxxxxx> wrote in message
news:F4F22583-2050-4C2C-A48C-2C82E329E641@xxxxxxxxxxxxxxxx
I believe we have multiple domains, but the user I'm trying to authenticate
(me) is in the domain that the provider is configured to access.
I did just discover one interesting thing. I have an Active Directory on my
home network. I took my proof-of-concept code to my home environment and ran
it. There I was able to authenticate using user@domain.
What my POC does is authenticate using the
ActiveDirectoryMembershipProvider, then use DirectorySearcher to get
information about a username that was entered. Finally it spits out the
values of all the properties associated with the DirectoryEntry.
On my home environment, one of the properties that shows up in the output is
userPrincipalName. In my work environment the userPrincipalName is not in the
property collection.
"Joe Kaplan" wrote:
I doubt that anything in AD needs to change. My guess is that my lack of
detailed knowledge of how the membership provider is designed is the problem
here.
A few more questions:
- Is the AD in question a single domain forest or are there multiple
domains involved?
- If multiple domains, is the user you are trying to authenticate in a
different domain than what you've configured the provider to access?
I'll try to do some poking around this afternoon to see if I can figure out
what the likely cause of the problem is.
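
Added example, not part of the original thread and not code from either poster: one way to build a DirectorySearcher filter from a user-entered login so that both an explicit UPN and the implicit sAMAccountName@DNSDomain form discussed above can resolve, with the input escaped per RFC 4515. The class name, the domainDnsName parameter and the corp.example.com inputs are assumptions, as is the premise that an implicit UPN is not stored in userPrincipalName and so cannot be matched on that attribute.

```csharp
using System;
using System.Text;

static class LoginFilter
{
    // RFC 4515 escaping so user-entered text cannot change the filter's structure.
    static string Escape(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // domainDnsName: DNS name of the domain being searched (assumed known to the caller).
    // The returned string is meant to be assigned to DirectorySearcher.Filter.
    public static string Build(string login, string domainDnsName)
    {
        const string userOnly = "(objectCategory=person)(objectClass=user)";
        int at = login.LastIndexOf('@');
        if (at < 0) // unqualified name: search sAMAccountName directly
            return "(&" + userOnly + "(sAMAccountName=" + Escape(login) + "))";
        string upn = "(userPrincipalName=" + Escape(login) + ")";
        string suffix = login.Substring(at + 1);
        if (!suffix.Equals(domainDnsName, StringComparison.OrdinalIgnoreCase))
            return "(&" + userOnly + upn + ")"; // can only be an explicit UPN
        // Suffix equals the domain's DNS name, so the login may be an implicit UPN.
        // Following the thread's description, also match the unqualified name on
        // accounts that have no userPrincipalName attribute set.
        string implicitUpn = "(&(sAMAccountName=" + Escape(login.Substring(0, at)) + ")(!(userPrincipalName=*)))";
        return "(&" + userOnly + "(|" + upn + implicitUpn + "))";
    }

    static void Main()
    {
        // Constructed sample inputs; corp.example.com is a placeholder domain.
        Console.WriteLine(Build("cwagner", "corp.example.com"));
        Console.WriteLine(Build("cwagner@corp.example.com", "corp.example.com"));
        Console.WriteLine(Build("smith (temp)*@other.example.com", "corp.example.com"));
    }
}
```

Because sAMAccountName is unique only within a domain, the unqualified branch is reliable only when the search root is the single domain the provider is configured for.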