Re: ActiveDirectoryMembershipProvider & ValidateUser



Have you looked at the MS Patterns and Practices article on using the AD
membership provider to authenticate with AD?

Note that there are a variety of drawbacks with using forms auth. The
primary thing you lose is the actual Windows security token for the user
which contains all of their group membership information and can be used for
impersonation and delegation. You may or may not need those features, but
if you do, they aren't so easy to get back with forms auth.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Mike Voissem" <MikeVoissem@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:493C3361-8788-45C8-B2E1-E77EA388456C@xxxxxxxxxxxxxxxx
Craig,
I'm trying to do much like you mentioned in your MSDN post titled
ActiveDirectoryMembershipProvider & ValidateUser. I'm wondering if I could
get some direction from you. I think what I'm trying to do is the same. I'd
like for an asp.net page with the login control to authenticate the user to
AD vs. using the ugly windows authentication login. For the life of me, I
have not been able to find any good example of how this all has to work.
There are bits and pieces but nothing makes any sense if I try to put it all
together. Plus, the web admins aren't very familiar with asp.net for web
development. I appreciate ANY insight or direction you might be able to give
me.
Regards,
Mike
--
Mike Voissem
Lead Software Engineer
Donnelley Marketing


"Craig Wagner" wrote:

I reverse-engineered System.Web so I could see what the ADMP was doing. It
doesn't do anything tricky with the input value for the user identifier.

I was able to find out from our IT staff that we do not explicitly set the
userPrincipalName, so your suggestion that that was the problem was bang on.

Thanks again.

"Joe Kaplan" wrote:

The membership provider may do some trickery to parse out a qualified name
that you typed in though, so you might as well test it to see how it
behaves. I'm basing my recommendation more on my knowledge of how the
actual LDAP query to find the user works than on direct knowledge of the
membership provider's behavior.
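The failure Craig diagnosed above (ValidateUser returning false because the accounts have no userPrincipalName) comes down to which attribute the provider's LDAP lookup searches on. The web.config below is an added example, not code from anyone in this thread; the domain, server, search base and service account names are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder DC and search base: substitute your own forest. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.example.test/DC=example,DC=test" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth: the page gets a GenericPrincipal, not the user's Windows
         token, which is the trade-off Joe describes above. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name="ADAuthCookie" timeout="20" />
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <!-- With the default attributeMapUsername="userPrincipalName", the
             provider searches for (userPrincipalName=<login name>). If the
             accounts never had a UPN populated, that search matches nothing
             and ValidateUser fails even with a correct password.
             Mapping the login name to sAMAccountName instead searches on the
             pre-Windows 2000 logon name, which every AD user object has. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountName"
             connectionUsername="EXAMPLE\svc_aspnet_bind"
             connectionPassword="PLACEHOLDER-protect-this-section"
             enableSearchMethods="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Omit connectionUsername/connectionPassword to bind as the worker-process identity, or encrypt the section with protected configuration (aspnet_regiis -pe) rather than leaving a cleartext bind password in the file. With sAMAccountName mapping, users log in as plain "jsmith" rather than "jsmith@example.test".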


