ActiveDirectoryMembershipProvider woes

Ok, I've run into the same problem at a different company. Some time ago I posted this:
http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.security/browse_thread/thread/d6d44686f14fdf61

The short version is that I'm setting up a site using FormsAuthentication and the ActiveDirectoryMembership provider. I suspect given the "wonderful" error messages that I'm getting that the user account I was given is missing some permissions somewhere. The problem is that tracking down what permissions are missing is a serious bear. At the last company where I ran into this problem, they punted and made the user used for authentication a Domain Admin because we could not track down the problem.

I'm really trying to find an actionable solution that I can give to a relatively inexperienced domain admin to fix. To that end, I'm trying to use acldiag and dsacls to hopefully determine what is missing, but I can't make heads or tails of the output.

Here is the output from dsacls run from a command prompt as the user I'm trying to use for authentication (domain has been changed obviously). This is a 2003 Domain as far as I can tell.

Access list:
Effective Permissions on this object are:
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS
READ PERMISSONS
Allow FOO\Domain Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow FOO\Enterprise Admins FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
LIST CONTENTS
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow Everyone SPECIAL ACCESS
READ PROPERTY
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow FOO\Exchange Recipient Administrators FULL CONTROL for msExchDynamicDistributionList
Allow FOO\Exchange Servers SPECIAL ACCESS for Exchange Personal Information
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for canonicalName
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for userAccountControl
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for Exchange Information
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for memberOf
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for garbageCollPeriod
READ PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for proxyAddresses
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for showInAddressBook
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for Exchange Personal Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for adminDisplayName
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchMailboxSecurityDescriptor
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMServerWritableFlags
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Public Information
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUserCulture
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for displayNamePrintable
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for mail
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchMobileMailboxFlags
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for userCertificate
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for textEncodedORAddress
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Exchange Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for Exchange Information
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for publicDelegates
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for publicDelegates
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMSpokenName
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for garbageCollPeriod
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMPinChecksum
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for legacyExchangeDN
WRITE PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Domain Password & Lockout Policies
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
READ PROPERTY
Allow NT AUTHORITY\NETWORK SERVICE SPECIAL ACCESS for Exchange Personal Information
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Exchange Information
READ PROPERTY
Allow FOO\Exchange Enterprise Servers Manage Replication Topology
Allow FOO\Domain Controllers Replicating Directory Changes All
Allow FOO\Exchange Servers Change Password
Allow BUILTIN\Administrators Replicating Directory Changes
Allow BUILTIN\Administrators Replication Synchronization
Allow BUILTIN\Administrators Manage Replication Topology
Allow BUILTIN\Administrators Replicating Directory Changes All
Allow S-1-5-32-557 Create Inbound Forest Trust
Allow NT AUTHORITY\Authenticated Users Enable Per User Reversibly Encrypted Password
Allow NT AUTHORITY\Authenticated Users Unexpire Password
Allow NT AUTHORITY\Authenticated Users Update Password Not Required Bit
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Replicating Directory Changes
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Replication Synchronization
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Manage Replication Topology

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS
LIST CONTENTS
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow FOO\Enterprise Admins FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
LIST CONTENTS
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow FOO\Exchange Recipient Administrators FULL CONTROL for msExchDynamicDistributionList
Allow FOO\Exchange Servers SPECIAL ACCESS for Exchange Personal Information
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for canonicalName
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for userAccountControl
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for Exchange Information
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for memberOf
READ PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for garbageCollPeriod
READ PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for proxyAddresses
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for showInAddressBook
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for Exchange Personal Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for adminDisplayName
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for groupType
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchMailboxSecurityDescriptor
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMServerWritableFlags
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for displayName
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Public Information
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUserCulture
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for displayNamePrintable
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for mail
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchMobileMailboxFlags
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for userCertificate
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for textEncodedORAddress
WRITE PROPERTY
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS for Exchange Information
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for Exchange Information
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for publicDelegates
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for publicDelegates
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMSpokenName
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for garbageCollPeriod
WRITE PROPERTY
Allow FOO\Exchange Servers SPECIAL ACCESS for msExchUMPinChecksum
WRITE PROPERTY
Allow FOO\Exchange Recipient Administrators SPECIAL ACCESS for legacyExchangeDN
WRITE PROPERTY
Allow NT AUTHORITY\NETWORK SERVICE SPECIAL ACCESS for Exchange Personal Information
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Exchange Information
READ PROPERTY
Allow FOO\Exchange Servers Change Password

Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow FOO\Exchange Enterprise Servers SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow FOO\Exchange Servers SPECIAL ACCESS
WRITE PERMISSIONS
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
READ PROPERTY
The command completed successfully
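One reason the listing above is hard to read is that dsacls prints the object's DACL, not the rights of the account that ran it: the "Effective Permissions on this object are:" heading is the same whoever invokes the command. To see what the provider's connection account actually gets, the DACL has to be intersected with that account's token (the account plus every group and well-known SID it carries). The script below is an added example, not code from the original post; it parses the 2003-era dsacls text layout shown above into ACE records, filters them by a token, and reports which rights from a required list are absent. The sample input is a constructed, abridged excerpt in the shape of the post's output, and the token (`FOO\svc-web`, `FOO\Domain Users`) is hypothetical; the required-rights list is whatever you decide the provider needs, not something the post establishes.

```python
import re
from dataclasses import dataclass, field

# Section headings in the 2003-era dsacls layout; "Inherited to <target>" sets the
# inheritance target for the ACEs that follow it.
SECTION_RE = re.compile(
    r"^(Access list:|Effective Permissions on this object are:|"
    r"Permissions inherited to subobjects are:|Inherited to (.+)|"
    r"The command completed successfully)$")
HEADER_RE = re.compile(r"^(Allow|Deny) (.+)$")
MARKER_RE = re.compile(r"^(.+?) (SPECIAL ACCESS|FULL CONTROL)(?: for (.+))?$")


@dataclass
class Ace:
    kind: str                 # "Allow" or "Deny"
    trustee: str              # e.g. r"NT AUTHORITY\Authenticated Users"
    scope: str                # "" = whole object, else an attribute, property set or class
    rights: list = field(default_factory=list)  # "READ PROPERTY", "Change Password", ...
    inherited_to: str = ""    # "" = set on this object; else "all subobjects", "user", "group"


def parse_dsacls(text):
    """Turn dsacls text into a list of Ace records, in output order."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Pass 1: headers carrying SPECIAL ACCESS / FULL CONTROL name the trustee unambiguously.
    known = set()
    for ln in lines:
        h = HEADER_RE.match(ln)
        m = MARKER_RE.match(h.group(2)) if h else None
        if m:
            known.add(m.group(1))
    aces, inherit_to = [], ""
    for ln in lines:
        sec = SECTION_RE.match(ln)
        if sec:
            if sec.group(1).startswith("Permissions inherited"):
                inherit_to = "all subobjects"
            elif sec.group(2):
                inherit_to = sec.group(2)
            continue
        h = HEADER_RE.match(ln)
        if not h:
            if aces:
                aces[-1].rights.append(ln)  # continuation line: one right of the current ACE
            continue
        kind, rest = h.groups()
        m = MARKER_RE.match(rest)
        if m:
            trustee, scope = m.group(1), m.group(3) or ""
            rights = ["FULL CONTROL"] if m.group(2) == "FULL CONTROL" else []
        else:
            # Extended right ("Change Password", ...): the trustee is the longest known
            # trustee prefixing the line, or a raw SID that dsacls could not resolve.
            trustee = max((t for t in known if rest.startswith(t + " ")), key=len, default="")
            if not trustee and rest.startswith("S-1-"):
                trustee = rest.split(" ", 1)[0]
            if not trustee:
                raise ValueError("cannot split trustee from right: " + ln)
            scope, rights = "", [rest[len(trustee) + 1:]]
        aces.append(Ace(kind, trustee, scope, rights, inherit_to))
    return aces


def aces_for_token(aces, token, on_object_only=True):
    """ACEs whose trustee is the account or one of the groups/well-known SIDs in its token."""
    return [a for a in aces if a.trustee in token and (not on_object_only or a.inherited_to == "")]


def summarize(aces, token):
    """Allowed right -> set of scopes ("" = whole object) the token holds on this object.
    Deny ACEs are not subtracted here; list them separately before trusting the result."""
    out = {}
    for a in aces_for_token(aces, token):
        if a.kind == "Allow":
            for r in a.rights:
                out.setdefault(r, set()).add(a.scope)
    return out


def missing(summary, required):
    """(right, scope) pairs in `required` the summary does not grant. A right on scope ""
    covers any narrower scope, and FULL CONTROL on the whole object covers everything."""
    if "" in summary.get("FULL CONTROL", set()):
        return []
    return [(r, s) for r, s in required if not {s, ""} & summary.get(r, set())]


# Constructed input: an abridged excerpt in the shape of the post's dsacls output.
SAMPLE = r"""
Access list:
Effective Permissions on this object are:
Allow FOO\Domain Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
Allow FOO\Enterprise Admins FULL CONTROL
Allow Everyone SPECIAL ACCESS
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow FOO\Exchange Servers SPECIAL ACCESS for userAccountControl
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Exchange Information
READ PROPERTY
Allow FOO\Exchange Servers Change Password
Allow S-1-5-32-557 Create Inbound Forest Trust
Allow NT AUTHORITY\Authenticated Users Unexpire Password
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow FOO\Enterprise Admins FULL CONTROL
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
READ PROPERTY
The command completed successfully
"""

# Hypothetical token of the provider's connection account: the account itself plus the
# groups it belongs to (get the real list with `whoami /groups` run as that account).
SERVICE_TOKEN = {r"FOO\svc-web", r"FOO\Domain Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}

if __name__ == "__main__":
    summary = summarize(parse_dsacls(SAMPLE), SERVICE_TOKEN)
    for right, scopes in sorted(summary.items()):
        print(f"{right:20} {sorted(scopes)}")
    print("missing:", missing(summary, [("READ PROPERTY", ""), ("WRITE PROPERTY", "lockoutTime")]))
```

Run it against the real listing by feeding it the saved dsacls output of the object the provider reads (the users container or OU, not just the domain root) and the token of the connection account; the `missing` list is the thing to hand to the domain admin, since it names the exact right and attribute to grant instead of a whole-object role like Domain Admins.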
