Re: ActiveDirectoryMembershipProvider woes
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Jul 2009 08:43:59 -0500
Is the Domain Users group part of the Pre-Win2K compat access group? In many cases permissions are delegated to the Pre-Win2K group but in some domains the Domain Users group is not included in this group so normal users only end up getting the permissions that are delegated to Authenticated Users instead. This may be part of your issue.
Another approach would be to consider trying the ldp.exe tool to connect to the directory, bind with the creds of your service account and then try to search for users in the directory and see what attributes can be returned. That may shed some light.
Any reason why you need to use the AD membership provider? Can you skip the forms auth and just use Windows auth instead?
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Thomas" <Thomas@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:DA199A56-B63C-4096-9D56-3A342341E9E7@xxxxxxxxxxxxxxxx
As a follow-up, I did find this:
http://world.episerver.com/Documentation/Items/Tech-Notes/EPiServer-CMS-5/EPiServer-CMS-SP2/Configuring-EPiServer-CMS-5-to-Use-Active-Directory-Membership-Provider/
Which lists out the permissions, but connecting the permissions it states
that the auth user needs and determining which ones it doesn't on what is
trickier.
Thomas
"Thomas" wrote:
Ok, I've run into the same problem at a different company. Some time ago I<snip>
posted this:
http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.security/browse_thread/thread/d6d44686f14fdf61
The short version is that I'm setting up a site using FormsAuthentication
and the ActiveDirectoryMembership provider. I suspect given the "wonderful"
error messages that I'm getting that the user account I was given is missing
some permissions somewhere. The problem is that tracking down what
permissions are missing is a serious bear. At the last company where I ran
into this problem, they punted and made the user used for authentication a
Domain Admin because we could not track down the problem.
I'm really trying to find an actionable solution that I can give to
a relatively inexperienced domain admin to fix. To that end, I'm trying to use
the acldiags and dsacls to hopefully determine what is missing but I can't
make heads or tails of the output.
Here is the output from dsacls run from a command prompt as the user I'm
trying to use for authentication (domain has been changed obviously). This
is a 2003 Domain as far as I can tell.
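
A scripted version of the ldp.exe check suggested in the reply at the top of this message, added here as an illustration and not part of the original thread: it binds as the service account, looks up one ordinary user, and reports which attributes come back. The server name, base DN, test user and attribute list are placeholder assumptions to replace with your own values.

```powershell
# Added example; the default values below are placeholders, not values from the thread.
param(
    [string]$Server     = 'dc01.example.com',     # placeholder domain controller
    [string]$SearchBase = 'DC=example,DC=com',    # placeholder base DN
    [string]$TestUser   = 'jdoe',                 # sAMAccountName of an ordinary user
    # Assumed sample list; use the attributes your provider configuration maps.
    [string[]]$Attributes = @('sAMAccountName', 'userPrincipalName', 'mail',
                              'userAccountControl', 'pwdLastSet', 'lockoutTime', 'memberOf')
)

# Escape the RFC 4515 special characters so the user name cannot change the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

# Prompt for the service account the site binds with; nothing is stored on disk.
$cred = Get-Credential
$net  = $cred.GetNetworkCredential()
$path = "LDAP://$Server/$SearchBase"
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure

$root = New-Object System.DirectoryServices.DirectoryEntry `
            -ArgumentList $path, $cred.UserName, $net.Password, $auth
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f
                   (ConvertTo-LdapFilterValue $TestUser)
$searcher.PropertiesToLoad.AddRange($Attributes)

try {
    $hit = $searcher.FindOne()
} catch {
    # A failure here points at the bind itself (credentials, server, base DN).
    Write-Error "Bind or search failed: $($_.Exception.Message)"
    return
} finally {
    $root.Dispose()
}

if (-not $hit) {
    Write-Warning "User '$TestUser' is not visible to this account under $SearchBase."
    return
}

# "False" means the attribute was not returned: either the account lacks read
# access to it, or the attribute has no value on this user. Pick a test user
# whose attributes are known to be populated to tell the two apart.
foreach ($name in $Attributes) {
    '{0,-20} returned: {1}' -f $name, $hit.Properties.Contains($name.ToLower())
}
```

Running it once with the service account and once with an account known to work gives two lists to compare, which narrows the missing read permissions to specific attributes.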