Using Forms Authentication with Membership Providers in ASP.NET 2.0
page 2 of 6
by Sudeep G
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 74189/ 183

Part 1: Setting up ActiveDirectoryMembershipProvider

Configuring & Setting up the application in Internet Information Services 6.0

Step 1: Add a connection string for connecting to the active directory

ASP.NET 2.0 introduced the <connectionStrings> configuration section that allows us to define all types of connection strings used by the application. It also includes a default connection string to use SQL Express edition. Open web.config and then locate <configuration>. Add a new line after this and add your connection string.

Listing 1

name="ADConnectionString" />

When I started, I wanted to know how to ensure that this connectionString was a valid one. Here is how I figured it out. Please note that this step assumes that you have read permissions to your Active Directory or you have a dedicated setup as I mentioned in the beginning. I installed Windows Server 2003 Support tools using the link in this KB article:

Windows Server 2003 Service Pack 1 Support Tools.

Run ADSIEDIT.MSC and under ADSI edit you can see your domain structure. Expand the first node in the tree. You should see something like: DC=test,DC=mydomain,DC=com. This is your last part of the LDAP connectionString. If you combine the values against “DC,” then you get your domain name, which will be – the first part of your connectionString. Now, all objects in active directory typically live under an OU (Organization Unit) or “CN.” If you expand the node DC=test,DC=mydomain,DC=com, then you will see either CN=Users or OU=User Accounts or something like this that contains your user accounts. By default, it falls into CN=Users. You can check with your network administrator or expand the OU/CN to locate the user accounts. Once you determine if they are part of or CN, then you can use that in your connection string. In my case when I expanded DC=test,DC=mydomain,DC=com, I found another node CN=Users that contained my user accounts. So I used it. Combining all the portions and then prefixing “LDAP://”, I got my connectionString, which is LDAP://,DC=test,DC=mydomain,DC=com.

Step 2: Add & configure your ActiveDirectoryMembershipProvider

Alright, now we have a connectionString and the next step is to configure your ActiveDirectoryMembershipProvider to use this connectionString. The <membership> element is a configuration that falls under <system.web>/<membership>. You can always refer to the schema settings at MSDN - that is the bible! Here is the link:

add Element for providers for membership (ASP.NET Settings Schema)

The membership provider must have certain attributes to be set. You can refer to the required attributes in the above link. In the description, it is indicated whether it is a required or an optional attribute. The two attributes that are absolutely required are name and type. The name attribute is used to uniquely identify the provider among a collection and used for its instance. The type specifies the type of a custom membership provider that that inherits the MembershipProvider abstract base class. So our provider configuration will look as follows:

Listing 2

<add name="MyADMembershipProvider" 
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, 
Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 

So, how do you get the value against “type”? You can refer to the GAC to get these. Make sure you pick the PublicKeyToken for the correct version of the framework you are using; in this case 2.0. Besides these, I also highly recommend that you configure the following optional attributes. If you wish to know why, please refer to the ASP.NET Settings Schema on MSDN. This is going to save a lot of pain during deployment.

·         applicationName

·         connectionStringName

·         connectionUsername

·         attributeMapUsername

Listing 3

<add name="MyADMembershipProvider" 
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, 
Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
applicationName="FormsWithADAuth" connectionStringName="ADConnectionString"
connectionUsername="domain\username" connectionPassword="StrongPassword"

Step 3: Configure forms authentication in ASP.NET

Add the following under <system.web>.

Listing 4

<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ADAUTH" slidingExpiration="false" timeout="5" />
<deny users=”?”/>
<allow users=”*”/>

So now we have wired these up as follows: Forms authentication (Uses) à Login Control (talks to) à MemberShipProvider (Uses) à specified connectionString.

Step 4: Configuring Application Settings in IIS

Forms authentication requires anonymous access enabled. The following are the steps to enable anonymous authentication in IIS 6.0.

1.    Open Internet Information Services Manager.

2.    Click Start, run and type “Inetmgr” without quotes and press ENTER.

3.    Expand the <ComputerName> node and then expand “Web Sites” node.

4.    Locate your website/virtual folder. Right click and select Properties.

5.    Select Directory Security tab.

6.    Under Authentication and access control, click the “Edit...” button.

7.    Ensure there is a check against “Enable anonymous access” and no other check boxes are checked.

8.    Click OK.

Setting up the application in Internet Information Services 7.0

I really love IIS 7. The new UI allows you to accomplish all of the above tasks from within the IIS manager.

Step 1: Configure Forms Authentication

1.    Open Internet Information Services Manager. Click Start, run and type “Inetmgr” without quotes and press ENTER.

2.    Expand the <ComputerName> node and then expand “Sites” node.

3.    Locate your website/virtual folder and click on it.

4.    Double click on the Authentication icon.

5.    Right click on Anonymous Authentication and select “Enable.”

6.    Right click on Forms Authentication and select “Enable.”

7.    Ensure that any other authentication status is “Disabled.”

8.    Right click on Forms Authentication and select Edit. Configure the following:

          Login URL: Login.aspx

          Authentication cookie time-out (in minutes): 5

          Name: .ADAUTH

          Protection Mode: Encryption and Validation

          Uncheck Extend cookie expiration on every request.

9.    Click on the Back button in IIS User Interface.

Step 2: Configure Authorization

1.    Double click the Authorization Rules icon

2.    In the Actions pane, click on Add Deny Rule...., then select “All Anonymous users” and click on the OK button.

3.    Click on the Back button in IIS User Interface.

Step 3: Configure Connection Strings

1.    Double click on the Connection Strings icon

2.    In the Actions Pane, click on Add...

3.    Configure the following:

Name: ADConnectionString

Click on Custom and then enter your connection string: LDAP://,DC=test,DC=mydomain,DC=com.

4.    Click OK.

5.    Click on the Back button in IIS User Interface.

Step 4: Configure ActiveDirectoryMembershipProvider

1.    Double click on the Providers icon

2.    From the Feature drop down, select .NET Users.

3.    In the Actions Pane, click on Add...

4.    From the Type dropdown, select “ActiveDirectoryMembershipProvider (System.Web.Security...).

5.    In the name box type “MyADMembershipProvider.”

6.    Under ConnectionStringName, select ADConnectionString.

7.    Under ApplicationName, provide a name for the application.

8.    Under Provider Specific Settings, click on the button “...” 

9.    Select each entry after connectionStringName and click on the Remove button.

10. Click on the Add button and for Name, provide: connectionUsername, value: domain\username.

11. Click on the Add button and for Name, provide: connectionPassword, value: Password.

12. Click on the Add button and for Name, provide: attributeMapUsername, value=sAMAccountName.

13. Click on the OK button.

14. Click on the Back button in IIS User Interface.

15. Open the application’s web.config and remove the attribute & value: PasswordFormat=”clear.”


The enablePasswordRetrieval attribute is not supported by ActiveDirectoryMembershipProvider. So remove this property.

PasswordFormat attribute will not be removed due to a bug. So you need to remove this manually.

Run the application and at the forms authentication login page, provide your username (not domain\username) and password and test if you get the home page/default.aspx page.

View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2019  |  Page Processed at 2019-04-19 2:57:30 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search