Configuring & Setting up the application in Internet Information Services 6.0
Step 1: Add a connection string for connecting to the Active Directory
ASP.NET 2.0 introduced the <connectionStrings> configuration section, which lets you define all the connection strings used by the application. It also includes a default connection string for SQL Server Express edition. Open web.config, locate <configuration>, and add your connection string on a new line after it.
Listing 1
<connectionStrings>
<add
connectionString="LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com"
name="ADConnectionString" />
</connectionStrings>
When I started, I wanted to know how to ensure that this connectionString was a valid one. Here is how I figured it out. Please note that this step assumes that you have read permissions to your Active Directory, or that you have a dedicated setup as I mentioned in the beginning. I installed Windows Server 2003 Support Tools using the link in this KB article: Windows Server 2003 Service Pack 1 Support Tools.
Run ADSIEDIT.MSC; under ADSI Edit you can see your domain structure. Expand the first node in the tree. You should see something like DC=test,DC=mydomain,DC=com. This is the last part of the LDAP connectionString. If you combine the values against “DC,” you get your domain name, which will be test.mydomain.com – the first part of your connectionString. Now, all objects in Active Directory typically live under an OU (Organizational Unit) or a CN (Common Name). If you expand the node DC=test,DC=mydomain,DC=com, you will see either CN=Users or OU=User Accounts or something similar that contains your user accounts. By default, they fall under CN=Users. You can check with your network administrator or expand the OU/CN to locate the user accounts. Once you determine whether they are under an OU or a CN, you can use that in your connection string. In my case, when I expanded DC=test,DC=mydomain,DC=com, I found another node CN=Users that contained my user accounts, so I used it. Combining all the portions and then prefixing “LDAP://”, I got my connectionString, which is LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com.
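The following Python script is an added example and is not part of the original article. It automates the check just described: it splits an LDAP connection string into its server part and its distinguished name, rebuilds the domain name from the DC= components, and reports whether the server belongs to that domain. It goes slightly beyond the article by also accepting an optional :port and a server name that is a specific domain controller inside the domain. The inputs it is run against are the article's own connection string and constructed variants of it.

```python
"""Sanity-check an ActiveDirectoryMembershipProvider connection string.

Added example, not code from the original article. It reproduces the check
the article describes doing by hand in ADSI Edit: split the string into the
server part and the distinguished name, rebuild the domain name from the DC=
components, and confirm that the server belongs to that domain. Beyond the
article, it also accepts an optional :port and a server name that is a
specific domain controller inside the domain.
"""
from __future__ import annotations

SCHEME = "LDAP://"


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=Users,DC=test,DC=mydomain,DC=com' into [(type, value), ...].

    A comma escaped as '\\,' inside a value stays part of that value.
    """
    parts: list[str] = []
    current = ""
    escaped = False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current += ch
            escaped = False
        elif ch == "\\":
            current += ch
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    rdns: list[tuple[str, str]] = []
    for part in parts:
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN (no '='): {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_ad_connection_string(conn: str) -> dict:
    """Return the pieces of an LDAP:// connection string and whether they agree."""
    if not conn.upper().startswith(SCHEME):
        raise ValueError("connection string must start with LDAP://")
    server, sep, dn = conn[len(SCHEME):].partition("/")
    if not sep:
        # No server part at all: a serverless bind to the current domain,
        # so there is nothing to compare the DC= components against.
        server, dn = "", server
    host = server.split(":", 1)[0].lower()      # drop an optional :port
    rdns = split_dn(dn)
    # The DC= values, joined with dots, are the domain name (test.mydomain.com).
    domain = ".".join(value for attr, value in rdns if attr == "DC").lower()
    # Everything else (CN=Users, OU=User Accounts, ...) is the container
    # the provider will search for user accounts.
    container = ",".join(f"{attr}={value}" for attr, value in rdns if attr != "DC")

    notes: list[str] = []
    if not domain:
        notes.append("no DC= components: cannot tell which domain this points at")
    if not container:
        notes.append("no CN=/OU= container: user lookups start at the domain root")
    # The server must be the domain itself or a host inside it
    # (dc01.test.mydomain.com); anything else is a mismatch.
    consistent = bool(domain) and (
        host == "" or host == domain or host.endswith("." + domain))
    if host and domain and not consistent:
        notes.append(f"server {host!r} is not in domain {domain!r}")
    return {"server": host, "domain": domain, "container": container,
            "consistent": consistent, "notes": notes}


if __name__ == "__main__":
    # The article's own connection string, used as the sample input.
    print(check_ad_connection_string(
        "LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com"))
```

Run it against the string you are about to put into web.config; a "consistent": False result means the host part and the DC= part name different domains, which is the mistake the ADSI Edit walk-through above is meant to catch.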
Step 2: Add & configure your ActiveDirectoryMembershipProvider
Alright, now we have a connectionString and the next step is to configure your ActiveDirectoryMembershipProvider to use this connectionString. The <membership> element is configured under <system.web>/<membership>. You can always refer to the schema settings at MSDN - that is the bible! Here is the link: add Element for providers for membership (ASP.NET Settings Schema)
The membership provider must have certain attributes set. You can refer to the required attributes in the above link; the description indicates whether each attribute is required or optional. The two attributes that are absolutely required are name and type. The name attribute uniquely identifies the provider within the collection and is used to refer to its instance. The type specifies the type of a custom membership provider that inherits the MembershipProvider abstract base class. So our provider configuration will look as follows:
Listing 2
<membership>
<providers>
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
So, how do you get the value against “type”? You can refer to the GAC to get these. Make sure you pick the PublicKeyToken for the correct version of the framework you are using; in this case 2.0. Besides these, I also highly recommend that you configure the following optional attributes. If you wish to know why, please refer to the ASP.NET Settings Schema on MSDN. This is going to save a lot of pain during deployment.
· applicationName
· connectionStringName
· connectionUsername
· attributeMapUsername
Listing 3
<membership>
<providers>
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
applicationName="FormsWithADAuth" connectionStringName="ADConnectionString"
connectionUsername="domain\username" connectionPassword="StrongPassword"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
Step 3: Configure forms authentication in ASP.NET
Add the following under <system.web>.
Listing 4
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ADAUTH" slidingExpiration="false" timeout="5" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
So now we have wired these up as follows: Forms authentication (uses) -> Login Control (talks to) -> MembershipProvider (uses) -> specified connectionString.
Step 4: Configuring Application Settings in IIS
Forms authentication requires anonymous access to be enabled. The following are the steps to enable anonymous authentication in IIS 6.0.
1. Open Internet Information Services Manager.
2. Click Start, Run, type “Inetmgr” without quotes and press ENTER.
3. Expand the <ComputerName> node and then expand the “Web Sites” node.
4. Locate your website/virtual folder. Right click and select Properties.
5. Select the Directory Security tab.
6. Under Authentication and access control, click the “Edit...” button.
7. Ensure there is a check against “Enable anonymous access” and no other check boxes are checked.
8. Click OK.
Setting up the application in Internet Information Services 7.0
I really love IIS 7. The new UI allows you to accomplish all
of the above tasks from within the IIS manager.
Step 1: Configure Forms Authentication
1. Open Internet Information Services Manager: click Start, Run, type “Inetmgr” without quotes and press ENTER.
2. Expand the <ComputerName> node and then expand the “Sites” node.
3. Locate your website/virtual folder and click on it.
4. Double click on the Authentication icon.
5. Right click on Anonymous Authentication and select “Enable.”
6. Right click on Forms Authentication and select “Enable.”
7. Ensure that every other authentication method shows the status “Disabled.”
8. Right click on Forms Authentication and select Edit. Configure the following:
   Login URL: Login.aspx
   Authentication cookie time-out (in minutes): 5
   Name: .ADAUTH
   Protection Mode: Encryption and Validation
   Uncheck Extend cookie expiration on every request.
9. Click on the Back button in the IIS user interface.
Step 2: Configure Authorization
1. Double click the Authorization Rules icon.
2. In the Actions pane, click on Add Deny Rule..., then select “All Anonymous users” and click on the OK button.
3. Click on the Back button in the IIS user interface.
Step 3: Configure Connection Strings
1. Double click on the Connection Strings icon.
2. In the Actions Pane, click on Add...
3. Configure the following:
   Name: ADConnectionString
   Click on Custom and then enter your connection string: LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com.
4. Click OK.
5. Click on the Back button in the IIS user interface.
Step 4: Configure ActiveDirectoryMembershipProvider
1. Double click on the Providers icon.
2. From the Feature drop down, select .NET Users.
3. In the Actions Pane, click on Add...
4. From the Type dropdown, select “ActiveDirectoryMembershipProvider (System.Web.Security...)”.
5. In the Name box type “MyADMembershipProvider”.
6. Under ConnectionStringName, select ADConnectionString.
7. Under ApplicationName, provide a name for the application.
8. Under Provider Specific Settings, click on the “...” button.
9. Select each entry after connectionStringName and click on the Remove button.
10. Click on the Add button and for Name provide connectionUsername, with value domain\username.
11. Click on the Add button and for Name provide connectionPassword, with value Password.
12. Click on the Add button and for Name provide attributeMapUsername, with value sAMAccountName.
13. Click on the OK button.
14. Click on the Back button in the IIS user interface.
15. Open the application’s web.config and remove the attribute and value PasswordFormat="clear".
NOTES:
The enablePasswordRetrieval attribute is not supported by ActiveDirectoryMembershipProvider, so remove this property.
The PasswordFormat attribute will not be removed due to a bug, so you need to remove it manually.
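The Python script below is an added example, not code from the article. It parses a web.config assembled from Listings 1 to 4 (a constructed sample embedded in the script, including the two leftover attributes the notes above say to remove) and reports the problems this article warns about: a connectionStringName that matches no <connectionStrings> entry, the unsupported enablePasswordRetrieval and passwordFormat attributes, a connectionPassword stored in clear text, and an authorization block that does not deny anonymous users first. Two things in it go beyond the article: the aspnet_regiis -pe suggestion is the standard ASP.NET way to encrypt a configuration section, and the defaultProvider check rests on the fact that the Login control uses the provider named in <membership defaultProvider="..."> and otherwise the machine-wide default SQL provider.

```python
"""Lint the web.config produced by Listings 1 to 4 before deploying it.

Added example, not code from the original article. SAMPLE_WEB_CONFIG is a
constructed sample assembled from the article's listings, with the two
leftover attributes the article says to remove by hand.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

AD_PROVIDER_TYPE = "System.Web.Security.ActiveDirectoryMembershipProvider"
# Attributes the article says ActiveDirectoryMembershipProvider does not accept
# (compared case-insensitively: the article spells one of them PasswordFormat).
UNSUPPORTED_ATTRS = {"enablepasswordretrieval", "passwordformat"}

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             applicationName="FormsWithADAuth" connectionStringName="ADConnectionString"
             connectionUsername="domain\\username" connectionPassword="StrongPassword"
             attributeMapUsername="sAMAccountName"
             enablePasswordRetrieval="false" passwordFormat="Clear" />
      </providers>
    </membership>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ADAUTH" slidingExpiration="false" timeout="5" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
"""


def lint_web_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passed."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    conn_names = {e.get("name") for e in root.findall("./connectionStrings/add")}
    membership = root.find("./system.web/membership")
    providers = [] if membership is None else membership.findall("./providers/add")
    ad_providers = [p for p in providers
                    if (p.get("type") or "").startswith(AD_PROVIDER_TYPE)]
    if not ad_providers:
        findings.append("no ActiveDirectoryMembershipProvider is registered under <membership>")

    for p in ad_providers:
        name = p.get("name") or "<unnamed provider>"
        if not p.get("name"):
            findings.append("provider without a name attribute (name and type are required)")
        csn = p.get("connectionStringName")
        if csn not in conn_names:
            findings.append(f"{name}: connectionStringName {csn!r} matches no <connectionStrings> entry")
        for attr in p.attrib:
            if attr.lower() in UNSUPPORTED_ATTRS:
                findings.append(f"{name}: remove unsupported attribute {attr}")
        if p.get("connectionPassword"):
            # The service account password sits in clear text in web.config;
            # aspnet_regiis can encrypt the whole section in place.
            findings.append(
                f"{name}: connectionPassword is stored in clear text; encrypt the section "
                'with aspnet_regiis -pe "system.web/membership" -app "/<virtual path>"')

    default = None if membership is None else membership.get("defaultProvider")
    if default is None:
        findings.append("<membership> has no defaultProvider; the Login control would use "
                        "the machine-wide default (SQL) provider instead of the AD provider")
    elif default not in {p.get("name") for p in ad_providers}:
        findings.append(f"defaultProvider {default!r} is not the AD provider")

    auth = root.find("./system.web/authentication")
    forms = None if auth is None else auth.find("forms")
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    elif forms is None or not forms.get("loginUrl"):
        findings.append("<forms> element is missing or has no loginUrl")

    rules = root.findall("./system.web/authorization/*")
    if not rules or rules[0].tag != "deny" or rules[0].get("users") != "?":
        findings.append('first authorization rule should be <deny users="?" /> so that '
                        "anonymous users are redirected to the login page")
    return findings


if __name__ == "__main__":
    for finding in lint_web_config(SAMPLE_WEB_CONFIG):
        print("-", finding)
```

Point it at your own web.config (ET.parse(path).getroot() in place of the sample string) after finishing the IIS steps; the sample as embedded produces findings for the two leftover attributes, the clear-text password and the missing defaultProvider, and nothing for the connection string, authentication or authorization sections.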
Run the application and, at the forms authentication login page, provide your username (not domain\username) and password, and test whether you get the home page/default.aspx page.