ActiveDirectoryMembershipProvider and ADAM (or AD LDS) and SetPassword
Posted
by Iulian
on Stack Overflow
See other posts from Stack Overflow
or by Iulian
Published on 2010-06-10T19:14:13Z
Indexed on
2010/06/10
19:22 UTC
Read the original article
Hit count: 916
adam
|activedirectorymembership
By the subject line it seems to be a rather broad subject and I need some help here.
Basically what I want is to use ActiveDirectoryMembershipProvider
with an ADAM instance to authenticate users in an ASP.NET web application.
My development environment is a windows 7 machine with an AD LDS instance on it whilst the QA server is a Windows 2003 server with an ADAM instance on it. I have all the required users on both instances plus one with adminsitrator role (CN=Admin,CN=xxx,DC=xxx,C=xx) which I want to use as the connection user.
Using connectonProtecton="None" connectionUsername="CN=Admin,CN=xxx,DC=xxx,C=xx" connectionPassword="xxx"
I am able to authenticate on both environments (dev & qa).
If I change to the connectionProtection
to "Secure" I am not able to authenticate anymore; the error I get is
"Parser Error Message: Unable to establish secure connection with the server"
To me it sounds wrong to use connectionProtection="None"
although I found on the net a lot of samples using this setting.
Can I use connectionProtection="Secure"
to connect to an ADAM instance using an account defined on that instance having Administrator role?
What other choices do I have (like using an domain account)? What if my machine where I am to deploy the application is not a part of the domain, will this affect in any way the behavior? I am novice in the respect so I would really appreciate some clear answers or some directions as where to look?
Now beside the "signing in" feature of the ActiveDirectoryMembershipProvider
I also want to add an extra one, which is setting the password without knowing the old one (something that will be used by a "reset password" feature). So I added a couple of extension methods to the provider, and used System.DirectoryServices
classes like DirectoryEntry
and the like.
When creating a directory entry I use the same credentials provided in web.config
for the provider minus the AuthenticationType
as I don't know what is right combination of the flags that corresponds to None/Secure.
I am able to use Invoke "SetPassword" with ADS_OPTION_PASSWORD_METHOD
option as ADS_PASSWORD_ENCODE_CLEAR
on my dev machine (w/ AD LDS instance); nevertheless on qa environment (w/ ADAM instance) I am getting an error like
"Exception Details: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred. (Exception from HRESULT: 0x80072020)"
I am quite sure it is not about AD LDS vs ADAM but probably another configuration / permission issue.
So can anyone help me with some hints on how to use this SetPassword
feature?
And as a general question what are the best practices when it comes to using ADAM regarding security, programming etc?
Thanks in advance Iulian
© Stack Overflow or respective owner