ActiveDirectoryMembershipProvider and ADAM (or AD LDS) and SetPassword
- by Iulian
By the subject line it seems to be a rather broad subject and I need some help here.
Basically what I want is to use ActiveDirectoryMembershipProvider with an ADAM instance to authenticate users in an ASP.NET web application.
My development environment is a windows 7 machine with an AD LDS instance on it whilst the QA server is a Windows 2003 server with an ADAM instance on it.
I have all the required users on both instances plus one with adminsitrator role (CN=Admin,CN=xxx,DC=xxx,C=xx) which I want to use as the connection user.
Using connectonProtecton="None" connectionUsername="CN=Admin,CN=xxx,DC=xxx,C=xx" connectionPassword="xxx" I am able to authenticate on both environments (dev & qa).
If I change to the connectionProtection to "Secure" I am not able to authenticate anymore; the error I get is
"Parser Error Message: Unable to establish secure connection with the server"
To me it sounds wrong to use connectionProtection="None" although I found on the net a lot of samples using this setting.
Can I use connectionProtection="Secure" to connect to an ADAM instance using an account defined on that instance having Administrator role?
What other choices do I have (like using an domain account)? What if my machine where I am to deploy the application is not a part of the domain, will this affect in any way the behavior? I am novice in the respect so I would really appreciate some clear answers or some directions as where to look?
Now beside the "signing in" feature of the ActiveDirectoryMembershipProvider I also want to add an extra one, which is setting the password without knowing the old one (something that will be used by a "reset password" feature). So I added a couple of extension methods to the provider, and used System.DirectoryServices classes like DirectoryEntry and the like.
When creating a directory entry I use the same credentials provided in web.config for the provider minus the AuthenticationType as I don't know what is right combination of the flags that corresponds to None/Secure.
I am able to use Invoke "SetPassword" with ADS_OPTION_PASSWORD_METHOD option as ADS_PASSWORD_ENCODE_CLEAR on my dev machine (w/ AD LDS instance); nevertheless on qa environment (w/ ADAM instance) I am getting an error like
"Exception Details: System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred. (Exception from HRESULT: 0x80072020)"
I am quite sure it is not about AD LDS vs ADAM but probably another configuration / permission issue.
So can anyone help me with some hints on how to use this SetPassword feature?
And as a general question what are the best practices when it comes to using ADAM regarding security, programming etc?
Thanks in advance
Iulian
