
I implemented form-based authentication that uses AD in an ASP.NET MVC 3 application, following the directions I found here: ASP.NET MVC - Authenticate users against Active Directory, but require username and password to be inputted

It works fine when I run it using the ASP.NET Development Server, but it fails to go beyond the login page after I enter my credentials and gives the following error:

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An operations error occurred.

Source Error:

Line 37:     <membership defaultProvider="MY_ADMembershipProvider">
Line 38:       <providers>
Line 39:         <add name="MY_ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
Line 40:       </providers>
Line 41:     </membership>

Any help would be much appreciated, thanks in advance.

UPDATE: So far after a couple of debugs I think error might be coming from System.Web.Security.ActiveDirectoryMembershipProvider in the Web.xml config, I added System.Web (in which that class is found) as a reference and also to make a local copy but still, zip... :(


2 Answers


Make sure you have passed a valid username and password of an account that has sufficient privileges to query your AD:

<add 
    name="MY_ADMembershipProvider" 
    type="System.Web.Security.ActiveDirectoryMembershipProvider" 
    connectionStringName="ADConnectionString" 
    attributeMapUsername="sAMAccountName" 
    connectionUsername="YOURDOMAIN\SomeAccount"
    connectionPassword="secret"
/>

If you don't want to do that you will have to configure the Application Pool in your IIS to run under an account which has sufficient privileges to query your Active Directory. By default your application runs under a local NetworkService account which has no access to the AD.

Darin Dimitrov
  • That may not be the case as the application works perfectly well when I switch from Forms to Windows as the authentication method. – dotKwame Feb 19 '13 at 10:41
  • That's perfectly normal. When you use Windows authentication you are using the credentials of the client to query your AD. When you use anonymous authentication, there are no permissions. – Darin Dimitrov Feb 19 '13 at 10:48
  • So I just tested it out with a custom AD Membership Provider which "manually" authenticated via the AD in code `DirectoryEntry dsEntry = new DirectoryEntry(ldapSvrAddr, model.Username, model.Password); object nativeobj = dsEntry.NativeObject;`, then changed the type in the web.config from `System.Web.Security.ActiveDirectoryMembershipProvider` to `MyNamespace.MyCustomADClass` and it worked ok (no connectionUsername or Password required), but I want to use the standard AD Membership Provider in the .NET framework and not end up implementing everything – dotKwame Feb 19 '13 at 11:20
  • @atokubi, in this example you already provided a username and password: `new DirectoryEntry(ldapSvrAddr, model.Username, model.Password)` to authenticate against Active Directory :-) That's why your code works. Try configuring the application pool in IIS to run under a domain account that has sufficient privileges to access your Active Directory to make this work, as I already explained in my answer. I get the feeling that I am starting to repeat myself. – Darin Dimitrov Feb 19 '13 at 11:25
  • I added the connectionUsername and pass to the config as you directed and it worked okay, but I was wondering if it is possible to make do without it. I would much prefer not to have a plain uname/pass in the config; how do I set up the App Pool in IIS to run with an account that has AD access privileges? – dotKwame Feb 19 '13 at 14:52
  • Navigate to the `Internet Information Services (IIS) Manager` -> `Application Pools` -> Select the application pool -> Right click and select Advanced settings -> `Identity` -> `Custom account` -> type the credentials of an AD account that has permissions to access Active Directory. Finally recycle the application pool for the changes to take effect. – Darin Dimitrov Feb 19 '13 at 14:57
  • You might also want to checkout the following: http://www.iis.net/learn/manage/configuring-security/application-pool-identities – Darin Dimitrov Feb 19 '13 at 15:04
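The two options discussed in this answer and its comments (run the application pool as a domain account, or keep connectionUsername/connectionPassword in web.config without leaving them in plain text) can both be scripted. The following PowerShell is an added example, not code from the answer or the asker; it assumes a placeholder pool name `MyMvcApp`, site directory `C:\inetpub\wwwroot\MyMvcApp` and service account `YOURDOMAIN\svc-mvc-ad`, and it must be run elevated on an IIS 7+ machine with the WebAdministration module.

```powershell
# Added example (not from the original Q&A). Assumed placeholders:
#   app pool "MyMvcApp", physical path C:\inetpub\wwwroot\MyMvcApp,
#   service account YOURDOMAIN\svc-mvc-ad (a low-privilege domain user that can read AD).
Import-Module WebAdministration

$poolName   = 'MyMvcApp'
$appPath    = 'C:\inetpub\wwwroot\MyMvcApp'
$svcAccount = 'YOURDOMAIN\svc-mvc-ad'

# Prompt for the password instead of hard-coding it in the script.
$secure = Read-Host -AsSecureString "Password for $svcAccount"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Option 1 (the answer's recommendation): run the pool under a domain account.
# Equivalent to IIS Manager > Application Pools > Advanced Settings > Identity > Custom account.
# identityType 3 = SpecificUser.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $svcAccount
    password     = $plain
}
Restart-WebAppPool $poolName          # recycle so the new identity takes effect

# Verify what the worker process will run as.
(Get-Item "IIS:\AppPools\$poolName").processModel | Select-Object identityType, userName

# Option 2: keep the provider's connectionUsername/connectionPassword in web.config,
# but encrypt the <membership> section with Protected Configuration (DPAPI, machine scope).
# ASP.NET decrypts it transparently at runtime; the file on disk no longer holds the secret.
$regiis = Join-Path ([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'aspnet_regiis.exe'
& $regiis -pef 'system.web/membership' $appPath -prov 'DataProtectionConfigurationProvider'

# Check the result: the section should now contain an <EncryptedData> element.
Select-String -Path (Join-Path $appPath 'web.config') -Pattern 'EncryptedData'

# To decrypt again (for editing):  & $regiis -pdf 'system.web/membership' $appPath
```

Option 1 is the narrower choice from a least-privilege standpoint: the account only needs read access to the directory, and no credential lives in the application's files at all. If Option 2 is used, note that the DPAPI provider encrypts at machine scope, so any process on that server can decrypt the section; the RSA provider (`RsaProtectedConfigurationProvider`) lets you grant decrypt rights to just the pool identity with `aspnet_regiis -pa`, at the cost of managing the key container.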

I changed the Identity of the Application Pool from "ApplicationPoolIdentity" to "NetworkService" and everything works great now.

Nick