
I'm encountering this error: "Membership credential verification failed." when I try to log in with an Active Directory user in an ASP.NET application using forms-based authentication.

I have a complex set-up, as follows:

I'm using Active Directory Lightweight Directory Services (AD LDS), aka ADAM, as a membership repository. I bound it to an Active Directory with proxy users and completed an adamsync. I configured an SSL certificate for the AD LDS. While connected to the AD LDS with LDP.exe, I'm able to connect/bind with both AD LDS users and AD users, so the proxy is OK. My ASP.NET application talks to the AD LDS, and I'm able to successfully log in with AD LDS users using forms-based authentication.

But I'm unable to log in with my AD users from the ASP.NET application. What am I missing?

Here's my provider section from my web.config:

    <add name="MyADConnectionString"
         connectionString="LDAP://localhost/OU=Users,DC=PreuveConcept,DC=local" />

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <clear/>
        <add name="AspNetActiveDirectoryMembershipProvider" 
             type="System.Web.Security.ActiveDirectoryMembershipProvider" 
             connectionStringName="MyADConnectionString" 
             connectionProtection="Secure" 
             enableSearchMethods="true"/>
      </providers>
    </membership>

Here's my login action (default MVC AccountController):

    [HttpPost]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            if (Membership.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                // Only follow returnUrl when it is a local, absolute path (not "//host" or "/\host"),
                // so the login page cannot be used as an open redirect.
                if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
                    && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction("Index", "Home");
                }
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }
Groumy
  • Can you post your code... Also, have you considered looking at PrincipalContext? How are you passing DC= CN= etc.? In the web.config or an ASP.NET class – MethodMan Jan 20 '12 at 15:14
  • Also take a look at this site; within there, click on the ContextOptions link where it says Options: http://msdn.microsoft.com/en-us/library/bb300969.aspx | http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions.aspx PrincipalContext might be your better option – MethodMan Jan 20 '12 at 15:19
  • I didn't check for the PrincipalContext, since I'm using the ActiveDirectoryMembershipProvider; I supposed it was able to perform such a connection. – Groumy Jan 20 '12 at 15:26
  • This is an odd way to check the user credentials against AD: you're exposing the username / password in the config file, whereas if you use PrincipalContext it should validate against AD based on whether the user is a valid member of that group within AD. Check this as a reference as well, similar issues / post: http://stackoverflow.com/questions/4712927/activedirectorymembershipprovider-to-validate-a-user – MethodMan Jan 20 '12 at 15:41
  • I removed the connectionUsername and the connectionPassword from my web.config and it's the same. They were there just because the tutorial I followed specified them. – Groumy Jan 20 '12 at 16:07
  • Have you tried the PrincipalContext? Because it will be able to return whether a user is valid or not as well, and it's easier from my perspective... – MethodMan Jan 20 '12 at 16:24
  • I just found out that the ActiveDirectoryMembershipProvider uses this filter when it does FindUser: (&(objectCategory=person)(objectClass=user)). As you can see, it rules out userProxy. So I have to build my own MembershipProvider based on your suggestion with PrincipalContext. – Groumy Jan 20 '12 at 16:46
  • But why do you feel you have to build a proxy? Because technically, if an outside user tries to access your website and they are not in the AD group, let alone AD, you would issue a redirect to another page... you shouldn't have to do that... but maybe I am not completely understanding your business rules / specs – MethodMan Jan 20 '12 at 17:13
  • OK, I have to build a business application that will be exposed on the internet, and it will have to accept AD users and custom users for the application. Yes, I could use two MembershipProviders and check against one or the other, but we are currently searching for a global solution for multiple applications. Since it's not recommended to expose an Active Directory on the internet, we wanted to kill two birds with one stone and use ADAM in the DMZ to proxy our AD, and use it at the same time to manage extra users, since it's no longer recommended to add external users to an AD. – Groumy Jan 20 '12 at 17:19
  • I know, I am not suggesting adding external users, but for internal users AD would still work without exposing AD, so to speak, outside the DMZ. We did the same thing by providing different URLs that alias in the background, and based on the network it knew if you were internal or not... now that I understand you are exposing for custom users, that all makes sense in regards to your initial approach.. – MethodMan Jan 20 '12 at 17:25
  • Part of the request is to make the whole process completely autonomous from the IT department, so yes, your suggestion would have worked, but can't be used ;). Now I have created a simple MembershipProvider that uses the PrincipalContext to authenticate my users, and even in simple bind it is able to validate the credentials of both my ADAM users and my AD users. So thx for your help. – Groumy Jan 20 '12 at 18:41

2 Answers

Based on this blog post: http://erlend.oftedal.no/blog/?blogid=71

It appears the source of my problem is that I use the ActiveDirectoryMembershipProvider, and it specifically rules out proxy users.

Additionally, as I found out here: http://directoryprogramming.net/forums/thread/4181.aspx

AD LDS (ADAM) cannot use a secure bind, only a simple bind over a secure connection (using SSL). But the Active Directory I want to bind to uses secure bind only.

So if I'm using Windows-based auth, my AD users can be authenticated but not the ADAM ones, and if I use forms-based auth, ADAM users can be authenticated but not AD ones.

In conclusion, I have to create my own provider that, as DJ KRAZE specified, uses the PrincipalContext with multiple contexts.

Groumy
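As an added example, not code from the question or from either answer, here is the validation logic such a provider's ValidateUser would wrap, in C#: one PrincipalContext for the AD LDS instance (simple bind over SSL, which the answer reports as the only bind ADAM accepts) and one for the domain (Negotiate, with signing and sealing, so the password never travels in clear text). The server name, container DN and domain name are constructor parameters; the values in the comments are placeholders. It assumes the AD LDS instance lets the context be opened without a service account and that users type a name the AD LDS simple bind accepts (a DN, or a userPrincipalName if the instance is configured for it); if a service account is required, use the PrincipalContext constructor overload that also takes a user name and password instead of storing credentials in web.config.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example: validates a login against an AD LDS (ADAM) instance and, if that
// fails, against a full Active Directory domain, with one PrincipalContext per
// directory. This is what a custom MembershipProvider.ValidateUser would call.
public sealed class DualDirectoryValidator
{
    private readonly string _adLdsServer;     // assumed "host:port", e.g. "localhost:636" (placeholder)
    private readonly string _adLdsContainer;  // e.g. "OU=Users,DC=PreuveConcept,DC=local"
    private readonly string _adDomain;        // placeholder domain name, e.g. "corp.example"

    public DualDirectoryValidator(string adLdsServer, string adLdsContainer, string adDomain)
    {
        if (string.IsNullOrEmpty(adLdsServer)) throw new ArgumentNullException("adLdsServer");
        if (string.IsNullOrEmpty(adLdsContainer)) throw new ArgumentNullException("adLdsContainer");
        if (string.IsNullOrEmpty(adDomain)) throw new ArgumentNullException("adDomain");
        _adLdsServer = adLdsServer;
        _adLdsContainer = adLdsContainer;
        _adDomain = adDomain;
    }

    // Returns true when the credentials are accepted by either directory.
    public bool Validate(string username, string password)
    {
        // An empty password must never reach the directory: an LDAP simple bind with
        // an empty password is treated as an anonymous bind by many servers and
        // would be reported as a success.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        // AD LDS users and userProxy objects: simple bind, protected by SSL.
        const ContextOptions adLdsBind = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;
        if (TryValidate(ContextType.ApplicationDirectory, _adLdsServer, _adLdsContainer, adLdsBind,
                        username, password))
            return true;

        // Domain users: Negotiate (Kerberos/NTLM) with signing and sealing, the
        // "secure bind" the domain controller insists on.
        const ContextOptions adBind = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
        return TryValidate(ContextType.Domain, _adDomain, null, adBind, username, password);
    }

    private static bool TryValidate(ContextType type, string nameOrServer, string container,
                                    ContextOptions bindOptions, string username, string password)
    {
        try
        {
            // No service-account credentials are stored or passed here; the only
            // credentials sent are the ones the user typed, via ValidateCredentials.
            using (var context = new PrincipalContext(type, nameOrServer, container, bindOptions))
            {
                return context.ValidateCredentials(username, password, bindOptions);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Directory unreachable: fail closed for this directory and let the
            // caller try the next one. Log the outage in a real deployment.
            return false;
        }
    }
}
```

From the LogOn action, `Membership.ValidateUser(model.UserName, model.Password)` becomes `new DualDirectoryValidator(server, container, domain).Validate(model.UserName, model.Password)`, with the three settings read from appSettings. Both directories rejecting a user, and a directory being unreachable, produce the same generic "user name or password is incorrect" error, so a caller cannot tell from the response which directory an account lives in.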

Old question but in my case this was caused by missing attributeMapUsername="sAMAccountName" from the configuration file.

Giorgi