Directory Services and Asp.Net 2.0 Authentication

Yes, yes… .Net 2 is so last season. Even so, I’ve noticed that a lot of coders, especially those who haven’t played with it in depth, are still missing out on some of the excellent components that come bundled with it. Case in point are the authentication tools. Setting them up couldn’t be much easier – just write up the settings in your web.config file and plonk the authentication control on your page.

 In an attempt to reduce the number of home-made authentication systems I keep seeing – some of them quite good, I must admit – below is a (very) short guide to configure a web application to authenticate users against a Directory Service such as Active Directory or LDAP.

Let’s start off with the web.config file. The first thing you need, is a connection to a directory service provider, like this:

<add name=MyDirectoryService connectionString=“LDAP://[SERVER]/>


The name attribute is an identifier that will let us hook up the connection string with a membership provider a bit further on – you can set it to anything you like, really. The connectionString attribute specifies the directory service we want to use. Active Directory and LDAP servers both use the LDAP protocol, so if we want to use one of those, we’ll need to set up the connection string like so:


It’s important to note that the URL of the service must be specified in full. From my muddlings with the provider, it looks like the network name is not enough.

Once we have a connection string, we can set up a provider. The membership provider is used to work with account information – specifically, whether an account exists, whether it can log in, whether a given password is valid, and so on. It can also be responsible for user creation and maintenance. That is, however, a bit beyond the scope of our discussion, however, so I’ll just point you to the MSDN Library reference for ASP.NET Membership for the full details.

The membership provider can be set up as follows:

<membership defaultProvider=DirectoryServiceMembershipProvider>
<add name=DirectoryServiceMembershipProvider  type=System.Web.Security.ActiveDirectoryMembershipProvider  connectionStringName=MyDirectoryService/>

The defaultProvider attribute tells the membership framework to use the specified provider as a default (honest). The provider definition is a bit more interesting. We’re only using the bare bones minimum configuration here – if you look at the ActiveDirectoryMembershipProvider page on MSDN, you’ll find a shipload of settings you can apply to it. Again, we’re not going into all that because this is meant to be a simple example.

To test the configuration (or, more likely, get on with the task at hand) add an authentication and an authorization section to the web.config file:

<authentication mode=Forms>
forms loginUrl=~/MyLoginPage.aspx/>
deny users=?/>

and put a login page in the application, with the name you specified in the configuration file (in our case MyLoginPage.aspx). DO NOT call the page Login.aspx – it will cause a name clash with the Login component. Drop the login component (Login, from the Login tab of the toolbox in VS2005). Run the application and try to log in using your username and password. The username has to be entered in email format (i.e. If the login is successful, you will be directed to your application’s default page (unless you had another page selected in VS at the time, in which case that will be the one to show up.

If all you need is a simple login, you’re set. If, however, you want role based access, there’s a little more work to be done. Providers are highly specialised, so the membership provider doesn’t worry about anything else. If you inspect the User object in debug mode, you will notice that it will not, in fact, have any roles loaded into it. To sort that out, we need to go back to the configuration and enable the role manager:

<roleManager enabled=true defaultProvider=DirectoryServiceRoleProvider>
<add name=DirectoryServiceRoleProvider type=System.Web.Security.WindowsTokenRoleProvider />

And that should be it.


2 comments so far

  1. Sonia on

    hey karl … just read ur article..
    ah me always learning something new from you.. thanks sonia… 🙂

  2. marlongrech on

    Hey dude….

    brilliant post…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: