PCQuest : Enterprise : Forms Authentication with Active Directory

Forms Authentication with Active Directory

Finding it difficult to change directory entries in Microsoft's Active Directory? Here is a simple way to accomplish this task using ASP.NET

Sandeep Koul

Thursday, January 01, 2009

Print Comment Email Digg Del.icio.us Reddit Twitter

We often face difficulty in modifying Active directory entries using non-Microsoft solutions. We are going to demonstrate here a simple way of accessing Active Directory using ASP.NET 2.0, applying password complexity rules in it and modifying it. This demo will also throw some light on key security considerations while using form authentication. What we are going to use here is 'ActiveDirectoryMembershipProvider' membership feature that can be used with form authentication present in ASP.NET 2.0. This member feature includes API that helps in managing user credentials in Active Directory. We are carrying this implementation in test environment in an isolated network.

Implementation
To demonstrate this implementation in test setup, we have used Active Directory of Windows Server 2003 and Visual Studio 2008 for creation of ASP.NET web site (with C# as programming language). Start with installing Active directory using 'dcpromo' command in command prompt and create domain (sandeep.local) in it with user (Sandeep Koul). Once your active directory is ready on test machine, use a machine with Visual Studio to create a ASP.NET web site. Open Visual Studio, click on 'File>New>Web Site'' and change name and location of web site along with Language (C#). Now in 'Solution Explorer', right click on the created web site and click on 'Add Items'. From the template window, select 'Web Forms' and name it 'login.aspx'. On this page, drag and drop 'Login' control and 'CreateUserWizard' control for logging in and creation of new account in Active Directory (one needs appropriate privilege for creation of new user). 'Login' control has 'Remember me next time' check box that remembers password, it is suggested to disable it by setting 'DisableRememberMe' to 'False', this makes your page more secure. Now add (if not present) and then modify 'web.config' file present in 'Solution Explore'. Here is the code snippet showing content of 'Web.config':

Direct Hit!

Applies To: System Administrators
Price: N/A
USP: Access Active Directory using ASP.NET 2.0
Primary Link: www.msdn.com
Keyword: ActiveDirectory MembershipProvider

<?xml version="1.0"?>
<configuration>
<appSettings/>

Here is connection sting that points to Active Directory users container, we are using LDAP (lightweight directory access protocol) for quiring and modifying directory service.

Locate and change '<authentication>' element as shown below, change 'mode' attribute to 'Forms'.

Beneath '<authentication>' element add '<authorization>' element, this enables only authenticated users to access application. Here '?' indicates unauthenticated users while '*' indicates authenticated ones.

Under '<authorization>' element add '<membership>', this along with '<connectionString>' is to point and configure Active Directory membership provider. In this element ,one needs to override 'defaultProvider' (MyADMembershipProvider) as shown in code snippet. As one can see we are providing information regarding administartor i.e. 'connectionUsername', 'connectionPassword', and 'connectionStringName', therefore it is recommended to encrypt these portions. Finally make sure that 'connectionStringName' is same as mentioned in '<connectionStrings>' element.

This window shows default page on the left that is displayed when running the project and output that would be displayed after authentication on right side.

Besides the attributes mentioned above 'ActiveDirectoryMembershipProvider' has number of other attributes that one can configure according to his/her needs.

As we have finished configuring 'web.config' file, now is the time to test authentication. To accomplish it, open 'Default.aspx.cs' file and add the following code on the 'Page_Load' event. If works properly, this will show information related to authenticated users.

using System.Data;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));
FormsIdentity id = (FormsIdentity)User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
Response.Write("TicketName: " + ticket.Name);
Response.Write(" Cookie Path: " + ticket.CookiePath);
Response.Write(" Ticket Expiration: " +
ticket.Expiration.ToString());
Response.Write(" Expired: " + ticket.Expired.ToString());
Response.Write(" Persistent: " + ticket.IsPersistent.ToString());
Response.Write(" IssueDate: " + ticket.IssueDate.ToString());
Response.Write(" UserData: " + ticket.UserData);
Response.Write(" Version: " + ticket.Version.ToString());

Though it's easy to implement and work with, form authentication have much vulnerability that can easily be exploited, which in turn can lead to spoofing and other threats. Many security measures can be taken like account lockout and password reset i.e. one can set following attributes of ActiveDirectory MembershipProvider': 'maxInvalidPasswordAttempts' that defines the number of failed attempts that can be made before account is considered locked and 'passwordAttemptWindow' that defines in minutes how long provider tracks failed password attempts. More information about security considerations can be gained from following link 'http:// msdn.microsoft.com/en-us/libr ary/ms 998310.aspx'.

Page(s) 1




	Five Power Extensions for Joomla
	eBox Vs MS Small Business Server 2008
	Doing Document Management Right
	Getting a Taste of Open Source ERP

Untitled Document

ZTE:Leading CDMA Technology

Extraordinary Networks:Freedom of Choice

	Other CyberMedia web sites [Dataquest] [Voice&Data] [CIOL] [Living Digital] [IDC India] [DQ Channels] [the DQweek] [CyberMedia India] [Global Services Media] [CyberMedia Events] [Cybermedia Digital] [CyberAstro] [BioSpectrum] [BioSpectrum Asia] [Computer Shopper] [College Buying Guide] [Voice&DataConnect]