I'm attaching the text of the article; let me know if you need anything else.

Active Directory and ASP.NET 2.0 Beta 2 

Are you evaluating Visual Studio 2005 Beta 2 and ASP.NET 2.0? Did you know that 
we shipped an Active Directory Membership Provider in Beta 2? Until recently, I 
didn't either. Apparently we didn't make too much noise about it because while 
the team had the time to get the provider in, they didn't have time to get the 
documentation for it.

The good news is that (with a little coaching from some of the very helpful 
folks on the ASP.NET team) I was able to get this provider working successfully 
on a Virtual PC image of Visual Studio Team System Beta 2. Given that I'm 
hardly what one would call an active directory expert, if I can get it working 
that's a pretty good sign.

So here's what I did:

1.      Created a new web site.
2.      Added a web.config file.
3.      Set the authentication type to "Forms".
4.      Added a connection string pointing to my Active Directory store. This
was one of the parts I had trouble with, since I wasn't very familiar with LDAP
syntax. The fully-qualified domain name for my domain controller was
win2k3.vstsb2.local (I know, not very creative), while the domain was
vstsb2.local. So the successful connection string section in web.config looks
like this:

        <connectionStrings>
           <add connectionString="LDAP://win2k3.vstsb2.local/CN=Users,DC=vstsb2,DC=local"
                name="ADConnString"/>
        </connectionStrings>

5.      Then I added the following Membership section (note that this is a very
simple implementation, and omits many of the optional attributes):

        <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
           <providers>
              <add name="AspNetActiveDirectoryMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider,
                 System.Web, Version=2.0.3600.0, Culture=neutral,
                 PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="ADConnString"
                 connectionUsername="vstsb2.local\Administrator"
                 connectionPassword="password"/>
           </providers>
        </membership>

6.      Next, I added a new folder to the site, named it "protected" (the name
is arbitrary), and added a web.config to this folder with an authorization
section denying access to anonymous users.
7.      Finally, I added a page to the new folder that writes out the name of
the current user, and added a login page at the root level with a Login control
to perform the authentication.

In addition to my musings above, there's some good coverage of this provider in 
the security article 
<http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGPractices0001.asp>  I 
pointed to <http://blogs.msdn.com/gduthie/archive/2005/08/16/452112.aspx>  
earlier this week (see the authentication section).

A couple of other notes:

*       With the syntax above for the membership provider configuration, you'll
need to log in using the User Principal Name (UPN) rather than the typical
DOMAIN\user syntax used for Windows authentication. The UPN syntax is basically
[EMAIL PROTECTED] (note that there may be more to it than that...UPN is
something I only read up on today, so I'm hoping my explanation is adequate
<g>). So for my example above, the user Andrew would log in using
[EMAIL PROTECTED] as the username, and then the password as normal.
*       If you'd prefer to use the SAM account name instead of the UPN, you'll
need to add the following attribute to the <membership> element:

           attributeMapUsername="SAMAccountName"

*       Once having added the above attribute, you should be able to log in
using the username alone.

I hope if other folks are experimenting with this provider, it'll help you 
avoid some of the pitfalls that I ran into. I'm guessing that folks with a 
little more AD and/or LDAP experience will find it easier than I did, but it's 
very cool to be able to take advantage of AD with a pretty straightforward 
configuration change, and still have all the login controls "just work".

UPDATE:

One other point I want to be sure to make is that it is even more critical, 
when using Forms Authentication to authenticate against an Active Directory 
credential store, that you use SSL to protect the login page. By default Forms 
Authentication (much like Basic Authentication in IIS) sends credentials across 
the wire unencrypted. So make sure SSL is a part of your development, testing, 
and deployment plan.
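
The configuration that steps 3 and 6 and the UPDATE describe but do not show, as an added example (not part of the original article): a root web.config that reuses the article's connection string and provider entry, uses a <location> element in place of the separate web.config in the "protected" folder, and marks the forms ticket as SSL-only. Login.aspx and the password placeholder are assumptions; requireSSL protects the ticket cookie only, so the login page itself still has to be served over HTTPS.

```xml
<!-- Added example: root web.config. Host name, DN and type string are copied
     from the article; Login.aspx and the credential placeholder are assumptions. -->
<configuration>
  <connectionStrings>
    <add name="ADConnString"
         connectionString="LDAP://win2k3.vstsb2.local/CN=Users,DC=vstsb2,DC=local"/>
  </connectionStrings>
  <system.web>
    <!-- Step 3: Forms authentication. requireSSL="true" marks the ticket cookie
         Secure so the browser only sends it back over HTTPS. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="true" protection="All"/>
    </authentication>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- connectionProtection="Secure" (the provider's default) protects the
             connection from the web server to the domain controller;
             attributeMapUsername goes on the provider entry and switches the
             login name from UPN to the SAM account name. -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
                   System.Web, Version=2.0.3600.0, Culture=neutral,
                   PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnString"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             connectionUsername="vstsb2.local\Administrator"
             connectionPassword="PLACEHOLDER"/>
      </providers>
    </membership>
  </system.web>
  <!-- Step 6 expressed in the root file: deny anonymous users ("?") for
       everything under the "protected" folder. -->
  <location path="protected">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the membership section carries the bind password in clear text, it can be encrypted in place with aspnet_regiis -pe.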

 

 

From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Thursday, December 14, 2006 6:11 PM
To: [email protected]
Subject: [puntonet] RE: RE: [puntonet] Authentication in a Domain

 

Hi Martin, and thanks a lot by the way, but... could you be more specific,
since I don't have Internet access :-( thanks in advance...

Regards,

Raynier Rivero Mayo

IT Specialist, Central Office | Matanzas Branch

Address: Ave. Playa e/ 39 y 40, Varadero

Tel: 66-8880, Beeper: 3035

E-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

________________________________

From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Martín Olivares
Sent: Thursday, December 14, 2006 13:10
To: [email protected]
Subject: [puntonet] RE: [puntonet] Authentication in a Domain

 

You can do it using an Active Directory MembershipProvider
(http://blogs.msdn.com/gduthie/archive/2005/08/17/452905.aspx).

For more info on the class that implements it:
http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx

Regards.

 

 

 

  

Martín Olivares
Senior Engineer



[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 



+54 9 351 686 7663



martin.olivares <callto:martin.olivares> 

Avellaneda, 240
5000 Córdoba
Córdoba / Argentina
Telf. +54 351 426 21 47  
www.raona.com.ar <http://www.raona.com/> 

 


 

 

 

 

From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
PROTECTED]
Sent: Thursday, December 14, 2006 1:35 PM
To: [email protected]
Cc: c#@mug.org.ar
Subject: [puntonet] Authentication in a Domain
Importance: High

 

Hello:

I'm on a private network and I'm building a .NET application that has an
administration module, and I want authentication for accessing it to be done
against Active Directory. Can you help me? I have a vague idea but I'm not
sure.

P.S.: I have VS2005 & .NET Framework 2.0.

 

Regards,

Raynier Rivero Mayo

IT Specialist, Central Office | Matanzas Branch

Address: Ave. Playa e/ 39 y 40, Varadero

Tel: 66-8880, Beeper: 3035

E-mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

 

 
