Tags: .net, active-directory, asp.net-membership, activedirectorymembership

Simple username login with membership provider in Active Directory


I use Active Directory for authentication through ActiveDirectoryMembershipProvider in one of my ASP.Net projects.

I connect to it successfully with this LDAP connection string:

LDAP://server/DC=mydomain,DC=com

but two issues remain:

  1. Calling Membership.GetUser("moravej") returns null, whereas calling Membership.GetUser("moravej@mydomain.com") gets a correct object. Is there any way to solve this? I don't want to make the users use their complete name when AD is transparent to them. I also prefer not to change my code to concatenate @mydomain.com to the entered values (because of the many changes I would need).

  2. I want the membership provider to be able to use all AD users for login (it does in this case), but I want all the users that will be created by my application to go to a CRM OU. If I set the connection string to LDAP://server/OU=CRM,DC=mydomain,DC=com, it returns null when I call Membership.GetUser() for users that are not in this OU.

Is there any way to solve these issues?

Thanks in advance


Solution

  • According to this page here, you can configure the provider to use the sAMAccountName for your logon, with some config:

    The default configuration for the ActiveDirectoryMembershipProvider uses User Principal Names (UPNs) for name mapping as shown in the following example.

    attributeMapUsername="userPrincipalName"
    

    Because of this, all user names must have the format UserName@DomainName; for example: [email protected] or [email protected].

    But you can change that - see the paragraph below:

    You can change the name mapping so that it uses simple user name format by setting the following attribute in the Membership Provider configuration in the Web.config file.

    attributeMapUsername="sAMAccountName"
    

    With this configuration, you can use simple user names, for example: Mary or Steve.

    That appears to be what you're looking for - right?

    So in your web.config, you should have a configuration entry something like this (of course - use your connection string names etc. - this is just a sample!)

    <system.web>
      <membership defaultProvider="MyADMembershipProvider">
        <providers>
          <add name="MyADMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider,
                     System.Web, Version=2.0.0.0, Culture=neutral,
                     PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="ADConnectionString"
               attributeMapUsername="sAMAccountName" />  <!-- this is the magic to turn ON -->
        </providers>
      </membership>
    </system.web>
    

    For problem #2: if you want all users, then set your connection string for the membership provider to LDAP://server/DC=mydomain,DC=com so that it connects to the domain root of your AD domain.
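The following web.config is an added example that is not part of the original answer; it puts both points together. It keeps the domain-root connection string for login and lookup (so every AD user is found and a bare sAMAccountName such as "moravej" works) and adds a second provider bound to the CRM OU, since ActiveDirectoryMembershipProvider creates users in the container named by its connection string. The names dc01.mydomain.com, ADConnectionString, CrmOuConnectionString, CrmOuMembershipProvider and the svc_aspnet_ldap service account are assumptions for the sample.

```xml
<?xml version="1.0"?>
<!-- Added example, not the original poster's configuration. Host, connection string
     names, provider names and the service account are assumed values. -->
<configuration>
  <connectionStrings>
    <!-- Domain root: every user in mydomain.com can be found and validated here.
         This is the connection string the login provider must use (problem #2, login). -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.mydomain.com/DC=mydomain,DC=com" />
    <!-- OU-scoped: users created through a provider bound here land in OU=CRM
         (problem #2, creation). GetUser on this provider only sees users in the OU. -->
    <add name="CrmOuConnectionString"
         connectionString="LDAP://dc01.mydomain.com/OU=CRM,DC=mydomain,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Membership.ValidateUser / Membership.GetUser go to the default provider. -->
    <membership defaultProvider="MyADMembershipProvider">
      <providers>
        <clear />
        <!-- Login/lookup provider: domain root plus sAMAccountName mapping, so
             "moravej" validates without "@mydomain.com" being appended (problem #1). -->
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="mydomain\svc_aspnet_ldap"
             connectionPassword="PLACEHOLDER-encrypt-this-section-with-aspnet_regiis"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
        <!-- Creation provider: same mapping and credentials, but bound to the CRM OU
             so CreateUser writes the new account there. -->
        <add name="CrmOuMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CrmOuConnectionString"
             connectionUsername="mydomain\svc_aspnet_ldap"
             connectionPassword="PLACEHOLDER-encrypt-this-section-with-aspnet_regiis"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    <!-- Forms auth over TLS only; the AD password travels in the login POST. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

With this layout, existing calls such as Membership.ValidateUser(userName, password) and Membership.GetUser(userName) keep using the default (domain-root) provider, and the code path that registers CRM users calls Membership.Providers["CrmOuMembershipProvider"].CreateUser(...) so the account is created inside OU=CRM. Two practitioner caveats: connectionProtection="Secure" (the default) makes the provider use SSL or sign-and-seal rather than a clear-text bind, so leave it that way and do not set it to "None"; and the connectionUsername/connectionPassword pair should be a least-privilege service account (read on the domain, create rights only on OU=CRM) with the section encrypted in place, for example with aspnet_regiis -pe "system.web/membership" -app "/YourApp", rather than a plain-text domain admin password in web.config.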