Tuesday, June 23, 2009

How To: Use Active Directory Membership Provider in ASP.NET

The ASP.NET version 2.0 membership feature provides secure credential storage for application users.

We will use the following:

- A web page named Login.aspx and another web page named CreateUser.aspx

- Login control

- CreateUserWizard control

Steps:

1- Configure Forms Authentication in the Web.config File


To configure forms authentication, set the <authentication> element's mode attribute to "Forms" and then configure your application's Web.config file as shown in the following example.





<authentication mode="Forms">
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name="AppNameCookie"
           path="/FormsAuth"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="default.aspx"
           cookieless="UseCookies"
           enableCrossAppRedirects="false"/>
</authentication>

Where:


  • loginUrl points to the login page. You should place this in a folder that requires Secure Sockets Layer (SSL) for access.

  • protection is set to "All" to specify privacy and integrity for the forms authentication ticket.

  • timeout is used to specify a limited session lifetime.

  • name and path are set to unique values for the current application.

  • requireSSL is set to "false". This means that the authentication cookie can be transmitted over channels that are not SSL-protected. If you are concerned about session hijacking, you should consider setting this to "true".

  • slidingExpiration is set to "true" to enforce a sliding session lifetime. This means that the timeout is reset after each request to your application.

  • defaultUrl is set to the Default.aspx page for the application.

  • cookieless is set to "UseCookies" to specify that the application uses cookies to send the authentication ticket to the client.

  • enableCrossAppRedirects is set to "false" to indicate that the application cannot redirect requests outside the application scope.


Add the following <authorization> element after the <authentication> element. This permits only authenticated users to access the application. The previously established loginUrl attribute of the <authentication> element will redirect unauthenticated requests to the Login.aspx page.




<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>


2- Configure the ActiveDirectoryMembershipProvider in the Web.config File

Configure the ActiveDirectoryMembershipProvider in your application's Web.config file as shown in the following example.

An important point in this case is how to get your Active Directory connection string.

Please visit:


<connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://domain.testing.com/CN=Users,DC=domain,DC=testing,DC=com" />
</connectionStrings>

<system.web>
    ...
    <membership defaultProvider="MembershipADProvider">
        <providers>
            <!-- connectionUsername and connectionPassword are the account the provider
                 uses to connect to Active Directory. Replace <domainName> and "password"
                 with your own values; they are stored in this file as plain text. -->
            <add name="MembershipADProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="ADConnectionString"
                 connectionUsername="<domainName>\administrator"
                 connectionPassword="password"/>
        </providers>
    </membership>
    ...
</system.web>

The Last Step:

- Drag and drop a Login control onto the Login page.

- Drag and drop a CreateUserWizard control onto the CreateUser page.

Now your web application or website is secured.
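To check the result of the steps above before deploying, the following added example (not part of the original post or of ASP.NET) parses a Web.config and reports the settings from this walkthrough that weaken it: a forms cookie that may travel without SSL, a missing or shadowed deny rule for anonymous users, and an Active Directory bind account stored in the file. The finding names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the settings shown in this post (not a real site).
SAMPLE_WEB_CONFIG = r"""
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="30" requireSSL="false" />
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <membership defaultProvider="MembershipADProvider">
      <providers>
        <add name="MembershipADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
             connectionStringName="ADConnectionString"
             connectionUsername="DOMAIN\administrator"
             connectionPassword="password" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

def audit_web_config(xml_text):
    """Return a sorted list of finding names (hypothetical labels) for a Web.config."""
    root = ET.fromstring(xml_text)
    findings = set()
    forms = root.find("./system.web/authentication/forms")
    # requireSSL defaults to false, so a missing attribute counts as a finding.
    if forms is None or forms.get("requireSSL", "false").lower() != "true":
        findings.add("FORMS_COOKIE_NOT_SSL_ONLY")
    if forms is not None and forms.get("protection", "All") != "All":
        findings.add("FORMS_TICKET_NOT_FULLY_PROTECTED")
    # Authorization rules are matched in order: the first rule covering "?" or "*" decides.
    rules = root.findall("./system.web/authorization/*")
    first = next((r for r in rules if r.get("users") in ("?", "*")), None)
    if first is None or first.tag != "deny":
        findings.add("ANONYMOUS_ACCESS_NOT_DENIED")
    for p in root.findall("./system.web/membership/providers/add"):
        if "ActiveDirectoryMembershipProvider" not in p.get("type", ""):
            continue
        if p.get("connectionPassword"):
            findings.add("AD_PASSWORD_IN_CLEARTEXT")
        if p.get("connectionUsername", "").lower().endswith("\\administrator"):
            findings.add("AD_BIND_AS_ADMINISTRATOR")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

The rule check only looks at single-value users attributes ("?" or "*"); comma-separated user lists and roles are outside what this example covers.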
