Question

Currently I have a few projects that use Forms Authentication and I'm able to have users log in with their AD Account. The way I have been doing it is very easy.

web.config

<!-- First I set up the connection string to the Active Directory account -->
<connectionStrings>
    <add name="ADService" connectionString="LDAP://ourDomainController/OU=stores,DC=DOMAIN,DC=net" />
</connectionStrings>

<!-- Then I add the membership provider for Active Directory -->
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
        <clear />
        <!-- Membership provider for Active Directory -->
        <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName" />
    </providers>
</membership>

I'm not able to log in using the Active Directory Usernames and Passwords. However, I'm not able to deny access to certain parts of the website to specific groups. This way searches the entire Active Directory and if you are part of it, you're able to log in. In one application, I would insert users into an SQL table, then grant users access to the website and so on if they were part of the SQL table. This works well, however, the application is growing rapidly with many users and I would like to take advantage of the groups within Active Directory.

I have spent the past few days researching and experimenting but I'm not finding any solutions. Many have used Windows Authentication, but it is less visually appealing and at this stage, would probably just freak out the end-users for a few weeks. (The application spreads across 13 different stores.) I have also looked into this article... and have tried this solution in a test application but didn't have any luck. I keep getting an error saying "Object reference not set to an instance of an object" in the custom ADRoleProvider.

var root = new DirectoryEntry(WebConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString, ConnectionUsername, ConnectionPassword);

I'm just wondering if anyone knows of a way to do this properly or a different way to do this. Any suggestion is helpful! Thanks!


Solution 2

I have solved the issue. I used the link that I provided in my question and the link that was provided by Kamlesh. The issue was my GetRolesForUser. I had to fix this with this code:

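// Requires a reference to System.DirectoryServices.AccountManagement
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

public override string[] GetRolesForUser(string username)
{
    var allRoles = new List<string>();

    // Bind to the domain the application server belongs to
    using (var ctx = new PrincipalContext(ContextType.Domain))
    using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username))
    {
        if (user != null)
        {
            // GetGroups() returns only the groups the user is a direct member of
            var groups = user.GetGroups();
            allRoles.AddRange(groups.Select(x => x.Name));
        }
    }

    // An unknown user gets an empty role list rather than an exception
    return allRoles.ToArray();
}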

I no longer get a NullReferenceException and this finds the roles that the user is currently in. Make sure that you are using Groups in the Active Directory as well. Hope this saves someone some time.
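With a role provider like the one above returning AD group names, the "deny access to certain parts of the website to specific groups" part of the question can be expressed in web.config. This is an added example, not code from the original posts; it assumes URL-path authorization, and the provider type `MyApp.Security.ADRoleProvider`, the login URL, the `Admin` path and the group name `StoreManagers` are placeholders.

```xml
<!-- Added example. Provider type, login URL, path and group name are
     placeholders, not values from this page. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL keeps the auth ticket off plain HTTP -->
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>

    <!-- Register the custom role provider so GetRolesForUser() is consulted.
         cacheRolesInCookie="false": roles are looked up again on each
         request instead of being trusted from a cookie, so removing a user
         from an AD group is not masked by a stale cached role list. -->
    <roleManager enabled="true" defaultProvider="ADRoleProvider"
                 cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="ADRoleProvider" type="MyApp.Security.ADRoleProvider" />
      </providers>
    </roleManager>

    <!-- Site-wide default: any authenticated user, no anonymous access -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top-down and the first match wins, so the allow
       must come before the catch-all deny. The role name must equal the
       string GetRolesForUser() returns (the AD group's Name). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="StoreManagers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because `GetGroups()` reports only direct membership, a user who reaches `StoreManagers` through a nested group will not match the `allow` rule and falls through to the deny.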

Other tips

The ideal way for an AD Role Provider: you can write your own role provider. The following link may solve your problem: Role Provider Link

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow