Which one to use for Active Directory Authentication? [closed]

Question

Closed. This question needs to be more focused. It is not currently accepting answers.

---

Want to improve this question? Update the question so it focuses on one problem only by editing this post.

Closed 7 years ago.

Improve this question

I'm looking to switch to Active Directory for authentication and roles, but I'm not sure what to use for either.

For membership, I've come across these two options for authentication:

1. ActiveDirectoryMembershipProvider
2. LdapMembershipProvider

What are the differences? Does one have an advantage over the other? I just need to authenticate the user and know what roles they are in, nothing more.

For roles, I'm even less clear on what to use.

Thanks!

Answer 1

To validate I find it simpler to just do something like this:

using System.DirectoryServices.AccountManagement;

bool flag = false;
try
{
    using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain))
    {
        flag = principalContext.ValidateCredentials("UserId", "Password");
    }
}
catch (PrincipalServerDownException)
{
}

To get roles you can look at this answer:

https://stackoverflow.com/a/6247905/67566

I wouldn't use the two options you mentioned, personally, as there are newer options that I think make life simpler.

There are various options on instantiating PrincipleContext so you may want to look at:

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.principalcontext(v=vs.110).aspx

Answer 2

My solution is to not use either membership provider you have suggested. Instead use Integrated Windows Authentication. You don't have to bother with logging users in and out as it's done via SPNEGO. Users just access the site and are automatically logged in (with some browsers, otherwise it prompts them for username/password and handles that for you). You can then figure out which user is logged in via the User.Identity.Name property available on any code behind page.

This is the simplest solution you'll find, as it doesn't take modification of any code or configuration files. Just check a simple box in IIS and you're good to go.