Making Active Directory Application Mode (ADAM) work with ASP.NET 2.0 in Visual Studio 2005 can be quite a hassle. This post is a step by step guide to successfully creating and using an ADAM instance with ASP.NET 2.0 without the need to install SSL-certificates.

1. Installing ADAM
  1. Download and install ADAM from http://www.microsoft.com/adam
  2. Run the installer
  3. Select "unique instance"
  4. Give the instance a sensible name (I will use TestInstance in this example)
  5. Select a couple of free ports (I will use 50000 and 50001 in this example)
  6. Select "Yes, create an application directory" and give it a sensible name. (O=TestDirectory will be used in this example)
  7. Accept default or select a suitable place for the files
  8. Choose default for Service Account Selection
  9. Choose "Currently logged on account" for ADAM Administrators
  10. Import "MS-InetOrgPerson", "MS-User" and "MS-Userproxy"
  11. Click next to complete the install

2. Configuring the ADAM instance
  1. Open "ADAM ADSI Edit" from the ADAM program group in your start menu
  2. Select "Action->Connect to..."
  3. For the name use [instance name] + "directory" ("TestInstance directory")
  4. Enter the correct port number in the Port textbox (50000)
  5. Choose "Distinguished name" and enter the distinguished name of your instance ("O=TestDirectory")
  6. Click "Ok"
  7. Right-click the "O=TestDirectory"-folder and select "New" and "Object...". Choose "organizationalUnit" and name it "Users"
  8. Right-click the new "OU=Users"-folder and select "New" and "Object...". Select "user" and give the user an admin-like name ("ADAMAdmin"). We have now created our ADAM admin user
  9. Right-click the "CN=ADAMAdmin"-account and choose "Reset password". Choose a sensible admin password.
  10. Double-click the "CN=ADAMAdmin"-user and set the "msDS-UserAccountDisabled" to False
  11. Go to the "CN=Roles"-folder and double-click the "Administrators"-account. Locate the "member" attribute and double-click it. Choose "Add ADAM-account" and enter the distinguished name of your newly created user (CN=ADAMAdmin,OU=Users,O=TestDirectory). Click the Ok-buttons to close the editor.
  12. Close the "ADAM ADSI Edit"-application
  13. Open "ADAM Tools Command Prompt" from your ADAM program group on the start menu.
  14. Type the following commands: "dsmgmt", "ds behavior", "connections", "connect to server localhost:50000", "quit", "allow passwd op on unsecured connection", "quit", "quit". These commands allow your application to send plain text passwords to the ADAM instance over the unencrypted port (avoid this in production environments). Thanks to Dan Seller for this part.

3. Configuring your ASP.NET 2.0 application
  1. Open your web.config. If you don't have one, click "Website", "Add new item...", "Web configuration file"
  2. Replace the "<connectionStrings>"-tag with:
    <connectionStrings>
        <add name="ADService" connectionString="LDAP://localhost:50000/OU=Users,O=TestDirectory"/>
    </connectionStrings>

  3. Right above the "</system.web>"-tag add the following:
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
        <providers>
            <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" connectionUsername="CN=ADAMAdmin,OU=Users,O=TestDirectory" connectionPassword="myAdminPassword" connectionProtection="None" enableSearchMethods="true"/>
        </providers>
    </membership>

You should now be able to open the "ASP.NET configuration"-utility and add users.
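As an added example (not code from the original post), the following console program binds to the ADAM instance with the same LDAP path and ADAMAdmin account as the web.config above (myAdminPassword is the post's placeholder) and reports which accounts under OU=Users the membership provider will refuse: it looks users up by userPrincipalName, and ADAM rejects binds for accounts whose msDS-UserAccountDisabled is TRUE. The class and method names are mine; the System.DirectoryServices calls are the standard .NET 2.0 ADSI wrappers.

```csharp
using System;
using System.DirectoryServices;

// Added example, not part of the original post.
static class AdamUserCheck
{
    // Connection details copied from the web.config in the post.
    const string LdapPath = "LDAP://localhost:50000/OU=Users,O=TestDirectory";
    const string BindDn = "CN=ADAMAdmin,OU=Users,O=TestDirectory";
    const string BindPassword = "myAdminPassword";

    static void Main()
    {
        // AuthenticationTypes.None is an LDAP simple bind: exactly like the
        // provider's connectionProtection="None", the bind password crosses
        // the wire in clear text, which is why step 14 is needed at all.
        using (var users = new DirectoryEntry(LdapPath, BindDn, BindPassword, AuthenticationTypes.None))
        using (var searcher = new DirectorySearcher(users, "(objectClass=user)"))
        {
            searcher.PropertiesToLoad.AddRange(
                new[] { "cn", "userPrincipalName", "msDS-UserAccountDisabled" });

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string cn = (string)r.Properties["cn"][0];
                    string problem = Diagnose(r);
                    Console.WriteLine(problem == null
                        ? "OK       " + cn
                        : "REJECTED " + cn + ": " + problem);
                }
            }
        }
    }

    // Returns null when the account satisfies the provider's preconditions,
    // otherwise the reason a login with it would fail.
    static string Diagnose(SearchResult r)
    {
        // The provider maps the login name to userPrincipalName by default;
        // an account without it cannot be found and therefore cannot log in.
        if (r.Properties["userPrincipalName"].Count == 0)
            return "userPrincipalName is not set";

        // An absent attribute means "not set", which ADAM treats as enabled;
        // only an explicit TRUE disables the account.
        ResultPropertyValueCollection disabled = r.Properties["msDS-UserAccountDisabled"];
        if (disabled.Count > 0 && Convert.ToBoolean(disabled[0]))
            return "msDS-UserAccountDisabled is TRUE";

        return null;
    }
}
```

Run it after adding users through the "ASP.NET configuration" utility; any account listed as REJECTED is one that will produce "Your login attempt was not successful" even with the correct password.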

edgar

Helps with the class membership !!!!

This article is very good, but I have a problem: when trying to obtain a user with the GetUser() method of the Membership class it returns null, as if the user didn't exist, even though it exists.
Can you tell me if you know what could be happening?

Excuse me, my English is not very good.
Erlend

Re: Helps with the class membership !!!!

I'm not sure I understand your question, but if you are logged in, the Membership.GetUser() should return the current user.
You can use Membership.GetUser("some username") to get hold of a user that is not logged in.
anonymous
First of all thanks for this great article. I'm trying to use forms auth with ADAM in ASP.NET 2.0 but it seems I can't get to work correctly. The problem seems to be the format of user id in the "login" dialog box. I've tried "CN=ADAMAdmin,OU=Users,O=TestDirectory" and "ADAMAdmin" and "ADAMAdmin@localhost:50000" but none works. Any idea?
Thanks!
Erlend
As long as you specified the connectionString correctly in web.config, you should be able to login using only the CN (ADAMAdmin for CN=ADAMAdmin,OU=Users,O=TestDirectory and a connectionString of "LDAP://localhost:50000/OU=Users,O=TestDirectory").
What error message do you get? Can you open the "ASP.NET configuration" web dialog from Visual Studio (click web site and then the icon looking like a hammer and a globe)?
Todd

Allows sending plain text passwords

You can also do the same task as step 14 from within ADAM ADSI Edit

1. Start the ADAM ADSI Edit tool (%systemroot%\ADAM\ADAM-adsiedit.msc).
2. Right-click the root of the "ADAM ADSI Edit" navigation branch in the left hand pane of the Microsoft Management Console (MMC) and select "Connection to..."
3. Under the Connection name, enter "Configuration partition." Enter the server name and port. If you're running ADSI Edit on the ADAM server, the server name can be localhost and the port is the value set during installation (typically 389). Under "Connect to the following node," click "Well-known naming context:" and select Configuration, as the figure shows. Click OK.
4. Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the ADAM}.
5. Right-click "CN=Directory Service" and select Properties.
6. Double-click the dSHeuristics attribute.
7. Set the value to 0000000001001 and click OK.
8. Click OK to the CN=Directory Service properties box.
Jim

Using ADAM and AzMAN for forms based authentication on a website

Hi there.

Great article, which seems to work fine. My problem is that I'm trying to use ADAM and AzMan, ADAM as my membership provider and AzMan as my role manager, and connecting the ADAM and AzMan together in the background.

I've pretty much followed this doc to set up AzMan and ADAM

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000018.asp?_r=1

But it only explains how to use ADAM/AzMan as a roles provider for windows based forms, and assumes you're going to be using domain active directory to hold the user data.

Similarly this one

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000019.asp

Uses azman as the roles provider only.

Now, this page that I'm posting on here uses ADAM as the actual user store. This is great, but how do I now go and configure ADAM to use AzMan as my roles provider, and what settings do I put in my web.config to tell my web site where to get the roles info from? Anyone done this, or found a web site that explains it?

Thanks!

Jim Smith - frustrated ADAM AzMAN user...

Erlend

Re: Using ADAM and AzMAN for forms based authentication on a website

You should read my other article: http://www.oftedal.no/~erlend/?blogid=8
Ed

Setting passwords in ADAM

Hi,
I keep getting an error message when I attempt to reset a user password in ADAM ADSI Edit : "Illegal modify operation. Some aspect of the modification is not permitted." Any ideas on what's causing this? Thanks.
Erlend

Re: Setting passwords in ADAM

I guess it might have to do with what security restrictions are set on your user. What access does the user you connect to ADAM with in ADSI Edit have? Is it in the Administrators role? Also ADAM uses the password policy of the Active Directory/Windows OS of the computer it is running on. Maybe the password you are trying to set is too weak?
You can disable the password policy by following the recipe here:
http://technet2.microsoft.com/WindowsServer/en/Library/f2bd8a7c-3ecd-4779-974c-c466ae61ddba1033.mspx
Irfan

Usernames must not contain '\' when mapped to 'userPrincipalName'.

I am getting an error when I use the initially posted solution. I would like to get any idea about this. The exact error is

Usernames must not contain '\' when mapped to 'userPrincipalName'.
Parameter name: username

regards
Irfan
Erlend

Re: Usernames must not contain

Are you sure you set your solution to use forms-authentication and not windows-authentication in your web.config? This error usually stems from the username containing the domain ("ACME\John Doe").
anonymous
Thanks, you were right, and now I am using the following settings
in web.config as below. But when I execute the following line in page load on login.aspx

MembershipUser obj = Membership.GetUser()

it raises an error: username can not be empty.

<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="ADAMAdmin" defaultUrl="default.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<identity impersonate="true"/>

Some questions which I need to know about ADAM are these.....

I am a newcomer in the world of Active Directory and reaching the following things.
Actually I am developing a Windows client using SCSF, and for that we are deciding to use Active Directory to store the user rights and roles, and I was assigned this task. I googled a lot and reached yours.

I am planning to use a web service for that so that I will be able to use the ASP.NET Active Directory membership provider and facilitate my Windows client with that, and store user GUI based rights, GUI object [controls] based rights and admin type activity [assigning roles and responsibility]. Is this a good approach? I'll prefer to have your valuable suggestion about this.

We are preferring ADAM over the classic way of storing user rights in a database, and of course due to the benefits of ADAM.

I am hopeful to get some boosting help from your side. Thanks a lot for your time and concern

regards
Irfan
Erlend

Re:

First of all, you cannot run Membership.GetUser() until the user is logged in. I usually write code like:
    if (HttpContext.Current.User.Identity.IsAuthenticated) {
        // GetUser() is a static method on Membership, not on MembershipUser
        MembershipUser user = Membership.GetUser();
        // Do something with user object...
    }

If you want to run GetUser before the user is logged in, you have to specify the username like:
    Membership.GetUser("John Doe");
To assign rights and roles you can probably use Microsoft Authorization Manager (the abbreviation is actually AzMan :D ). AzMan allows you to assign roles to the users in an ADAM store. I have some code in one of my other blog posts about how to set up AzMan with ADAM, but I suggest you read a bit about AzMan on Microsoft's web site before installing it. The basic idea is that you can define operations (e.g. "open document") and group these operations into tasks (e.g. "manage documents"). You then create roles and allow the roles to perform tasks. You can then check programmatically if a user has access to an operation. But as I said, go to Microsoft's web site. They have a lot of useful information.
Sharat

Problem while configuring and authentication AD domain user using ADAM

Hi folks,
We are developing an application, and it would use ADAM and AD for user authentication. We configured all the users in AD. Whenever the request comes to the application it first comes to ADAM, then ADAM internally checks into the AD domain for authentication; after successful authentication it should get the privileges from AzMan. We are able to create the normal users in ADAM by following the guidelines given by this resource. And also we are able to authenticate the users using a .Net 2.0 web application. But the problem comes only with domain users. We are unable to find the way to select the AD domain user as an ADAM user. We found the way to select as a group user. But to the best of my knowledge we need to add the AD domain user as an ADAM user to authenticate.
For this we are using Windows-XP machine with SP-2 and Windows 2003 Administrative Tools pack and IIS 5.1 installed, and our Active Directory is on Windows 2003 machine, and ADAM is on Windows-XP machine.

We have been struggling for a long time to configure the Active Directory, and ADAM works closely. Please help on these issues
1) How to select AD domain user as ADAM user?
2) What kind of credentials we need to pass to authenticate the selected AD domain user?
3) Is there any other .Net providers to validate the users other than ActiveDirectoryMembershipProvider?
4) How the ADAM requests the AD for authentication?
Erlend

Re: Problem while configuring and authentication AD domain user using ADAM

1) You need to set up your users as proxy users (userProxy object), which means that login requests to ADAM will automatically be forwarded to AD. http://technet2.microsoft.com/windowsserver/en/library/f0db9c4b-5c40-4548-8ac7-677682a3ec051033.mspx?mfr=true
2) Username in ADAM and AD password - which is then translated in ADAM and sent to AD for authentication
3) ActiveDirectoryMembershipProvider is sufficient for this scenario
4) You can read more about that here: http://technet2.microsoft.com/windowsserver/en/library/7b6c4b5c-58be-4b4c-90e9-f464dd1a09311033.mspx?mfr=true
mbonet

Illegal Modify Operation

Regarding the post from January 2007 "Illegal modify operation. Some aspect of the modification is not permitted." I am getting the same error. My ADAM install is on a Windows XP box. My domain user account is a local administrator on the XP box. The article you point to explicitly states "Password policy settings are not enforced on ADAM instances that run on a computer running Windows XP Professional.". Do you have any other ideas why this is happening?
mbonet

Password Resets

I found this link
http://www.windowsitpro.com/Article/ArticleID/47482/47482.html
Synopsis:
By default, ADAM requires that you perform password operations over a secure channel.
Erlend

Re: Password resets

I see. Thanks for clearing that up.
TNET

Your login attempt was not successful. Please try again.

Hi,

I followed the whole set of steps and everything looks fine, but when I try to login using ADAMAdmin with password = password (or another user) I get the "Your login attempt was not successful. Please try again." message. Do you know why this could be?



TNET

Its working

Its working, Thanks!!!
Ponnu

ADAM & Vista

Hi,

This doesn't seem to work in Vista, get this error at the end of the wizard
"An internal error has occurred and ADAM Setup must close."

Any idea?

Thanks
Ponnu
Anonymous

Your login attempt was not successful. Please try again.

I was getting this problem as well, and it turned out that the userPrincipal attribute must be set. See http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=344889&SiteID=1 for more info.
Erlend

Re: Your login attempt was not successful. Please try again.

Yes, good point. The users must be valid (have a password, have a username in userPrincipalName and msDS-UserAccountDisabled should NOT be set to true).
Hugo

Related Problems

Hi,

First of all ... great article!! It's quite good and it helped me in understanding things about Active Directory.

I don't know if my problem has to do with this but I really need help with this issue.

The thing is that I adapted a VS2003 web application to VS2005. This application accesses Active Directory to get some information about the user.
When I published the new VS2005 application on the server I found that it wasn't able to access AD, even though the old application still works perfectly.
Some other strange details: I didn't notice this before because the access to AD from my machine worked correctly. The thing is that when I write "localhost/application" it works, but when I write "MyIP/application" or anybody tries to access this application through the Intranet ("MyIp/application") it doesn't read from AD.
So, is it a problem of security, IIS, WEB.CONFIG ....?

I'll really appreciate your help, thanks in advance.
Mila

userproxy problem

Great article.
I had tested with ADAM accounts and it works perfectly, but my userProxy objects are not being recognized as users, even though they have the userPrincipalName attribute set (I had tested bind redirection with ldp tool and it works).

Any suggestions on what I could look at to correct this?

Thanks for your help!
Neeraj

Default Credentials are not supported

Hi There,

I followed all the steps in your article. I am working on Windows Server 2008 and IIS 7.0. I am getting the following exception when I try to authenticate a user:
"Default credentials are not supported when the connection protection is set to None."

Any suggestion is highly appreciated.

Thanks in advance for your help !

Regards,
Neeraj Tomar
Erlend

Re: Default Credentials are not supported

Try setting up ADAM with SSL as described here http://erlend.oftedal.no/blog/?id=7 and change connectionProtection to "Secure".
Some password related functions may not be available on unencrypted connections.
Neeraj

Its Working with SSL

Many Thanks Erlend. I followed your steps described in SSL article and it worked.

Now I am facing another issue that requires secure authentication. I will post that on your SSL article.

Thanks Again !

Appreciate your help.
P

Error Initialize AZMAN

Hi there,

Great article. I am trying to make it work but when I want to
AzAuthorizationStoreClass AzManStore = new AzAuthorizationStoreClass();
I get this error:

The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))

Do you know what is causing this error?

Also when I want to initialize AzManStore I get this error:

The specified network provider name is invalid. (Exception from HRESULT: 0x800704B4)

I hope you can help me solve these problems.

Thanks.
sabarna

nice article

It is a very nice article. It was very useful for me. Thanks a lot.
Brindha

Your login attempt was not successful. Please try again.

Hi,
I configured ADAM as said before. When I try to login the following message shows up: "Your login attempt was not successful. Please try again." What may be the cause and its solution? Very urgent, please help me.
Erlend

Re: Your login attempt was not successful. Please try again.

Are you able to connect to the ADAM using LDP.exe with simple bind for the service account? What about with the user account?
Brindha

Erlend: Re: Your login attempt was not successful. Please try again.

Yes, I have connected, but not using LDP.exe. Connected using ADAM ADSI Edit. Username and password are "ADAMAdmin", "myadmin".
Brindha

Erlend: Re: Your login attempt was not successful. Please try again.

Connected using LDP.exe. But a simple bind using the username "ADAMAdmin" displays "0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'ADAMAdmin', <unavailable>); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: <empty>"


But when I bind using my Windows user account it displays "0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'user', <unavailable>); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'".

Will you please tell me which account I have to bind with? Don't mistake me.
Brindha

TestDirectory unavailable

Hi,
While binding using ldp.exe it displays "0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 0)
res = ldap_simple_bind_s(ld, 'CN=ADAMAdmin,OU=Users,O=TestDirectory', <unavailable>); // v.3
Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'"


Where is the TestDirectory stored? Because it shows as "unavailable"
Erlend

Re: TestDirectory unavailable

No, that's not it. Unavailable simply means it's not going to show the password as a part of the log message. Your authentication was successful. If you want to see the tree like in ADAM ADSI Edit, open the "View" menu in ldp, and select "Tree view". Next select the bottommost entry in the list and hit ok.
Anyway, the result from your last comment indicates that you are able to connect to the ADAM with your account.
When you are setting up user accounts in the OU=Users, remember to set "msDS-UserAccountDisabled" to false or "not set" after setting a password. If you don't do that, they won't be able to login.
Brindha

Your login attempt was not successful. Please try again.

As you said above I set msDS-UserAccountDisabled to false. In ADAM ADSI Edit, if I open the "View" menu in ldp and select "Tree view", and then select the bottommost entry in the list and hit ok, it displays as follows,

Expanding base \'CN=ADAMAdmin,OU=Users,O=TestDirectory\'...
Getting 1 entries:
>> Dn: CN=ADAMAdmin,OU=Users,O=TestDirectory
4> objectClass: top; person; organizationalPerson; user;
1> cn: ADAMAdmin;
1> distinguishedName: CN=ADAMAdmin,OU=Users,O=TestDirectory;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 10/15/2009 14:20:23 India Standard Time India Standard Time;
1> whenChanged: 10/22/2009 15:18:29 India Standard Time India Standard Time;
1> uSNCreated: 12416;
1> memberOf: CN=Administrators,CN=Roles,O=TestDirectory;
1> uSNChanged: 49159;
1> name: ADAMAdmin;
1> objectGUID: c90f46e1-4e5f-4b8d-bf6d-bd1e634eb7de;
1> badPwdCount: 0;
1> badPasswordTime: 0;
1> pwdLastSet: <ldp error <0x0>: cannot format time field;
1> objectSid: S-1-307065357-362316744-2945465980-1232925254-1789952414-1116187653;
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={6F3F908D-EEF5-42FD-8ADA-BAC5159465F7};
1> lastLogonTimestamp: <ldp error <0x0>: cannot format time field;
1> msDS-UserAccountDisabled: FALSE;

When I try to login using asp.net it displays the error message "Your login attempt was not successful. Please try again". I cannot find where the problem is. Please help me to find a solution.
anonymous
thanks a lot... this article did help me
Girish
Hi,
Your article really helped me with setting ADAM n
I am trying to enforce constraints on my password by using ActiveDirectoryMembershipProvider. Currently I am setting all my settings in the Local Security Policy Configuration Wizard which we open through administrative tools.
I have overwritten some default settings (ex: minimum password length = 10). But they have not been taken in my asp.net application when I try to create a new user or change the password of an existing user. Only default constraints are being applied. I am using ASP.NET 4.0.
Am I missing any step to integrate the policy in the asp.net app?