I am trying to setup my local asp.net web application to use an LDAP connection string (active directory domain controller) for user authentication.
LDAP connection string points to an active directory domain controller accessible via a VPN connection I am using. Also I am using some public LDAP directories for testing.
I have deployed an IIS (7) to my local workstation. I also have followed instructions found here and I created a simple Active Directory forms authentication application.
I am trying to authenticate my users to 4 different LDAP servers (2 of the AD, 2 non AD)
Here are some parts of my web.config
:
<connectionStrings>
<!--<add name="ADConnectionString1" connectionString="LDAP://x01.x02.x03.x04:389/DC=NPAPAN,DC=local" />--> <!-- Active Directory in VPN1 -->
<add name="ADConnectionString4" connectionString="LDAP://y01.y02.y03.y04:389/DC=corporate,DC=mycompany,DC=com"/> <!-- Active Directory in VPN2 -->
<!--<add name="ADConnectionString2" connectionString="LDAP://ldap.forumsys.com:389/dc=example,dc=com"/>--> <!-- LDAP server 1 public -->
<!--<add name="ADConnectionString3" connectionString="LDAP://zflexldap.com:389/dc=example,dc=com"/>--> <!-- LDAP server 1 public -->
</connectionStrings>
...
<authentication mode="Forms">
<forms
name=".ADAuthCookie"
timeout="10" requireSSL="false" protection="None"/>
</authentication>
....
<membership defaultProvider="MyADMembershipProvider">
<providers>
<!--<add name="MyADMembershipProvider1"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="NPAPAN\testadmin"
connectionPassword="zzzzzzz"
attributeMapUsername="sAMAccountName"/>-->
<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="CORPORATE\_ADMIN_USER"
connectionPassword="cccccccc"
attributeMapUsername="sAMAccountName" />
<!--<add name="MyADMembershipProvider2"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="cn=read-only-admin,dc=example,dc=com"
connectionPassword="password"
attributeMapUsername="uid" />-->
<!--<add name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString3"
connectionUsername="cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com"
connectionPassword="zflexpass" />-->
</providers>
</membership>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
...
The code I am using is the one used on the link from sample application.
A) In case of VPN Active Directory servers
I am able to browse ADs by using the information (LDAP url, port, base DN, connectionUsername
, connectionPassword
) listed in the code above with an LDAP browser.
From within IIS web application I am able to bind and authenticate users only for VPN 1 Active Directory.
In case of VPN 2 Active Directory I am getting:
Unable to establish secure connection with the server
B) In case of public LDAP servers (v3)
I am not able to bind + authenticate users in both cases, receiving:
Unable to establish secure connection with the server
In both cases the LDAP server is using non-AD standard object attributes as shown below:
So in the first case I tried to map user login name by :
attributeMapUsername="uid"
Obviously it did not work.
My questions are the following:
A) In the second case that I can not bind to VPN2 AD, I can ping & telnet the AD controller. I can also connect to AD controller using an LDAP browser. I am wondering if the AD controller or something else could block requests from my local IIS. What is happening?
B) Can I use ActiveDirectoryMembershipProvider
to bind and use LDAP V3 servers of all types?
If so what am I missing here?