ActiveDirectoryMembershipProvider "The specified domain or server could not be contacted."

I have an application that is using ActiveDirectoryMembershipProvider to grant access to users. The application is hosted on a non-domain machine, with a firewall between the application server and the domain controller.

We've opened the LDAP port to the DC on the inside network - yet no matter what we try, we end up with an error that says "The specified domain or server could not be contacted."

Does anyone have any suggestions on how I can resolve this? We've tried everything we can think of and just aren't getting anywhere.

My connection string is:

<add name="ADConnectionString"
    connectionString="LDAP://10.5.3.7:389/DC=MyTestDomain,DC=local"/>

And my provider is:

<add name="ActiveDirectoryMembershipProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider"
    connectionStringName="ADConnectionString"
    attributeMapUsername="SAMAccountName"
    connectionProtection="None"
    connectionUsername="LdapUser"
    connectionPassword="LdapPassword" />
Scott Ivey asked Aug 12 '09 21:08


1 Answer

The application is hosted on a non-domain machine, with a firewall between the application server and the domain controller.

Since you could query directly using an LDAP tool, that suggests that the firewall is open correctly. However, keep in mind that the ActiveDirectoryMembershipProvider is not using plain old LDAP, it's using Microsoft technologies. For example, if you set connectionProtection="Secure", ADMP will try using SSL and port 636, if that fails, it will use Microsoft's built-in IPSec signing (see this article for more details).

Anyway, this makes me wonder about a couple things:

  1. Does the AD domain have an IPSec "required" policy which refuses connections from non-domain/non-configured computers? (Probably not, since you connected with plain LDAP, but it's worth investigating.)
  2. Have you added the domain controller's NetBIOS name to your lmhosts file, and its DNS name to your hosts file? (Many protocols check that their target's reported name matches the name you tried to connect to.)
  3. A lot of people have noted problems using ADMP between different domains, and the solution required that a one-way trust be created. Since it sounds like your client computer is not in a domain, you can't have that trust--unless either (a) it is a member of a different domain with a one-way trust or (b) it is a member of the same domain and thus client-server trust is implicit.
ewall answered Oct 22 '22 04:10
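The answer's first point (the firewall is open for plain LDAP, but the provider may try other ports depending on connectionProtection) is easy to check from the application server itself. The script below is an added example, not code from the question, the answer or Microsoft's provider: it parses the ADSI path from the question's connection string, probes TCP 389 and 636 on the server it names, and maps the results onto what the provider will attempt for each connectionProtection value, following the fallback behaviour the answer describes. The helper names (parse_adsi_path, tcp_reachable, diagnose, triage) are my own; the only values taken from the page are the LDAP path and the two connectionProtection settings.

```python
"""Connectivity triage for an ActiveDirectoryMembershipProvider connection string.

Added example; the helper names are assumptions, not provider or framework APIs.
The port/fallback logic in diagnose() follows the behaviour the answer describes:
connectionProtection="None" uses plain LDAP on 389, "Secure" tries SSL on 636
first and otherwise falls back to signing on 389.
"""
import re
import socket
from dataclasses import dataclass

# Shape of the ADSI path the provider is given: LDAP://host[:port][/baseDN]
# (bracketed IPv6 literals are not handled by this simple pattern)
ADSI_PATH = re.compile(
    r"^LDAP://(?P<host>[^:/]+)(?::(?P<port>\d+))?(?:/(?P<dn>.*))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class LdapTarget:
    host: str
    port: int
    base_dn: str


def parse_adsi_path(path: str) -> LdapTarget:
    """Split 'LDAP://10.5.3.7:389/DC=MyTestDomain,DC=local' into host, port, base DN.
    A missing port defaults to 389, a missing base DN to the empty string."""
    m = ADSI_PATH.match(path.strip())
    if not m:
        raise ValueError(f"not an LDAP:// path: {path!r}")
    return LdapTarget(m["host"], int(m["port"] or 389), m["dn"] or "")


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test: exactly what the firewall rule has to permit."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route, or sockets disallowed
        return False


def diagnose(connection_protection: str, reachable: dict) -> str:
    """Map probe results (port -> reachable) onto what the provider will attempt."""
    mode = connection_protection.strip().lower()
    ldap, ldaps = bool(reachable.get(389)), bool(reachable.get(636))
    if mode == "none":
        if ldap:
            return "ok: TCP 389 reachable, plain LDAP can connect"
        return "blocked: connectionProtection=None needs TCP 389 open to the DC"
    if mode == "secure":
        if ldaps:
            return "ok: TCP 636 reachable, provider can use SSL"
        if ldap:
            return ("fallback: 636 blocked, provider falls back to signing over 389, "
                    "which the DC must accept from a non-domain machine")
        return "blocked: connectionProtection=Secure needs TCP 636 (or at least 389) open"
    raise ValueError(f"unknown connectionProtection value: {connection_protection!r}")


def triage(path: str, connection_protection: str, timeout: float = 3.0) -> str:
    """Parse the connection string, probe both LDAP ports, and report the diagnosis."""
    target = parse_adsi_path(path)
    probes = {p: tcp_reachable(target.host, p, timeout) for p in (389, 636)}
    return diagnose(connection_protection, probes)


if __name__ == "__main__":
    # Path and setting taken from the question; the address is only reachable
    # on the poster's network, so elsewhere this reports "blocked".
    conn = "LDAP://10.5.3.7:389/DC=MyTestDomain,DC=local"
    print(parse_adsi_path(conn))
    print(triage(conn, "None", timeout=1.0))
    print(triage(conn, "Secure", timeout=1.0))
```

Run it on the application server, not from a workstation, since the question is specifically about that host's path through the firewall. A "fallback" result for Secure is worth noticing: it means the provider never reaches 636 and ends up relying on the signing path the answer warns about, which a non-domain machine may not be able to complete even though plain LDAP tools work.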