LDAP Authentication in ASP.Net MVC

Tags:

c#

asp.net-mvc

I want to be able to authenticate a user by using their domain UserId and Password, but the default ASP.Net MVC application allows the user to register a userId and password and then log in. How can I do this?

I don't want the user to be able to register; however, he should be able to enter his windows domain userId and password and be authenticated by the domain server.

The solutions I have seen (for example here on Mike's Blog) do not require the user to enter his/her UserId or password.

How can I get my ASP.Net MVC application to show a log on form and authenticate the user against the windows domain?

Please explain with a sample if possible

user99513 asked Sep 09 '09 19:09



2 Answers

This is how to do it in a web app's forms authentication, so it may need some adapting for MVC. Use the ASP.NET membership and roles engine. Set up the provider to use the Active Directory membership provider AND ALSO use forms for authentication.

    <authentication mode="Forms">
      <forms name=".ADAuthCookie"
             timeout="10"
             loginUrl="Login.aspx"
             defaultUrl="Default.aspx">
      </forms>
    </authentication>

or something like it....

The provider setup will look something like this:

    <membership defaultProvider="DomainLoginMembershipProvider">
      <providers>
        <add name="DomainLoginMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             connectionUsername="domainuser"
             connectionPassword="pwd"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false"/>
      </providers>
    </membership>

The connection protection, user name and password are for the account that has access to query AD on behalf of the system. Depending on the security of your network this may have to be set up, or you won't be able to query AD to authenticate the user.

Your connection string will look something like:

    <connectionStrings>
      <add name="ADConnectionString"
           connectionString="LDAP://servername:port#/DC=domainname"/>
    </connectionStrings>

The connection string can take many forms so you may have to research it for your environment.

For the login page you might have to execute the authentication method and test...

    e.Authenticated = Membership.ValidateUser(username, password);
    if (e.Authenticated == false)...

Stefan Schackow's book "Professional ASP.NET 2.0 Security, Membership, and Role Management" has good coverage of using AD membership (Chapter 12). It's not in the context of MVC, but the configuration and setup would be the same.

Kevin LaBranche answered Sep 25 '22 14:09


Thanks for pointing me in the right direction, this is what I ended up doing:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="10"/>
    </authentication>

    using System.DirectoryServices.Protocols;
    using System.Net;

    public bool ValidateUser(string userName, string password)
    {
        bool validation;
        try
        {
            // A null server name connects to a domain controller of the current domain.
            LdapConnection ldc = new LdapConnection(new LdapDirectoryIdentifier((string)null, false, false));
            NetworkCredential nc = new NetworkCredential(userName, password, "DOMAIN NAME HERE");
            ldc.Credential = nc;
            ldc.AuthType = AuthType.Negotiate;
            ldc.Bind(nc); // user has authenticated at this point, as the credentials were used to log in to the DC.
            validation = true;
        }
        catch (LdapException)
        {
            validation = false;
        }
        return validation;
    }

I don't like the fact that I am using the catch on the try block to determine if the user's validation was successful, but I couldn't find another way around it.

user99513 answered Sep 26 '22 14:09
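The following is an added example, not the poster's code, showing one way to keep the bind-based check from the second answer while making the catch block carry information: the LDAP result code on LdapException separates a wrong password from an unreachable domain controller, an empty password is rejected before it can turn into an unauthenticated bind, and the session is signed and sealed. The domain name and domain controller host are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

public enum LdapAuthResult { Success, InvalidCredentials, ServerUnavailable, OtherError }

public static class DomainAuthenticator
{
    // Placeholders (assumptions): the NetBIOS domain and a domain controller's FQDN.
    private const string Domain = "DOMAIN NAME HERE";
    private const string DomainController = "dc01.example.local";

    public static LdapAuthResult ValidateUser(string userName, string password)
    {
        // Never let an empty password reach Bind(): RFC 4513 defines a bind with a
        // name but no password as an *unauthenticated* bind, which some servers
        // accept, so the call could "succeed" without proving anything.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return LdapAuthResult.InvalidCredentials;

        // Arguments: server, port, fullyQualifiedDnsHostName, connectionless
        var target = new LdapDirectoryIdentifier(DomainController, 389, true, false);
        using (var ldc = new LdapConnection(target))
        {
            ldc.AuthType = AuthType.Negotiate;       // Kerberos, falling back to NTLM
            ldc.SessionOptions.ProtocolVersion = 3;
            ldc.SessionOptions.Signing = true;       // integrity protection on the wire
            ldc.SessionOptions.Sealing = true;       // encryption on the wire
            ldc.Timeout = TimeSpan.FromSeconds(10);  // a hung DC must not hang the login page

            try
            {
                ldc.Bind(new NetworkCredential(userName, password, Domain));
                return LdapAuthResult.Success;       // the DC accepted the credentials
            }
            catch (LdapException ex)
            {
                switch (ex.ErrorCode)
                {
                    case 49: return LdapAuthResult.InvalidCredentials; // LDAP_INVALID_CREDENTIALS
                    case 81: return LdapAuthResult.ServerUnavailable;  // LDAP_SERVER_DOWN
                    default: return LdapAuthResult.OtherError;         // log ex.ErrorCode and ex.Message
                }
            }
        }
    }
}
```

The LogOn action should treat only Success as a login and show the user the same generic failure message for every other value; the distinction is for the server-side log, where a burst of ServerUnavailable results points at a directory outage rather than at failed password attempts.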