January 1, 2009

Modifying Active Directory entries from non-Microsoft solutions is often difficult. This article demonstrates a simple way of accessing Active Directory from ASP.NET 2.0, applying password complexity rules to it and modifying it, and along the way throws some light on key security considerations for forms authentication. The feature we use is the ‘ActiveDirectoryMembershipProvider’ membership provider, which plugs into the forms authentication present in ASP.NET 2.0 and exposes an API for managing user credentials stored in Active Directory. The implementation was carried out in a test environment on an isolated network.

To demonstrate this implementation in the test setup, we used the Active Directory of Windows Server 2003 and Visual Studio 2008 to create the ASP.NET web site (with C# as the programming language). Start by installing Active Directory with the ‘dcpromo’ command at the command prompt and create a domain (sandeep.local) with a user (Sandeep Koul). Once Active Directory is ready on the test machine, use a machine with Visual Studio to create an ASP.NET web site: open Visual Studio, click ‘File > New > Web Site’ and set the name and location of the web site along with the language (C#). In ‘Solution Explorer’, right-click the created web site and click ‘Add New Item’. From the template window select ‘Web Form’ and name it ‘login.aspx’. On this page, drag and drop a ‘Login’ control and a ‘CreateUserWizard’ control, for logging in and for creating a new account in Active Directory. Note that the provider creates the account using the credentials configured for it in ‘web.config’ (‘connectionUsername’, see below), not those of the web user, so that account needs the privilege to create users in the target container; and because the login page is reachable by anonymous users, a ‘CreateUserWizard’ placed on it lets anyone who can reach the site create a domain account. Keep account creation on a page restricted to administrators. The ‘Login’ control shows a ‘Remember me next time’ check box; ticking it issues a persistent authentication cookie that outlives the browser session, so hide it by setting the control's ‘DisplayRememberMe’ property to ‘false’. Now add (if not present) and then modify the ‘web.config’ file in ‘Solution Explorer’. Here is the code snippet showing the content of ‘web.config’:


<?xml version="1.0"?>

Here is the connection string that points to the Active Directory users container; we use LDAP (Lightweight Directory Access Protocol) to query and modify the directory service.

<add name="ADConnectionString"
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<compilation debug="true">
<add assembly="System.DirectoryServices, Version=, Culture=neutral,

Locate the ‘<authentication>’ element and change its ‘mode’ attribute to ‘Forms’ as shown below. The ‘timeout’ attribute is the lifetime of the authentication ticket in minutes.

<authentication mode="Forms">
<forms name=".ADAuthCookie" timeout="10" />
</authentication>

Beneath the ‘<authentication>’ element add an ‘<authorization>’ element; this lets only authenticated users access the application. Here ‘?’ denotes anonymous (unauthenticated) users and ‘*’ denotes all users. ASP.NET evaluates the rules top to bottom and the first match wins, so the ‘deny’ rule for ‘?’ must come before the ‘allow’ rule for ‘*’; in the reverse order every request would match ‘allow users="*"’ first and the deny would never apply.

<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>

Under the ‘<authorization>’ element add ‘<membership>’; this, together with ‘<connectionStrings>’, points to and configures the Active Directory membership provider. In this element set ‘defaultProvider’ to the name of our provider (MyADMembershipProvider) as shown in the code snippet. As one can see, we are providing the credentials of the account the provider binds to the directory with, i.e. ‘connectionUsername’ and ‘connectionPassword’, along with ‘connectionStringName’. Use a dedicated, least-privileged account here rather than a domain administrator, and encrypt these sections of ‘web.config’ (the ‘aspnet_regiis -pe’ tool does this with protected configuration) so the password is not stored in clear text on the web server. Finally make sure that ‘connectionStringName’ matches the name given in the ‘<connectionStrings>’ element.

Figure: the default page displayed when the project runs (left) and the output displayed after authentication (right).

<membership defaultProvider="MyADMembershipProvider">
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

Besides the attributes mentioned above, ‘ActiveDirectoryMembershipProvider’ has a number of other attributes that can be configured as needed, for example ‘minRequiredPasswordLength’, ‘minRequiredNonalphanumericCharacters’ and ‘passwordStrengthRegularExpression’, which apply the password complexity rules mentioned at the start of the article, and ‘connectionProtection’, which controls whether the LDAP connection to the domain controller is protected (SSL, or signing and sealing) or sent in the clear.
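The article's ‘web.config’ listing survives above only in fragments. The following is a complete ‘web.config’ for the same setup, added here as an example; it is a reconstruction, not the article's own listing. The LDAP path (the Users container of sandeep.local), the service account name ‘svc_aspnet’, the ‘administrator’ user in the ‘<location>’ rule, the assembly version numbers (2.0.0.0 is the .NET 2.0/3.5 version of ‘System.Web’ and ‘System.DirectoryServices’) and the password-policy values are assumptions. The settings the article does not mention (‘requireSSL’, ‘slidingExpiration’, ‘protection’, ‘httpCookies’, the password-strength and lockout attributes, ‘debug="false"’, the admin-only ‘ManageUsers.aspx’ location) are the hardening a reviewer would add.

```xml
<?xml version="1.0"?>
<!-- Added example: a reconstructed web.config for the article's setup, not the
     article's own file. Values marked "assumed" are not from the article. -->
<configuration>
  <connectionStrings>
    <!-- Assumed path: the Users container of the test domain sandeep.local. -->
    <add name="ADConnectionString"
         connectionString="LDAP://sandeep.local/CN=Users,DC=sandeep,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- debug="false" outside the lab: debug builds return detailed error pages
         and disable request timeouts. -->
    <compilation debug="false">
      <assemblies>
        <add assembly="System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />
      </assemblies>
    </compilation>

    <!-- The ticket cookie is the credential once issued: HttpOnly and HTTPS only. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <forms name=".ADAuthCookie"
             loginUrl="login.aspx"
             timeout="10"
             slidingExpiration="false"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>

    <!-- Rules are evaluated top to bottom, first match wins: deny "?" must come first. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- From the article. This provider reads the Windows groups of the request's
         Windows identity, so under Forms authentication it cannot resolve the
         forms user's roles; the location rule below therefore names a user. -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <membership defaultProvider="MyADMembershipProvider">
      <providers>
        <clear />
        <!-- connectionUsername (assumed): a delegated account with only the rights the
             site needs (read, plus create-user on this container if accounts are created
             from the site), not a domain administrator. Encrypt this section with
             aspnet_regiis before deploying. -->
        <add name="MyADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="sandeep\svc_aspnet"
             connectionPassword="CHANGE-ME"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{12,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>

  <!-- Account creation belongs on a page only the administrator can reach, not on the
       anonymous login page. "administrator" is the assumed sAMAccountName. -->
  <location path="ManageUsers.aspx">
    <system.web>
      <authorization>
        <allow users="administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With ‘attributeMapUsername="sAMAccountName"’ users log in as ‘sandeep’ rather than the default ‘sandeep@sandeep.local’ (userPrincipalName). In a lab that is only reachable over plain HTTP the two ‘requireSSL’ settings must be relaxed temporarily, otherwise the secure cookie is never returned and every request looks anonymous. Before deployment, encrypt the secrets in place with the protected-configuration tool, for example ‘aspnet_regiis -pe "connectionStrings" -app "/YourSite"’ and ‘aspnet_regiis -pe "system.web/membership" -app "/YourSite"’; ASP.NET decrypts the sections transparently at run time.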

Now that ‘web.config’ is configured, it is time to test authentication. Open ‘Default.aspx.cs’ and add the following code to the ‘Page_Load’ event handler. If everything works, the page shows information about the authenticated user and the forms authentication ticket.

using System;
using System.Web;
using System.Web.Security;

// Default.aspx.cs
protected void Page_Load(object sender, EventArgs e)
{
    // Everything that originates from the user is HTML-encoded before it is written into the page.
    Response.Write("Hello, " + Server.HtmlEncode(User.Identity.Name));

    // Under Forms authentication the identity carries the decrypted ticket;
    // the cast is guarded so the page does not throw for other identity types.
    FormsIdentity id = User.Identity as FormsIdentity;
    if (id == null)
    {
        return;
    }
    FormsAuthenticationTicket ticket = id.Ticket;
    Response.Write("<p/>TicketName: " + Server.HtmlEncode(ticket.Name));
    Response.Write("<br/>Cookie Path: " + Server.HtmlEncode(ticket.CookiePath));
    Response.Write("<br/>Ticket Expiration: " + ticket.Expiration.ToString());
    Response.Write("<br/>Expired: " + ticket.Expired.ToString());
    Response.Write("<br/>Persistent: " + ticket.IsPersistent.ToString());
    Response.Write("<br/>IssueDate: " + ticket.IssueDate.ToString());
    Response.Write("<br/>UserData: " + Server.HtmlEncode(ticket.UserData));
    Response.Write("<br/>Version: " + ticket.Version.ToString());
}

Though it is easy to implement and work with, forms authentication has a number of weaknesses that can be exploited, which in turn can lead to spoofing and other threats: the ticket travels in a cookie, so it must only be sent over HTTPS (‘requireSSL’ on the ‘<forms>’ element) and kept short-lived, and the login form itself is a target for password guessing. Countermeasures include account lockout and password reset. ‘ActiveDirectoryMembershipProvider’ exposes ‘maxInvalidPasswordAttempts’, the number of failed attempts allowed before the account is considered locked, and ‘passwordAttemptWindow’, the number of minutes over which the provider tracks failed attempts. Note that on this provider these two attributes count failed password-answer attempts made through the self-service password reset feature; failed passwords at logon are counted by the domain controller and the account is locked according to the domain's account lockout policy, which must therefore be configured in Group Policy as well. More information about security considerations can be found in the MSDN Library article ms998310.aspx.
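To show the lockout and account-management points above in code, here is an added example of two code-behind files for this site; it is not the article's code. It assumes the membership provider configured as described in the article, a ‘Login’ control with ID ‘Login1’ on the login page, and an administrator-only ‘ManageUsers.aspx’ page (restricted with an authorization rule in ‘web.config’) holding text boxes ‘UserName’ and ‘Password’, buttons wired to the two click handlers, and a label ‘Status’; all of these IDs are hypothetical.

```csharp
// Added example, not the article's code. Hypothetical control IDs: Login1 on
// login.aspx; UserName, Password and Status on the admin-only ManageUsers.aspx.
using System;
using System.Diagnostics;
using System.Web.Security;
using System.Web.UI;

// login.aspx.cs
public partial class login : Page
{
    private const string GenericFailure = "Login failed. Check your user name and password.";

    protected void Page_Load(object sender, EventArgs e)
    {
        // The forms ticket becomes the credential once issued; never take a password over plain HTTP.
        if (!Request.IsSecureConnection && !Request.IsLocal)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
        }
        // Same effect as DisplayRememberMe="false" in the markup: no persistent cookie option.
        Login1.DisplayRememberMe = false;
    }

    // Raised by the Login control when Membership.ValidateUser returned false.
    protected void Login1_LoginError(object sender, EventArgs e)
    {
        // GetUser returns null for an unknown name; IsLockedOut reflects the directory's lockout state.
        MembershipUser user = Membership.GetUser(Login1.UserName);
        string reason = user == null ? "unknown user"
                      : user.IsLockedOut ? "account locked out"
                      : "wrong password";

        // The detail goes to the server-side trace log only; the page always shows the same
        // text, so the response does not reveal which names exist or which accounts are locked.
        Trace.TraceWarning("Failed logon for '{0}' from {1}: {2}",
                           Login1.UserName, Request.UserHostAddress, reason);
        Login1.FailureText = GenericFailure;
    }
}

// ManageUsers.aspx.cs (reachable by the administrator only)
public partial class ManageUsers : Page
{
    // The provider creates the account with its own connectionUsername credentials,
    // which is why this handler lives on a restricted page and not on login.aspx.
    // With attributeMapUsername="sAMAccountName" the name is "sandeep"; with the default
    // userPrincipalName mapping it must be "sandeep@sandeep.local".
    protected void CreateButton_Click(object sender, EventArgs e)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(UserName.Text, Password.Text, null, null, null, true, out status);
        Status.Text = Server.HtmlEncode(DescribeCreateStatus(status));
    }

    // Reports the lockout state and clears it on request.
    protected void UnlockButton_Click(object sender, EventArgs e)
    {
        MembershipUser user = Membership.GetUser(UserName.Text);
        if (user == null) { Status.Text = "No such account."; return; }
        if (!user.IsLockedOut) { Status.Text = "Account is not locked."; return; }
        // UnlockUser needs write access to the account for the provider's connectionUsername.
        Status.Text = user.UnlockUser() ? "Account unlocked." : "Unlock failed.";
    }

    // Maps the provider's result code to an operator message. InvalidPassword is what
    // minRequiredPasswordLength, minRequiredNonalphanumericCharacters and
    // passwordStrengthRegularExpression produce, and also what a rejection by the
    // domain's own password policy produces.
    internal static string DescribeCreateStatus(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.Success:
                return "Account created.";
            case MembershipCreateStatus.InvalidPassword:
                return "Password rejected: it does not meet the provider's complexity settings or the domain password policy.";
            case MembershipCreateStatus.DuplicateUserName:
                return "An account with that name already exists.";
            case MembershipCreateStatus.InvalidUserName:
                return "User name is not valid for this provider.";
            default:
                return "Account creation failed: " + status;
        }
    }
}
```

Wire ‘Login1_LoginError’ to the ‘Login’ control's ‘OnLoginError’ attribute and the two click handlers to the buttons on ‘ManageUsers.aspx’. The generic failure text is deliberate: a login page that distinguishes "no such user" from "locked out" is a user-enumeration oracle, so the distinction is written only to the trace log, where an operator can read it.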
