“AZAM, ADAM, Abracanabram” ! Is Harry Potter a dotnet developer?

Well, with all the acronyms that exist in the software development world, Harry Potter should have found plenty of words for his magic formulas. Today, I will explain two of them to you: AZAM and ADAM.


The ASP.NET Membership Provider

In my opinion, the ASP.NET membership provider offers a good abstraction for authentication and authorization. Moreover, I think it is flexible enough to be used almost all the time. So stop implementing your own custom authentication layer to build something the framework already does better than you, and start learning it.

Note: if you have cases where the Membership provider cannot be used, please share your experience and leave a comment.

Today, we will focus on the Active Directory Membership Provider; I will show you how to set up the ActiveDirectoryMembershipProvider, use Authorization Manager (AzMan) as the role provider, and give you an introduction to Active Directory Application Mode (ADAM). Of course, to use ActiveDirectoryMembershipProvider you need a domain controller (Windows Server 2003 SP2). It is not my aim to show you how to configure a DC, so I assume you already have one up.


If you only need Active Directory authentication with no role management, here is a post by my friend Mike that explains how to use Active Directory for authentication with the new MVC framework (http://helios.ca/2009/05/04/aspnet-mvc-forms-authentication-with-active-directory/).

Setting up Active Directory Membership Provider:

1. Add an LDAP connection string to your Active Directory:

Note: I assume you have read permissions on your Active Directory.

If, like me, you sometimes get a bit lost with Active Directory and the LDAP protocol, here is a good tip to ensure a valid connection string. Download the Windows Server 2003 Service Pack 1 Support Tools and run ADSIEDIT.MSC (by default in C:\Program Files\Support Tools). This tool lets you see the structure of your Active Directory and helps you build a valid LDAP connection string.

By default, you should see DC=test, DC=mydomain, DC=com. This gives the first part of the connection string: “test.mydomain.com”.
After that, you should see objects such as OUs (organizational units) or CNs (common names). If you expand the node DC=test, DC=mydomain, DC=com, you will see all the OUs and CNs of your Active Directory. Normally, you should see a CN=Users container or a User Accounts OU. Once you have located where all your users are, you can gather these objects to build a valid LDAP connection string.

And here is the result: “LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com”.

So in your web.config, you have to add this code:

[image: azam_adam1]

2. Configure the Active Directory membership provider:

Now that you have a connection between your web server and your domain controller, you will be able to use AD for authentication. To enable the Active Directory membership provider in your application, add a few entries to your web.config file.

Find the <membership> element in your web.config and add this:

[image: azam_adam2]

More info here: http://msdn.microsoft.com/en-us/library/whae3t94.aspx

3. Wire Forms authentication to the MembershipProvider and your connection string:

Add this code under the <system.web> element:

[image: azam_adam3]

To use Forms authentication, anonymous access must be enabled in IIS.

For IIS 6.0:

  • Run: inetmgr
  • Right-click your website and choose “Properties”
  • On the Directory Security tab, click Edit; you will see this screen. Check that Anonymous access is enabled

[image: azam_adam4]

For IIS 7.0: Here is the link.

Note: to avoid storing a username and a password in the connection string, you can let IIS manage that. I hope I will have some time to write a post about that in the future.
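The three steps above, written out as one web.config fragment. This is an added example, not the screenshots from the original post; the domain test.mydomain.com and the CN=Users container come from the post, while the service account name and the password value are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config fragment for steps 1 to 3.
     Assumed: domain test.mydomain.com, users under CN=Users,
     placeholder read-only account TEST\svc_ldap_reader. -->
<configuration>
  <connectionStrings>
    <!-- Step 1: LDAP path built from what ADSI Edit shows. -->
    <add name="ADConnectionString"
         connectionString="LDAP://test.mydomain.com/CN=Users,DC=test,DC=mydomain,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Step 2: make the Active Directory provider the default membership provider. -->
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <clear />
        <!-- connectionUsername/connectionPassword are optional: leave them out
             and the provider binds as the IIS application pool identity, which
             keeps the password out of web.config (the IIS approach mentioned above).
             If you do keep them, the account only needs read access to the users
             container; never use a domain admin here. -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="TEST\svc_ldap_reader"
             connectionPassword="PLACEHOLDER-replace-or-remove"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
    <!-- Step 3: Forms authentication. The login page validates the posted
         credentials with Membership.ValidateUser and then issues the ticket.
         requireSSL keeps the authentication cookie off plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```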

4. Try it!

Create a new MVC project and follow all the steps above; you should now be able to log in with your Active Directory account.

Note: this is the end of the first part; we saw the different ways to use the ASP.NET Membership Provider and how to enable the Active Directory Membership provider. In the next part, we will see how to use Authorization Manager and Active Directory Application Mode.

5. Active Directory role manager:

Now that you have your authentication, you would expect an Active Directory role manager that retrieves the current user’s group information. Unfortunately, it does not exist. I saw interesting posts on the net (http://oricode.wordpress.com/2008/02/14/active-directory-role-provider/ and http://www.codeproject.com/KB/aspnet/active_directory_roles.aspx) but I did not have the time to test them. It sounds pretty good, but if you search on MSDN, you will find that Microsoft’s “best practice” is to use AzMan.

6. Authorization Manager:

AzMan, or Authorization Manager, “enables you to define individual operations, which can be grouped together to form tasks. You can then authorize roles to perform specific tasks and/or individual operations. AzMan provides an administration tool as a Microsoft Management Console (MMC) snap-in to manage roles, tasks, operations, and users. You can configure an AzMan policy store in an XML file, Active Directory, or in an Active Directory Application Mode (ADAM) store.” More info: here.
Here is a good “how to” from MSDN: http://msdn.microsoft.com/en-us/library/ms998336.aspx
AzMan is installed with Windows Server 2003 SP1 and later. To use it on Windows XP, you need to install the Windows Server 2003 Administration Tools Pack (here).
Managing role membership with AzMan is quite easy; you can use the snap-in to add roles and tasks to your application. You can also easily map Windows accounts to the roles you have defined. It can be used with an XML file or with ADAM.

Install the AzMan snap-in:

First, install the Windows Server 2003 Administration Tools Pack, which you can download here. If you have difficulties getting this screen, please follow the MSDN guidelines. In a Run command, type “azman.msc” and you will get this window:

[image: azam_adam5]

Developer Mode

Right-click “Authorization Manager”, choose “Options”, then select “Developer Mode”.

Create an Authorization Store

Right-click “Authorization Manager” and choose “New Authorization Store”. Select the XML file store type.

[image: azam_adam6]

Browse to the directory where you want the XML file to be stored, for example <PathOfYourApplicationFolder>\App_Data\Roles.xml.
As soon as you have created your authorization store, you should create an application in it.
Right-click on Roles.xml and choose New Application:

[image: azam_adam7]

You now have a tree like this:

[image: azam_adam8]

-    Expand the Definitions folder and then right-click on Role Definitions…
-    Provide the name “Admin” for the role.
-    Right-click on Role Assignments, select Assign Role Assignment, check the box next to Admin and click OK. The role should now be listed under the Role Assignments node.
-    Right-click on the Admin role; you can now assign users from Windows or Active Directory.
-    Choose the Active Directory option and pick a user.

Use your authorization store with your application:

Open your web.config and add the connection string to your XML store:

[image: azam_adam9]

Enable Role Manager and configure the role provider:

[image: azam_adam10]

Configure the role-based authorization in your web.config:

Under “Secured”:

[image: azam_adam11]

Test your website; it should work. Try to log in with a user account that is not a member of the role you chose: you should not have access. Try the opposite and you should have access.

Note: after you add a role to your application’s authorization store, you have certainly noticed that it takes some time to become effective. Indeed, you have to restart the application or wait for a recycle. I did not find any solution for the moment, but there should be a way to force it. If you have a solution, please leave me a comment.
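The AzMan part of the web.config (connection string, role provider, and the “Secured” authorization rule), written out as one fragment. This is an added example rather than the screenshots from the post; it assumes the store is App_Data\Roles.xml, the AzMan application is named “MyApp”, and the role is “Admin”. It also sets the provider’s cacheRefreshInterval attribute, which controls how many minutes the provider caches policy-store data (60 by default), which is why newly assigned roles take time to show up without a restart.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config fragment for the AzMan role provider.
     Assumed: store at App_Data\Roles.xml, AzMan application "MyApp",
     role "Admin", protected folder "Secured". -->
<configuration>
  <connectionStrings>
    <!-- XML policy store. ASP.NET never serves files under App_Data, so the
         store cannot be downloaded even though it lives under the web root. -->
    <add name="AzManConnectionString"
         connectionString="msxml://~/App_Data/Roles.xml" />
    <!-- Alternative for an ADAM (LDAP) policy store; server and DN are placeholders:
    <add name="AzManConnectionString"
         connectionString="msldap://adamserver:389/CN=AzManStore,DC=test,DC=mydomain,DC=com" />
    -->
  </connectionStrings>
  <system.web>
    <!-- cacheRolesInCookie="false": roles are re-read from the store on each
         request instead of being trusted from a client-side cookie. -->
    <roleManager enabled="true"
                 defaultProvider="AuthorizationStoreRoleProvider"
                 cacheRolesInCookie="false">
      <providers>
        <clear />
        <!-- applicationName must match the application node created in the snap-in.
             cacheRefreshInterval is in minutes (default 60): a short value makes
             new role assignments effective sooner without an application restart. -->
        <add name="AuthorizationStoreRoleProvider"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AzManConnectionString"
             applicationName="MyApp"
             cacheRefreshInterval="1" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Only members of the AzMan role "Admin" may enter /Secured; everyone else,
       anonymous or authenticated, is denied. Rules are evaluated in order and
       the first match wins, so the deny must come after the allow. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```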

7. Active Directory Application Mode (ADAM)

Instead of using an XML file with AzMan, you could use ADAM. Its main advantage is that you can have one instance for all your web applications instead of an XML file for each one.
The MSDN “how to” is so clear that I prefer to give you the link instead of explaining everything step by step.

Here is the link: http://msdn.microsoft.com/en-us/library/ms998331.aspx. I tried it and I succeeded in working with ADAM using an AzMan policy store.

Note: ADAM is not supported on Windows Vista.

As always, if you have corrections or remarks, leave me a comment. Thank you.
