Moss 2007 Active Directory/LDAP with SSL Configuration Issue



Hi all, I tried to set up MOSS 2007 forms-based authentication against
Active Directory with the AD/LDAP Membership Provider. However, I have
tried for the last 5 days to figure out what's wrong with the setup but
had no luck. Could anyone tell me what could be wrong with the setup?

Here is what I did

1. Create a web application to host https://extranet.acme.com in the
"default zone" and use forms authentication with either the AD or the
LDAP Membership Provider so external users can log in with their
internal NT account or email (BTW I used SSL 128 bit)

2. Extend the above web application to host the intranet at
http://intranet in the "Intranet zone"

3. Modify the web.config of both Central Administration and the extranet

4. Here is the part of the web.config file that shows the connection
string and membership settings


//AD Membership Provider

<connectionStrings>
  <add name="ADConnection"
       connectionString="LDAP://server1.acme.com/CN=Users,DC=acme,DC=com" />
</connectionStrings>

<membership defaultProvider="ADProviderService">
  <providers>
    <add name="ADProviderService"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnection"
         connectionUsername="acme\app_account"
         connectionPassword="abc123" />
  </providers>
</membership>

//LDAP Membership Provider

<membership>
  <providers>
    <add name="ADProviderService"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="server1.acme.com"
         port="389"
         useSSL="true"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=Users,OU=Dener,DC=acme,DC=com"
         userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

When I try the AD Membership Provider and log in to the form with either
email or NT account, I get the following sign-in form error

"The server could not sign you in. Make sure your user name and
password are correct, and then try again."

Then I took a look at the server Event Viewer and found the following
error


Event Type: Information
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1315
Date: 5/1/2008
Time: 12:40:27 AM
User: N/A
Computer: MYSERVER
Description:
Event code: 4006 Event message: Membership credential verification
failed. Event time: 5/1/2008 12:40:27 AM Event time (UTC): 5/1/2008
7:40:27 AM Event ID: 5ed5b12b0e7c491fb4962f07827ac9f3 Event
sequence: 4 Event occurrence: 1 Event detail code: 0 Application
information: Application domain: /LM/W3SVC/918023365/
Root-1-128541012094024926 Trust level: WSS_Minimal
Application Virtual Path: / Application Path: C:\Inetpub\wwwroot
\wss\VirtualDirectories\extranet.acme.com80\ Machine name:
MYSERVER Process information: Process ID: 3824 Process
name: w3wp.exe Account name: acme\app_account Request
information: Request URL: https://extreanet.acme.com:443/_layouts/login.aspx?ReturnUrl=Membership
credential verification failed.f_layoutsMembership credential
verification failed.fAuthenticate.aspx5/1/2008 12:40:27
AMfSource5/1/2008 12:40:27 AMd%252f&Source=Membership credential
verification failed.f Request path: /_layouts/login.aspx
User host address: 10.247.229.41 User: Is authenticated:
False Authentication Type: Thread account name: MYSERVER
\IUSR_FLATFILE Name to authenticate: john.doen@xxxxxxxx Custom
event details:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

After the above AD membership provider failed, I then tried to use the
LDAP Membership Provider and I still get the same sign-in form error as
above. There was no server error in the Event Viewer.

For both providers, I tried to look up users in the People Picker, e.g.
ADProviderService:jonh.doe@xxxxxxxx, but I could not find any of them.

I checked the membership/connection string syntax many times and could
not find anything wrong.

I searched the internet and found several threads about the above
issues and followed their instructions, but no luck.

Here are some of the threads that I found


http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2337663&SiteID=1
http://www.setfocus.com/technicalarticles/nickkellett/MOSS2007-and-Novell-LDAP-Authentication_pg1.aspx
http://blogs.msdn.com/harsh/archive/2007/01/10/forms-based-authentication-in-moss.aspx
http://blogs.infosupport.com/porint/archive/2007/05/07/Step_2D00_by_2D00_Step-guide_2C00_-installing-AD-Provider-on-WSS-v3.aspx
http://jasonflowers2k.spaces.live.com/blog/cns!1889117EF017B979!118.entry

Thanks all.
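A small configuration lint, added here as an example and not part of the original post or of SharePoint, that parses the two provider fragments above (merged into one constructed `<membership>` section with a hypothetical second provider name) and reports the settings worth checking before chasing credential-verification failures: a clear-text `connectionPassword`, `useSSL="true"` paired with port 389, a `connectionStringName` with no matching entry, and providers that search different user containers.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two web.config fragments in the post,
# merged into one <membership> section so both providers can be compared.
SAMPLE = r"""<configuration>
 <connectionStrings>
  <add name="ADConnection"
       connectionString="LDAP://server1.acme.com/CN=Users,DC=acme,DC=com" />
 </connectionStrings>
 <membership defaultProvider="ADProviderService">
  <providers>
   <add name="ADProviderService" connectionStringName="ADConnection"
        type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
        connectionUsername="acme\app_account" connectionPassword="abc123" />
   <add name="LDAPProviderService" server="server1.acme.com" port="389" useSSL="true"
        type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server"
        userContainer="OU=Users,OU=Dener,DC=acme,DC=com" userNameAttribute="sAMAccountName" />
  </providers>
 </membership>
</configuration>"""

def lint_membership(xml_text):
    """Return (provider, finding) pairs for settings worth checking before debugging logins."""
    root = ET.fromstring(xml_text)
    findings = []
    conns = {a.get("name"): a.get("connectionString", "")
             for a in root.iterfind("./connectionStrings/add")}
    containers = {}  # provider name -> DN it searches for users
    for p in root.iterfind("./membership/providers/add"):
        name = p.get("name")
        # Secret in clear text; aspnet_regiis -pe can encrypt the section instead.
        if p.get("connectionPassword"):
            findings.append((name, "connectionPassword stored in clear text"))
        cs = p.get("connectionStringName")
        if cs is not None:
            if cs not in conns:
                findings.append((name, "connectionStringName %r has no <connectionStrings> entry" % cs))
            elif conns[cs].count("/") >= 3:
                containers[name] = conns[cs].split("/", 3)[3]  # DN after LDAP://host/
        # LDAP over SSL normally listens on 636; 389 is the plain/StartTLS port.
        if p.get("useSSL", "").lower() == "true" and p.get("port") == "389":
            findings.append((name, "useSSL=true but port=389 (LDAPS is usually 636)"))
        if p.get("userContainer"):
            containers[name] = p.get("userContainer")
    if len({dn.lower() for dn in containers.values()}) > 1:
        findings.append(("*", "providers search different user containers: "
                         + "; ".join(sorted(containers.values()))))
    return findings

if __name__ == "__main__":
    for provider, msg in lint_membership(SAMPLE):
        print(provider, "-", msg)
```

Point it at the real web.config (after wrapping the fragments in a root element) to confirm which container the accounts actually live in; a provider that searches the wrong DN fails credential verification exactly as the event above shows.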


