Re: Active Directory Membership Provider permission
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Jul 2006 12:20:52 -0500
Hi Paul, I think he was asking a question about the Active Directory
Membership Provider, which is one of the membership providers included in
the new membership system in ASP.NET 2.0. The AD membership provider plugs
into the framework and allows you to do forms-based authentication against
AD, as well as some account maintenance features like self-service
provisioning, if you enable that.
It sounds like he just wants the authentication part and doesn't need the
provisioning features, so he should only need a service account with read
access. However, it isn't working. I'm not sure why.
My guess, though, is that the OP will get a better response from the
aspnet.security newsgroup, as that is where most of the expertise with the
membership providers currently exists.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:OGwVKIdpGHA.148@xxxxxxxxxxxxxxxxxxxxxxx
There is no way you can authenticate users other than determine whether or
not they are in AD. To authenticate them you would have to know their
password which you don't. The best you could hope for would be to pass
the entered password to AD in an attempt to log on as the user who has
provided you their user id and password. Which is a HUGE security
violation, since you would be provided all the security credentials for
everyone from within the company. Even if you are not scrupulous I highly
doubt you could make it secure so that the system would be compromised.
You could look up the id within AD and see if the user exists or you could
look at using AD/AM which is free from Microsoft.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Jim Carlson" <JimCarlson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3480DC6F-B0B9-429B-95C5-69A2AFF6A7FE@xxxxxxxxxxxxxxxx
I need to authenticate users but not make any additions or changes.
The current service account is a User account and the subject provider
does not work.
What permissions are needed by the service account to authenticate?
Thanks,
Jim Carlson