Authenticate Active Directory Users
I'm working on some proof of concept stuff with a Sitefinity trial installation. I'm trying to allow it to authenticate me using my active directory domain account credentials. I've followed this document to set up my connection and have enabled the LDAP Membership and Role providers. I've restarted the app by saving a small change to the web.config after each change. I see my new provider listed on the login control, but I cannot log in with my domain account credentials. When logged in as a Sitefinity admin and navigating to Administration > Users > LDAP Users, none are listed. Per the suggestion of another thread, I checked the sf_users table but only the Sitefinity users are listed. I'm no AD whiz but I can't find a problem with the LDAP connection settings (see attachment). I've tried a couple of different user & role filters based on different examples I've found but no luck. Any idea how to troubleshoot this?
Hi,
Have you tried with the default settings for
UserFilter - (&(objectClass=user)(!(objectClass=computer)))
RolesFilter - (objectClass=group)
Can you check whether, using the same settings as in our UI, you are able to connect to the AD with another tool? It looks like the connection to the AD is made but there is a problem with getting the users from it. Looking at the settings you used, they look very common, so I also suppose that the problem might be related to the connection.
We have a class LdapQueryTranslator which works with the filters and expressions. This class is responsible for the way that queries are sent to the LDAP server by LdapQueryProvider, and it would be hard to say what the problem is. If the same connection works with another tool, then something might be wrong with the translator, or the query data is not passed correctly by the LdapMembershipProvider and LdapFacade.
You can try to manually invoke LdapConnection (System.DirectoryServices.Protocols). Here is a sample that you can use to debug your Sitefinity connection.
    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;
    using System.Threading;
    // LdapSettingsConfig, SystemManager, SitefinityIdentity and LdapCredentialsCache
    // are Sitefinity types from the Telerik.Sitefinity assemblies.

    protected LdapConnection connection;

    public virtual string LdapConnectionName { get; set; }

    // Returns the (per-request cached) connection, or null when the log-on
    // credentials are required but could not be resolved.
    protected virtual LdapConnection GetConnection(LdapSettingsConfig settings, string userName, string password)
    {
        LdapConnection connect = null;
        string connCacheName = GetConnectionCacheKey();
        if (connection == null)
        {
            if (SystemManager.HttpContextItems != null && SystemManager.HttpContextItems[connCacheName] != null)
            {
                connection = ((LdapConnection)SystemManager.HttpContextItems[connCacheName]);
                return connection;
            }

            var identifier = GetLdapDirectoryIdentifier(settings);
            NetworkCredential credential = GetNetworkCredential(settings, userName, password);
            if (settings.ConnectWithLogOnCredentials && credential == null)
                return null;

            connect = BuildLdapConnection(settings, identifier, credential);
            if (connect != null)
            {
                if (SystemManager.HttpContextItems != null)
                    SystemManager.HttpContextItems[connCacheName] = connect;
                connection = connect;
            }
        }
        return connection;
    }

    protected virtual LdapConnection BuildLdapConnection(LdapSettingsConfig settings, LdapDirectoryIdentifier identifier, NetworkCredential credential)
    {
        LdapConnection connect = new LdapConnection(identifier, credential);
        // NTLM is upgraded to Negotiate; every other configured type is used as-is.
        connect.AuthType = settings.AuthenticationType == AuthType.Ntlm ? AuthType.Negotiate : settings.AuthenticationType;
        connect.Timeout = TimeSpan.FromSeconds(20);
        // need additional check if you use SSL!
        return connect;
    }

    protected virtual string GetConnectionCacheKey()
    {
        return string.Concat("ldapconn_", this.LdapConnectionName);
    }

    // ServerName may hold several hosts separated by ';'.
    protected virtual LdapDirectoryIdentifier GetLdapDirectoryIdentifier(LdapSettingsConfig settings)
    {
        return new LdapDirectoryIdentifier(
            settings.ServerName.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries),
            settings.Port,
            true,
            false);
    }

    protected virtual NetworkCredential GetNetworkCredential(LdapSettingsConfig settings, string userName, string password)
    {
        NetworkCredential credential = null;
        if (settings.ConnectWithLogOnCredentials)
        {
            if (settings.AuthenticationType == AuthType.Ntlm)
            {
                credential = CredentialCache.DefaultNetworkCredentials;
            }
            else if (userName != null)
            {
                credential = new NetworkCredential(userName, password);
            }
            else
            {
                SitefinityIdentity identity = Thread.CurrentPrincipal.Identity as SitefinityIdentity;
                if (identity != null)
                    credential = LdapCredentialsCache.GetCredential(identity.Id);
            }
        }
        else
        {
            // Fixed service account from the LDAP settings; ConnectionDomain is the
            // "domain used in addition to the user name" field.
            credential = new NetworkCredential(settings.ConnectionUsername, settings.ConnectionPassword, settings.ConnectionDomain);
        }
        return credential;
    }
This is a few months later, but we're having the same problems establishing a working configuration to connect to our LDAP server (OpenLDAP).
The following works on the same Web site where the Sitefinity instance is installed.
    Imports System.DirectoryServices
    Imports System.Text

    ' Binds to OpenLDAP with a simple (DN + password) bind and dumps every
    ' attribute of every entry under the users OU into a label.
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim sb As New StringBuilder
        Try
            Dim dEntry As New DirectoryEntry()
            dEntry.Path = "LDAP://[IPaddress]:389/ou=users,dc=web,dc=[domain],dc=com"
            dEntry.AuthenticationType = AuthenticationTypes.None
            dEntry.Username = "cn=[username],ou=services,dc=web,dc=[domain],dc=com"
            dEntry.Password = "[password]"
            Dim dSearch As New DirectorySearcher(dEntry)
            Dim srchResultColl As SearchResultCollection
            Dim srchResult As SearchResult
            srchResultColl = dSearch.FindAll
            Dim propKey As String
            For Each srchResult In srchResultColl
                For Each propKey In srchResult.Properties.PropertyNames
                    Dim prop As Object
                    For Each prop In srchResult.Properties(propKey)
                        sb.Append(propKey & ": " & [prop].ToString & "<br />")
                    Next prop
                Next propKey
                sb.Append("--------------------------------------------------------------<br />")
            Next
            lblUsers.Text = sb.ToString
        Catch ex As Exception
            lblUsers.Text = "An error occurred: " & ex.Message
        End Try
    End Sub
We get a list of all properties of all items (in this case, users).
However, when we try to configure the Sitefinity LDAP connection, we consistently fail, getting the error message "The distinguished name contains invalid syntax."
Could anyone help us with "translating" what works outside of Sitefinity to the Sitefinity configuration?
Any thoughts or suggestions about ways to test this would be most welcome.
Hello Chanan,
In the ticket you have opened related to this issue we have replied that most probably the issue is caused by an incorrect value entered in the field: The domain used in addition to the user name.
I am pasting the reply from the ticket for your convenience:
Judging by the error message you are getting and the settings on your side, what we assume is that the issue might be caused by the value entered in the following field:
The domain used in addition to the user name
We have also analyzed the source code and what we expect is that the above field contains the domain of the LDAP server and should not contain characters like the following: , =.
We have compared this to the settings we have on our side to connect to our LDAP server and we have entered in the above field the following: telerik.com
What we can suggest is to enter in The domain used in addition to the user name field the domain of the LDAP server on your side.
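To separate a failing bind from a failing user search (the two checks suggested in the replies above), here is a stand-alone console diagnostic written for this thread; it is not Sitefinity's code. It uses the same System.DirectoryServices.Protocols types as the earlier sample, applies the default UserFilter, and rejects a domain value containing ',' or '=' as the support reply describes. The server name, port and base DN are placeholders you must replace.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class LdapDiagnostic
{
    const string Server = "ldap.example.com";        // placeholder: your LDAP/AD host
    const int Port = 389;
    const string SearchBase = "dc=example,dc=com";   // placeholder: your base DN
    const string UserFilter = "(&(objectClass=user)(!(objectClass=computer)))";

    // The "domain used in addition to the user name" is a DNS/NetBIOS domain,
    // never a DN, so ',' or '=' in it is the misconfiguration described above.
    static bool IsPlainDomain(string domain) =>
        !string.IsNullOrEmpty(domain) && domain.IndexOfAny(new[] { ',', '=' }) < 0;

    // usage: LdapDiagnostic <user> <password> [domain]
    // AD: sAMAccountName + domain (Negotiate). OpenLDAP: full DN, no domain (simple bind).
    static void Main(string[] args)
    {
        string user = args[0], password = args[1];
        string domain = args.Length > 2 ? args[2] : null;
        if (domain != null && !IsPlainDomain(domain))
        {
            Console.WriteLine("Domain field must not contain ',' or '=' (use e.g. example.com)");
            return;
        }
        var identifier = new LdapDirectoryIdentifier(Server, Port, true, false);
        var credential = domain != null
            ? new NetworkCredential(user, password, domain)
            : new NetworkCredential(user, password);
        var authType = domain != null ? AuthType.Negotiate : AuthType.Basic;
        using (var conn = new LdapConnection(identifier, credential, authType))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Timeout = TimeSpan.FromSeconds(20);
            try { conn.Bind(); Console.WriteLine("Bind OK"); }        // step 1: credentials
            catch (LdapException ex)
            {
                Console.WriteLine("Bind failed: {0} (code {1})", ex.Message, ex.ErrorCode);
                return;
            }
            // step 2: does the filter match anything under the base DN?
            var request = new SearchRequest(SearchBase, UserFilter, SearchScope.Subtree, "cn");
            var response = (SearchResponse)conn.SendRequest(request);
            Console.WriteLine("{0} entries matched UserFilter", response.Entries.Count);
            foreach (SearchResultEntry entry in response.Entries)
                Console.WriteLine(entry.DistinguishedName);
        }
    }
}
```

If the bind succeeds but zero entries match, the problem is the filter or base DN rather than the connection, which is the distinction the first reply asks you to establish.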
Thanks a lot for responding.
It is becoming quite obvious that the company's IT guys have badly configured either the LDAP server or the Active Directory domain.
Once they deal with that, we'll try our LDAP connection again.
Thanks again.