Return to HomePage, ASPNET2SecurityFAQs
Question: How do I enable forms authentication to work with multiple Active Directory domains?
Answer:
Configure one ActiveDirectoryMembershipProvider for each domain. Create a custom login form that uses TextBox server controls to obtain the user's credentials and the domain name. Depending on the domain supplied, use the domain-specific ActiveDirectoryMembershipProvider instance to authenticate the user manually.
Note that membership by default works with a single domain only (the one configured as the defaultProvider). You also cannot use the login controls in a multiple-domain scenario, because they work only with the configured default membership provider, so you need to create a custom login form using TextBox server controls.
To use forms authentication with multiple domains
* Configure your application for forms authentication in the Web.config file as follows:
<authentication mode="Forms" />
* Configure your application to deny access to unauthenticated users in the Web.config file as follows:
<authorization>
<deny users="?"/>
</authorization>
* Configure one connection string per domain in the Web.config file as shown here:
<connectionStrings>
<add name="TestDomain1ConnectionString" connectionString="LDAP://testdomain1.test.com/CN=Users,DC=testdomain1,DC=test,DC=com" />
<add name="TestDomain2ConnectionString" connectionString="LDAP://testdomain2.test.com/CN=Users,DC=testdomain2,DC=test,DC=com" />
<add name="TestDomain3ConnectionString" connectionString="LDAP://testdomain3.test.com/CN=Users,DC=testdomain3,DC=test,DC=com" />
</connectionStrings>
* Configure one ActiveDirectoryMembershipProvider for each domain in the Web.config file, specifying at least the connection string name and optionally the credentials (using the connectionUsername and connectionPassword attributes) of an account with the permissions needed to query Active Directory. If you do not specify account credentials, your application's process identity is used to access Active Directory, regardless of whether your application uses impersonation.
* Ensure that the defaultProvider attribute is set to the provider for the domain you want to treat as the default domain (if any).
<membership>
<providers>
<add name="TestDomain1ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="TestDomain1ConnectionString"
connectionUsername="testdomain1\administrator"
connectionPassword="password" />
<add name="TestDomain2ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="TestDomain2ConnectionString"
connectionUsername="testdomain2\administrator"
connectionPassword="password" />
<add name="TestDomain3ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="TestDomain3ConnectionString"
connectionUsername="testdomain3\administrator"
connectionPassword="password" />
</providers>
</membership>
* On the login page (login.aspx), instead of using the Login control provided by ASP.NET 2.0, use TextBox server controls to obtain the domain, user name and password. Depending on the domain information, get the instance of the domain-specific provider and use the membership APIs to validate the user as follows:
// Get the provider configured for the selected domain
MembershipProvider domainProvider = Membership.Providers["TestDomain1ADMembershipProvider"];
// Validate the supplied credentials against that domain
bool isValid = domainProvider.ValidateUser(UserNameTextBox.Text, PasswordTextBox.Text);
* Encrypt the connectionStrings section in the Web.config file by using protected configuration. If you also specify account credentials in the ActiveDirectoryMembershipProvider configuration, encrypt the membership configuration section as well.
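The following code-behind for login.aspx is an added example that is not part of the original FAQ; it ties the steps above together. It assumes the three provider names from the membership configuration above, and the control names DomainList (a DropDownList), UserNameTextBox, PasswordTextBox and MessageLabel are assumptions for the illustration. The domain the user picks is mapped to a provider name through a fixed table, so the request never carries a provider name that the code would look up directly.

```csharp
// Added example (not from the original FAQ): custom login page that selects one of the
// per-domain ActiveDirectoryMembershipProvider instances declared in Web.config and
// validates the credentials against that provider only.
// Assumed names: DomainList, UserNameTextBox, PasswordTextBox, MessageLabel, LoginButton.
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Fixed map of selectable domain keys to provider names from the <membership> section.
    // The user chooses a key from a list; the provider name itself is never user input.
    private static readonly Dictionary<string, string> DomainProviders;

    static Login()
    {
        DomainProviders = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        DomainProviders.Add("TESTDOMAIN1", "TestDomain1ADMembershipProvider");
        DomainProviders.Add("TESTDOMAIN2", "TestDomain2ADMembershipProvider");
        DomainProviders.Add("TESTDOMAIN3", "TestDomain3ADMembershipProvider");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Populate the domain selector from the map rather than accepting free text.
            foreach (string domain in DomainProviders.Keys)
            {
                DomainList.Items.Add(domain);
            }
        }
    }

    // Returns the provider configured for the chosen domain, or null when the domain is
    // not in the map or no provider with that name is registered in Web.config.
    internal static MembershipProvider GetProviderForDomain(string domain)
    {
        string providerName;
        if (domain == null || !DomainProviders.TryGetValue(domain, out providerName))
        {
            return null;
        }
        return Membership.Providers[providerName];
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        MembershipProvider domainProvider = GetProviderForDomain(DomainList.SelectedValue);

        // Use one generic failure message for an unknown domain and for bad credentials,
        // so the response does not reveal which part of the login was wrong.
        if (domainProvider == null ||
            !domainProvider.ValidateUser(UserNameTextBox.Text, PasswordTextBox.Text))
        {
            MessageLabel.Text = "Login failed.";
            return;
        }

        // Qualify the name in the forms ticket with the domain, so that code running later
        // in the session can tell which provider the authenticated principal belongs to
        // (Membership.GetUser() on its own would consult only the defaultProvider).
        string ticketName = DomainList.SelectedValue + "\\" + UserNameTextBox.Text;
        FormsAuthentication.RedirectFromLoginPage(ticketName, false);
    }
}
```

Two points worth checking when wiring this up. First, with the provider's default attributeMapUsername (userPrincipalName) the value passed to ValidateUser must be in user@domain form; set attributeMapUsername="sAMAccountName" on the provider entry if users will type plain account names. Second, because the example stores the domain-qualified name in the ticket, any later call that needs the user's membership record must split the name and go back through Membership.Providers[...] for that domain rather than through the static Membership class.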
More Information
For more information on using forms authentication with multiple domains in Active Directory, see "How To: Use Forms Authentication with Active Directory in Multiple Domains in ASP.NET 2.0" at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000021.asp