ASP.NET membership provider – identifying users in a multi-domain Active Directory

Hello there,

in a case when using ASP.NET membership provider against Active Directory (System.Web.Security.ActiveDirectoryMembershipProvider), and when there is more than one domain within the directory, one may encounter a trouble distinctly identifying users. E.g. DOMAIN1userXY is a different user than DOMAIN2userXY. Thus, the users must not be confused and should be treated with caution.

In the web.config entry for the membership provider we can specify which field of the AD object should be checked in order to precisely find the user we mean. The attribute „attributeMapUsername” has two possible values:

  1. sAMAccountName
  2. userPrincipalName

As of the first case, we have only the username – without domain – hence we cannot identify precisely which user is referenced. The second option gives us exactly what we need: the username with domain is used here (UserName@DomainName), thus we have the distinct identification of the users.

If you’re using the membership provider’s methods in codebehind, in this blog post you’ll find the explanation on how to fetch the needed properties of an Active Directory user needed as provider’s method parameters. They are stored in the UserPrincipal object.

Hope this helps,

Dodaj komentarz

Twój adres email nie zostanie opublikowany. Pola, których wypełnienie jest wymagane, są oznaczone symbolem *