LDAP Authentication in ASP.Net MVC

I want to be able to authenticate a user by using their domain UserId and Password, but the default ASP.Net MVC application allows the user to register a userId and password and then log in. How can I do this?

I don't want the user to be able to register; however, he should be able to enter his windows domain userId and password and be authenticated by the domain server.

The solutions I have seen (for example here on Mike's Blog) do not require the user to enter his/her UserId or password.

How can I get my ASP.Net MVC application to show a log on form and authenticate the user against the windows domain?

Please explain with a sample if possible


Solution 1:

This is how to do it in web Apps forms authentication so it may need some adapting for MVC. Use the asp.net membership and roles engine. Setup the provider to use the Active Directory Membership provider AND ALSO use forms for authentication.

<authentication mode="Forms">
  <forms name=".ADAuthCookie" 
         timeout="10"                     
         loginUrl="Login.aspx" 
         defaultUrl="Default.aspx">            
  </forms>

or something like it....

The provider setup will look something like this:

<membership defaultProvider="DomainLoginMembershipProvider">
  <providers>
    <add name="DomainLoginMembershipProvider"           
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"           
         connectionStringName="ADConnectionString"
         connectionProtection="Secure"
         connectionUsername="domainuser"
         connectionPassword="pwd"
         attributeMapUsername="sAMAccountName" 
         enableSearchMethods="false"/>
  </providers>
</membership>

The connection protection, user name and pwd are for the account that has access to query AD on behalf of the system. Depending on the security of your network this may have to be setup or you won't be able to query AD to authenticate the user.

Your connection string will look something like:

<connectionStrings>
  <add name="ADConnectionString"
       connectionString="LDAP://servername:port#/DC=domainname"/>
</connectionStrings>

The connection string can take many forms so you may have to research it for your environment.

For the login page you might have to execute the authentication method and test...

    e.Authenticated = Membership.ValidateUser(username, password);
    if (e.Authenticated == false)...

Stephen Shackow's book "Professional ASP.Net 2.0 Security, Membership, and Role Management" has a good coverage on using AD Membership (Chapter 12). It's not in the context of MVC but the configuration and setup would be the same.

Solution 2:

thanks for pointing me the right direction, this is what i ended up doing

        <authentication mode="Forms">
              <forms loginUrl="~/Account/LogOn" timeout="10"/>
        </authentication>                  

 public bool ValidateUser(string userName, string password)
        {
            bool validation;
            try
            {
                LdapConnection ldc = new LdapConnection(new LdapDirectoryIdentifier((string)null, false, false));
                NetworkCredential nc = new NetworkCredential(userName, password, "DOMAIN NAME HERE");
                ldc.Credential = nc;
                ldc.AuthType = AuthType.Negotiate;
                ldc.Bind(nc); // user has authenticated at this point, as the credentials were used to login to the dc.
                validation = true;
            }
            catch (LdapException)
            {
                validation = false;
            }
            return validation;
        }

I don't like the fact that I am using the catch on the try block to determine if the users validation was successful, but I couldn't find another way around it.