ActiveDirectoryMembershipProvider class across multiple domains

  • Question

  • Hi,

    I have a WCF authentication service that uses the Active Directory membership provider class and provides an AD login function, and we have this working for one domain, A. There is another domain, B, which is behind a firewall, and there is a one-way trust relationship between domains A and B. Users from domain B can log onto the domain controller of domain A but not vice versa. The WCF service is on domain A. I tried to authenticate users from domain B using the service and received the unknown username or bad password error.

    I am wondering if anyone knows whether the Active Directory membership provider works across multiple domains with a one-way trust relationship. I have tried changing the LDAP connection string to point to domain A's domain controller but specifying the DC parameter for domain B and setting the connectionUser to DomainB\Username, but I received the same error. If I have everything pointing to domain A I receive the same error too. The domain controllers for A and B can see each other. Does anyone know a solution?

    (We can't point the LDAP string to domain B as it's behind firewalls.)

    Does this scenario require a particular type of trust or trust relationship?

    I think we are using a one-way forest trust.

    The authentication is working for a single domain but not across domains.

    We are using the standard ASP.NET 2.0 Active Directory membership provider, so there are no custom implementations in the WCF service. We wanted to achieve authentication across a one-way trust. The following is the WCF service's web.config file:
    <connectionStrings>
      <add name="ADProviderConnection" connectionString="LDAP://DC=DomainA"/>
    </connectionStrings>

    <system.web>
      <compilation debug="true" targetFramework="4.0" />
      <membership defaultProvider="ADMembershipProvider">
        <providers>
          <clear/>
          <add name="MembershipProvider"
               type="Membership.MembershipProvider" />
          <add name="TokenProvider"
               type="Membership.TokenProvider" />
          <!-- connectionProtection="None" disables SSL and sign-and-seal, so the
               service account's bind credentials are not protected on the wire -->
          <add name="ADMembershipProvider"
               type="System.Web.Security.ActiveDirectoryMembershipProvider"
               enableSearchMethods="true"
               connectionStringName="ADProviderConnection"
               connectionUsername="DomainA\serviceAccount"
               connectionPassword="password"
               connectionProtection="None" />
        </providers>
      </membership>
    </system.web>

    As you can see from the config file, we are using a service account from domain A to connect to domain A's domain controller. This all works great when we are authenticating domain A users, but when we try to authenticate domain B users, the authentication fails.

    My question is: if the trust is set up correctly and the membership provider is given the LDAP string for domain A and a service account from domain A, should the provider be able to resolve and authenticate domain B users through the trust relationship, even though we are connecting to the domain controller of domain A?

    Does the membership provider support this? If not what should the LDAP string and connectionUser account be changed to?

    We have also tried using a domain B account for the connectionUser and keeping the LDAP connection string the same, but we were not able to get it to work. Is it correct to assume that having a domain B account but with an LDAP string pointing to domain A should work because we have a trust relationship set up? Will it automagically forward the authentication request to domain B?

    If we use a domain A account, do we need to set up permissions for that account in domain B so that it can access domain B?

    How does Windows authentication work in a situation like this?

    Does the membership provider use the same mechanism as Windows authentication underneath?


    • Edited by Jerry_Hsi Thursday, August 9, 2012 9:33 PM
    Thursday, August 9, 2012 9:31 PM

Answers

  • I ended up writing my own membership provider which authenticates users against AD directly using .NET directory services library through the trust.

    The out-of-the-box membership provider doesn't support referral chasing across forests or GC querying. It can only be used in a single-domain scenario.

    • Marked as answer by Jerry_Hsi Tuesday, September 11, 2012 4:22 AM
    Tuesday, September 11, 2012 4:22 AM
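    The accepted answer does not include the provider code, so the following is an added example (not Jerry's code) of the credential check a custom provider's ValidateUser could call. It assumes the domain A DC is reachable by its FQDN on port 389 (placeholder "DCA.domainA.local") and that users log in as DomainB\user or user@domainB; it uses System.DirectoryServices.Protocols rather than the stock provider, binding with the user's own credentials so the domain A DC forwards the authentication across the one-way trust without any search of domain B's directory.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not the thread author's provider. Validates a user from the
// trusted forest (domain B) by binding to a DC in the TRUSTING forest (domain A)
// with the user's own credentials. With Negotiate (Kerberos/NTLM) the domain A
// DC forwards the authentication over the one-way trust, so no LDAP search of
// domain B's directory (unreachable behind the firewall) is needed.
// Assumed values: the DC hostname and the login formats.
public static class TrustedForestAuthenticator
{
    // Splits "DOMAIN\user" or "user@domain" into the parts SSPI expects.
    public static NetworkCredential ToCredential(string login, string password)
    {
        int bs = login.IndexOf('\\');
        if (bs > 0)
            return new NetworkCredential(login.Substring(bs + 1), password, login.Substring(0, bs));
        if (login.Contains("@"))   // UPN: the DC resolves the realm via the trust
            return new NetworkCredential(login, password);
        throw new ArgumentException("login must be DOMAIN\\user or user@domain", nameof(login));
    }

    // Returns true only if the DC accepts the supplied credentials.
    public static bool ValidateUser(string dcHost, string login, string password)
    {
        if (string.IsNullOrEmpty(login) || string.IsNullOrEmpty(password))
            return false;   // an empty password would otherwise become an anonymous bind
        // FQDN is required for Kerberos; a short name silently falls back to NTLM.
        var server = new LdapDirectoryIdentifier(dcHost, 389, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;   // integrity on the LDAP session
            conn.SessionOptions.Sealing = true;   // confidentiality, unlike connectionProtection="None"
            conn.AuthType = AuthType.Negotiate;   // Kerberos/NTLM, which the trust understands
            conn.Credential = ToCredential(login, password);
            try
            {
                conn.Bind();
                return true;
            }
            catch (LdapException)   // ErrorCode 49 = invalid credentials
            {
                return false;
            }
        }
    }
}
```

    This only validates credentials; reading the domain B user's attributes or group membership still needs a reachable DC or GC in domain B, which is the referral/GC step the answer says the stock provider cannot perform.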

All replies

  • Hi Jerry,

    Welcome to the MSDN Forum.

    This is a quick note to let you know I am trying to involve someone else who is familiar with AD in different domains.

    Thank you for your patience.

    Best regards,


    Mike Feng
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, August 10, 2012 8:15 AM
    Moderator
  • Thanks Mike, looking forward to any help.
    Sunday, August 12, 2012 9:03 PM
    The Active Directory and LDAP forum, which discusses questions about Active Directory, is a better forum for your question; you may try asking it there for better support.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Regards,
    Eric Yang
    Microsoft Online Community Support

    Thursday, August 23, 2012 12:36 PM
  • Hi Jerry_Hsi,

    Please checkout this:

    http://stackoverflow.com/questions/54364/using-activedirectorymembershipprovider-with-two-domain-controllers


    Regards, http://www.shwetalodha.blogspot.in/

    Thursday, August 23, 2012 5:29 PM
  • Hi Mike,

    Just wondering if you had any luck finding someone who can help. I have created a few virtual machines with domain controllers for testing and it seems that the Active Directory Membership Provider does not support trust traversal across forests.

    We have two forests each with its own domain controller, GC and DNS. The one way trust is working as I can log into the trusting domain with the trusted domain account. But membership provider doesn't seem to be able to forward any authentication request to the target domain through the trust.

    I tried the following:

    LDAP://DCA.domainA.local/DC=domainB,DC=local - This gives me a container not found error.

    LDAP://DCA/ - This works for domainA account but not domainB accounts. Domain B is the trusted domain for domain A.

    Is there a way to specify an LDAP connection string that can search across forests?

    Monday, August 27, 2012 1:59 AM
  • Hi Jerry_Hsi,

    Can you please share the code for how you defined the custom membership provider to get access to the trusted forest domain?

    Thank you,

    Sri.

    Friday, December 7, 2012 9:06 PM
  • Hi Jerry,

    Can you please share how to define a custom membership provider, if possible?

    Thanks,

    Sri.

    Monday, December 10, 2012 4:08 PM