Is using ActiveDirectoryMembershipProvider for authentication with a non-SSL LDAP connection secure?

  • Question

  • User389879187 posted

    Hi everyone. I am learning ASP.NET development and I have just made my site authenticate users by using the ActiveDirectoryMembershipProvider with an LDAP:// connection string. This connection string is not using SSL. I was curious if this authentication process is fairly secure between IIS and the AD server, or if I should be concerned about plain text user credentials being sent over the network to the AD server? I tried using Wireshark to sniff the traffic and I did not find any credentials in plain text, but I am not a very experienced sniffer here. Any idea what this is doing under the hood?

    Thanks!

    Wednesday, December 18, 2019 2:24 AM

All replies

  • User665608656 posted

    Hi gtzpower2,

    According to your description, which authentication does your web.config use? Forms authentication or Windows authentication?

    If you are using Windows authentication, you do not need to worry about sending plain text user credentials over the network through the AD server.

    This is because, if you use Windows authentication, the browser encrypts the credentials you enter and then transfers them.

    Best Regards,

    YongQing.

    Thursday, December 19, 2019 9:33 AM
  • User389879187 posted

    Thanks for the reply. This is using forms authentication to support macOS and mobile users.

    Friday, December 20, 2019 7:01 PM
  • User665608656 posted

    Hi gtzpower2,

    "I was curious if this authentication process is fairly secure between IIS and the AD server"

    This is safe.

    "or if I should be concerned about plain text user credentials being sent over the network to the AD server?"

    This does not exist.

    Because you are using Forms authentication, what the browser passes to IIS is not secure if it is not HTTPS, and what IIS passes to aad is secure.

    Best Regards,

    YongQing.

    Wednesday, December 25, 2019 3:27 AM
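
Added example, not from the thread or from any poster: a small Python check over a web.config that reports the two settings behind the hops discussed above, the forms `requireSSL` flag (browser to IIS) and the provider's `connectionProtection` attribute (IIS to AD, `Secure` when omitted). The sample config, host name and provider name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

AD_PROVIDER = "System.Web.Security.ActiveDirectoryMembershipProvider"

# Constructed sample config (host and names are placeholders, not from the thread).
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="ADConn" connectionString="LDAP://dc.example.test/DC=example,DC=test"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Login.aspx"/></authentication>
    <membership defaultProvider="AD"><providers>
      <add name="AD" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web"
           connectionStringName="ADConn" connectionProtection="None"/>
    </providers></membership>
  </system.web>
</configuration>"""

def audit_web_config(xml_text):
    """Return findings for both hops: browser -> IIS and IIS -> AD."""
    root = ET.fromstring(xml_text)
    findings = []
    # Hop 1: Forms authentication posts the password and returns a ticket cookie.
    auth = root.find("system.web/authentication")
    if auth is not None and auth.get("mode", "").lower() == "forms":
        forms = auth.find("forms")
        require_ssl = forms.get("requireSSL", "false") if forms is not None else "false"
        if require_ssl.lower() != "true":
            findings.append("forms: requireSSL is not true; "
                            "ticket cookie is not restricted to HTTPS")
    # Hop 2: the AD membership provider's directory connection.
    for prov in root.findall("system.web/membership/providers/add"):
        if not prov.get("type", "").startswith(AD_PROVIDER):
            continue
        # The attribute defaults to "Secure" when it is omitted.
        protection = prov.get("connectionProtection", "Secure")
        if protection.lower() != "secure":
            findings.append(f"{prov.get('name')}: connectionProtection={protection}; "
                            "no transport protection is requested for the LDAP connection")
    return findings

if __name__ == "__main__":
    for line in audit_web_config(SAMPLE):
        print(line)
```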