
Active Directory Implementation

Active Directory User Authentication Process

05-Sept-2011
Md. Fazlur Rahman
Sambe Software 2
www.sambesoftware.com
TABLE OF CONTENTS

Introduction  3
Implementation  3
    Active Directory Configuration  3
    Active Directory Implementation Logic  4
Conclusion  4

By Md. Fazlur Rahman, Senior Software Engineer, Sambe Software



Introduction
There are three types of user authentication in ASP.NET. These are
1. Forms Authentication
2. Windows Authentication
3. Passport Authentication
Elixtra uses Forms Authentication. User authentication details are stored in the ASP.NET membership tables in the database,
and the ASP.NET login controls are used for user login. Authentication against Active Directory can be done in two ways:
1. Change Forms Authentication to Windows Authentication
2. Bypass the membership authentication and use Active Directory instead
The first option requires deep changes to the database and is therefore not feasible. The second one has been
implemented to achieve the goal.

Implementation

Active Directory Configuration


The Active Directory configuration details are stored in the web.config file. The configuration section is:

<configSections>
  <section name="ldapConfiguration"
           type="HRMS.BusinessFacade.Configuration.ActiveDirectoryConfiguration, HRMS.BusinessFacade, Version=1.0.0.0, Culture=neutral"
           allowLocation="true" allowDefinition="Everywhere"/>
</configSections>

<!-- The LDAP AND operator is '&'; inside an XML attribute it must be written as &amp; -->
<ldapConfiguration enabled="false" logEnabled="false" isaInegrated="false" pageLevelSecurityCheck="false"
                   server="192.168.240.128" domain="test.com" userName="" password="" directoryPath="DC=test,DC=com"
                   groupName="elixtrauser"
                   filter="(&amp;(objectCategory=person)(objectClass=user)(samaccountname=usertosearch))"
                   filterReplace="usertosearch"></ldapConfiguration>

Here is a description of each property of the configuration:

enabled: Possible values are true and false. Enables or disables Active Directory integration.
logEnabled: Possible values are true and false. When true, a log entry is written to the hrms.log file at every step of
the Active Directory integration, to trace whether it is properly integrated or not.
isaIntegrated (spelled isaInegrated in the sample above): No longer used.
pageLevelSecurityCheck: Possible values are true and false. When true, every page life cycle checks whether the logged-in
user is an Active Directory user.
server: The IP address or the machine name of the Active Directory server.
domain: The domain name of the Active Directory.
userName: The user name, if a specific account is used to contact Active Directory.
password: The password, if a specific account is used to contact Active Directory.
directoryPath: The root directory path in Active Directory under which all the users reside.
groupName: The name of the group whose users are eligible to access Elixtra. groupName="elixtrauser"
means that users of the group elixtrauser will be able to log in to Elixtra.
filter: The LDAP search filter used to find the user in the directory.
filterReplace: The keyword in filter that the code replaces with the user name being searched for.




This configuration is mapped to the ActiveDirectoryConfiguration class, which resides in the Facade project.
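The filter / filterReplace substitution described above, as an added example that is not the project's code (Python rather than the project's C#, since the logic is the same in either). It assumes the login name is escaped per RFC 4515 before it is substituted into the filter; the page does not show whether the connector does this, and without it a user name containing filter metacharacters changes the query instead of being matched as a value.

```python
# Added example (not Elixtra's code): build the per-user LDAP search filter from
# the web.config "filter"/"filterReplace" pair, escaping the login name per
# RFC 4515 so that it is always matched as a literal value (assumed behaviour).

# Characters that have a special meaning inside an LDAP filter value.
_LDAP_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    # Backslash first, because every other escape introduces a backslash.
    out = value.replace("\\", r"\5c")
    for ch, esc in _LDAP_ESCAPES.items():
        out = out.replace(ch, esc)
    return out


def build_user_filter(filter_template: str, filter_replace: str, user_name: str) -> str:
    """Replace the filterReplace keyword with the escaped login name."""
    if filter_replace not in filter_template:
        raise ValueError("filterReplace keyword not found in filter template")
    return filter_template.replace(filter_replace, escape_ldap_value(user_name))


# Values as in the web.config sample above ('&' is the LDAP AND operator).
FILTER = "(&(objectCategory=person)(objectClass=user)(samaccountname=usertosearch))"
FILTER_REPLACE = "usertosearch"

if __name__ == "__main__":
    print(build_user_filter(FILTER, FILTER_REPLACE, "jdoe"))
    # A name containing filter metacharacters stays a single literal value.
    print(build_user_filter(FILTER, FILTER_REPLACE, "smith (contractor)"))
```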

Active Directory Implementation Logic


The logic has been implemented in the ActiveDirectoryConnector class. The algorithm is:
1. If ActiveDirectoryConfiguration.Enabled == true, register a handler for the Authenticate event of the login control
in the Page_Load event of the Login.aspx page, to bypass the membership authentication process.
2. Take the user name and password from the login control and pass them to the
ActiveDirectoryConnector.IsUserLoggedIn function.
3. If the user name is elixtraadmin@naseba.com, the super admin user name, then authentication is required
against both Active Directory and membership, so the password is entered in the format
activedirectorypassword~membershippassword
4. Pass the user name and password to Active Directory to check whether the user exists.
5. If the user exists, check whether the user is active.
6. If the user is active, check whether the user is a member of the desired group.
7. Return true if steps 4, 5 and 6 all succeed, otherwise false.
8. Allow the user to log in to Elixtra if step 7 returns true.
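Steps 3 to 8 above as an added example, not the project's ActiveDirectoryConnector (Python rather than C#). The directory lookup and the membership check are stubbed by constructed in-memory fakes so that it runs offline, and the first "~" is assumed to be the separator of the super admin password.

```python
# Added example (not the project's ActiveDirectoryConnector): the login decision of
# steps 3 to 8, with the directory lookup injected so that it runs offline.
from dataclasses import dataclass

SUPER_ADMIN = "elixtraadmin@naseba.com"  # super admin user name named on the page
PASSWORD_SEPARATOR = "~"                 # activedirectorypassword~membershippassword

@dataclass(frozen=True)
class DirectoryUser:
    active: bool
    groups: frozenset

def split_super_admin_password(password: str) -> tuple:
    """Step 3: split 'adpassword~membershippassword' at the first '~' (assumed)."""
    if PASSWORD_SEPARATOR not in password:
        raise ValueError("super admin password must be adpassword~membershippassword")
    ad_pw, membership_pw = password.split(PASSWORD_SEPARATOR, 1)
    return ad_pw, membership_pw

def is_user_logged_in(user_name: str, password: str, group_name: str,
                      lookup, membership_check=None) -> bool:
    """Steps 3 to 7: True only when the user binds, is active and is in group_name.
    lookup(user, pw) returns a DirectoryUser when the user exists and the password
    binds (step 4), or None otherwise."""
    if user_name == SUPER_ADMIN:
        password, membership_pw = split_super_admin_password(password)
        # The super admin must also pass ASP.NET membership validation.
        if membership_check is None or not membership_check(user_name, membership_pw):
            return False
    user = lookup(user_name, password)   # step 4: user exists and password is valid
    if user is None or not user.active:  # step 5: user must be active
        return False
    return group_name in user.groups     # step 6: user must be in the eligible group

# Constructed in-memory directory standing in for the test.com domain.
_FAKE_DIRECTORY = {
    ("jdoe", "Pa55w0rd!"): DirectoryUser(True, frozenset({"elixtrauser"})),
    ("olduser", "Pa55w0rd!"): DirectoryUser(False, frozenset({"elixtrauser"})),
    ("guest", "Pa55w0rd!"): DirectoryUser(True, frozenset({"domain users"})),
    (SUPER_ADMIN, "adpw"): DirectoryUser(True, frozenset({"elixtrauser"})),
}

def fake_lookup(user_name, password):
    return _FAKE_DIRECTORY.get((user_name, password))

def fake_membership_check(user_name, password):
    return (user_name, password) == (SUPER_ADMIN, "mpw")
```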

Conclusion
This process will not work if any of the following is true:
1. enabled="false" in the Active Directory configuration
2. The server name provided in the configuration is not valid
3. The directory path is not valid
4. The group name is not valid
5. The filter option is not valid
6. The user name and password provided at login are not valid, or the user is not active, or the user is not a
member of the configured user group

