Thursday, January 8, 2009

Forms authentication using the AD

I am setting up an extranet site where the customer wants users to be logged out after a certain idle time. Since there is no way, for obvious reasons, to log a user out when using Windows authentication, I must switch to forms authentication. But I don't want yet another user registry such as a SQL database, so I must run forms authentication against the AD. This is what I did:

Locate the web.config file that belongs to your site in its virtual directory (the path is shown in the site's properties in IIS):



Make sure you back up your web.config file first! Locate the configSections tag. You can comment out the Windows authentication mode and enter this code instead:


These steps must be performed both in your site's web.config and in the web.config that belongs to the Central Admin site. Locate the system.web tag and add the following LDAP connection string pointing to your Active Directory:


Also add the following section under the system.web tag:


Actually, I removed the connectionUsername and connectionPassword lines from my web.config, since that file is quite unprotected on the server and you don't want the Administrator password out there!! If you remove those lines, the application pool's user account is used to bind to the AD instead, so you must make sure that account has the necessary rights in your AD.

Then in Central Admin (CA) go to the Authentication Providers link, select your site, click the zone you would like to activate it on, and select "Forms" instead of "Windows".

Do an iisreset and you should now have a login page on your site.
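As an added example (not the post's own snippets, which did not survive on this page), here is what the combined web.config changes described above look like: the LDAP connection string, forms authentication with an idle timeout, and an ActiveDirectoryMembershipProvider without stored credentials. The connection string name, provider name, LDAP path, login page path and the 20-minute timeout are assumptions; replace them with your own values.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder LDAP path (assumed): point it at your own domain controller and OU -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc.example.local/OU=Users,DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication replaces Windows authentication here.
         The timeout (minutes) plus slidingExpiration is what logs an idle user out. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" timeout="20" slidingExpiration="true" />
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <!-- No connectionUsername / connectionPassword attributes: the application
             pool identity binds to the AD, so no admin password sits in this file.
             connectionProtection="Secure" requires the bind to be signed/sealed or over SSL. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The same connectionStrings and membership sections go into the Central Admin site's web.config as well, so that the people picker there can resolve AD users through the provider.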
