AD Membership Provider Can't See User Attributes

  • Thread starter Thread starter John F. Holliday
  • Start date Start date
J

John F. Holliday

I need to use the ActiveDirectoryMembershipProvider in my application.
I have setup the provider in the web config, etc. When I use the ASP.NET
configuration utility and select the Security tab, it throws an
exception saying that the attribute 'userPasswordQuestion' specified for
the attributeMapPasswordQuestion property is not an attribute of the
user class.



I extended the AD attributes and mapped them to the 'user' class. To
validate them, I used ADSIEdit to add simple editing functions to the
context menu of the AD Users and Computers console. Sure enough, when I
right-click on any user in any OU, I see the 5 attributes listed and the
console calls my custom VB script that displays the current value of the
attribute and lets me set the value to anything I want. Bottom line -
the attributes do exist and are indeed associated with the user class.



I rebooted the machine and ran the application again. Now the exception
is different. It says that the userPasswordQuestion attribute must be
of type 'Directory String'. All of the documentation I have read says
to set it to "Context Insensitive String". I went back to the AD schema
and tried to create an attribute of type 'Directory String', but no such
type exists.



What is going on? And why is this so difficult?
 
I added another couple of attributes named 'pwdQuestion' and
'pwdAnswer', both of type 'Unicode String'. At first, the only
attribute it recognized was pwdQuestion. Although both attributes are
the same type, it took about 10 minutes before it started recognizing
pwdAnswer. This tells me there was some sort of system-wide indexing
that needed to complete before the app would recognize the attribute as
being associated with the user class.



After it recognized both attributes, I was able to see the users in the
designated OU. So far - so good. But when I try to create a user, it
throws a huge exception saying there was a problem with the _InvokeFast
method. No additional details. Apparently, it is trying to store the
question and the answer and hitting a problem. I'm guessing security?
I'm using a domain administrator account to connect to LDAP. Should I
be using a different account?

--

John F. Holliday | Principal Architect - Information Worker Solutions

Idea Integration, A MPS Group Company





<
I need to use the ActiveDirectoryMembershipProvider in my application.
I have setup the provider in the web config, etc. When I use the ASP.NET
configuration utility and select the Security tab, it throws an
exception saying that the attribute 'userPasswordQuestion' specified for
the attributeMapPasswordQuestion property is not an attribute of the
user class.



I extended the AD attributes and mapped them to the 'user' class. To
validate them, I used ADSIEdit to add simple editing functions to the
context menu of the AD Users and Computers console. Sure enough, when I
right-click on any user in any OU, I see the 5 attributes listed and the
console calls my custom VB script that displays the current value of the
attribute and lets me set the value to anything I want. Bottom line -
the attributes do exist and are indeed associated with the user class.



I rebooted the machine and ran the application again. Now the exception
is different. It says that the userPasswordQuestion attribute must be
of type 'Directory String'. All of the documentation I have read says
to set it to "Context Insensitive String". I went back to the AD schema
and tried to create an attribute of type 'Directory String', but no such
type exists.



What is going on? And why is this so difficult?
 
Back
Top