ActiveDirectoryMembershipProvider and SharePoint 2007 and Forms Based Authentication

Posted on 7/11/2007 @ 5:07 PM in #SharePoint

I have written previously about enabling custom authentication on SharePoint 2007.

Most of the articles online, including mine, talk about using a membership provider along the lines of the AspNetSqlMembershipProvider. In rare circumstances, however, you may end up having to use the ActiveDirectoryMembershipProvider, and that is where you are in for some (hopefully not) major pain. This is because the ActiveDirectoryMembershipProvider needs more rights than god himself to work properly; seriously, IMO it is a piece of crap. Not only that, using it in SharePoint gives you weird, cryptic error messages like "Something bad happened!", which are really not that useful.

But if you had to use it with SharePoint, here are the recommended ways.

1. Create your own provider that inherits from System.Web.Security.ActiveDirectoryMembershipProvider, throw that assembly in the GAC (full trust), and use that instead.

2. Create your own provider that inherits from System.Web.Security.ActiveDirectoryMembershipProvider, throw that assembly in bin, give it full trust or DirectoryServices permission, and then use that instead.

3. Screw AD Provider, and write your own membership provider using this code here. Frankly, option #3 is the best because the ADProvider, even on a good day, needs a username/password with more rights than god himself.
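For option 2, the narrower of the two grants (DirectoryServices permission rather than full trust) can be scoped to the one provider assembly in a custom code access security policy file. The fragments below are an added illustration, not code from the original post: the assembly name `Contoso.AdProvider`, the permission set name `AdProviderPermissions` and the public key placeholder are assumptions. They go into a copy of a SharePoint policy file such as wss_minimaltrust.config that the web application's `<trust>` level points at.

```xml
<!-- Added example: fragments for a copy of wss_minimaltrust.config.
     Contoso.AdProvider and AdProviderPermissions are hypothetical names;
     the assembly holds the class derived from ActiveDirectoryMembershipProvider. -->

<!-- 1. Under <SecurityClasses>: make the permission type known to the policy.
     The other classes used below are already declared in the stock file. -->
<SecurityClass Name="DirectoryServicesPermission"
  Description="System.DirectoryServices.DirectoryServicesPermission, System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

<!-- 2. Under <NamedPermissionSets>: only what the provider assembly needs,
     instead of PermissionSetName="FullTrust". -->
<PermissionSet class="NamedPermissionSet" version="1" Name="AdProviderPermissions">
  <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
  <IPermission class="SecurityPermission" version="1" Flags="Execution" />
  <IPermission class="DirectoryServicesPermission" version="1" Unrestricted="true" />
</PermissionSet>

<!-- 3. Inside the root FirstMatchCodeGroup, placed before the $AppDirUrl$
     group so it is matched first: bind the set to the one strong-named
     assembly rather than to everything in bin. -->
<CodeGroup class="UnionCodeGroup" version="1"
           PermissionSetName="AdProviderPermissions">
  <IMembershipCondition class="StrongNameMembershipCondition" version="1"
    PublicKeyBlob="PLACEHOLDER_PUBLIC_KEY_BLOB"
    Name="Contoso.AdProvider" />
</CodeGroup>
```

The public key blob is the one printed by `sn -Tp` for the signed assembly; matching on strong name keeps the extra permission from applying to other code dropped into bin.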


Older comments..


On 7/11/2007 9:26:04 PM Doug Seelinger said ..
I wish I had time to use Reflector to just step through the MS ActiveDirectoryMembershipProvider, since it has stolen days away from my life as well. I'd like to know what's going on in there just to better understand the minds of the insane.


On 7/11/2007 9:41:18 PM Sahil Malik said ..
I bet it makes calls out to Kernel32.dll, or something silly like that. No wonder it needs full-trust. Ya think they'd thunk of a way around it eh? :)