ActiveDirectoryMembershipProvider "The specified domain or server could not be contacted."

asp.net asp.net-membership ldap activedirectorymembership
Scott Ivey picture Scott Ivey · Aug 12, 2009 · Viewed 9.4k times · Source

I have an application that is using ActiveDirectoryMembershipProvider to grant access to users. The application is hosted on a non-domain machine, with a firewall between the application server and the domain controller.

We've opened the LDAP port to the DC on the inside network - yet no matter what we try, we end up with an error that says "The specified domain or server could not be contacted."

Does anyone have any suggestions on how I can resolve this? We've tried everything we can think of and just aren't getting anywhere.

My connection string is:

<add name="ADConnectionString"
    connectionString="LDAP://10.5.3.7:389/DC=MyTestDomain,DC=local"/>

And my provider is:

<add name="ActiveDirectoryMembershipProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider"
    connectionStringName="ADConnectionString"
    attributeMapUsername="SAMAccountName"
    connectionProtection="None"
    connectionUsername="LdapUser"
    connectionPassword="LdapPassword"   />

Answer

ewall picture ewall · Sep 16, 2009

The application is hosted on a non-domain machine, with a firewall between the application server and the domain controller.

Since you could query directly using an LDAP tool, that suggests that the firewall is open correctly. However, keep in mind that the ActiveDirectoryMembershipProvider is not using plain old LDAP, it's using Microsoft technologies. For example, if you set connectionProtection="Secure", ADMP will try using SSL and port 636, if that fails, it will use Microsoft's built-in IPSec signing (see this article for more details).

Anyway, this makes me wonder about a couple things:

  1. Does the AD domain have an IPSec "required" policy which refuses connections from non-domain/non-configured computers? (Probably not, since you connected with plain LDAP, but it's worth investigating.)
  2. Have you added the domain controller's NetBIOS name to your lmhosts file, and its DNS name to your hosts file? (Many protocols check that their target's reported name matches the name you tried to connect to.)
  3. A lot of people have noted problems using ADMP between different domains, and the solution required that a one-way trust be created. Since it sounds like your client computer is not in a domain, you can't have that trust--unless either (a) it is a member of a different domain with a one-way trust or (b) it is a member of the same domain and thus client-server trust is implicit.

Related questions

ActiveDirectoryMembershipProvider - "Unable to establish secure connection"

I am trying to configure an ActiveDirectoryMembershipProvider but I keep getting the message "Unable to establish secure connection with the server". I have seen online at the MSDN website that I should configure the trust level to unrestricted on my …

Read More
SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified

Well i have a big problem that i'm trying for days to solve but i could not do it, so i need your help. I have a web application in asp.net 4.0 where i implemented custom membership and role providers. …

Read More
Why is <deny users="?" /> included in the following example?

The ? wildcard represents unauthenticated users while * represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization: <authorization> <deny users="?" /> <allow users="dan,matthew" /> <deny users="*" /> </authorization&…

Read More