13.1. Supported Directory Architectures

Because the ActiveDirectoryMembershipProvider uses a directory store, you should understand the various domain architectures that it supports. The ActiveDirectoryMembershipProvider can work against either an Active Directory (AD) domain (Windows 2000, Windows Server 2003, and Windows Server 2008) or against what is called an application partition deployed in an Active Directory Lightweight Directory Service (ADLDS) on Windows Server 2008 or Active Directory Application Mode (ADAM) on Windows Server 2003. Of the two directory server types, AD is the one with more varied options and, thus, requires a little more preplanning on your part.

The most important thing to keep in mind when using the AD/ADLDS-based provider is that the provider treats AD and ADLDS as Lightweight Directory Access Protocol (LDAP) servers. In essence, the provider is talking to these "databases" using LDAP commands. The provider does not interact with AD as an NT LAN Manager (NTLM) or Kerberos authentication service. This means that the provider does not return any kind of authenticated domain principal, and the provider cannot be used to generate a login token. It simply makes LDAP calls and LDAP binds to a directory server, and it returns the results of those calls. This behavior is sometimes a point of confusion for folks who think that ActiveDirectoryMembershipProvider generates security tokens and sets the security context on a thread. Because the provider is implementing ...

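The following C# fragment is an added example, not code from the book, that shows the consequence of the provider's LDAP-only behavior for an ASP.NET login page: `Membership.ValidateUser` returns only a `bool`, so the application must establish the authenticated session itself (here with a Forms authentication ticket), and the resulting principal is never a `WindowsPrincipal`. It assumes a `web.config` in which `ActiveDirectoryMembershipProvider` is the default membership provider and Forms authentication is enabled; the connection string name `corpAD` and the helper names are placeholders.

```csharp
// Added example (not from the book). Assumed web.config, abbreviated:
//   <connectionStrings>
//     <add name="corpAD" connectionString="LDAP://dc.example.internal/DC=example,DC=internal" />
//   </connectionStrings>
//   <membership defaultProvider="adProvider">
//     <providers>
//       <add name="adProvider"
//            type="System.Web.Security.ActiveDirectoryMembershipProvider"
//            connectionStringName="corpAD"
//            connectionProtection="Secure" />   <!-- keep the LDAP bind encrypted -->
//     </providers>
//   </membership>
//   <authentication mode="Forms" />
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class LdapLoginHelper
{
    // Validates credentials through the membership provider. Under the hood this is
    // an LDAP bind against AD/ADLDS, not an NTLM or Kerberos logon, so the only thing
    // we get back is a bool: no WindowsIdentity, no logon token, no impersonation.
    public static bool TryLogin(string userName, string password)
    {
        // Reject empty credentials before the provider ever binds: a bind with an
        // empty password is an unauthenticated (anonymous) LDAP bind and must never
        // be mistaken for a successful user logon.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        if (!Membership.ValidateUser(userName, password))
            return false;

        // The provider did not set any security context on the thread, so the
        // application establishes the session itself with a Forms ticket.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    // After the login above, HttpContext.Current.User is a forms-based principal.
    // This check returns false for it; code that expects a WindowsPrincipal here
    // (for example to impersonate the user against a file share) will not work.
    public static bool IsWindowsPrincipal(IPrincipal principal)
    {
        return principal is WindowsPrincipal;
    }
}
```

Use `TryLogin` from the login page's submit handler; everything downstream of it (role checks, resource access) runs as the web application's own process identity, which is why the text stresses that the provider cannot be used to generate a login token.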