
“401 - Unauthorized: Access is denied” when users are trying to log in to my asp.net intranet web application

I have the following :-

  1. Our Internal network contains both DomainA & DomainB.
  2. Both domains can communicate with each other, but there is no trust between them and ADFS is disabled.
  3. I have an asp.net mvc web application deployed under IIS 7.5 on domainA.
  4. I have the authentication type for my asp.net mvc as windows-authentication

My current situation is as follow:-

  1. Users who are defined under domainA (where the asp.net MVC is deployed) can access the asp.net mvc web application using their username and password, entered inside the browser pop-up.
  2. Users defined under domainB will get “401 - Unauthorized: Access is denied” when they enter their domain username and password (they will enter the username and password three times before getting the 401 error).

So my question is :-

  1. I am unable to know what are the steps, either inside the web.config file or inside IIS, which I need to follow to allow my asp.net mvc intranet web application to authenticate users from both domains. So if the user enters domainA\username then the asp.net should look for the users inside the AD in domainA, while if the user enters domainB\username, then the asp.net should look inside domainB.

You need to add 2 sets of <providers> in your web.config, 1 for each domain, as follows.

Steps to configure ASP.NET Membership providers for multiple domains

1) In the Web.config file, add connection strings similar to those shown in the following example that point to your Active Directory user database for each domain.

<connectionStrings>
  <!-- One LDAP connection string per domain, each pointing at that domain's Users container -->
  <add name="TestDomain1ConnectionString" connectionString="LDAP://testdomain1.test.com/CN=Users,DC=testdomain1,DC=test,DC=com" />
  <add name="TestDomain2ConnectionString" connectionString="LDAP://testdomain2.test.com/CN=Users,DC=testdomain2,DC=test,DC=com" />
  <!-- ... other connection strings ... -->
</connectionStrings>

2) In the Web.config file, configure the <membership> element with ActiveDirectoryMembershipProvider instances pointing to each domain as shown here.

<membership>
  <providers>
    <!-- Provider for testdomain1; connectionUsername/connectionPassword are the
         account this provider uses to bind to that domain's directory -->
    <add
      name="TestDomain1ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,
            Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="TestDomain1ConnectionString"
      connectionUsername="testdomain1\administrator"
      connectionPassword="password"/>
    <!-- Provider for testdomain2, bound with an account from that domain -->
    <add
      name="TestDomain2ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,
            Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="TestDomain2ConnectionString"
      connectionUsername="testdomain2\administrator"
      connectionPassword="password"/>
  </providers>
</membership>

Make sure you set the connectionStringName attribute to the correct connection string name specified earlier in your <connectionStrings> section.

For a detailed walkthrough of setting this up and making sure it works, see here.
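
The answer above registers one provider per domain but does not show how a login typed as domain\username reaches the right one. The following is an added example, not part of the original answer: it assumes a forms-authentication login action calls `MultiDomainAuthenticator.Validate` (a hypothetical helper), that users type the NetBIOS prefixes `testdomain1` and `testdomain2`, and that each provider is configured with `attributeMapUsername="sAMAccountName"` (the provider's default is `userPrincipalName`).

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example (hypothetical helper, not from the original answer).
public static class MultiDomainAuthenticator
{
    // Domain prefix typed by the user -> provider name from the <membership> section.
    // The prefixes are assumptions; the provider names are the ones configured above.
    private static readonly Dictionary<string, string> ProviderByDomain =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "testdomain1", "TestDomain1ADMembershipProvider" },
            { "testdomain2", "TestDomain2ADMembershipProvider" }
        };

    // login is expected in the form DOMAIN\username.
    public static bool Validate(string login, string password)
    {
        // Reject empty input before any directory bind is attempted.
        if (string.IsNullOrWhiteSpace(login) || string.IsNullOrEmpty(password))
            return false;

        // Require exactly "domain\user" with both parts non-empty.
        int slash = login.IndexOf('\\');
        if (slash <= 0 || slash == login.Length - 1)
            return false;

        string domain = login.Substring(0, slash);
        string user = login.Substring(slash + 1);

        // Unknown domain: fail closed instead of falling back to a default provider.
        string providerName;
        if (!ProviderByDomain.TryGetValue(domain, out providerName))
            return false;

        // Membership.Providers returns null when the name is not registered in web.config.
        MembershipProvider provider = Membership.Providers[providerName];
        if (provider == null)
            return false;

        // The selected provider checks the credentials against its own domain only.
        return provider.ValidateUser(user, password);
    }
}
```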
