World is now on Opti ID! Learn more

AI OnAI Off
Daniel Ovaska
Daniel Ovaska
Feb 20, 2013
  10305
(0 votes)

How to solve problems with the ActiveDirectoryMembershipProvider and similar ldap integrations

The basics is already handled in the EPiServer SDK about membershipprovider. But what do you do when that doesn’t work? Here are some ideas and tools how to get that integration up and running when the night is getting darker and the coffee is running out…

Basic setup of ActiveDirectoryMembershipProvider

Ok, so you read the guide above and you got a server adress to the customer AD and a user in AD to use to connect with. You have modified the web.config on the site similar to this:

web.config_membershipprovider

…and you added the connectionstring with IP or server name to connectionStrings.config like this:

ConnectionString

…but it doesn’t work? Example of errors are:


”Unable to establish secure connection with the server” or the more evil one
”The specified domain or server could not be contacted”.

Why? Ok, let’s get this article going.

Check that ip adress is reachable

My first simple step would be to ping that adress or IP. Maybe they gave you an internal server name instead of a reachable ip or reachable url?

pingIt

If ping fails, get back to the customer and let them hand you the correct ip or url.

Ok, so you get the correct ip adress of the server that you can ping. But it’s still not working? Now is the time to start downloading some additional tools. I would recommend starting with Softerra’s LDAP browser. Google it and download it. Maybe you have made some mistake on your LDAP connectionstring or the user credentials are wrong?

Testing connection to AD with Softerra LDAP browser

Booting up Softerra will give you a similar view to this. Fill in IP to test against…

IPtoAD

and user details…


FillInUserToTestWith

If you can browse in the AD with this tool, you now know that the both the IP and the user detail are correct.

If you got
InvalidCredentialsToAD
then you need to get in touch with the AD administrator and let him hand you the correct credentials.

You also know that the LDAP port 389 that this tool (and the ActiveDirectoryMembershipProvider) uses is open if you are able to browse in the AD at this time. It’s now time to check again if the website is able to login correctly. If not, maybe you are getting this error?

”The specified domain or server could not be contacted”

Nmap for solving firewall problems

Now it’s time to download your second tool, nmap with it’s gui part Zenmap. Google it, download it. Starting it will present you with a view similar to this

NetworkScanMogulAD

Insert your server adress at the top and hit scan. This will display a list of open ports that you can connect to on that server. The important ones that needs to be open for ActiveDirectoryMembershipProvider I’ve marked in yellow. They are 389 and 445 and yes, you need both of them.

If you don’t see port 445 in this list, this will likely generate the error
”The specified domain or server could not be contacted” when trying to login to your website.

Eureka! Contact your firewall administrators on your side and customer side and tell them to open this port, and lo, it works!

 

Conclusion

There are a couple of walls, some made of fire, that you can run into when setting up this type of integration. Hopefully the tools and information above should save a few hours for someone. Nmap is, by the way, also a most useful tool to locate similar integration problems when you have firewalls blocking your happiness.

The short checklist to success:

  • Make sure you get a valid server adress and not an internal one. Use ping to see if the server even exist from your point of view.
  • Check that both ports (389 and 445) are open between the servers (TCP). Use nmap to validate that this is true.
  • Test ldap user credentials and url using LDAP browser

Happy coding!

Feb 20, 2013

Comments

Please login to comment.
Latest blogs
Make Global Assets Site- and Language-Aware at Indexing Time

I had a support case the other day with a question around search on global assets on a multisite. This is the result of that investigation. This co...

dada | Jun 26, 2025

The remote server returned an error: (400) Bad Request – when configuring Azure Storage for an older Optimizely CMS site

How to fix a strange issue that occurred when I moved editor-uploaded files for some old Optimizely CMS 11 solutions to Azure Storage.

Tomas Hensrud Gulla | Jun 26, 2025 |

Enable Opal AI for your Optimizely products

Learn how to enable Opal AI, and meet your infinite workforce.

Tomas Hensrud Gulla | Jun 25, 2025 |

Deploying to Optimizely Frontend Hosting: A Practical Guide

Optimizely Frontend Hosting is a cloud-based solution for deploying headless frontend applications - currently supporting only Next.js projects. It...

Szymon Uryga | Jun 25, 2025

World on Opti ID

We're excited to announce that world.optimizely.com is now integrated with Opti ID! What does this mean for you? New Users:  You can now log in wit...

Patrick Lam | Jun 22, 2025

Avoid Scandinavian Letters in File Names in Optimizely CMS

Discover how Scandinavian letters in file names can break media in Optimizely CMS—and learn a simple code fix to automatically sanitize uploads for...

Henning Sjørbotten | Jun 19, 2025 |

See all blogs