Support Thread

Active Directory Membership Provider Integration

📅 👤 ASP Playground
Active Directory Membership Provider Integration — APG vNext Guide

This archived community thread from the APG vNext support forum discusses: Active Directory Membership Provider Integration.

About This Topic

In order to use the Active Directory Membership Provider, you need complete the following steps:Update ~/config/appSettings.config: <add key="EnableMember...

Getting Help with APG vNext

APG vNext is a powerful ASP.NET forum and community platform. For questions related to this topic:

If you need direct assistance, the support team is active in the community forum.

Integrating Active Directory with APG vNext via Custom MembershipProvider

APG vNext's provider architecture allows replacing the built-in membership system with a custom implementation that authenticates against Active Directory. This enables employees to log into the community forum with their existing Windows credentials — no separate forum password to manage. The integration is implemented as a custom class that inherits from System.Web.Security.MembershipProvider and wraps AD authentication calls.

Project Setup

Create a new Class Library project in Visual Studio targeting the same .NET Framework version as your APG vNext installation (typically 4.8). Add references to System.DirectoryServices and System.DirectoryServices.AccountManagement.

using System.DirectoryServices.AccountManagement;

public class ADMembershipProvider : MembershipProvider
{
    private string _ldapDomain;
    private string _ldapContainer;

    public override void Initialize(string name,
        System.Collections.Specialized.NameValueCollection config)
    {
        _ldapDomain    = config["ldapDomain"]    ?? "yourdomain.com";
        _ldapContainer = config["ldapContainer"] ?? "DC=yourdomain,DC=com";
        base.Initialize(name, config);
    }

    public override bool ValidateUser(string username, string password)
    {
        using var ctx = new PrincipalContext(
            ContextType.Domain, _ldapDomain, _ldapContainer);
        return ctx.ValidateCredentials(username, password);
    }
}

Registering the Custom Provider

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider"
         type="YourNamespace.ADMembershipProvider, YourAssembly"
         ldapDomain="yourdomain.com"
         ldapContainer="DC=yourdomain,DC=com"
         enablePasswordReset="false"
         requiresQuestionAndAnswer="false" />
  </providers>
</membership>

Handling First-Time Login — Auto-Provisioning Forum Accounts

When a user authenticates via AD for the first time, APG vNext creates a forum member record automatically. To pre-populate the profile from AD attributes, override GetUser in your custom provider to pull display name, email, and department from the directory:

public override MembershipUser GetUser(string username, bool userIsOnline)
{
    using var ctx = new PrincipalContext(ContextType.Domain, _ldapDomain);
    var user = UserPrincipal.FindByIdentity(ctx,
        IdentityType.SamAccountName, username);
    if (user == null) return null;

    return new MembershipUser(
        providerName:  Name,
        name:          username,
        providerUserKey: user.Guid,
        email:         user.EmailAddress,
        passwordQuestion: null,
        comment:       user.Department,
        isApproved:    true,
        isLockedOut:   user.IsAccountLockedOut(),
        creationDate:  user.WhenCreated ?? DateTime.Now,
        lastLoginDate: DateTime.Now,
        lastActivityDate: DateTime.Now,
        lastPasswordChangedDate: DateTime.MinValue,
        lastLockoutDate: DateTime.MinValue);
}

Testing the Integration

Pre-deployment Checklist

  • Service account (svc-apg) has read access to the target OU in AD
  • Firewall allows TCP 389 (LDAP) or 636 (LDAPS) from the IIS server to the domain controller
  • Test ValidateUser with a known AD account before going live
  • Verify first-time login creates a forum member record with correct email and display name
  • Confirm locked-out AD accounts cannot log in to the forum

Handling Password Changes and Resets with AD Integration

When using Active Directory as the membership provider, password management is handled by AD — not APG vNext. The "Forgot Password" and "Change Password" flows in APG vNext must be disabled or redirected to your organisation's self-service password reset (SSPR) portal.

<!-- Disable APG vNext's built-in password features when using AD -->
<add key="APG.Member.AllowPasswordChange" value="false" />
<add key="APG.Member.AllowPasswordReset"  value="false" />
<!-- Redirect to corporate SSPR instead -->
<add key="APG.Member.PasswordResetURL"    value="https://sspr.company.com" />

Members who click "Forgot Password" on the APG vNext login form will be redirected to the corporate SSPR URL. This prevents confusion from members receiving an APG vNext-generated reset email when their AD password is managed centrally.

Deprovisioning — Handling Account Deletions and Terminations

When an employee leaves and their AD account is disabled or deleted, their APG vNext forum access should be revoked automatically. The AD MembershipProvider checks AD status on each login attempt, so disabled AD accounts cannot log in. However, existing active sessions are not terminated when an AD account is disabled.

<!-- Force session expiry check on each request -->
<add key="APG.AD.ValidateSessionOnRequest" value="true" />
<!-- APG vNext re-validates AD account status every N requests -->
<add key="APG.AD.ValidationInterval"       value="10" />

With ValidateSessionOnRequest=true, APG vNext checks the AD account status every 10 requests (configurable). If the account is now disabled, the user's session is terminated and they are redirected to the login page. This limits the window between AD account disable and forum access revocation to approximately 10 page views rather than the full session timeout.

Performance Impact of AD Integration

Each AD authentication call makes an LDAP round-trip to the domain controller. For high-traffic forums, this adds latency to every login request. Mitigate with connection pooling (configured in the LDAP provider settings) and by caching AD group membership data in the APG vNext session after the initial authentication:

<add key="APG.AD.CacheGroupsInSession" value="true" />
<!-- Groups are cached for the session duration -->
<!-- Set to false if group changes must be reflected immediately -->

Related Resources


Looking for more help? Browse the support forum or check the Knowledge Base.