Is it possible to use mixed-mode authentication with LDAP if my machine is not on the same domain?

Stephen Herz asked on August 25, 2020 22:53

I am trying to configure mixed-mode authentication using an LDAP connection. However, the server that is hosting the website is NOT on the same domain that the LDAP connection string is connecting to.

I am using a username and password that is active on the other domain and can verify that I can reach the Active Directory box at the LDAP location (we have a VPN set up). However, when I try to authenticate a user, I get the following message: The specified domain or server could not be contacted.

Does anyone know if it is possible to authenticate against a different Active Directory domain than the one the server is running on? Or is it mandatory that the server be on the same domain?

Recent Answers


Brian McKeiver answered on August 27, 2020 15:20

Stephen, I believe if your code attempts to connect to both (or multiple) domains with multiple connection strings it would be possible, or if one of your Domain Controllers has been joined to the other domain (or vice versa) you might be able to get away with only asking one for the authentication and it would check both (not 100% on this to be honest, it's been a while...).

The error you have stated makes me think the code is having issues connecting to the LDAP endpoint (domain controller). Have you specified the fully qualified domain in the LDAP connection string? Typically you would see LDAP://Domain/DC=Domain, but sometimes you need the whole thing: LDAP://Domain.local/DC=Domain,DC=local.

If you use ADExplorer on your Windows server that is hosting the IIS site (assuming you are on premise), can you view both domains from that tool on that server?


Stephen Herz answered on August 27, 2020 16:34 (last edited on August 27, 2020 16:43)

Brian, I am not attempting to use both domains. The IIS server IS connected to a local domain, but I only want to authenticate users from the remote domain. My server is NOT connected to that domain, I only want to use it for user authentication.

In my connection string, I am using the entire LDAP string, LDAP://Domain.local/DC=Domain,DC=local, and am using a domain admin password for the domain in the connection string.

I guess the real question is, is it possible to use an external domain solely for user authentication.


Brian McKeiver answered on August 27, 2020 16:44

Ok, sorry I misinterpreted it.

I mean the simple answer is yes, it should be possible. The more complicated part is how. Without knowing all the variables it would be hard to point you to the exact solution.

Brian


Stephen Herz answered on August 27, 2020 16:52

One question I had regarding the LDAP lookup. What port does it use? I've asked Kentico support, but they didn't seem to know. And I don't see anything concrete in the documentation. I assumed it uses 389 and can verify that I can reach that port from my server, but if it uses another, more secure port, I will need to open that on my firewall.

Any ideas?


Brian McKeiver answered on August 27, 2020 16:58

Yeah, I think the default is 389. You can force it to be sure, I believe:

"LDAP://" + LDAP_ServerAddress + ":389/"


Rui Wang answered on September 1, 2020 16:44

Hi Stephen, can you check if port 636 is open, if they are using secure LDAP? link text


Rui Wang answered on September 1, 2020 17:33

Also, port 445 did the trick for a lot of people based on link text

"Opening up port 445 did the trick for me. I could connect via System.DirectoryServices.DirectoryEntry(...) just fine using my LDAP connection string, but any attempts to connect via the ActiveDirectoryMembershipProvider would yield the following error: The specified domain or server could not be contacted. Opening up this port resolved the issue."

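The thread mentions three ports (389, 636, 445) and the explicit-port form of the connection string. The following diagnostic, added here as an example and not code from the original posts or from Kentico, checks TCP reachability of those ports from the web server and then performs an eager bind with an explicit port, so a "could not be contacted" error can be narrowed to the firewall or to the bind itself. Host, base DN and the bind account are placeholders; use a read-only service account rather than a domain admin.

```csharp
using System;
using System.DirectoryServices;   // System.DirectoryServices.dll (.NET Framework)
using System.Net.Sockets;

static class RemoteDomainLdapCheck
{
    // Placeholders (assumed values): the remote domain's DC and a least-privileged bind account.
    const string DcHost = "dc01.remote.local";
    const string BaseDn = "DC=remote,DC=local";
    const string BindUser = "REMOTE\\svc-ldap-readonly";
    const string BindPassword = "<read-from-secure-config>";   // never hard-code in real code

    // True if a TCP connection to host:port completes within timeoutMs.
    public static bool TcpOpen(string host, int port, int timeoutMs = 3000)
    {
        try
        {
            using (var client = new TcpClient())
                return client.ConnectAsync(host, port).Wait(timeoutMs) && client.Connected;
        }
        catch (Exception) { return false; }   // refused, unreachable, or DNS failure
    }

    // Binds using the LDAP://host:port/DC=... form from the thread. Reading NativeObject
    // forces the bind immediately instead of on first property access, so failures show here.
    public static bool LdapBind(int port)
    {
        string path = "LDAP://" + DcHost + ":" + port + "/" + BaseDn;
        // Port 636 needs SSL; anything else uses the negotiated (Kerberos/NTLM) secure bind.
        var authType = port == 636
            ? AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer
            : AuthenticationTypes.Secure;
        try
        {
            using (var entry = new DirectoryEntry(path, BindUser, BindPassword, authType))
                return entry.NativeObject != null;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Bind to " + path + " failed: " + ex.Message);
            return false;
        }
    }

    static void Main()
    {
        foreach (int port in new[] { 389, 636, 445 })
            Console.WriteLine("TCP " + port + ": " + (TcpOpen(DcHost, port) ? "open" : "blocked"));
        Console.WriteLine("LDAP bind on 389: " + (LdapBind(389) ? "ok" : "failed"));
    }
}
```

A successful bind on 389 with 445 blocked matches the quoted report: DirectoryEntry works while the membership provider still fails, which points at the firewall rather than the credentials.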
