Credentials for an Active Directory Profile Data Source

You can use the Profiles resource to configure the authentication type that the Profile Service uses to connect to an underlying data source that is Active Directory. When you configure the data source, it is recommended that you specify credentials that have permissions to perform the operations on the container in Active Directory. On the System Attributes dialog box, you can select the Use the same credentials for all users option, which forces the Profile Service to use the specified credentials.

When you select this option, the Profile Service uses the user name and password stored in the LDAPv3 binding credentials when binding to the Active Directory Store. This user name and password pair is stored in the database in clear text.

For example, when a user logs on to your site, the credentials are read from the SQL Server database, and the Profile Service then binds to Active Directory using those credentials.

If you do not select Use the same credentials for all users, then you are using the Integrated Windows Authentication mode of the Profiling System for Active Directory. This means that the Profiling System uses the security context of the calling thread to make the call to Active Directory, and Active Directory accepts or rejects the call on the basis of that security context.

Using the Profile Service this way on a site where customers self-register means giving the IIS anonymous user account permission to perform create operations on the Active Directory container where your user data is stored.
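
Whichever mode you choose, it is worth checking which accounts can actually create objects in that container. The following is an added example, not part of the original documentation: a PowerShell audit that lists every allow entry granting create rights on the container and marks broad principals such as the IIS anonymous account. It assumes the ActiveDirectory module (RSAT) is installed; the container DN and the principal name pattern are placeholders.

```powershell
# Added example: list principals allowed to create child objects in the
# container used by the Profiles data source.
Import-Module ActiveDirectory

# Placeholder DN (assumption): replace with the container your data source targets.
$ContainerDn = 'OU=SiteUsers,DC=example,DC=com'

$createBit = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Principals that warrant review if they hold create rights here.
# IUSR_* is the default naming pattern of the IIS anonymous account (assumption
# that the default name is in use on your servers).
$broadPattern = '(\\|^)(IUSR_.*|Everyone|ANONYMOUS LOGON|Authenticated Users)$'

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$ContainerDn"

$acl.Access |
    Where-Object {
        # Keep allow ACEs whose rights include CreateChild (GenericAll includes it).
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createBit) -eq $createBit)
    } |
    Select-Object @{ n = 'Principal';      e = { $_.IdentityReference.Value } },
                  ActiveDirectoryRights,
                  # An all-zero ObjectType GUID means any child object class.
                  ObjectType,
                  IsInherited,
                  @{ n = 'BroadPrincipal'; e = { $_.IdentityReference.Value -match $broadPattern } } |
    Sort-Object BroadPrincipal -Descending |
    Format-Table -AutoSize
```

Rows with BroadPrincipal set to True show that an anonymous or catch-all account can create objects in the container, which is the situation the paragraph above describes.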

See Also

Creating a New Data Source in the Profiles Resource

Creating a Profile Definition with Two Data Sources

Copyright © 2005 Microsoft Corporation.
All rights reserved.