Active Directory for FBA in SharePoint using LDAP

By Vimal Kumar.J
Posted On Jul 10,2008
No of Comments: 14
Category: Sharepoint

Introduction

This article explains how Active Directory can be used for Forms-Based Authentication (FBA) in SharePoint, how to configure a custom source for profile import, and how to enable MySite access from the primary site without being challenged for authentication again. We use LdapMembershipProvider and LdapRoleProvider for this.

 

To enable FBA for a Web Application

The following are the steps to enable FBA for a Web Application.

1. Extend the Web Application for which FBA is required. To do so, click on the “Create or Extend Web Application” link in the Application Management page in Central Administration, then click on the “Extend an existing Web Application” link.

2. Click on the Web Application dropdown and select the “Change Web Application” link.

3. Select the Web Application for which FBA has to be configured. (Here it's the Enigma Primary - 6000.)

4. Check the Create a new IIS Web Site option and enter the Description, the Port (where you want the extended web application to run) and the Path. Also select the type of authentication provider: for now, select “NTLM” as the “Authentication Provider”, “No” for “Allow Anonymous” and “No” for “Use Secure Sockets Layer (SSL)”.

5. Select the Zone for which you want to extend the Web Application and click “OK”. This will create the Web Application.

6. In SharePoint Central Administration's Web.Config, add the following Membership and Role Providers in the <system.web> section:

<membership>
  <providers>
    <add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="Domain.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Domain,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="Domain.com" port="389" useSSL="false" groupContainer="DC=Domain,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>

 

7. In the newly created Web Application's (ENIGMA INTERNET - 6005) Web.Config, add the following Membership and Role Providers in the <system.web> section:

<membership defaultProvider="ENIGMA">
  <providers>
    <add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=domain,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="ENIGMAROLE" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" groupContainer="DC=domain,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>

8. Click on the “Authentication Providers” link in Application Management in the Central Administration page.

9. Select the Zone of the extended Web Application (Internet). Also check that the correct Web Application is selected.

10. Select the Authentication Type as “Forms”. Enter the Membership Provider name and Role Manager name as in the Central Admin “Web.Config” and save the changes.

 

To give Permissions to Users for the Portal Site, MySite and SSP

1. In the Central Admin page, under Application Management, click on Policy for Web Application.

2. Select the appropriate Web Application for which the permissions have to be given (Portal Site, MySite or SSP) and click on Add Users. Note: for all three (Portal Site, MySite and SSP), permissions have to be given on the extended Web Application.

3. Select the appropriate Zone, here Intranet.

4. Click on Browse to search for and add users.

5. Enter the User ID/Group to add. Note: if it's a User ID, add ENIGMA:Name; if it's a group, add ENIGMAROLE:GroupName.

6. Give the User ID/Group the appropriate permissions for the given Web Application. For the Portal site and MySite give Reader permissions to all users, and for SSP give admin permission only to the Administrators.




To configure profile import with LDAP

1. In the Shared Services Administration page click on the “User Profiles and Properties” link.

2. In the “User Profiles and Properties” page click on “View import connections”.

3. In the “View import connections” page click on “Create new Connection”.

4. In the “Create New connection” page enter the values for the “Connection Settings”. (The Provider name depends upon which MembershipProvider is being used.)

5. In the “Create New connection” page enter the values for the “Search Settings” and “Authentication Information” and click “OK”.

6. Click on the “Configure Profile Import” link in the User Profiles and Properties page.

7. Select the “Custom Source” option in Source.

8. Click on “Start full import” to start importing profiles over the LDAP connection.

 

To access MySite with FBA without authenticating again

1. Ensure the WSS site and MySite are running as different Web Applications.

2. Ensure they are both configured to use FBA.

3. The name of the cookie issued by both sites, as set in each web.config (the actual SharePoint site and the extended Web Application), has to match.

4. The Machine keys in both web.config files mentioned above must match (alternatively, copy the Machine key from one of them to the other).

5. Ensure that both sites answer to the same domain name, as in site1.company.com and site2.company.com. In this case you can set the cookie's domain property to company.com so that the browser presents the cookie to both sites.
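As an added example (my code, not the article's or SharePoint's), here is a Python check over the web.config fragments these sections depend on: step 10 of the FBA setup requires the provider names entered in Central Administration to be registered in both the Central Admin and the extended web.config, and the MySite single sign-on steps above require the cookie name and the machineKey to match across the two sites. The `<configuration>`/`<system.web>` layout, the shortened provider `type` strings, the `.MySiteRole` cookie name and the machineKey values are assumptions and constructed placeholders, not values from the article.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Central Administration's web.config with the two LDAP
# providers registered (step 6); provider type strings are shortened.
CENTRAL_ADMIN_WEBCONFIG = """<configuration><system.web>
  <membership><providers>
    <add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider"
         server="domain.com" port="389" useSSL="false" userNameAttribute="sAMAccountName" />
  </providers></membership>
  <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true"
               cacheRolesInCookie="true" cookieName=".PeopleDCRole"><providers>
    <add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider"
         server="domain.com" port="389" useSSL="false" groupNameAttribute="cn" />
  </providers></roleManager>
</system.web></configuration>"""

# Constructed sample: the extended FBA web application (step 7). Same providers,
# now the defaults, plus an explicit machineKey (placeholder values, not real keys).
EXTENDED_WEBCONFIG = CENTRAL_ADMIN_WEBCONFIG.replace(
    'defaultProvider="AspNetWindowsTokenRoleProvider"', 'defaultProvider="ENIGMAROLE"'
).replace(
    "<membership>",
    '<machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" '
    'decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />\n'
    '  <membership defaultProvider="ENIGMA">',
)

# Constructed sample: a MySite web.config edited on its own, so its cookie name
# and validationKey drifted from the extended site's (the SSO failure case).
MYSITE_WEBCONFIG = EXTENDED_WEBCONFIG.replace(
    'cookieName=".PeopleDCRole"', 'cookieName=".MySiteRole"'
).replace("PLACEHOLDER_VALIDATION_KEY", "DIFFERENT_PLACEHOLDER_KEY")


def parse_fba_settings(xml_text):
    """Extract the FBA-relevant settings from one web.config document."""
    root = ET.fromstring(xml_text)
    web = next(child for child in root if child.tag == "system.web")
    s = {"membership": {}, "roles": {}, "cookie": None, "machine_key": None}
    mk = web.find("machineKey")
    if mk is not None:
        s["machine_key"] = (mk.get("validationKey"), mk.get("decryptionKey"))
    for section, key in (("membership", "membership"), ("roleManager", "roles")):
        node = web.find(section)
        if node is None:
            continue
        s[key + "_default"] = node.get("defaultProvider")
        for add in node.iter("add"):
            s[key][add.get("name")] = dict(add.attrib)
        if section == "roleManager":
            s["cookie"] = node.get("cookieName")
    return s


def check_provider_names(central_admin, extended):
    """Step 10: the provider names typed into Central Admin must be registered
    in both the Central Admin and the extended web.config."""
    findings = []
    for kind in ("membership", "roles"):
        for name in sorted(set(extended[kind]) - set(central_admin[kind])):
            findings.append(f"{kind} provider '{name}' is missing from Central Admin's web.config")
    return findings


def check_sso_pair(site_a, site_b):
    """MySite single sign-on: the forms cookie must carry the same name and be
    protected by the same machineKey on both web applications."""
    findings = []
    if site_a["cookie"] != site_b["cookie"]:
        findings.append(f"cookieName differs: {site_a['cookie']!r} vs {site_b['cookie']!r}")
    if site_a["machine_key"] is None or site_b["machine_key"] is None:
        findings.append("machineKey not set explicitly on one side; auto-generated keys differ per site")
    elif site_a["machine_key"] != site_b["machine_key"]:
        findings.append("machineKey validationKey/decryptionKey differ between the sites")
    return findings


def check_ldap_transport(settings):
    """Hardening note: useSSL="false" on port 389 leaves the LDAP session
    unencrypted; review whether binds and attribute reads cross the network
    in the clear before accepting this in production."""
    findings = []
    for kind in ("membership", "roles"):
        for name, attrs in settings[kind].items():
            if attrs.get("useSSL", "false").lower() != "true":
                findings.append(f"{kind} provider '{name}' uses {attrs.get('server')}:{attrs.get('port')} without SSL")
    return findings


if __name__ == "__main__":
    ca, ext, my = (parse_fba_settings(c) for c in
                   (CENTRAL_ADMIN_WEBCONFIG, EXTENDED_WEBCONFIG, MYSITE_WEBCONFIG))
    for finding in (check_provider_names(ca, ext) + check_sso_pair(ext, my)
                    + check_ldap_transport(ext)):
        print("finding:", finding)
```

Run against the constructed samples, the provider-name check passes, the extended-vs-MySite pair reports both the cookie name and the machineKey mismatch, and the transport check flags both providers; point `parse_fba_settings` at real files with `open(path).read()` to audit an actual farm.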


If you get 401.1 Access Denied when logging on to your FBA Site

1. If you get an error like this in the Event Viewer:

Event Type:        Failure Audit
Event Source:      Security
Event Category:    Logon/Logoff
Event ID:          534
Date:              7/10/2008
Time:              11:57:02 AM
User:              NT AUTHORITY\SYSTEM
Computer:          01HW102540
Description:
Logon Failure:
Reason:            The user has not been granted the requested logon type at this machine
User Name:         IUSR_01HW102540
Domain:            01HW102540
Logon Type:        8
Logon Process:     Advapi
Authentication Package:    Negotiate
Workstation Name:  01HW102540
Caller User Name:  inblrdhrjnjadmin1
Caller Domain:     INDIA
Caller Logon ID:   (0x0,0x16F1D7B5)
Caller Process ID: 4776
Transited Services:        -
Source Network Address:    -
Source Port:       -

2. In IIS Manager, click on the Virtual Directory of the FBA site, open the properties of the virtual directory, and in the Directory Security section click on Edit under Authentication and access control.

3. Now change the username and password entered there from the IUSR account to the domain account and click OK.
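An added example (not from the article) that parses a failure audit laid out like the one above and applies the article's troubleshooting rule as a triage step: event ID 534 with logon type 8 for the IIS anonymous IUSR_ account, for which the fix above is to run the FBA virtual directory under a domain account. The sample event text, the machine name WEBSERVER01 and the `triage` wording are constructed for this example.

```python
import re

# Constructed sample: a Security-log failure audit with the same field layout
# as the article's event, with a placeholder machine name.
SAMPLE_EVENT = r"""Event Type:   Failure Audit
Event Source: Security
Event Category:      Logon/Logoff
Event ID:     534
Date:         7/10/2008
Time:         11:57:02 AM
User:         NT AUTHORITY\SYSTEM
Computer:     WEBSERVER01
Description:
Logon Failure:
Reason:       The user has not been granted the requested
logon type at this machine
User Name:    IUSR_WEBSERVER01
Domain:              WEBSERVER01
Logon Type:   8
Logon Process:       Advapi
Authentication Package:    Negotiate
"""

# Logon type codes as documented for the Windows security log.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# "Key:   value" where the key is the text up to the first colon.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_event(text):
    """Turn the 'Key: value' lines into a dict. A line without a key (the
    wrapped Reason text) is appended to the previous field's value."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last:
            fields[last] = (fields[last] + " " + line).strip()
    return fields


def triage(fields):
    """Classify the event the way the article's 401.1 section does."""
    event_id = int(fields.get("Event ID", "0") or 0)
    logon_type = int(fields.get("Logon Type", "0") or 0)
    account = fields.get("User Name", "")
    result = {"event_id": event_id, "logon_type": logon_type,
              "logon_type_name": LOGON_TYPES.get(logon_type, "Unknown"),
              "account": account}
    if event_id == 534 and account.upper().startswith("IUSR_"):
        result["diagnosis"] = ("IIS anonymous account has not been granted the requested "
                               "logon type; set the FBA virtual directory's anonymous "
                               "identity to a domain account")
    elif event_id == 534:
        result["diagnosis"] = "account lacks the requested logon right on this machine"
    else:
        result["diagnosis"] = "not a logon-type failure"
    return result


if __name__ == "__main__":
    for key, value in triage(parse_event(SAMPLE_EVENT)).items():
        print(f"{key}: {value}")
```

On the sample the parser reassembles the two-line Reason text, and `triage` reports logon type 8 (NetworkCleartext) for the IUSR_ account with the article's remedy; feed it other exported events to separate this case from other 534 failures.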

 

Even after adding the “Domain Users” group, users get “Access Denied” when trying to log in to FBA

The OOB “Domain Users” group doesn't work with the LdapMembershipProvider, so use any other group or create an equivalent group in AD.
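The mechanism behind this, as an added example rather than the article's own material: Active Directory stores a user's primary group (“Domain Users”, RID 513, by default) on the user object as primaryGroupID, not in the group's member attribute, and member is the attribute the role provider above reads (groupMemberAttribute="member"). The in-memory directory snapshot below is constructed; the GROUPS and USERS data, the group “Portal Readers” and the function names are mine, and no LDAP server is contacted.

```python
# Constructed group entries. primaryGroupToken is the group's RID; `member`
# lists only explicit members, which is all an LDAP role provider sees.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=domain,DC=com":
        {"cn": "Domain Users", "primaryGroupToken": 513, "member": []},
    "CN=Portal Readers,OU=Groups,DC=domain,DC=com":
        {"cn": "Portal Readers", "primaryGroupToken": 1105,
         "member": ["CN=Alice,CN=Users,DC=domain,DC=com"]},
}

# Constructed user entries. primaryGroupID points at the group's RID; this is
# the only place AD records primary-group membership.
USERS = {
    "CN=Alice,CN=Users,DC=domain,DC=com": {"sAMAccountName": "alice", "primaryGroupID": 513},
    "CN=Bob,CN=Users,DC=domain,DC=com": {"sAMAccountName": "bob", "primaryGroupID": 513},
}


def roles_via_member_attribute(user_dn):
    """What a provider keyed on groupMemberAttribute="member" resolves."""
    return sorted(g["cn"] for g in GROUPS.values() if user_dn in g["member"])


def roles_including_primary_group(user_dn):
    """Full AD membership: explicit `member` entries plus the primary group."""
    pgid = USERS[user_dn]["primaryGroupID"]
    names = set(roles_via_member_attribute(user_dn))
    names.update(g["cn"] for g in GROUPS.values() if g["primaryGroupToken"] == pgid)
    return sorted(names)


def groups_missed_by_provider(user_dn):
    """Groups the user really holds but the role provider will never return."""
    return sorted(set(roles_including_primary_group(user_dn))
                  - set(roles_via_member_attribute(user_dn)))


def policy_groups_to_avoid(granted_group_names):
    """Audit helper for the web application policy: of the groups granted,
    return those that are some user's primary group, because users who hold
    them only that way will still get Access Denied."""
    primary_tokens = {u["primaryGroupID"] for u in USERS.values()}
    return sorted(name for name in granted_group_names
                  if any(g["cn"] == name and g["primaryGroupToken"] in primary_tokens
                         for g in GROUPS.values()))


if __name__ == "__main__":
    for dn in USERS:
        print(dn, "provider sees:", roles_via_member_attribute(dn),
              "missed:", groups_missed_by_provider(dn))
    print("policy groups to avoid:", policy_groups_to_avoid(["Domain Users", "Portal Readers"]))
```

Alice resolves to “Portal Readers” only, Bob resolves to nothing at all, and “Domain Users” is reported as a group to keep out of the web application policy, which is the article's recommendation to grant a different group or create an equivalent one in AD.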

 


Comments
help
good
Change of Domain.com to actual DC
I have found that when changing the domain.com for the server information the best solution is to use a Domain Controller name or an IP address. If you have any question on your DNS giving the IP of the Domain as your domain controller use the actual name.
sharepoint login LDAP
Hello!
I configured SharePoint to authenticate with LDAP, and I am able to get LDAP users and add them in the internet site also, but after adding, I'm unable to login with the added username credentials. I get the following error: "The server could not sign you in. Make sure your user name and password are correct, and then try again."
I tried to remove the following line from the web.config, but I get the same error.

useDNAttribute="false"
FBA 2010 Solutions
If you want to use ready-made solutions for the management of FBA users, you should take a look here:

http://www.devit.eu/products/121-fba-manager-sp2010-forms-based-authentication.aspx
User Profile Import
Great Article, thanks for your kind support.

I did all the steps you have given in this post. When I click Full Import from the custom source, it gives me the error "The filtering process has been terminated".

Would you please help me regarding this situation. I am hopeful of your kind response.

thanks,
Mysites
But clicking on a user profile does not work; so how to get mysites work with ldap?
Logon error
I had the same problem as subbulakshmi. Once I removed the following line from the web.config I was able to successfully log in.

useDNAttribute="false"

Odd that removing that line worked. I don't know how many posts I have seen that state clearly that line must be included for FBA leveraging LDAP to work.
error

I have tried adding defaultProvider in all three web.configs (CA, Extended, actual site).

I was able to get LDAP users (people picker) and add them in the internet site also (but LDAPFBAMembership:username is not accepted and throws an error; only username was taken). But even after adding, I'm unable to login with the added username credentials and get the following error:

"The server could not sign you in. Make sure your user name and password are correct, and then try again."

I even reset IIS also. What could be wrong?

one little mistake
hi,
very good explanation with one little problem:
step 5. you took Domain Users as an example group. By default the group Domain Users is set as the "default group" in Active Directory for a user. When your LDAP source is an Active Directory, users who have this group as their default group in AD cannot logon to the page. Whenever a group that you give access to the page is the default group of a user, this user is not able to logon. Why? The role provider looks up the attribute "member" to compare the user with the group. For the default group this attribute is not set. This is not a bug, it's a feature by Microsoft ;) The member attribute can only provide x connections between x users and a group, and they wanted an AD that can provide more than x users with the same default group.
So the solution for this problem is: do not grant access to the site to a group which is the default group of a user.
hope it is understandable ... sorry for my bad english :)
hi
actually last time I did it using System.Web.Security.ActiveDirectoryMembershipProvider; need to try the way you have given
Great Post
Much better than the System.Web.Security.ActiveDirectoryMembershipProvider
Thanks, it works like a charm!!!
Hello Vimal, thanks for your detailed article, it helped us a lot to implement this LDAP AD FBA authentication in a neat and proper way !!!! Very helpful! Julie
Can't Pass 6 and 7
Article looks promising but it doesn't work... Step 6 and Step 7 give me an error when loading the SharePoint Central Admin page and the Intranet site. Are we supposed to change the domain.com to our server name or server hostname?
Thanks!
Thanks for the article vimal. Learnt a lot from it! Cheers!!!