
Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010


Using an LDAP provider with forms based authentication means that users log in with their Windows (Active Directory) account. Because forms based authentication is used they do not get the usual browser authentication popup; instead they enter their credentials on a sign-in page.
How to set up forms based authentication while using an LDAP provider?
When you create the web application:-
1) Select Claims Based Authentication and, under Identity Providers:-
* Check the Enable Windows Authentication box, or you won’t be able to crawl the site
* Check the Enable ASP.NET Membership and Role Provider checkbox
– In the Membership provider name edit box, type LdapMember.
– In the Role provider name edit box, type LdapRole.

2) Create a new site collection.
3) Adjust the web.config of the Central Administration site:-
* Open the Central Administration site’s web.config file
* Find the <system.web> section and add the following entries inside it

<membership>
   <providers>
      <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="SERVER NAME"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=sharepoint,DC=com"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="SERVER NAME"
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="sAMAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
   </providers>
</roleManager>

Note:
The user and group containers are the containers in AD where the users and groups you want to use for authentication reside. To find the distinguished name of a container:-
• Go to the domain controller
• Open Active Directory Users and Computers
• Select a user or a group in the container
• Right click and select All Tasks => Resultant Set Of Policy (Planning)
• Click the browse button next to Container and select the container
• This will give you the path (distinguished name) of the container
Replace SERVER NAME with the name of a domain controller, with no spaces inside the quotes. port="389" together with useSSL="false" means the provider’s LDAP traffic to the domain controller is not protected by TLS; that is acceptable in a lab, but in production use LDAPS (useSSL="true" and port="636").
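Before putting the values into web.config it is worth running the same lookups the LdapMembershipProvider and LdapRoleProvider will run, so that a wrong container DN, filter or attribute fails here rather than at the sign-in page. The script below is an added example and is not part of the original post or of SharePoint; it uses System.DirectoryServices directly, mirrors the userContainer, groupContainer, userFilter, groupFilter and attribute names from the web.config above, and assumes a domain-joined machine and an account that can read the directory. The server name, container DNs and the test login (jdoe) are placeholders.

```powershell
# Added example (not from the original post): reproduce the membership and role
# provider lookups with the web.config values, so mistakes show up before FBA is enabled.
# Server, containers and the test login are placeholders; run on a domain-joined
# machine as an account that can read the directory.
param(
    [string]$Server         = 'SERVER NAME',
    [string]$UserContainer  = 'OU=SPUsers,DC=sharepoint,DC=com',   # userContainer
    [string]$GroupContainer = 'OU=SPUsers,DC=sharepoint,DC=com',   # groupContainer
    [string]$UserName       = 'jdoe',                              # sAMAccountName to test (assumed)
    [switch]$UseSSL                                                # mirrors useSSL="true" / port 636
)
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping. The login name typed at the sign-in page ends up inside
    # the provider's search filter, so never concatenate it into a filter raw.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-LdapEntry([string]$Path, [switch]$UseSSL) {
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($UseSSL) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
    # null user name / password: bind as the account running the script
    New-Object System.DirectoryServices.DirectoryEntry($Path, $null, $null, $auth)
}

$port = if ($UseSSL) { 636 } else { 389 }

# 1. The containers: a successful bind confirms the DN values for userContainer / groupContainer
$userRoot  = Get-LdapEntry -Path "LDAP://${Server}:${port}/${UserContainer}"  -UseSSL:$UseSSL
$groupRoot = Get-LdapEntry -Path "LDAP://${Server}:${port}/${GroupContainer}" -UseSSL:$UseSSL
foreach ($entry in $userRoot, $groupRoot) {
    try   { $null = $entry.NativeObject; "Container OK: $($entry.distinguishedName)" }
    catch { throw "Cannot bind to $($entry.Path): $($_.Exception.Message)" }
}

# 2. Membership provider lookup: userFilter AND userNameAttribute = login, scope Subtree
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($userRoot)
$userSearch.Filter      = "(&(objectClass=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $UserName)))"
$userSearch.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
[void]$userSearch.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'sn', 'givenName', 'cn'))
$user = $userSearch.FindOne()
if (-not $user) { throw "No user '$UserName' under $UserContainer matches the filter" }
$userDn = [string]$user.Properties['distinguishedname'][0]     # what userDNAttribute returns
"User DN: $userDn"
foreach ($attr in 'sn', 'givenname', 'cn') {                    # otherRequiredUserAttributes
    if (-not $user.Properties.Contains($attr)) { Write-Warning "'$attr' is not set on $userDn" }
}

# 3. Role provider lookup: groupFilter AND groupMemberAttribute = user DN; the role name is groupNameAttribute (cn)
$groupSearch = New-Object System.DirectoryServices.DirectorySearcher($groupRoot)
$groupSearch.Filter      = "(&(objectClass=group)(member=$(ConvertTo-LdapFilterValue $userDn)))"
$groupSearch.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
[void]$groupSearch.PropertiesToLoad.Add('cn')
$roles = @($groupSearch.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] })
"Roles for ${UserName}: $(if ($roles) { $roles -join ', ' } else { '(none under ' + $GroupContainer + ')' })"
```

Save it under any name (for instance Test-LdapProvider.ps1, a name chosen here) and run it as .\Test-LdapProvider.ps1 -Server dc01.sharepoint.com -UserName jdoe, adding -UseSSL once the provider is configured for LDAPS. If the user is found but no roles are listed, the groups live outside groupContainer or the member attribute does not hold the user’s DN, which is exactly what the role provider would see.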
4) Check that the <membership> and <roleManager> entries exist only once in the file. Delete any duplicate entries.
5) Edit the <PeoplePickerWildcards> entry so that it contains

   <clear />
   <add key="AspNetSqlMembershipProvider" value="%" />
   <add key="LdapMember" value="*" />
   <add key="LdapRole" value="*" />

6) Adjust the web.config of the Security Token Service (STS) virtual directory:-
* Open the Security Token Service (STS) virtual directory’s web.config file
* Add an opening <system.web> entry for a new section
* Add the following directly below it

<membership>
   <providers>
      <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="SERVER NAME"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=sharepoint,DC=com"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>

<roleManager enabled="true">
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="SERVER NAME"
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="sAMAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
   </providers>
</roleManager>

* Close the new section with a </system.web> entry directly below it

7) Adjust the web.config of the claims based web application:-
* Locate the <providers> entry under <membership>
* Add the following XML directly below it

<add name="LdapMember"
   type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
   server="SERVER NAME"
   port="389"
   useSSL="false"
   userDNAttribute="distinguishedName"
   userNameAttribute="sAMAccountName"
   userContainer="OU=SPUsers,DC=sharepoint,DC=com"
   userObjectClass="person"
   userFilter="(ObjectClass=person)"
   otherRequiredUserAttributes="sn,givenname,cn" />

* Locate the <providers> entry under <roleManager> and add the following XML directly below it

<add name="LdapRole"
   type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
   server="SERVER NAME"
   port="389"
   useSSL="false"
   groupContainer="OU=SPUsers,DC=sharepoint,DC=com"
   groupNameAttribute="cn"
   groupNameAlternateSearchAttribute="sAMAccountName"
   groupMemberAttribute="member"
   userNameAttribute="sAMAccountName"
   dnAttribute="distinguishedName"
   groupFilter="(ObjectClass=group)"
   userFilter="(ObjectClass=person)"
   scope="Subtree" />

8) Edit the <PeoplePickerWildcards> entry so that it contains

   <clear />
   <add key="AspNetSqlMembershipProvider" value="%" />
   <add key="LdapMember" value="*" />
   <add key="LdapRole" value="*" />

9) Add a user policy to the web application
* Go to Central Administration
* Go to Application Management
* Click on Manage Web Applications
* Select the claims based web application
* Click on User Policy
* Click on the Add Users link
* Click the Next button
* Click the Address Book icon
* Type in the NT login name or account name and click the search button. If it’s working correctly you should see at least two entries for the account: one for the user’s Active Directory (Windows) account, and one for the same account found through the LDAP provider
* Select the account in the User section (the entry found by the LDAP provider, if you want to test the forms sign-in) and click the Add button
* Click the OK button
* Check the Full Control checkbox, and then click the Finish button. A Full Control user policy applies to every site collection in the web application, so use it only to verify the sign-in and replace it with a narrower permission afterwards.
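Steps 3 to 8 touch three web.config files by hand, and the mistakes the post warns about (a second <membership> or <roleManager> block, a provider or people-picker entry missing in one of the files, a stray space inside the server name) only surface as a failed sign-in or an empty people picker. The script below is an added example, not part of the original post or of SharePoint: it loads each web.config as XML and reports those problems, plus the lab-only useSSL="false" setting. The provider names default to LdapMember and LdapRole as above; the file paths are yours to supply, and when none are given it runs against a constructed sample web.config that deliberately contains several of the mistakes.

```powershell
# Added example (not from the original post): check web.config files after steps 3-8.
# Paths, provider names and the constructed sample below are assumptions.
param(
    [string[]]$WebConfigPaths,                   # Central Admin, STS and web application web.config
    [string]$MembershipProvider = 'LdapMember',
    [string]$RoleProvider = 'LdapRole'
)

function Test-LdapProviderConfig {
    param([string]$Path, [string]$MembershipProvider, [string]$RoleProvider)
    $findings = New-Object System.Collections.Generic.List[string]
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)

    # Step 4: <membership> and <roleManager> must appear exactly once under <system.web>
    foreach ($el in 'membership', 'roleManager') {
        $n = $xml.SelectNodes("//system.web/$el").Count
        if ($n -ne 1) { $findings.Add("<$el> appears $n times under <system.web>, expected 1") }
    }

    $mp = $xml.SelectSingleNode("//membership/providers/add[@name='$MembershipProvider']")
    $rp = $xml.SelectSingleNode("//roleManager/providers/add[@name='$RoleProvider']")
    if (-not $mp) { $findings.Add("membership provider '$MembershipProvider' is not defined") }
    if (-not $rp) { $findings.Add("role provider '$RoleProvider' is not defined") }

    foreach ($p in @($mp, $rp)) {
        if (-not $p) { continue }
        # GetAttribute: on an XmlElement, $p.name would return the element name "add", not the attribute
        $name = $p.GetAttribute('name'); $ssl = $p.GetAttribute('useSSL')
        $prt  = $p.GetAttribute('port'); $srv = $p.GetAttribute('server')
        # Both providers talk to the directory with these values; 389 without SSL is not TLS-protected
        if ($ssl -ne 'true' -or $prt -ne '636') {
            $findings.Add("${name}: useSSL=$ssl port=$prt; use LDAPS (useSSL=`"true`", port 636) outside a lab")
        }
        if ($srv -ne $srv.Trim()) { $findings.Add("${name}: server='$srv' has leading/trailing whitespace") }
    }

    # Steps 5 and 8: only Central Administration and the web application have this section
    if ($xml.SelectSingleNode('//PeoplePickerWildcards')) {
        foreach ($key in $MembershipProvider, $RoleProvider) {
            if (-not $xml.SelectSingleNode("//PeoplePickerWildcards/add[@key='$key']")) {
                $findings.Add("<PeoplePickerWildcards> has no entry for '$key'")
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings.ToArray() }
}

if (-not $WebConfigPaths) {
    # No paths given: use a constructed sample that contains a duplicate <roleManager>,
    # a space in the server name and a missing LdapRole wildcard, to show what findings look like.
    $sample = Join-Path $env:TEMP 'sample-web.config'
    @'
<configuration>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="LdapMember" value="*" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <membership>
      <providers>
        <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
             server=" dc01.sharepoint.com" port="389" useSSL="false" userContainer="OU=SPUsers,DC=sharepoint,DC=com" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
             server="dc01.sharepoint.com" port="389" useSSL="false" groupContainer="OU=SPUsers,DC=sharepoint,DC=com" />
      </providers>
    </roleManager>
    <roleManager enabled="true" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
    $WebConfigPaths = @($sample)
}

foreach ($path in $WebConfigPaths) {
    $result = Test-LdapProviderConfig -Path $path -MembershipProvider $MembershipProvider -RoleProvider $RoleProvider
    "== $($result.Path)"
    if ($result.Findings.Count -eq 0) { '   OK' } else { $result.Findings | ForEach-Object { "   ! $_" } }
}
```

Run it against the real files with -WebConfigPaths pointing at the Central Administration, STS and web application web.config files (the STS file has no <PeoplePickerWildcards> section, so that check is skipped for it). Every finding maps to one of the numbered steps above; a clean run for all three files is a good point at which to try step 9.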

