How to configure Forms Based Authentication – Active Directory (LdapMembership)


 

Enable Forms Based Authentication

This process can be broadly divided into 3 sections:

 

  • Extend the SharePoint Web Application (or create a new SharePoint Web Application)
  • Make entries in the web.config
  • Configure forms authentication in central administration

 

Extend the SharePoint Web Application

We have a SharePoint site on port 80 which uses NTLM authentication. For our purposes, we will extend the SharePoint Web Application to port 8080 and configure Forms Authentication on that extended zone.

(Note: make sure the port you choose for the extension is not already in use.)

 

  • Go to Central Administration > Application Management > Create or Extend Web Application > Extend an existing Web application
  • Select a Web Application by clicking on "No selection" and choosing the appropriate Web Application
  • Type in the correct port, i.e. 8080 in our case
  • Make sure “Allow Anonymous” is set to Yes (so that users can at least browse to the Forms login page)
  • Make a note of the Zone being used (choose Intranet if available), verify that the Load Balanced URL looks okay (i.e. http://servername:8080 in our case) and click OK

 

Make Entries in the Web.Config

As a first step to enable forms authentication, you need to make entries in the web.config file of the “SharePoint Central Administration Web application” and of the “SharePoint Web application” on which you wish to use Forms Authentication (it can be a new SharePoint Web Application or an Extended Web Application).

 

Have the following information handy for your environment:

server="DC.Contoso.com"

DC is the server running Active Directory and will service all LDAP requests for the SSP. (Change this to the Domain Controller you want SharePoint to use.)

port="389"

The default LDAP port is 389. (This generally does not need to be changed unless you are using a custom LDAP port.)

userContainer="OU=OrgUsers,DC=contoso,DC=com"

User objects in Active Directory are located inside the OrgUsers OU in the contoso.com domain. (Change this to the OU where the users who need to access SharePoint through Forms Authentication are stored.)

groupContainer="OU=OrgGroups,DC=contoso,DC=com"

Groups in Active Directory are located inside the OrgGroups OU in the contoso.com domain. (Change this to the OU where your groups are stored.)

 

Complete the following steps on all SharePoint Web Front End servers.

I personally recommend copying the following excerpts into MS Word, updating the values that need to change (shown in red in the original: server, port, userContainer and groupContainer) and pasting them into the appropriate section of the web.config file. Make sure the editor keeps the straight quotes: curly “smart” quotes are not valid XML and will break the web.config.

 

  • Locate the web.config file used by the SharePoint Central Administration website
  • Take a backup of the web.config file by saving it under a different name
  • Open the web.config file of the Central Administration website in Notepad
  • Paste the copied text under the <system.web> root section of the web.config file. The text you paste should look like the excerpt below; the server, port and container values (highlighted in red in the original) are the ones to change according to the table you prepared above:

 

<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=OrgUsers,DC=contoso,DC=com"
         userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         groupContainer="OU=OrgGroups,DC=contoso,DC=com"
         groupNameAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         scope="Subtree" />
  </providers>
</roleManager>

 

  • Save the web.config file and exit Notepad
  • Now, locate the web.config file used by the extended SharePoint Web Application website (i.e. the site on port 8080 in our case)
  • Take a backup of the web.config file by saving it under a different name
  • Paste the copied text under the <system.web> root section of the web.config file. The text you paste should look like the excerpt below; the server, port and container values (highlighted in red in the original) are the ones to change according to the table you prepared above:

 

<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=OrgUsers,DC=contoso,DC=com"
         userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         groupContainer="OU=OrgGroups,DC=contoso,DC=com"
         groupNameAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         scope="Subtree" />
  </providers>
</roleManager>

 

  • Save the web.config file and exit Notepad
  • Open a command prompt window and run IISRESET (run IISRESET on every other Web Front End as well if there is more than one web server)
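Before restarting IIS, it is worth checking the pasted excerpt, because a web.config that does not parse takes Central Administration down with it. The script below is an added example, not code from the post or from SharePoint: it lints a fragment like the two excerpts above for the usual paste errors (curly quotes from Word, an unterminated attribute value, an editor-written BOM, a defaultProvider that names no configured provider) and warns when useSSL is false, since the provider then talks plain LDAP on port 389 with no TLS protecting the connection. The sample fragments are constructed; the class names and attributes are the ones used in the excerpts.

```python
"""Lint a <membership>/<roleManager> excerpt before it goes into a SharePoint
web.config. Added example, not code from the post or from SharePoint: it flags
the paste mistakes that most often break Central Admin, plus unencrypted LDAP."""
import re
import xml.etree.ElementTree as ET

REQUIRED = {  # attributes each provider must carry, from the excerpts in the post
    "membership": {"name", "type", "server", "port", "userContainer",
                   "userNameAttribute", "userDNAttribute", "userFilter"},
    "roleManager": {"name", "type", "server", "port", "groupContainer",
                    "groupNameAttribute", "groupMemberAttribute", "groupFilter"},
}
SMART_QUOTES = re.compile("[\u201c\u201d]")


def lint_fragment(text):
    """Return the problems found in a web.config fragment (empty list = OK)."""
    problems = []
    if text.startswith("\ufeff"):  # BOM written by some editors (see comment 30)
        problems.append("fragment starts with a UTF-8 BOM; re-save it without one")
        text = text.lstrip("\ufeff")
    if SMART_QUOTES.search(text):  # curly quotes from Word are not XML quotes
        problems.append('smart quotes present; replace them with straight " quotes')
        text = SMART_QUOTES.sub('"', text)
    try:
        root = ET.fromstring(f"<root>{text}</root>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML (unterminated attribute?): {exc}")
        return problems
    for section, required in REQUIRED.items():
        node = root.find(section)
        if node is None:
            problems.append(f"<{section}> section missing")
            continue
        adds = node.findall("providers/add")
        default = node.get("defaultProvider")
        # Central Admin keeps the built-in AspNetWindowsTokenRoleProvider as its default.
        builtin = section == "roleManager" and default == "AspNetWindowsTokenRoleProvider"
        if not builtin and default not in {a.get("name") for a in adds}:
            problems.append(f"{section}: defaultProvider {default!r} names no configured provider")
        for add in adds:
            label = f"{section}/{add.get('name')}"
            missing = sorted(required - set(add.attrib))
            if missing:
                problems.append(f"{label}: missing {', '.join(missing)}")
            if add.get("useSSL", "false").lower() != "true":
                problems.append(f"{label}: useSSL is not true; the LDAP connection is not TLS-protected")
    return problems


# Constructed sample: the web application excerpt from the post, but using LDAPS.
CLEAN = """
<membership defaultProvider="LdapMembership"><providers>
 <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server"
  server="DC.Contoso.com" port="636" useSSL="true" userDNAttribute="distinguishedName"
  userNameAttribute="sAMAccountName" userContainer="OU=OrgUsers,DC=contoso,DC=com"
  userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" />
</providers></membership>
<roleManager defaultProvider="LdapRole" enabled="true"><providers>
 <add name="LdapRole" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server"
  server="DC.Contoso.com" port="636" useSSL="true" groupContainer="OU=OrgGroups,DC=contoso,DC=com"
  groupNameAttribute="cn" groupMemberAttribute="member" groupFilter="(ObjectClass=group)" />
</providers></roleManager>
"""
# Constructed sample: the same text pasted from Word (curly quotes, closing quote after DC.Contoso.com lost).
PASTED = CLEAN.replace('"', "\u201d").replace("DC.Contoso.com\u201d", "DC.Contoso.com")
```

Run `lint_fragment` on the text you are about to paste; an empty list means it is safe to save and IISRESET.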

 

 

Configure Forms-Based Authentication in Central Administration

  • Go to Central Administration > Application Management > Authentication Providers
  • Ensure you select SharePoint in the Web Application drop-down
  • Click on the zone you noted down earlier (Intranet by default)
  • Choose Forms under the Authentication Type section and make sure “Enable anonymous access” is checked
  • Type LdapMembership in the Membership Provider Name box
  • Type the name of the LDAP role provider, LdapRole, in the Role Manager Name text box

Comments (41)

  1. Anonymous says:

    @Prerona: After the first set of changes, if Central Admin is inaccessible, that means some potentially incorrect changes were made in web.config. Please revert to the backup of web.config and start again. Note: I cannot see a screenshot of the query which you meant to put.

  2. Anonymous says:

    Hi Satish,

    You need to modify both Central Admin web.config and Web Application web.config in order to configure forms authentication.

    Users in Windows Authentication and users in Forms Authentication are considered different and unique, so the first time you configure Forms Authentication none of the users has access to login to the SharePoint site using Forms Authentication, and that's why you need to add at least 1 user thru Policy for Web App (or change one of the site collection Admins) and then login with that user and manage permissions for other users…

    I recommend following the blog step-by-step and you should be able to get it right. Making correct changes in the web.config is the key to Forms Auth.

    You can read more at –

    http://technet.microsoft.com/en-us/library/cc288043.aspx

    Also, if you need to implement different type of Forms Auth then this one, samples available at

    http://technet.microsoft.com/en-us/library/cc288259.aspx

    HTH.

    Regards,

    Nishant

  3. Anonymous says:

    @ mcpsspa: You would need to have the User accounts under a single OU which needs to use LdapMembershipProvider. Our scenario here is limited to having one OU for users and one OU for Groups. It's fine even if you don't extend the application and just want to make use of LdapMembership entirely to avoid Windows Authentication.

  4. Anonymous says:

    @Prerona: As you mentioned you extended this site, I assume you have a custom solution by Nintex for workflows which is not activated for the extended web application and hence this error?

  5. Anonymous says:

    @Sravan: I just changed most of the steps today to make it even more clear, you should add only a user in Authentication Providers and add the other users / groups after logging in with the user which you added in Auth Providers. HTH.

    @ Adrian: Not sure if I understand your question correctly, but the steps are similar for IIS 7 as well, although the IIS 7 interface is different; however, we are not making any IIS site level changes so that shouldn't matter. If this doesn't answer your question, please re-post the question with more clarity.

  6. Anonymous says:

    @Sohaib: I just changed most of the steps today to make it even more clear. Pls go thru the blog again and let me know if you are able to 1) Find the Ldap user in CA 2) Login to FBA site

    @Onions: Answered Sravan's query above, pls refer.

    @Nutan: By the looks of string you provided, I think you're trying to configure ADMembership Provider (generally used for WSS) however this blog talks about LdapMembership Provider (which is a better option if you have MOSS as ADMembership cannot make use of LdapRole).

  7. Anonymous says:

    @Ganesh: Please look at
    http://msdn.microsoft.com/en-us/library/office/bb975135(v=office.12).aspx

  8. Anonymous says:

    Hello Vivek,

    Central Admin would not stop working unless there is an error in web.config changes (for Central Admin). Please verify the same and ensure there are no errors.

    Microsoft.Office.Server.Security.LDAPMembershipProvider is a class defined in Microsoft.office.server.dll

    Ref:
    msdn.microsoft.com/…/microsoft.office.server.security.ldapmembershipprovider%28v=office.12%29.aspx

  9. Anonymous says:

    @Suchak: See the above comment to Tim. (Could you check Alternate Access Mappings and ensure you are browsing to one of the servers where you have Web Application Service running?)

  10. Anonymous says:

    @Ganesh: Please verify your web.config changes for Central Admin

  11. Anonymous says:

    @Syed: Yes, this is an old blog post meant for SP 2007 🙂

  12. Anonymous says:

    Hi Vivek,

    Correct. Microsoft.Office.Server assembly is only available in MOSS and not in WSS.

    You may want to use ADMembershipProvider instead.

    Ref:
    technet.microsoft.com/…/cc262069(office.12).aspx

    Note: AFAIK, you’ll not be able to use LdapMembershipProvider for WSS as RoleManager cannot be configured on WSS (and hence you can't use groups and you must add users directly)

  13. Anonymous says:

    @Tim: Could you check Alternate Access Mappings and ensure you are browsing to one of the servers where you have Web Application Service running?

  14. Anonymous says:

    Dear Nishant,

    I followed your post on FBA (Ldap) in MOSS 2007. I am able to proceed up to the login screen, but here I am not able to login.

    Also, users are not listing in the people picker. Please help me, I got stuck here only.

  15. Anonymous says:

    Thanks Nishant, it's working now 🙂

  16. Anonymous says:

    Hi Simran,

    I think you’re missing out on correct configuration entries in the web.config files. Have you added the above entries (after making relevant changes according to your domain and OU) to both Central Admin & Web Application’s web.config?

    Regards,

    Nishant

  17. Tuy Vu says:

    Thank you so much for your code. I have searched wide and far and apparently your documentation/code was clear and precise and well, it works!

  18. SATISH says:

    You mentioned the central admin default website also has to be modified to Forms authentication; I did not see any provision for that.

    I changed the central admin web.config and also the application web.config to point to the right LDAP.

    But one thing I did not get is what is this spsadmin account you mentioned in the end?

    I was not able to get the login screen after I changed the central admin web.config alone and the application web.config change and authentication to Forms.

    Please advise if you can

  19. Simran says:

    Hi Nishant,

    I have made the required changes to both the web.config files in central administration site and application site. I am able to see the forms authentication form as well but when I go to Policy for Web Application -> Add Users, I get the form to add users but I am not able to find any of the users in my domain. Not sure if you have seen this before or if I am missing out something.

    Would really appreciate your help on this.

    thanks

  20. Sravan says:

    I have configured FBA properly and it works. In the 10th step (policy for web application) of your article, instead of having one user (admin) I have a bunch of users who are administrators. I have created a security group in AD and it holds all the users. When I add that particular AD group in the 10th step that you mentioned, I am getting an “access denied” error. What do you think might be the problem? Instead of the AD Group, if I add an AD User it works fine. Any help would be greatly appreciated. My email id is sravankasyapk@gmail.com

  21. Adrian Blackshire says:

    I was wondering how I can correctly configure a web configuration file so that all applications are accepted within Microsoft IIS7?

  22. Sohaib Khan says:

    Hi Nishant,

    I've done all the steps without any issue but still I am not able to login to the FBA enabled site.

    Any idea ?

    Thanks,

    Sohaib

  23. Onions says:

    Got this working with (attributeMapUsername="sAMAccountName" ) for both central admin & internet site. However I got the same issue as sravan has. The site lets you login, when we add individual AD users in the policy for web application. Does not work for AD groups. Should be a setting in the membership provider

  24. Nutan says:

    Hi Nishant,

    I read your article and made all the changes. I have the LDAP path that looks like this..

    LDAP://infinmumcfac.inf.com OU=Infotech,DC=inf,DC=com

    I am also able to see the forms authentication form as well but when I go to Policy for Web Application -> Add Users, I get the form to add users but I am not able to find any of the users in my domain

    I could not fit this into the sample entry provided by you. Could you please modify your text as per these entries and reply me. Please.

    Thanks..Nutan

  25. mcpsspa says:

    Nishant, Can you tell me how this can be applied to the situation where the membership provider needs to see AD built in service accounts (farm account for CA) as well as a specific security group and the AD Users object?  I can't seem to get this to see all of those at the same time in order to specify the primary and secondary site collection admins.  Note I did not extend an existing application as you specified.  My goal is to simply eliminate the Windows security dialog for our users.  — Thanks!

  26. Tim Wagner says:

    Nishant, great guide. I am having an issue with the FBA site. I can add a user with Full Control and as a Site Collection Admin, and they resolve as ldapmembership:username, but when I go to log in, I just keep getting the login page. I don't even get an Access Denied page. Any thoughts?

    Thanks!

  27. Abhishek Saigal says:

    Excellent! I was searching my old data to get the steps and suddenly it stuck my mind that my dear friend has already created a blog then why should I waste my time.

    Thanks dude for such clear and precise blog!

  28. Suchak says:

    Hey Nishant,

    People picker is working but I am not able to log in to the FBA sites. Checked all the web.config entries. Not sure what's going on. Any thoughts?

  29. Vivek says:

    Hi Nishant,

    I have followed your documents and made all the necessary changes to enable Active Directory Authentication for my Share Point Site.

    But once I made all these changes my Central Administration stopped working.

    I don't think I have this provider in my system.

    "Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"

    Is there any way I can check if this provider exists in my system or network?

    Thanks,

    Vivek

  30. Vivek says:

    Hi Nishant,

    Thanks for replying so quickly to my post. I found out that there were some special characters at the start of the web.config files, and it was because I used Visual Studio to change them. I used Notepad/UltraEdit to make these changes again but now I am getting this error.

    Could not load file or assembly 'Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' or one of its dependencies. The system cannot find the file specified.

    Is it because I am using WSS 3.0 not MOSS?

    Thanks,

    Vivek

  31. ganesh says:

    Dear Nishant,

    As per the code you mentioned here, I am getting the log-in page, but after that I am not able to login with any user.

    Please can you help me out and provide your email address so that I can explain my problem in FBA. My email address is ganesh.deshmukh@ecocert.com.

    Thank you,

    ganesh

  32. Ryan Hilliker says:

    Thanks! This really helped us, excellent work.

  33. Prerona guha says:

    Hi Nishant,

    I have done all the necessary changes as done by you. But after doing the changes I am not able to access Central admin to do the changes in Policy for web applications. Kindly suggest what needs to be done. My query looks like this

  34. Prerona Guha says:

    Thanks a ton 🙂 I am able to add users now from Ldapmembership. But while trying to login to the extended site page, getting error – Error: Failure in loading assembly: Nintex.Workflow.ServerControls, Version=1.0.0.0, Culture=neutral, PublicKeyToken=913f6bae0ca5ae12. Any idea?

  35. Syed Yahya says:

    A bit too late as we have already moved to 2013, but this is a very valuable lesson for me. Good writing and explanation. Thanks a zillion!

  36. Ganesh says:

    Dear Nishant, Can you guide me on how to change default login page with customized page with minimum coding. I just want to add logo on login page but I am not able to edit the login page.

  37. Atul says:

    Hi Nishant, nice post.
    One question – is it possible to authenticate users on SP if this user exist in Active Directory Group? I am not adding or giving permission to user directly on the SP Site, instead would like to give permission to an AD Group. Would it work? Please advise.

  38. Sjm says:

    Hi, if I have users across several OUs, how do I add them?

  39. @Atul: Yes, via LdapRole. Contoso\GroupA and LdapRole:GroupA are different, so you will still need to login using LdapMembership:Administrator and then add LdapRole:GroupA as Reader / Contributor. After this you should be able to login via a group member using FBA

  40. Roby says:

    Hello Nishant –

    Thanks for the writeup. It really helped.

    A question to you –
    Is it possible to setup FBA in a way that SharePoint treats the FBA User as the same Domain User (NTLM/Kerberos), once logged in?

    I have a setup where the users who already have access to the Web App in NTLM/Kerberos Mode of Authentication need to get access to the FBA extended Web App (which connects to the same AD Domain, using LDAP, as you mentioned in your article), without adding them again using their FBA Accounts.

    For example, since domainUser1, already has Site Owner rights to a Site, within the Web App, I want to prevent adding membership:User1, to the Owners group, when mapping to a FBA Extended Web App.

    Is there anyway around this?

    Please help. Thank you.

  41. @Roby: Not as far as I know. DomainUser is NOT equal to LdapMembership:User because the AuthN methods are different, hence AuthZ cannot consider them the same users.