How to configure Forms Based Authentication – Active Directory (LdapMembership)


Enable Forms Based Authentication

This process can be broadly divided into 3 sections:


  • Extend the SharePoint Web Application (or create a new SharePoint Web Application)
  • Make entries in the web.config
  • Configure forms authentication in central administration


Extend the SharePoint Web Application

We have a SharePoint site on port 80 which uses NTLM authentication. For our purposes, we will extend the SharePoint Web Application to port 8080, on which we will configure Forms Authentication.

(Note: Make sure the port you choose to extend is not already used)


  • Go to Central Administration > Application Management > Create or Extend Web Application > Extend an existing Web application
  • Select a Web Application by clicking on "No Selection" and choosing the appropriate Web Application
  • Type in the correct Port, i.e. 8080 in our case
  • Make sure "Allow Anonymous" is set to Yes (so that users can at least reach the Forms login page)
  • Make a note of the Zone being used (choose Intranet if available), verify the Load Balanced URL looks okay (i.e. https://servername:8080 in our case) and click OK


Make Entries in the Web.Config

As a first step to enable forms authentication, you need to make entries in the web.config file of the "SharePoint Central Administration Web application" and of the "SharePoint Web application" for which you wish to use Forms Authentication (it can be a new SharePoint Web Application or an Extended Web Application).


Have the following information for your environment handy:


server="DC.Contoso.com"

DC is the server running Active Directory. DC will service all LDAP requests for the SSP. (This needs to be changed to the name of the Domain Controller you want SharePoint to use.)

port="389"

The default port number used by LDAP is 389. (Generally this doesn’t need to be changed unless you’re using a custom LDAP port)

userContainer="OU=OrgUsers,DC=contoso,DC=com"

User objects in Active Directory are located inside the OrgUsers OU in the contoso.com domain. (This needs to be changed to the container where the users who need to access SharePoint through Forms Authentication are stored.)

groupContainer="OU=OrgGroups,DC=contoso,DC=com"

Groups in Active Directory are located inside the OrgGroups OU in the contoso.com domain (This needs to be changed according to where your Groups are stored)


Complete the following steps on the SharePoint server(s) (all Web Front End Servers).

I personally recommend copying the following excerpts into MS Word, updating the environment-specific values (shown in red in the original, i.e. server, port, userContainer and groupContainer) and pasting them into the appropriate section of the web.config file.


  • Locate the web.config file used by the SharePoint Central Administration website
  • Take a backup of the web.config file by saving it under a different name
  • Open the web.config file of the Central Administration Web site in Notepad
  • Paste the copied text under the <system.web> root section in the web.config file. The text you paste should look like the excerpt below. The parameters highlighted in red in the original (server, port, userContainer, groupContainer) are the ones which should be changed according to the values prepared in the table above:


<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=OrgUsers,DC=contoso,DC=com"
         userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         groupContainer="OU=OrgGroups,DC=contoso,DC=com"
         groupNameAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         scope="Subtree" />
  </providers>
</roleManager>


  • Save the web.config file and exit Notepad
  • Now, locate the web.config file used by the extended SharePoint Web Application website (i.e. the site on port 8080 in our case)
  • Take a backup of the web.config file by saving it under a different name
  • Paste the copied text under the <system.web> root section in the web.config file. The text you paste should look like the excerpt below. The parameters highlighted in red in the original (server, port, userContainer, groupContainer) are the ones which should be changed according to the values prepared in the table above:


<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=OrgUsers,DC=contoso,DC=com"
         userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DC.Contoso.com"
         port="389"
         useSSL="false"
         groupContainer="OU=OrgGroups,DC=contoso,DC=com"
         groupNameAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         scope="Subtree" />
  </providers>
</roleManager>


  • Save the web.config file and exit Notepad
  • Open a command prompt window and run IISRESET (run IISRESET on all other Web Front Ends as well if there is more than one web server)
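The two web.config edits above are easy to get subtly wrong: the placeholder DC name is left in place, a container is typed as something other than a DN, the roleManager default is copied from the wrong excerpt (Central Administration keeps AspNetWindowsTokenRoleProvider, the extended application switches to LdapRole), or the LDAP channel to the domain controller is left on port 389 with useSSL="false", which means the directory traffic between the Web Front End and the DC is not TLS-protected. The checker below is an added example, not code from the original article or from SharePoint; it uses only the Python standard library, embeds the Central Administration excerpt as a constructed sample, and the function name check_web_config, its finding strings and the hostname dc01.example.com used in the usage note are this example's own.

```python
"""Sanity-check the LdapMembership / LdapRole entries pasted into a SharePoint web.config.

Added example (not from the article or from SharePoint). Run it on a Web Front End as
`python check_fba_config.py <path-to-web.config> [central|extended]`, or with no
arguments to check the embedded sample.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the Central Administration excerpt from the article, wrapped in
# the <configuration>/<system.web> elements it is pasted under so it parses on its own.
SAMPLE_CENTRAL_ADMIN = """<configuration><system.web>
<membership defaultProvider="LdapMembership"><providers>
  <add name="LdapMembership"
       type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
       server="DC.Contoso.com" port="389" useSSL="false"
       userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
       userContainer="OU=OrgUsers,DC=contoso,DC=com" userObjectClass="person"
       userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree"
       otherRequiredUserAttributes="sn,givenname,cn" />
</providers></membership>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole"><providers>
  <add name="LdapRole"
       type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
       server="DC.Contoso.com" port="389" useSSL="false"
       groupContainer="OU=OrgGroups,DC=contoso,DC=com" groupNameAttribute="cn"
       groupMemberAttribute="member" userNameAttribute="sAMAccountName"
       dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
</providers></roleManager>
</system.web></configuration>"""

# roleManager defaultProvider the article prescribes for each of the two web.config files.
EXPECTED_ROLE_DEFAULT = {"central": "AspNetWindowsTokenRoleProvider", "extended": "LdapRole"}
SAMPLE_SERVER = "dc.contoso.com"  # the article's placeholder; it must be replaced

# (section, provider name, container attribute, attributes that must be present)
PROVIDERS = (
    ("membership", "LdapMembership", "userContainer",
     ("server", "port", "userContainer", "userNameAttribute", "userDNAttribute")),
    ("roleManager", "LdapRole", "groupContainer",
     ("server", "port", "groupContainer", "groupNameAttribute", "groupMemberAttribute")),
)


def is_dn(value):
    """Loose DN syntax check: every comma-separated RDN must be attr=value."""
    return all("=" in rdn and rdn.split("=", 1)[0].strip() for rdn in value.split(","))


def check_web_config(xml_text, which):
    """Return a list of findings (empty when the entries look right).

    which is "central" or "extended" and selects the roleManager default the
    article prescribes for that file.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop a default xmlns, if the file declares one, so paths match
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    findings = []
    membership = root.find("./system.web/membership")
    if membership is None or membership.get("defaultProvider") != "LdapMembership":
        findings.append("membership defaultProvider is not LdapMembership")
    role_mgr = root.find("./system.web/roleManager")
    want = EXPECTED_ROLE_DEFAULT[which]
    if role_mgr is None or role_mgr.get("defaultProvider") != want:
        findings.append(f"roleManager defaultProvider should be {want} in the {which} web.config")
    for section, name, container_attr, required in PROVIDERS:
        add = root.find(f"./system.web/{section}/providers/add[@name='{name}']")
        if add is None:
            findings.append(f"{section}: provider {name} is missing")
            continue
        for attr in required:
            if not add.get(attr):
                findings.append(f"{name}: attribute {attr} is missing or empty")
        container = add.get(container_attr, "")
        if container and not is_dn(container):
            findings.append(f"{name}: {container_attr} is not a DN: {container}")
        if add.get("server", "").lower() == SAMPLE_SERVER:
            findings.append(f"{name}: server still has the article's placeholder value")
        # Transport: 389 with useSSL="false" leaves the LDAP channel to the DC unencrypted;
        # LDAPS is useSSL="true" on 636 (the DC needs a server certificate for that).
        port = add.get("port", "")
        if add.get("useSSL", "false").lower() != "true":
            findings.append(f"{name}: useSSL=false, LDAP traffic to {add.get('server')}:{port} is not TLS-protected")
        elif port != "636":
            findings.append(f"{name}: useSSL=true but port {port} is not the LDAPS default 636")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
        which = sys.argv[2] if len(sys.argv) > 2 else "extended"
    else:
        text, which = SAMPLE_CENTRAL_ADMIN, "central"
    for line in check_web_config(text, which) or ["no findings"]:
        print(line)
```

Run against the article's own Central Administration excerpt it reports four findings (the placeholder server and the unencrypted channel, once per provider); the same excerpt checked as the extended application's file adds a fifth for the roleManager default. Swapping in a real DC name such as dc01.example.com with useSSL="true" and port="636" clears the list, which is the state to aim for before the site goes live.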


Configure Forms-Based Authentication in Central Administration

  • Go to Central Administration > Application Management > Authentication Providers
  • Ensure you select SharePoint in the Web Application drop-down
  • Click on the zone which you noted down earlier (should be Intranet by default)
  • Choose Forms under the Authentication Type section and also make sure "Enable anonymous access" is checked
  • Type LdapMembership in the Membership Provider Name text box
  • Type in the name of the LDAP role provider as LdapRole in the Role Manager Name text box