Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010

Today I worked on configuring forms based authentication for SharePoint 2010. Using forms based authentication automatically means using claims based authentication in SharePoint 2010.
I tried using both an LDAP provider and a SQL provider. My initial goal was to get them both working in the same environment, but after a lot of hours of staring at XML in web.config files I gave up on that one. Instead I created separate environments for using LDAP and SQL providers. Because of this I will also write two separate blog posts. This one will explain how to set up forms based authentication while using an LDAP provider.
If you want to configure forms based authentication for use with a SQL provider check out my other post here.

Using an LDAP provider with forms based authentication means that users will use their Windows or AD account to log in. However, because forms based authentication will be used they don’t get the usual popup, but they will use a sign-in page to log in.

These are the steps you will need to take to set it up:

Create a new web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Click New
  • Select Claims Based Authentication
  • Identity Providers
         * Check the Enable Windows Authentication box or you won’t be able to crawl the site
         * Check the Enable ASP.NET Membership and Role Provider checkbox
              * In the Membership provider name edit box, type LdapMember
              * In the Role provider name edit box, type LdapRole



Create a new site collection

  • Go to Central Administration
  • Go to Application Management
  • Click Create site collections
  • Select the newly created web application
  • Fill in a name and select a template

Adjust the web.config of the Central Administration site

  • Open the Central Administration site's web.config file
  • Find the <system.web> entry
  • Paste the following XML directly below it
<membership>
   <providers>
      <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="389" useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
   </providers>
</roleManager>
  • In the above XML the server attribute is the name of the domain controller. The user and group containers are the containers in AD where the users and groups you want to use for authentication reside. If you don’t know the path to your container but you do have access to AD, you can find it as follows:
    • Go to the domain controller
    • Open Active Directory Users and Computers
    • Select a user or a group in the container
    • Right click and select All Tasks => Resultant Set Of Policy (Planning)
    • Click the browse button next to Container and select the container
    • This will give you the path to the container
  • Double check that the <membership> and <roleManager> entries only exist once. Delete any duplicate entries.
  • Paste the following XML below the <PeoplePickerWildcards> entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*"/>
<add key="LdapRole" value="*"/>


Adjust the web.config of the Security Token Service (STS) virtual directory

NB: you will need to make the changes to the Security Token Service virtual directory on each server hosting either Central Administration or the claims based web application

  • Open the Security Token Service (STS) virtual directory's web.config file
  • Find the </system.net> entry
  • Add a <system.web> entry directly below it
  • Paste the following XML directly below the <system.web> entry
<membership>
   <providers>
      <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
   </providers>
</membership>
<roleManager enabled="true">
   <providers>
      <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.sharepoint.com" port="389" useSSL="false"
         groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
   </providers>
</roleManager>
  • Add a </system.web> entry directly below it


Adjust the web.config of the claims based web application

  • Open the claims based web application's web.config file
  • Locate the <membership> entry
  • Paste the following XML directly below the <providers> entry
<add name="LdapMember"
   type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
   server="dc.sharepoint.com" port="389" useSSL="false"
   userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
   userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person"
   userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  • Locate the <roleManager> entry
  • Paste the following XML directly below the <providers> entry
<add name="LdapRole"
   type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
   server="dc.sharepoint.com" port="389" useSSL="false"
   groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn"
   groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
   userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
   groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  • Paste the following XML below the PeoplePickerWildcards entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*"/>
<add key="LdapRole" value="*"/>
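As an added check (example code written for this post, not code from the original or from SharePoint itself), the following Python script parses a web.config and verifies the edits made in the three web.config files above: that <membership> and <roleManager> occur exactly once, that the LdapMember and LdapRole providers and their PeoplePickerWildcards entries are present, and it flags providers configured with useSSL="false", because with plain LDAP on port 389 the provider's bind to the domain controller, and so the credential check, crosses the network unencrypted. The embedded web.config is a constructed sample with the same shape as the fragments above.

```python
# Added example for this post (not code from the original or from SharePoint).
# Parses a web.config, verifies the FBA/LDAP edits described above and flags
# providers that talk plain LDAP (useSSL="false"): the provider's bind to the
# domain controller, and so the credential check, then crosses the network in
# clear text.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the post's web.config fragments (not a real file).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership><providers>
      <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
           server="dc.sharepoint.com" port="389" useSSL="false" userContainer="OU=SPUsers,DC=sharepoint,DC=com" />
    </providers></membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
      <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
           server="dc.sharepoint.com" port="389" useSSL="false" groupContainer="OU=SPUsers,DC=sharepoint,DC=com" />
    </providers></roleManager>
  </system.web>
  <SharePoint><PeoplePickerWildcards>
    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="LdapMember" value="*" />
    <add key="LdapRole" value="*" />
  </PeoplePickerWildcards></SharePoint>
</configuration>"""


def check_fba_ldap_config(xml_text, member="LdapMember", role="LdapRole"):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # The post's step: <membership> and <roleManager> must exist exactly once.
    for tag in ("membership", "roleManager"):
        n = len(root.findall(f".//{tag}"))
        if n != 1:
            findings.append(f"expected exactly one <{tag}>, found {n}")
    # Each provider must be registered once under its own section.
    for tag, name in (("membership", member), ("roleManager", role)):
        adds = root.findall(f".//{tag}/providers/add[@name='{name}']")
        if len(adds) != 1:
            findings.append(f"provider {name} under <{tag}>: found {len(adds)}, expected 1")
            continue
        add = adds[0]
        # A missing useSSL attribute is treated as "false" to stay on the safe side.
        if add.get("useSSL", "false").lower() != "true":
            findings.append(f"provider {name} binds to {add.get('server')}:{add.get('port')} without SSL")
    # The people picker must be allowed to search both providers.
    keys = {a.get("key") for a in root.findall(".//PeoplePickerWildcards/add")}
    for name in (member, role):
        if name not in keys:
            findings.append(f"PeoplePickerWildcards has no entry for {name}")
    return findings
```

Run it against each of the three web.config files after editing them; the sample as written reports both providers as binding without SSL, and switching them to port 636 with useSSL="true" clears the findings.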


Add a user policy to the web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Select the claims based web application
  • Click on User Policy
  • Click on the Add Users link
  • Click the Next button.
  • Click the Address Book icon.
  • Type in the NT login name or account name and click the search button. If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider.
  • Select the account in the User section and click the Add button
  • Click the OK button
  • Check the Full Control checkbox, then click the Finish button



You can now browse to the web application and log in using forms based authentication.


Select Forms Authentication in the dropdown


And fill in the appropriate user name and password.


I used the following blog posts to get things working, so I would like to thank Steve, Ali and TechNet :-):

http://blogs.technet.com/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx
http://blogs.msdn.com/alimaz/archive/2009/10/30/configuring-fba-in-sharepoint-server-2010-beta-2.aspx
http://technet.microsoft.com/en-us/library/ee806890(office.14).aspx

Posted Thursday, May 06, 2010 8:31 PM

Comments on this entry:

re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by seva naik Bhukya at 6/22/2010 5:24 AM

Hi. Thanks for a nice article. I have followed the same steps explained above for configuring forms authentication. Everything was working fine. But, my site stopped working suddenly while logging in to the site. I'm getting the error message "The remote server returned an error: (500) Internal Server Error.". And also I didn't do any configuration changes.

Any help in this greatly appreciated.
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 6/22/2010 7:55 AM

Hi,

The error you are getting is the friendly HTTP error and doesn't actually tell you what's wrong.
Try turning off the friendly HTTP errors, so you can see the actual message. Also check the SharePoint logs at c:\program files\common files\microsoft shared\web server extensions\14\logs and the event logs of the server(s) running SharePoint.

This should at least give you an idea of what's happening.
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Seva at 6/22/2010 10:12 AM

Hi Mirjam,
Thanks for your reply and I appreciate your valuable time.

We are not able to see the error details using ULS Viewer tool.

And also we are getting "System.IO.InvalidData Exception was thrown." error while running SharePoint Configuration Wizard.

Regards
Seva
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Kamlesh at 6/22/2010 12:32 PM

Hi Mirjam,

We are discussing this on TechNet Forums here too:

social.technet.microsoft.com/.../c4c4d2c3-a55b-...

The user is facing problems with Beta version. By the way, did you use Beta or RTM bits for your above post?

  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 6/22/2010 3:05 PM

Hi,

This post was written for the RTM version and not the beta version of SharePoint 2010.
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by velmurugans at 7/6/2010 4:38 PM

Thank you!!! A Good Post to configure Authentication in 2010
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Martin at 7/19/2010 9:58 AM

Hi SharePointCheck,

it already is the second time I try to make that claims-based authentication work for my SharePoint, but once again it doesn't want to make me happy :-(

At first I found some error messages related to the declared identity providers in the web.config files. I was able to fix them.

I am using AD LDS to provide a user store and I assume it is not configured as it should be. I built up the AD LDS as it is written on this page:

www.bloggersbase.com/.../ad-lds-sharepoint-form...

My current problem is, that it just doesn't find the users I declared in AD LDS when I search for them via people picker on 'Site Permissions' page.

I really made everything like you have written here. I am almost falling into despair :-(

Pleeeeeaaaaaase help.

Thanks in advance
Martin
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Martin at 7/19/2010 12:49 PM

Sorry for the typo...SharePointChick :-)
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Tmcnulty at 8/1/2010 4:43 PM

Mirjam,
Great Post!! Took the mystery out of 2010 FBA. One question on the AD containers. What if my AD organization has users in multiple containers? Can I just add the locations to the config files?

All the best

TMc
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 8/2/2010 5:17 PM

Hi TMc,

I'm afraid all users have to be in the same OU. You could of course add the top level OU to the config files, but I can imagine that includes more OUs than you're interested in.

Mirjam
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Jag at 8/5/2010 10:37 PM

Hi Mirjam,
Very nice article. I have been working on this for the last 4 days and have finally got at least the people picker working. I am able to see the LDAP members in the people picker and I have given them access to the site. I keep getting an Access denied message. It does authenticate the user but denies access.

A user shows up twice in the people picker. Does SharePoint treat them as two separate users even though they are the same user?

Can you give your valuable insight please

Jag
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 8/6/2010 11:26 AM

Hi Jag,

If you use the same account for Windows authentication and claims based authentication SharePoint will see that one account as two different users. So if you grant the Windows user access and not the claims based one, you should indeed get an access denied message.

Hope that helps.

Mirjam
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Lew Grant at 8/6/2010 8:54 PM

Can anyone confirm this works with SharePoint 2010 FOUNDATION?

When I do all this I get 500 error and logs point out that Microsoft.Office.Server can't be found. This is the DLL we are referencing in our type attribute and since that DLL is part of MOSS/SharePoint 2010 and not part of WSS/SharePoint 2010 FOUNDATION then how do you use an LDAP provider with SharePoint 2010 FOUNDATION server?
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 8/7/2010 12:26 AM

Hi Lew,

You can do claims based authentication and FBA using the SQL provider with SharePoint Foundation, but you can't use the LDAP provider. As you stated yourself the LDAP provider is part of SharePoint Server. If you want to use LDAP using SharePoint Foundation you will need to write your own LDAP provider.

Mirjam
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Jagdish at 8/11/2010 5:23 PM

Hi Mirjam,
Thanks for the reply. We have created the SP site and have also configured the alternate access mapping for the site. We plan to have two URLs. One for the external users who authenticate using FBA - SQL server and the second one for internal users using LDAP - AD. In case of SQL server - FBA, I grant access to groups - SQL membership and it works great. But in case of LDAP, my people picker does pick up the people but not the AD security groups.

I would like to grant access to AD security group using LDAP -FBA instead of granting access to individual users. This would make the site management much easier in future.

Is this doable or am I missing something?

Jag


  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Jag at 8/11/2010 8:58 PM

I could config seeing the AD-Security groups in Ldap -FBA. I did the following modifications in the web.config
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="smdi.com"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="sAMAccountName"
userContainer="DC=Company,DC=COM"
userObjectClass="person"
userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>

The main change is "userFilter="(|(ObjectCategory=group)(ObjectClass=person))""

But a user in that AD group cannot access SP site. I get a message - Access denied .

Jag
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by Dhani at 8/31/2010 2:24 PM

I followed the same steps but am getting a file not found error.
  
re: Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010
by mirjam at 9/1/2010 6:43 PM

Hi Jag,

There was a problem with the default provider in SharePoint 2007 for LDAP and authenticating users using AD groups. Your story makes me think that this problem might still exist in SharePoint 2010.
  