SharePoint 2010: Forms Based Authentication using Active Directory

This post is a close mirror to my other post SharePoint 2010: Claims Based Authentication using .Net SQL Membership Provider, just tweaked to use AD instead of SQL. In this post I want to use Active Directory instead of SQL, and allow users to login using a friendly form instead of the ugly Windows grey authentication window.

SharePoint 2010 has a great feature called Claims Based Authentication. You specify this when you create your web application. If you created a web application as Classic Mode Authentication, you can change it to Claims Based Authentication, see this blog post http://weblogs.asp.net/sreejukg/archive/2011/03/25/change-sharepoint-authentication-from-classic-mode-to-claims-based.aspx on how to change it.

Our plan of attack is

  • Modify your web application, central admin and the web services’ web.config files.
  • Update web application to use forms.
  • Install free feature to add user management to SharePoint.

Modify your web application, central admin and the web services’ web.config files. This part can be a little tricky. We need to modify the web.config file for your

  • Web Application so your web app can authenticate users
  • Central Administration so users are recognized
  • Web Services so users can log in.

Update the web application’s web.config file.
IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\appname.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find <roleManager add the following provider highlighted below. Change the items in green to match your domain.
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> 
<providers> 
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, 
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> 
<add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, 
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389" 
useSSL="false" groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" 
userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" 
scope="Subtree" /> </providers> 
</roleManager> 
  • Find <membership and add the following provider highlighted
<membership defaultProvider="i"> 
 <providers> 
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, 
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> 
<add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, 
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389" 
useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" 
userContainer="DC=contoso,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)
(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> 
 </providers> 
</membership> 

Update central admin’s web.config file
IMPORTANT: These steps will have to be performed on all servers hosting central admin.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\portnum.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Perform the same steps above on this web.config file.
    • The roleManager and membership sections may look a little different. You’re only adding the highlighted elements, not modifying it to match.

And that should take care of your Central Admin.

Update web services’ web.config file
IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find </configuration> (bottom of page) and add the following right above it
<system.web> 
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" 
cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" 
createPersistentCookie="false" maxCachedResults="25"> 
<providers> 
<add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"  server="contoso.com" port="389" useSSL="false" groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" /> </providers> 
</roleManager> 
<membership userIsOnlineTimeWindow="15" hashAlgorithmType=""> 
<providers> 
<add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=contoso,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group) (ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> </providers> 
</membership> 
</system.web> 

And now we’re done with the tricky part.

Update web application to use forms. Next we’re going to tell Central Admin about our desires and tell the web application to use our configured authentication.

  1. Go to Central Administration > Manage Web Applications.
  2. Select your web application and click Authentication Providers.
  3. Click the zone marked as Claims Based Authentication
  4. Scroll down to Claims Authentication Type.
  5. Check Enable Forms Based Authentication, and enter SQLMembershipProvider and SQLRoleManager in the two options
  6. Scroll to the bottom and click Save.
  7. Close the Authentication Providers window.

Browse to your site and if you’re lucky, you should see a login prompt, and you should be able to login as the user we created before or a Windows account.

Pretty plain eh? Check out my other blog post on how to customize this page some more.

About these ads

11 thoughts on “SharePoint 2010: Forms Based Authentication using Active Directory

  1. Great Tutorial, but how can I login?
    When I try to login using the form, I just get an access denied. No matter what user I type in.

    Can you give me a hint how to debug it more and solve it?

    Do I have to change more than the yellow marked areas? Probably you can explain a bit more what these parts in the web.config exactly do.

    Would be very useful, at least for my-self.

    Thank you very much.

    • Hi Aleks,

      The important pieces are the highlights for the names and accounts, those have to match what you entered in the web application settings. Also the domain info contoso.com should match your active directory, yours may be more like contoso.local (normal for most ADs).

      Check the ULS logs for errors, I think they’ll be reported in there.

  2. Hi David,

    thanks for you reply.
    I got it working just a few minutes ago.

    It has to do with the users that are allowed to access the site.
    At the moment I can not explain it exactly, but I know how to get a user in to the site.

    Perhaps you have an explenation for (because you´ve had the same thing).

    When I add a user to the website with i. E. full control, I usually enter domain\username into the user / group field. After applying the form, I get back to the user / group listing where all permissions are listed. Now I can see there the new user but with a strange writing.

    Is it possible that I have to add users twice, when they should be able to login via windows auth an FBA?
    And is it correct that the user that authenticates through FBA shows up with its username in the top right corner an not with its real first and lastname? Can I change this behavior?

    So many questions, hope you can help me with a little startup support.
    The topic CBA and FBA is pretty new to me at the moment.

    • Oh yes, you’ll need to add the FBA account to SharePoint. You don’t have to add the windows account unless they will be logging in using the windows method, which I’d guess they aren’t.

      • Hi David,

        1- What is the difference b/w adding users in User Policy and adding users in site permissions?

        I can add users in User Policy and people picker is working fine but I can’t use any of those users unless I add them in the site permission.

        2- Session timeout is not working in SP 2010 even I have set the session time out to 5 mins in two different places.

        - In IIS under the website session properties
        - Under Website general Settings (Central Administrator)

      • Hi Steve,

        1. Where exactly are you adding them in User Policy? Is this via Central Admin? Or in the site collection?

        2. I’ve been unsuccessful in changing session timeouts in SharePoint. I’ve tried shorter and longer with no luck. If your users are using computers that are on the domain, I don’t think there is a timeout, since Windows will auto-authenticate the users. Sorry, I can’t be of more help on this one.

        Thanks,
        David

  3. David, thanks for your reply.

    I am adding users in user policy via Central Admin but when i access the FBA site i get Access Denied error. Thats why i have to add them in the site (user permissions)

    Regarding session timeout, my only concern is about extrenal users (outside our domain). I would try to test the site from my home pc to see if session times out.

    • Oooo. You shouldn’t be adding users in User Policy, as that affects the entire web application (unless you really want to), and it’s harder to manage. If FBA users work in CA and not in your site, then something wasn’t configured correctly. You should’ve modified the web.config for your web app, for the security service (in 14 folder) and for central admin. Looks like you did for CA. Confirm you modified the correct web app config file.

  4. Pingback: SharePoint Claims Authentication problems with Active Directory | Lionadi's Tunking Blog :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s