This post is a close mirror to my other post SharePoint 2010: Claims Based Authentication using .Net SQL Membership Provider, just tweaked to use AD instead of SQL. In this post I want to use Active Directory instead of SQL, and allow users to log in using a friendly form instead of the ugly Windows grey authentication window.
SharePoint 2010 has a great feature called Claims Based Authentication. You specify this when you create your web application. If you created a web application as Classic Mode Authentication, you can change it to Claims Based Authentication, see this blog post http://weblogs.asp.net/sreejukg/archive/2011/03/25/change-sharepoint-authentication-from-classic-mode-to-claims-based.aspx on how to change it.
Our plan of attack is:
- Modify your web application, central admin and the web services’ web.config files.
- Update web application to use forms.
- Install free feature to add user management to SharePoint.
Modify your web application, central admin and the web services’ web.config files
This part can be a little tricky. We need to modify the web.config file for your
- Web Application so your web app can authenticate users
- Central Administration so users are recognized
- Web Services so users can log in.
Update the web application’s web.config file.
IMPORTANT: These steps will have to be completed on every web front end in your farm.
- Go to C:\inetpub\wwwroot\wss\virtualdirectories\appname.
- Copy the web.config to web.config_preCBA as a backup.
- Open the web.config file.
- Find <roleManager and add the second provider (the CONTOSOROLE entry) shown below. Change the contoso.com and DC=contoso,DC=com values to match your domain.
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="contoso.com" port="389" useSSL="false"
         groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>
- Find <membership and add the second provider (the CONTOSO entry) shown below, again changing the contoso values to match your domain.
<membership defaultProvider="i">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="contoso.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=contoso,DC=com" userObjectClass="person"
         userFilter="(|(ObjectCategory=group) (ObjectClass=person))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
Update central admin’s web.config file
IMPORTANT: These steps will have to be performed on all servers hosting central admin.
- Go to C:\inetpub\wwwroot\wss\virtualdirectories\portnum.
- Copy the web.config to web.config_preCBA as a backup.
- Open the web.config file.
- Perform the same steps above on this web.config file.
- The roleManager and membership sections may look a little different here. You’re only adding the CONTOSOROLE and CONTOSO provider entries; don’t change the existing elements to match the examples above.
And that should take care of your Central Admin.
Update web services’ web.config file
IMPORTANT: These steps will have to be completed on every web front end in your farm.
- Go to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.
- Copy the web.config to web.config_preCBA as a backup.
- Open the web.config file.
- Find </configuration> (at the bottom of the file) and add the following right above it:
<system.web>
  <roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30"
               cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"
               createPersistentCookie="false" maxCachedResults="25">
    <providers>
      <add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="contoso.com" port="389" useSSL="false"
           groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member"
           userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
           groupFilter="(ObjectClass=group)" scope="Subtree" />
    </providers>
  </roleManager>
  <membership userIsOnlineTimeWindow="15" hashAlgorithmType="">
    <providers>
      <add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="contoso.com" port="389" useSSL="false"
           userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
           userContainer="DC=contoso,DC=com" userObjectClass="person"
           userFilter="(|(ObjectCategory=group) (ObjectClass=person))" scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
</system.web>
And now we’re done with the tricky part.
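As an added check that is not part of the original post, here is a small Python audit for web.config files built like the fragments above. It flags the two things worth reviewing before you roll this out: the LDAP providers bind to the domain controller with useSSL="false" on port 389, so every forms login sends the user’s password in clear text, and the claims wrapper providers (c and i) must stay the defaultProvider of their sections. The sample web.config is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.config fragments in this post (not a real farm's file).
# The membership section deliberately has the wrong defaultProvider so the audit has something to find.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<roleManager defaultProvider="c" enabled="true">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
    <add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
         server="contoso.com" port="389" useSSL="false" groupContainer="DC=contoso,DC=com" />
  </providers>
</roleManager>
<membership defaultProvider="CONTOSO">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
    <add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
         server="contoso.com" port="636" useSSL="true" userContainer="DC=contoso,DC=com" />
  </providers>
</membership>
</system.web></configuration>"""

LDAP_TYPE_PREFIX = "Microsoft.Office.Server.Security.Ldap"
CLAIMS_TYPE_PREFIX = "Microsoft.SharePoint.Administration.Claims."


def audit_web_config(config_xml):
    """Return (name, finding) pairs for the roleManager and membership sections of a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    for section in ("roleManager", "membership"):
        node = root.find(f"./system.web/{section}")
        if node is None:
            continue
        providers = {add.get("name"): add for add in node.findall("./providers/add")}
        # The SPClaimsAuth wrapper must remain the default; Central Admin refers to the LDAP provider by name.
        default = providers.get(node.get("defaultProvider", ""))
        if default is None or not default.get("type", "").startswith(CLAIMS_TYPE_PREFIX):
            findings.append((section, "defaultProvider is not the SPClaimsAuth provider"))
        for name, add in providers.items():
            if not add.get("type", "").startswith(LDAP_TYPE_PREFIX):
                continue
            use_ssl = add.get("useSSL", "false").lower() == "true"
            port = add.get("port", "389")
            if not use_ssl:
                findings.append((name, "useSSL=false: bind credentials cross the network in clear text"))
            elif port != "636":
                findings.append((name, f"useSSL=true on port {port}; LDAPS normally listens on 636"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{name}: {finding}")
```

Run it against each of the three web.config files you edited; an empty result means the LDAP providers use LDAPS and the claims wrappers are still the defaults.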
Update web application to use forms
Next we’re going to tell Central Admin about our desires and tell the web application to use our configured authentication.
- Go to Central Administration > Manage Web Applications.
- Select your web application and click Authentication Providers.
- Click the zone marked as Claims Based Authentication
- Scroll down to Claims Authentication Type.
- Check Enable Forms Based Authentication, and enter the provider names from your web.config in the two options: CONTOSO as the membership provider and CONTOSOROLE as the role manager.
- Scroll to the bottom and click Save.
- Close the Authentication Providers window.
Browse to your site and, if you’re lucky, you should see a login prompt and be able to log in as the user we created before or with a Windows account.
Pretty plain eh? Check out my other blog post on how to customize this page some more.