2007-03-31

Configuring Forms Authentication with AD (Scott Hillier)



Forms authentication allows you to configure a SharePoint page as a login form instead of utilizing Windows authentication directly. SharePoint supports many different providers for authenticating users against other data stores such as SQL Server or an LDAP service. In this exercise, you will make use of the ActiveDirectoryMembershipProvider to configure Forms authentication against Active Directory. In this scenario, users will enter their Windows credentials into the login form to gain access to the secure site.


Follow these steps to set up Forms authentication:


1. Log in to <machine> as the local administrator.

2. Open the File Explorer and navigate to \Inetpub\wwwroot\wss\VirtualDirectories.

3. Under the VirtualDirectories folder, identify the subdirectory that is associated with your site and the folder associated with the Central Administration site.

4. Open the web.config file for both the extranet site and the Central Administration site. The provider information must be added to both files.

5. Directly above the <system.web> tag in both files, add the following section to define a connection to Active Directory:




<connectionStrings>
  <add name="ADService"
       connectionString="LDAP://vspdc.domain.local/DC=domain,DC=local" />
</connectionStrings>


6. Directly underneath the <system.web> tag in both files, add the following section to utilize the ActiveDirectoryMembershipProvider as the authentication provider:



<membership defaultProvider="AD">
  <providers>
    <add name="AD"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADService"
         connectionUsername="DOMAIN\Administrator"
         connectionPassword="P@ssw0rd"
         connectionProtection="None"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>




7. Save and close both files.

8. Select Start > Run. In the Run dialog, type iisreset and click the Open button.

9. Open the Central Administration site by selecting Start > Administrative Tools > SharePoint 3.0 Central Administration.

10. In the Central Administration site, click the Application Management tab.

11. Under the Application Security section, click the link titled Authentication Providers.

12. If the correct web application is not already selected, drop down the Web Application selection list and click Change Web Application. Then click the link for the initial web application that you set up.

13. On the Authentication Providers page, click the Windows link associated with the Extranet zone.

14. On the Edit Authentication page, select Forms as the Authentication Type.

15. In the Membership Provider Name field, type AD, which is the name of the provider as it appears in the web.config file.

16. Click the Save button.

17. In the Central Administration site, click the Application Management tab.

18. Under the Application Security section, click the link titled Policy for Web Application.

19. If the correct web application is not already selected, drop down the Web Application selection list and click Change Web Application. Then click the link for the initial web application that you set up.

20. Click the Add Users button.

21. On the Add Users page, select Extranet from the zone list.

22. Click the Next button.

23. On the Add Users page, type Administrator into the Users field and click the Check Names image button.

24. Under the Choose Permissions section, check the box labeled Full Control – Has Full Control.

25. Click the Finish button.
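The provider block in steps 5 and 6 stores a domain administrator password in clear text and sets connectionProtection="None", which leaves the LDAP connection to the domain controller unencrypted and unsigned. The following Python script is an added example (not from the book or this page) that parses web.config fragments, cross-checks defaultProvider against the defined providers and connectionStringName against connectionStrings, and flags those two weak settings. The sample configs are constructed here: the weak one mirrors the walkthrough, the hardened one drops the explicit credentials (the provider then binds as the application pool identity) and keeps the provider's default "Secure" protection.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragments steps 5 and 6 add to web.config
# (placeholder host, domain and password from the walkthrough).
WEAK_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADService"
         connectionString="LDAP://vspdc.domain.local/DC=domain,DC=local" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AD">
      <providers>
        <add name="AD"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             connectionUsername="DOMAIN\\Administrator"
             connectionPassword="P@ssw0rd"
             connectionProtection="None"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Constructed hardened variant: no explicit bind credentials (the provider
# uses the process identity) and connectionProtection left at "Secure",
# which requires SSL or LDAP signing and sealing.
HARDENED_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADService"
         connectionString="LDAP://vspdc.domain.local/DC=domain,DC=local" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="AD">
      <providers>
        <add name="AD"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def audit_membership_config(web_config_xml):
    """Return a list of findings for the membership provider wiring.

    Cross-checks defaultProvider -> <providers> and connectionStringName ->
    <connectionStrings>, then flags an unprotected directory connection and
    a clear-text bind password stored in the config file.
    """
    root = ET.fromstring(web_config_xml)
    findings = []

    conn_names = set()
    for cs in root.iter("connectionStrings"):
        conn_names.update(a.get("name") for a in cs.findall("add"))

    membership = next(root.iter("membership"), None)
    if membership is None:
        return ["no <membership> element found"]

    default = membership.get("defaultProvider")
    providers = {}
    for provs in membership.findall("providers"):
        for p in provs.findall("add"):
            providers[p.get("name")] = p
    if default not in providers:
        findings.append(
            f"defaultProvider '{default}' is not defined under <providers>")

    for name, p in providers.items():
        cs_name = p.get("connectionStringName")
        if cs_name not in conn_names:
            findings.append(
                f"provider '{name}': connectionStringName '{cs_name}' "
                "has no matching <connectionStrings> entry")
        # The provider's default is "Secure"; "None" disables SSL/signing.
        if p.get("connectionProtection", "Secure") == "None":
            findings.append(
                f"provider '{name}': connectionProtection=\"None\" leaves the "
                "LDAP connection unencrypted and unsigned")
        if p.get("connectionPassword"):
            findings.append(
                f"provider '{name}': clear-text connectionPassword for "
                f"'{p.get('connectionUsername')}' stored in web.config")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit_membership_config(cfg) or ["no findings"])
```

If explicit bind credentials must stay (for example when the application pool identity cannot read the directory), use a dedicated account with read-only directory rights rather than the domain administrator, and encrypt the section with protected configuration (aspnet_regiis -pe) so the password is not readable in web.config.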

Delete shared service provider


I can't find a link in CA, so paste the URL below, replacing the sspId.


http://server/_admin/deletessp.aspx?sspId=e3b38b19-9d73-4fb0-b248-4ae796b09fc8

System Event Log: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID




System Event log:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user <machine>\SPSharedServicesPool SID (S-1-5-21-974288755-3100551457-677853593-1023). This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Cause:

This is caused by the SPSharedServicesPool account not having rights to start the application.


Fix:

Give WSS_WPG or the specific user the necessary rights.

Copy the GUID following the CLSID above, then open the registry editor via Start-->Run-->regedit.


With the registry editor open, ensure that your cursor is on the computer at the beginning of the tree (make sure you are not in the middle of some previous edit session in the registry editor).


Edit-->Find and paste in the GUID. The search will stop at the application entry; note the application name in the right-hand pane. In this example, it was the IIS WAMREG admin service that popped up.


Now, open Component Services (typically, from the server: Start-->Administrative Tools-->Component Services), expand Component Services, Computers, My Computer, DCOM Config. Scroll down and find the application (IIS WAMREG in this case). Right-click-->Properties and select the Security tab. In the first block, Launch and Activation Permissions, ensure that the Customize radio button is selected and click Edit. Now add your service account, granting it launch and activation permission and, where required, remote launch/activation permission.


Restart IIS and continue on.
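The triage above starts by pulling the CLSID and account out of the event text by hand. As an added example (not from the page), this Python parser extracts the denied permission, CLSID, account and SID from that message so the values can be logged or fed into a ticket without retyping. The sample message is constructed from the event quoted above, with MACHINE standing in for the real host name; the registry key it derives is the standard HKEY_CLASSES_ROOT\CLSID\{guid} location the Find step lands on.

```python
import re

# Constructed sample: the System log text quoted above, with "MACHINE"
# in place of the real computer name.
SAMPLE_EVENT = (
    "The application-specific permission settings do not grant Local Activation "
    "permission for the COM Server application with CLSID\n"
    "{61738644-F196-11D0-9953-00C04FD919C1}\n"
    " to the user MACHINE\\SPSharedServicesPool SID "
    "(S-1-5-21-974288755-3100551457-677853593-1023).  This security permission "
    "can be modified using the Component Services administrative tool."
)

# Matches the DCOM permission-denied message shape: the denied permission,
# the braced CLSID, the account name and the SID in parentheses. \s* absorbs
# the line breaks the event viewer inserts around the CLSID.
_PATTERN = re.compile(
    r"do not grant (?P<permission>.+?) permission for the COM Server application "
    r"with CLSID\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*to the user "
    r"(?P<account>\S+)\s+SID\s*\((?P<sid>S-1-5-[0-9-]+)\)"
)


def parse_dcom_permission_event(message):
    """Return a dict with permission, clsid, account, sid, rid and the
    HKCR registry key for the CLSID, or None if the text does not match."""
    m = _PATTERN.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["clsid"] = fields["clsid"].upper()
    # Relative identifier: the last component of the SID (1023 here).
    fields["rid"] = int(fields["sid"].rsplit("-", 1)[1])
    # Where Edit-->Find on the GUID stops: the CLSID key, whose AppID value
    # names the DCOM Config entry to edit in Component Services.
    fields["registry_key"] = "HKEY_CLASSES_ROOT\\CLSID\\" + fields["clsid"]
    return fields


if __name__ == "__main__":
    for key, value in parse_dcom_permission_event(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```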

Application Event Log: There is no administration site associated with the Shared Services Provider SharedServices1

Cause:

This is caused by there not being a web application specifically for the SSP.


Fix:

Click on Shared Services Administration > then edit SharedServices1 and click on the New Web App link.