2007-03-31

Configuring Forms Authentication with AD (Scott Hillier)



Forms authentication lets you present a SharePoint page as a login form instead of relying on Windows (NTLM/Kerberos) authentication directly. SharePoint accepts any ASP.NET 2.0 membership provider, so users can be validated against other stores such as SQL Server or an LDAP directory. In this exercise, you will use the ActiveDirectoryMembershipProvider that ships with ASP.NET to configure Forms authentication against Active Directory: users will type their Windows user name and password into the login form to gain access to the secure site. Because the form posts that password to the web server, the Forms-authenticated zone should be served over HTTPS.


Follow these steps to set up Forms authentication:


1. Log in to <machine> as the local administrator.

2. Open Windows Explorer and navigate to \Inetpub\wwwroot\wss\VirtualDirectories.

3. Under the VirtualDirectories folder, identify the subdirectory associated with your site and the subdirectory associated with the Central Administration site.

4. Open the web.config file for both the extranet site and the Central Administration site. The provider information must be added to both files.

5. Directly above the <system.web> tag in both files, add the following section to define the connection to Active Directory. The connection string is an LDAP path: the domain controller's host name followed by the base distinguished name the provider will search under:




<connectionStrings>
  <!-- LDAP path of a domain controller, then the base DN to search under. -->
  <add name="ADService"
       connectionString="LDAP://vspdc.domain.local/DC=domain,DC=local" />
</connectionStrings>


6. Directly beneath the opening <system.web> tag in both files, add the following section to make the ActiveDirectoryMembershipProvider the default membership provider. The value of the name attribute (AD) is what you will enter in Central Administration later:



<membership defaultProvider="AD">
  <providers>
    <!-- ActiveDirectoryMembershipProvider ships in the System.Web 2.0 assembly. The attribute
         is spelled PublicKeyToken, and the whole type value must stay on one line in the file.
         connectionUsername/connectionPassword is the account the provider binds to AD with:
         use a dedicated read-only account rather than Domain Administrator, and encrypt this
         section afterwards (aspnet_regiis -pe) so the password is not kept in clear text.
         connectionProtection="None" uses plain LDAP, so the bind password and every user's
         login password cross the network in clear text; the default, "Secure", uses SSL or
         Kerberos signing and sealing and should be used wherever the domain controller allows it. -->
    <add name="AD"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADService"
         connectionUsername="DOMAIN\Administrator"
         connectionPassword="P@ssw0rd"
         connectionProtection="None"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>




7. Save and close both files.

8. Select Start > Run. In the Run dialog, type iisreset and click OK.

9. Open the Central Administration site by selecting Start > Administrative Tools > SharePoint 3.0 Central Administration.

10. In the Central Administration site, click the Application Management tab.

11. Under the Application Security section, click the link titled Authentication Providers.

12. If the correct web application is not already selected, open the Web Application drop-down list, click Change Web Application, and then click the link for the web application you set up initially.

13. On the Authentication Providers page, click the Windows link associated with the Extranet zone.

14. On the Edit Authentication page, select Forms as the Authentication Type.

15. In the Membership Provider Name field, type AD, which is the name of the provider as it appears in the web.config file.

16. Click the Save button.

17. In the Central Administration site, click the Application Management tab.

18. Under the Application Security section, click the link titled Policy for Web Application.

19. If the correct web application is not already selected, open the Web Application drop-down list, click Change Web Application, and then click the link for the web application you set up initially.

20. Click the Add Users button.

21. On the Add Users page, select Extranet from the zone list.

22. Click the Next button.

23. On the Add Users page, type Administrator into the Users field and click the Check Names icon. In the Extranet zone the name is resolved through the AD membership provider rather than through Windows.

24. Under the Choose Permissions section, check the box labeled Full Control – Has Full Control.

25. Click the Finish button.
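The whole procedure above, scripted as an added example (PowerShell; this is not code from the original post). It carries out steps 4 through 8 for both web.config files and steps 9 through 16 through stsadm, but with the settings a security engineer would insist on: connectionProtection="Secure" instead of "None", a dedicated read-only bind account instead of DOMAIN\Administrator, the password prompted for at run time and then encrypted on disk, and the LDAP bind verified before any file is changed. The file paths, the Central Administration port folder, the server name, the account names and the extranet URL are assumptions and must be replaced with your own.

```powershell
# Added example; not part of the original post. Assumed names: the file paths, the Central
# Administration port folder, the LDAP server, the bind and app pool accounts, the extranet URL.

$webConfigs = @(
    'C:\Inetpub\wwwroot\wss\VirtualDirectories\extranet80\web.config',  # extended Extranet web application
    'C:\Inetpub\wwwroot\wss\VirtualDirectories\12345\web.config'        # Central Administration (its port number)
)
$ldapPath       = 'LDAP://vspdc.domain.local/DC=domain,DC=local'   # server + base DN, as in the post
$bindUser       = 'DOMAIN\svc_fba_ldap'    # dedicated account that only needs to read the directory
$appPoolAccount = 'DOMAIN\svc_sp_apppool'  # identity of the application pools that will read web.config
$extranetUrl    = 'http://extranet.domain.local'

$cred     = Get-Credential $bindUser       # prompt for it; never put the password in the script
$bindPass = $cred.GetNetworkCredential().Password

# 1. Prove the bind works over a protected channel before touching any file.
#    AuthenticationTypes.Secure is what connectionProtection="Secure" uses (SSL, or Kerberos
#    signing and sealing); reading NativeObject forces the bind and throws if it fails.
$secure = [System.DirectoryServices.AuthenticationTypes]::Secure
$entry  = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $ldapPath, $cred.UserName, $bindPass, $secure
$null   = $entry.NativeObject
Write-Host "Secure bind to $ldapPath as $($cred.UserName) succeeded"

# 2. Add <connectionStrings> and <membership> to each web.config (steps 4-7), idempotently.
$providerType = 'System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, ' +
                'Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'

foreach ($path in $webConfigs) {
    Copy-Item -Path $path -Destination "$path.bak" -Force        # rollback copy
    [xml]$cfg = Get-Content -Path $path
    $root   = $cfg.DocumentElement                               # <configuration>; assumes no default xmlns
    $sysWeb = $root.SelectSingleNode('system.web')

    # <connectionStrings> goes directly above <system.web> (step 5).
    $cs = $root.SelectSingleNode('connectionStrings')
    if ($null -eq $cs) { $cs = $root.InsertBefore($cfg.CreateElement('connectionStrings'), $sysWeb) }
    if ($null -eq $cs.SelectSingleNode("add[@name='ADService']")) {
        $add = $cs.AppendChild($cfg.CreateElement('add'))
        $add.SetAttribute('name', 'ADService')
        $add.SetAttribute('connectionString', $ldapPath)
    }

    # <membership> goes directly under <system.web> (step 6); an earlier "AD" entry is replaced.
    $membership = $sysWeb.SelectSingleNode('membership')
    if ($null -eq $membership) { $membership = $sysWeb.PrependChild($cfg.CreateElement('membership')) }
    $membership.SetAttribute('defaultProvider', 'AD')
    $providers = $membership.SelectSingleNode('providers')
    if ($null -eq $providers) { $providers = $membership.AppendChild($cfg.CreateElement('providers')) }
    $old = $providers.SelectSingleNode("add[@name='AD']")
    if ($null -ne $old) { $null = $providers.RemoveChild($old) }

    $prov = $providers.AppendChild($cfg.CreateElement('add'))
    $prov.SetAttribute('name', 'AD')
    $prov.SetAttribute('type', $providerType)
    $prov.SetAttribute('connectionStringName', 'ADService')
    $prov.SetAttribute('connectionUsername', $cred.UserName)
    $prov.SetAttribute('connectionPassword', $bindPass)
    $prov.SetAttribute('connectionProtection', 'Secure')         # "None" would send every password in clear text
    $prov.SetAttribute('attributeMapUsername', 'sAMAccountName')  # or userPrincipalName to log in as user@domain.local
    $prov.SetAttribute('enableSearchMethods', 'true')             # lets the People Picker find AD users in this zone
    $cfg.Save($path)

    # 3. Encrypt the section holding the bind password, and let the app pool identity read the
    #    RSA key container that protects it (-pef takes the directory, not the file).
    & $regiis -pef 'system.web/membership' (Split-Path -Parent $path)
    & $regiis -pa 'NetFrameworkConfigurationKey' $appPoolAccount
}

# 4. Restart IIS (step 8) and switch the Extranet zone to Forms with provider "AD" (steps 9-16).
iisreset
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
& $stsadm -o authentication -url $extranetUrl -type forms -membershipprovider AD
```

Run it from an elevated PowerShell prompt on the web front end. "Secure" needs either an SSL certificate on the domain controller or, for a domain-joined server, Kerberos signing and sealing, which the provider negotiates on its own; if the bind in step 1 fails, fix that rather than falling back to "None". The aspnet_regiis -pa line matters: without it the application pool cannot decrypt the section and the site fails to start. Steps 17 through 25 (the web application policy) are left to Central Administration as described above; stsadm -o addpermissionpolicy can do the same from the command line.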

5 comments:

  1. Hi,

    Thanks for a great article. I followed your instructions and was able to get forms authentication set up. However, I kept getting access denied errors when trying to log in. I finally figured out that the user accounts (mine or any AD users) needed to be on the "Policy for Web Application" under Application Management within Central Admin. My attempt to add NT AUTHORITY\Authenticated Users did not go through (it kept saying no matching name for the forms auth zone). I need to get forms authentication working for all users within AD without having to enter every single one within "Policy for Web Application".

    Could you please help me resolve this issue. I am sure I am missing a configuration somewhere.

    Thanks!

    Dinesh

  2. Hi Dinesh.

    I haven't got a test environment to replicate this method of authentication, but I'm guessing NT AUTHORITY\Authenticated Users won't be in the LDAP source.

    Do you have another group every user belongs to that you can use, like DOMAIN\domain users?

    You should be able to get the NT AUTHORITY\Authenticated Users SID if your FBA app is extended from a normal NTLM AD authentication app...

    So you'll have to have 2 web applications 1 extended from the other.

    Your primary application will be AD, and your extended will be FBA/LDAP.

  3. Hi Ray,

    Thanks for the response. I do have two web apps and the second one was extended from the first which is using window NTLM authentication.

    "You should be able to get the NT AUTHORITY\Authenticated Users SID if your FBA app is extended from an normal NTLM AD authentication app..."

    so I tried your suggestion but I think I am doing something wrong. MS suggests the following format

    LDAP://company.org/<SID=S-1-5-11>,DC=company,DC=org

    found here:
    http://forums.techarena.in/active-directory/80928.htm

    And yes, I do have another group that has all users and it's within a separate container, so here's the LDAP connection I came up with

    LDAP://company.org/CN=All_Users,OU=ContainerName,DC=company,DC=org

    I've also tried adding in the groups on the policy for web apps page within central admin with no luck.

  4. Hi,
    is there a way to set up forms authentication with AD so that users can type in their e-mail addresses instead of their login names?
    Thanks in advance,
    Thomas

  5. thildebrandt: You can use the person's e-mail address as their user name.
    So the user name and e-mail would be the same.
