Achieving FBA with ADLDS & SharePoint 2010
FBA or Form Based Authentication is a method used when user/s who are not part of your company, such as business vendors or customers, would like to access your SharePoint Site and you want some kind of authentication for them.
We can use SQL database or seperate AD or ADLDS to store the external users and have them authenticated. This article talks about how to configure ADLDS ( Active Directory Lightweight Directory Services) to work with SharePoint 2010.
For people interested in SQL database being used for authentication check this.
For ADLDS follow the following steps:
Step1: Install ADLDS Server Role (https://technet.microsoft.com/en-us/library/cc754486(WS.10).aspx)
Step2: Configure ADLDS Instance.
Click Next
You can give your own instance name. For Example instance name can be SPADLDS. Click Next after you put the instance name.
Leave the default ports. If you are doing it for the first time the LDAP port will be 389. Remember the LDAP port that is displayed here and click next on this screen.
Choose the option :Yes, create an application directory partition.
The partition name can be CN=somthing, DC=domainname, DC=com or O=something, C=Local/com. I used the later one.
Choose which account you would want to use as ADLDS administrator. I choosed the default logged in account.
Click next on the above screen. Next is the summary screen, click next and its gets configured.
Below are the details that I provided during the configuration wizard.
Instance name : SPADLDS
LDAP Port Number : 389
Application Directory Partition : O=SPADLDS,C=LOCAL
Step3: Access ADLDS Instance
Click Start->Run->mmc and then clikc on File->add/remove snap-in and add ADSI
Right Click on ADSI Edit and click "Connect To"
- In the Connection Settings windows under Connection Point choose "Select or type a Distinguished Name or Naming Context". I added O=SPADLDS,C=LOCAL
- Under Computer choose " Select or type a domain or Server". I added FQDN of the server on which ADLDS was installed ( which in my case is sp2010.gpso365.com)
- Click ok (Below is the screen Shot)
Step 4:
- Create Container – CN for Groups and Users (https://technet.microsoft.com/en-us/library/cc730701(WS.10).aspx)
- Create CN (e.g. WPSCN)
- Create Users (e.g. WPSCNAdminUser, WPSCNMemberUser, WPSCNReaderUser)
- Reset Passwords of all Users
- Enable Users
- Set ms-DS-UserAccountDisabled = FALSE
- Set ms-DS-UserDontExpirePassword = FALSE
- Set ms-DS-UserPasswordNotRequired = FALSE
- Make Sure User’s cn, distinguishedName, and userPrincipalName is filled out
- Make Sure userPrincipalName has no spaces.
Step5: Create New Web Application with Forms Based Authentication
- Create a new web application choosing Claims based Authentication the the Authentication section
- In case you are using host header, specify it under the Host Header section
- Under the Claim Authentication types, do as shown in the below snapshot
- Complete the rest of the wizard by providing Application pool account, Database name.
- Create a Site collection using any template.
Step6 : Grant “Application Pool” accounts READ Permission on ADLDS instance
- Add Content SharePoint Web Application “Application Pool”, Central Administration Web Application “Application Pool”, and Security Token Service “Application Pool” accounts READERS Roles on ADLDS instance. This would allow SharePoint to browse ADLDS store in least privileged scenario.
- In My Sandbox, both ADLDS Administrators and SharePoint Application Pool accounts are same so, there is no need for explicit setting of permissions but in real world least privileged environment, these application pool accounts will be different and must be granted permission on the ADLDS. Failure of granting permissions for STS application Pool account may cause login failure issues. Failure of granting permissions for Web Application Pool accounts may cause people picker failure.
Step7 : Update Web Config Files– Content Web App, Central Admin Web App, and STS
Before you make any modification to any of the web.config file, please do take a backup of the web.config file.
- Below is the code that you need to insert into the newly created Claims Based Web application web.config file.
a. Search for <PeoplePickerWilcards> and insert the underlined code in it
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*" />
<add key="LdapRole" value="*" />
</PeoplePickerWildcards>
b. Locate the <membership> entry and Replace everything from <membership> to </membership> with the following XML
<membership defaultProvider="i">
<providers>
<clear />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sp2010.gpso365.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="userPrincipalName" userContainer="CN=WPSCN,O=SPADLDS,C=LOCAL" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="cn" />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</providers>
</membership>
c. Locate the <roleManager> entry and Replace everything from <roleManager> to </roleManager> with the following XML
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<clear />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sp2010.gpso365.com" port="389" useSSL="false" groupContainer="CN=WPSCN,O=SPADLDS,C=LOCAL" groupNameAttribute="cn" groupMemberAttribute="member" dnAttribute="distinguishedName" userNameAttribute="userPrincipalName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=user)" scope="Subtree" />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</providers>
</roleManager>
Changes to the newly created claims based web application is done. Save the web.config file.
Step8: Central Admin Web Application
Update Central Admin Web Application web.config file (to find central admin web.config – go to the IIS, select central admin, and click Explore to find contents)
a. Replace the <PeoplePickerWildcards> entry with following XML
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*" />
<add key="LdapRole" value="*" />
</PeoplePickerWildcards>
b. Search for <system.web> and add the below code below it. By default, there should be 1 blank Membership or RoleManager entry. Double check whether the <membership> and <rolemanager> entries only exist ones. Remove any double entries.
<membership defaultProvider="i">
<providers>
<clear />
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="sp2010.gpso365.com"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="userPrincipalName"
userContainer="CN=WPSCN,O=SPADLDS,C=LOCAL"
userObjectClass="user"
userFilter="(ObjectClass=user)"
scope="Subtree"
otherRequiredUserAttributes="cn" />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</providers>
</membership>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<clear />
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="sp2010.gpso365.com"
port="389"
useSSL="false"
groupContainer="CN=WPSCN,O=SPADLDS,C=LOCAL"
groupNameAttribute="cn"
groupMemberAttribute="member"
dnAttribute="distinguishedName"
userNameAttribute="userPrincipalName"
groupFilter="(ObjectClass=group)"
userFilter="(ObjectClass=user)"
scope="Subtree" />
<add applicationName="/"
name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Step9 : Modify STS web.config file : From the IIS, select the SecurityTokenServiceApplication under SharePoint Web Services and click Explore – it should take you to the C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
- Find the </system.net> entry and add the following XML directly below it
<system.web>
<membership defaultProvider="i">
<providers>
<clear />
<add name="LdapMember"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="sp2010.gpso365.com"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="userPrincipalName"
userContainer="CN=WPSCN,O=SPADLDS,C=LOCAL"
userObjectClass="user"
userFilter="(ObjectClass=user)"
scope="Subtree"
otherRequiredUserAttributes="cn" />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true">
<providers>
<clear />
<add name="LdapRole"
type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
server="SP2010.gpso365.com"
port="389"
useSSL="false"
groupContainer="CN=WPSCN,O=SPADLDS,C=LOCAL"
groupNameAttribute="cn"
groupMemberAttribute="member"
dnAttribute="distinguishedName"
userNameAttribute="userPrincipalName"
groupFilter="(ObjectClass=group)"
userFilter="(ObjectClass=user)"
scope="Subtree" />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</providers>
</roleManager>
</system.web>
All the coding part is done!!...
Step10 : Go to your Central Adminstration Site and refresh it. It might take couple of seconds to refresh as the web.config file is being read. Once successfully refreshed, go to Manage web applications and choose the web application that was created for ADLDS authentication (the newly created claims based web application). Click on User Policy in the Ribbon
Click on Add Users and you will see the next screen
Click next
Under the users box, click on browse symbol to search for users.
As you see all the three users are being displayed in the search results. Choose the user and click Add and then click OK.
Give the user Full Control permission and click Finish.
Step11: Go to the newly created site collection in the claims based web application. In my case the URL is https://sp2010 . You will see the Sign-In Page displayed.
Hit the drop down and choose Form Based Authentication.
& enter the username and password of the user to whom Full Control permission was given . In our case its WPSCNAdmin User.
Click Sign-In and SharePoint will contact ADLDS in the background to check if the username and password matches. Only if it matches, then the ADLDS user is given access to SharePoint Site.
Thats it!!... User is able to Log in and since we have given him Full Control he will be able to give other required access to the site.
Thanks for Reading this article... Hope it was helpful!!..
Cheers!!...