blog community
Welcome to blog community Sign in | Join | Help
in Search
Home Blogs Photos Downloads

Portals & Integration blog

Robert te Kaat and Bart Gunneman on Office, SharePoint, Team System and other random .NET related stuff :)

Step-by-Step guide, installing AD Provider on WSS v3

During the Sharepoint development courses I often get the question how to use Forms Authentication. There are a lot of walkthroughs available on the net telling you how to use FA combined with a SQL Server DB, but it's also possible to do FA against your own Active Directory.

This blogpost described just how you would accomplish such a thing. For those of you who have a demo installation like I described in the setup post (click here), this is also build using the same installation.

Step 1: Change web.config for Central Administration

Add between </authorization> and <httpModules> the following tags: 

<membership>
    <providers>
    <add name="ADProvider" 
    type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web, 
    Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" 
    connectionStringName="ADServices" />
    </providers>
</membership>

Add between the </system.web> and <runtime> the following tags: 

<connectionStrings> 
    <add connectionString="LDAP://bartg03_moss.moss.contoso.com/OU=contoso users,
		DC=moss,DC=contoso,DC=com" name="ADServices" /> 
</connectionStrings>

This contains the LDAP connectionstring where the users are stored

  • Start Central Administration, Browse to the Application Management page.
  • Click on ‘Authentication providers’
  • Select the Web Application which needs to be AD provider enabled
  • Click on ‘Default’
  • Select ‘Forms’ as Authentication type
  • Type ‘ADProvider’ as Authentication Provider (Case sensitive!!)

  • Set Enable Client Integration to ‘No’ (client integration only works with Windows authentication’
  • Select ‘Save’
  • Select ‘Site Collection Administrators’ from the ‘Application management’ tab on Central Administration
  • Select the AD Provider enabled web application and add a new site administrator here.
  • Open the web.config file from the Web Application which needs to be AD provider enabled
  • Add between </authorization> and <httpModules> the following tags:

 

<membership defaultProvider="ADProvider">
    <providers>
        <add name="ADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADServices" />
    </providers>
</membership>

Add between the </system.web> and <runtime> the following tags: 
<connectionStrings> 
<add connectionString="LDAP://bartg03_moss.moss.contoso.com/OU=contoso users,DC=moss,
DC=contoso,DC=com" name="ADServices" /> 
</connectionStrings>

This contains the LDAP connectionstring where the users are stored

Last step:

Log on to the AD provided web application using your AD Credentials.

You can set up a lot more information using the ActiveDirectoryMembershipProvider, check http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx for more information.

Published Monday, May 07, 2007 10:09 AM by Bart Gunneman

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

" + title + " said:

PingBack from http://www.virtual-generations.com/2007/05/08/sharepoint-2007-link-love-5-8-2007/

May 8, 2007 10:19 AM
 

Oskar Austegard said:

Interesting - but why?  Under what scenario would you want to use forms auth (and not NTLM/Kerberos) against AD?  Curious....

May 11, 2007 6:04 PM
 

Bart Gunneman said:

why? Well, we use WSS in a hosted environment. This means multiple clients on the same AD. We would like to have our clients log on by using there SPN adress instead of the usual acocuntname. This way, you can.

And by using the AD Provider, I can specifically target a single OU or container in the AD to authenticate against per Web Application.

Hope this clarifies it a bit.

May 11, 2007 9:01 PM
 

Barend said:

I have 2 problems. One is that when I add the membership part to the web.config my SharePoint Services v3 site gives an error. The second is I'm not sure how I fill the LDAP connection string exactly.

When I remove the <membership> part from the web.config of my site where I want forms authentication I can see the loginform.

Any idea?

October 19, 2007 12:34 PM
 

Bart Gunneman said:

Barend,

The web.config file is case sensitive so make sure it is absolutely the same. Also, copy-pasting directly from a web-page could lead to incorrect characters inserted in the web.config. First, paste it into notepad, from there copy-paste it into the web.config.

I cannot help you with your second problem, this LDAP string is different for each AD. Mine looks like this:

LDAP://bartg03_moss.moss.contoso.com/OU=TESTUSERS,DC=MOSS,DC=CONTOSO,DC=COM

Good luck!

Bart

October 19, 2007 12:38 PM
 

Indranil said:

Thanks, it really helps to find out exact error

November 19, 2007 8:32 AM
 

Sharepoint user said:

Thank you for this article.

For me everything works fine.

I was able to add users from AD to my sharepoint group,

but I was not able to find AD group even it is inside users directory.

January 29, 2008 10:16 PM
 

EJ said:

Bart,

Thanks for putting this together! I have been looking for detailed instructions on how to setup FBA with AD membership provider.

I am running into an error when trying to add a site collection administrator. The people picker cannot seem to find any users.

Any help would be greatly appreciated!

Thanks,

EJ

February 2, 2008 6:21 AM
 

Robby said:

Hello, I have been able to successfully hook up the ActiveDirectoryMembershipProvider and my site successfully uses forms authentication.  However, I cannot find out how to add security groups to my sharepoint groups.  I can add AD users all day long, but it never sees security groups.  How do I add security groups?

Thanks a ton,

Robby

February 6, 2008 6:35 PM
 

Sharepoint user said:

Hi Robby

I was having same problem.

If you find the solution please post here.

I will do the same.

Thanks

February 7, 2008 6:53 PM
 

shekhar said:

I am sucessfully able to configure form based authentication with active doirectory using LDAP , but my site link doen't come up when i logged in into the webapplication with form based authentication using AD users.

February 25, 2008 10:21 AM
 

hotman said:

I am sucessfully able to configure form based authentication with active doirectory using LDAP , but my site link doen't come up when i logged in into the webapplication with form based authentication using AD users

February 27, 2008 1:38 PM
 

Mat said:

Hi, just a follow-up to a couple of the requests above. I have also managed to get FBA working with the AD provider, but I also need to access security groups.

I've tried adding a roleManager using the Windows ASP provider, but that doesn't work.

Any ideas?

June 18, 2008 3:14 PM
 

george mathews said:

hi...

I'm not sure how I fill the LDAP connection string exactly.

can someone describe what exactly each field is? what should be entered here::::

LDAP://bartg03_moss.moss.contoso.com/OU=TESTUSERS,DC=MOSS,DC=CONTOSO,DC=COM

supposing i use an ip instead of a site name, what should be my OU,DC???

someone kindly help me out.

Thanx.

November 5, 2008 1:53 PM
 

Bart Gunneman said:

Hi George,

an LDAP connection is set up like: LDAP://<machinename>/<Active directory structure> so you should have a look in your Active Directory to determin which OU, DC you should use.

Regards,

Bart

November 5, 2008 2:06 PM
 

george mathews said:

Thanx a lot Bart.

Will ask you if i face any other problem.

November 5, 2008 5:40 PM
 

george mathews said:

hi...

Inside Policy for web application, i need to add users. so, when I click on browse directory icon, i need to enter the user names which i need to add right?

what is the format in which i need enter the user name?

is it anything like            membershipprovidername:username    or    just the username or is there anything else?

kindly help me out.

thanx.

November 6, 2008 12:10 PM

Leave a Comment

(required) 
(optional)
(required) 
Submit

This Blog

Syndication

Recent Posts

Tags

News

Contact

Bart's online status:
If I am online, click to send me a message!
(No messenger needed)

Blog Information Profile for bartg

Quick links

Creating a MOSS / Office Demo setup
Using a AD provider on WSS v3

Stats



Statcounter:

Interesting blogs

Links

Archives
Powered by Community Server, by Telligent Systems