
During the SharePoint development courses I teach, I often get the question how to use Forms Authentication (FA). There are a lot of walkthroughs available on the net telling you how to use FA combined with a SQL Server database, but it's also possible to do FA against your own Active Directory.
This blog post describes just how you would accomplish such a thing. For those of you who have a demo installation like the one I described in the setup post (click here), this is also built using the same installation.
Step 1: Change web.config for Central Administration
Add between </authorization> and <httpModules> the following tags:
<membership>
  <providers>
    <add name="ADProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADServices" />
  </providers>
</membership>
Add between the </system.web> and <runtime> the following tags:
<connectionStrings>
  <add name="ADServices"
       connectionString="LDAP://bartg03_moss.moss.contoso.com/OU=contoso users,DC=moss,DC=contoso,DC=com" />
</connectionStrings>
This contains the LDAP connection string pointing at the server and the container (OU) where the users are stored. The connectionStringName on the provider must match the name given here exactly.
- Start Central Administration and browse to the Application Management page.
- Click on ‘Authentication providers’.
- Select the web application that needs the AD provider enabled.
- Click on ‘Default’.
- Select ‘Forms’ as Authentication type.
- Type ‘ADProvider’ as Membership provider name (case sensitive: it must match the name in web.config exactly).
- Set Enable Client Integration to ‘No’ (client integration only works with Windows authentication).
- Select ‘Save’.
- Select ‘Site Collection Administrators’ from the ‘Application management’ tab on Central Administration.
- Select the AD provider enabled web application and add a new site collection administrator here.
- Open the web.config file of the web application that needs the AD provider enabled.
- Add between </authorization> and <httpModules> the following tags (the same provider definition as in Central Administration):
<membership>
  <providers>
    <add name="ADProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADServices" />
  </providers>
</membership>
- Add between the </system.web> and <runtime> the following tags:
<connectionStrings>
  <add name="ADServices"
       connectionString="LDAP://bartg03_moss.moss.contoso.com/OU=contoso users,DC=moss,DC=contoso,DC=com" />
</connectionStrings>
This contains the LDAP connection string pointing at the server and the container (OU) where the users are stored; it must be identical to the one in the Central Administration web.config.
Last step:
Log on to the AD provider enabled web application using your AD credentials.
You can configure a lot more using the ActiveDirectoryMembershipProvider (for example which attribute is used as the username, or a dedicated account to bind to the directory); check http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx for more information.
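The two web.config edits above and the LDAP connection string are the places where this setup usually goes wrong (the provider name and the connectionStringName are case sensitive, and the LDAP string has to carry both a server and a distinguished name). The following Python checker is an added example, not part of the original post and not SharePoint or ASP.NET code: it parses a web.config, verifies that the provider entry, the connection string and the name typed into Central Administration are consistent, and splits the LDAP path into its server and OU/DC parts, which is also the question the comments below keep asking. The sample web.config is constructed from the snippets in the post; the surrounding <configuration> skeleton, the Forms <authentication> element and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

PROVIDER_TYPE = "System.Web.Security.ActiveDirectoryMembershipProvider"

# Constructed sample web.config: the <membership> and <connectionStrings> parts are the
# post's own snippets; the surrounding skeleton and the Forms <authentication> element
# are assumptions about what SharePoint leaves in the file after the Central Admin step.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <membership>
      <providers>
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADServices" />
      </providers>
    </membership>
  </system.web>
  <connectionStrings>
    <add name="ADServices"
         connectionString="LDAP://bartg03_moss.moss.contoso.com/OU=contoso users,DC=moss,DC=contoso,DC=com" />
  </connectionStrings>
</configuration>
"""

_LDAP_RE = re.compile(r"^LDAP://([^/]+)/(.+)$", re.IGNORECASE)


def parse_ldap_path(conn):
    """Split 'LDAP://<server>/<distinguished name>' into server and RDN list.

    Returns {"server": str, "rdns": [(attribute, value), ...]}; raises ValueError
    when the string is not in that shape or the DN has no DC= components.
    """
    m = _LDAP_RE.match(conn.strip())
    if not m:
        raise ValueError("expected LDAP://<server>/<DN>, got %r" % conn)
    server, dn = m.group(1), m.group(2)
    rdns = []
    # Split on commas that are not escaped with a backslash (RFC 4514 escaping).
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        attr, value = part.split("=", 1)
        if not value.strip():
            raise ValueError("empty value in RDN %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    if not any(attr == "DC" for attr, _ in rdns):
        raise ValueError("DN has no DC= components (the domain is missing): %r" % dn)
    return {"server": server, "rdns": rdns}


def check_web_config(xml_text, expected_provider):
    """Return a list of problems; an empty list means the config is consistent.

    expected_provider is the provider name typed into Central Administration,
    which must match the web.config entry character for character.
    """
    problems = []
    root = ET.fromstring(xml_text)

    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        problems.append("system.web/authentication mode is not 'Forms'")

    providers = root.findall("./system.web/membership/providers/add")
    if not providers:
        problems.append("no <membership><providers><add ...> entry found")
        return problems

    conn_strings = {a.get("name"): a.get("connectionString", "")
                    for a in root.findall("./connectionStrings/add")}

    for p in providers:
        name = p.get("name", "")
        ptype = p.get("type", "")
        cs_name = p.get("connectionStringName", "")
        if name != expected_provider:
            if name.lower() == expected_provider.lower():
                problems.append("provider name %r differs only in case from %r "
                                "typed in Central Administration" % (name, expected_provider))
            else:
                problems.append("provider name %r does not match %r" % (name, expected_provider))
        # The type attribute is assembly-qualified; only the class part is compared here.
        if ptype.split(",")[0].strip() != PROVIDER_TYPE:
            problems.append("provider %r has type %r, expected %s" % (name, ptype, PROVIDER_TYPE))
        if cs_name not in conn_strings:
            near = [n for n in conn_strings if n.lower() == cs_name.lower()]
            hint = " (case mismatch with %r)" % near[0] if near else ""
            problems.append("connectionStringName %r not found in <connectionStrings>%s" % (cs_name, hint))
            continue
        try:
            parse_ldap_path(conn_strings[cs_name])
        except ValueError as exc:
            problems.append("connection string %r: %s" % (cs_name, exc))
    return problems


if __name__ == "__main__":
    report = check_web_config(SAMPLE_WEB_CONFIG, "ADProvider")
    print("\n".join(report) if report else "web.config looks consistent")
```

Run it against a real web.config by reading the file into check_web_config with the provider name you entered in Central Administration; a non-empty report names the mismatch (wrong case, missing connection string, or an LDAP path without a server or DC= part) before you hit the generic error page SharePoint shows for a broken membership section.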
17 comments
Interesting – but why? Under what scenario would you want to use forms auth (and not NTLM/Kerberos) against AD? Curious….
Oskar Austegard
Why? Well, we use WSS in a hosted environment. This means multiple clients on the same AD. We would like to have our clients log on by using their SPN address instead of the usual account name. This way, you can.
And by using the AD Provider, I can specifically target a single OU or container in the AD to authenticate against per Web Application.
Hope this clarifies it a bit.
bartg
I have 2 problems. One is that when I add the membership part to the web.config my SharePoint Services v3 site gives an error. The second is I’m not sure how I fill the LDAP connection string exactly.
When I remove the part from the web.config of my site where I want forms authentication I can see the loginform.
Any idea?
Barend
Barend,
The web.config file is case sensitive, so make sure it is absolutely the same. Also, copy-pasting directly from a web page could lead to incorrect characters being inserted in the web.config. First paste it into Notepad, and from there copy-paste it into the web.config.
I cannot help you with your second problem, this LDAP string is different for each AD. Mine looks like this:
LDAP://bartg03_moss.moss.contoso.com/OU=TESTUSERS,DC=MOSS,DC=CONTOSO,DC=COM
Good luck!
Bart
bartg
Thanks, it really helps to find out the exact error.
Indranil
Thank you for this article.
For me everything works fine.
I was able to add users from AD to my sharepoint group,
but I was not able to find an AD group even though it is inside the users directory.
Sharepoint user
Bart,
Thanks for putting this together! I have been looking for detailed instructions on how to setup FBA with AD membership provider.
I am running into an error when trying to add a site collection administrator. The people picker cannot seem to find any users.
Any help would be greatly appreciated!
Thanks,
EJ
EJ
Hello, I have been able to successfully hook up the ActiveDirectoryMembershipProvider and my site successfully uses forms authentication. However, I cannot find out how to add security groups to my sharepoint groups. I can add AD users all day long, but it never sees security groups. How do I add security groups?
Thanks a ton,
Robby
Robby
Hi Robby
I was having same problem.
If you find the solution please post here.
I will do the same.
Thanks
Sharepoint user
I am successfully able to configure form based authentication with Active Directory using LDAP, but my site link doesn't come up when I log in to the web application with form based authentication using AD users.
shekhar
I am successfully able to configure form based authentication with Active Directory using LDAP, but my site link doesn't come up when I log in to the web application with form based authentication using AD users.
hotman
Hi, just a follow-up to a couple of the requests above. I have also managed to get FBA working with the AD provider, but I also need to access security groups.
I’ve tried adding a roleManager using the Windows ASP provider, but that doesn’t work.
Any ideas?
Mat
Hi,
I'm not sure how I fill the LDAP connection string exactly.
Can someone describe what exactly each field is? What should be entered here:
LDAP://bartg03_moss.moss.contoso.com/OU=TESTUSERS,DC=MOSS,DC=CONTOSO,DC=COM
Supposing I use an IP instead of a site name, what should be my OU, DC?
Someone kindly help me out.
Thanks.
george mathews
Hi George,
An LDAP connection is set up like LDAP:///, so you should have a look in your Active Directory to determine which OU and DC you should use.
Regards,
Bart
bartg
Thanks a lot Bart.
Will ask you if I face any other problem.
george mathews
Hi,
Inside Policy for web application, I need to add users. So, when I click on the browse directory icon, I need to enter the user names which I need to add, right?
What is the format in which I need to enter the user name?
Is it anything like membershipprovidername:username, or just the username, or is there anything else?
Kindly help me out.
Thanks.
george mathews
George, you can just type the username; it should show two users:
One being
the other being
Emma