Thursday, March 1, 2012

How to set up FBA Claims in SharePoint 2010 with the AD Membership Provider

In this post I am going to explain how to set up claims-based forms authentication (FBA) in SharePoint 2010 with the ActiveDirectoryMembershipProvider, so that users sign in through a forms login with their Active Directory credentials instead of Windows integrated authentication.

There are several posts that describe config changes and other entries to achieve this, but after following at least ten of them I was still stuck. I have finally figured out the sequence of steps that produces the desired result, and that sequence is what follows.

Step 1: Create a web application in Claims Based Authentication mode. In Central Administration go to Manage web applications and create a new web application, choosing Claims Based Authentication.
In the identity providers section you can enable Windows authentication alongside Forms. For testing purposes I started with both Windows (NTLM) and Forms enabled.
Under the forms authentication option, enter the name of your membership provider. I am using the name 'admembers'. This name must match, character for character, the name attribute of the provider you add to the three web.config files in Step 2; a mismatch here is the usual reason the people picker later finds no forms users.

Step 2: Next you need to make changes in three web.config files:
1. Web config of Central Admin.
2. Web config of your newly created web application.
3. Web config of STS (Security Token Service) application.

Open the web.config of Central Admin and add the entries below.
First the connection string, directly under <configuration> (outside <system.web>):

<connectionStrings>
  <add name="adconn" connectionString="LDAP://logimindz.net/CN=Users,DC=logimindz,DC=net" />
</connectionStrings>

The connection string has the form LDAP://<DNS name of the domain>/<distinguished name of the container to search>, for example LDAP://abc.com/CN=Users,DC=abc,DC=com. Change it to match your organisation's domain and the OU that holds your users. Unless you add explicit connectionUsername and connectionPassword attributes to the provider, it binds to this path as the application pool identity, so that account needs read access to the container.
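Before editing any web.config it is worth confirming that the LDAP path and the sAMAccountName mapping actually resolve from the SharePoint server, under the account the application pool runs as. The following PowerShell is an added check and is not part of the original post: it binds to the container from the connection string through System.DirectoryServices (the same API the provider uses) and looks up a user by sAMAccountName, which is what attributeMapUsername="sAMAccountName" makes the provider do at login. The LDAP path and the test user name are placeholders to replace.

```powershell
# Added example: validate an ActiveDirectoryMembershipProvider connection string
# before wiring it into SharePoint. Run on the SharePoint server, ideally as the
# application pool account, since the provider binds as that identity unless
# connectionUsername/connectionPassword are set in web.config.
# $LdapPath and $SamAccountName are placeholders (assumptions), not values from the post.
param(
    [string]$LdapPath = "LDAP://logimindz.net/CN=Users,DC=logimindz,DC=net",
    [string]$SamAccountName = "testuser"
)

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 filter metacharacters so a crafted name cannot alter the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-AdMembershipPath {
    param([string]$Path, [string]$User)

    # Bind to the container named in the connection string. A wrong DN, a wrong
    # domain name or a missing read permission all surface here as an exception.
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path)
    try {
        $null = $root.NativeObject   # forces the bind
    } catch {
        return [pscustomobject]@{ Bound = $false; Found = $false; Error = $_.Exception.Message }
    }

    # Search the container for the user by the attribute the provider maps the
    # login name to. Subtree scope mirrors what the provider does when
    # enableSearchMethods="true" and the people picker searches through it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safeUser = ConvertTo-LdapFilterValue $User
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeUser))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("userPrincipalName")
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        return [pscustomobject]@{ Bound = $true; Found = $false; Error = "No user with sAMAccountName '$User' under $Path" }
    }
    [pscustomobject]@{
        Bound             = $true
        Found             = $true
        DistinguishedName = [string]$result.Properties["distinguishedName"][0]
        UserPrincipalName = [string]$result.Properties["userPrincipalName"][0]
        Error             = $null
    }
}

$check = Test-AdMembershipPath -Path $LdapPath -User $SamAccountName
$check | Format-List
if (-not $check.Bound) {
    Write-Warning "Fix the connection string (or the account's read permission on the container) before editing web.config."
} elseif (-not $check.Found) {
    Write-Warning "The container binds but the user is not under it; widen the DN (for example to DC=...,DC=...) or test with a user in that OU."
}
```

If the bind fails only when run as the application pool account but works as your own account, the fix is either to grant that account read access to the container or to add connectionUsername and connectionPassword to the provider entry; do not widen the application pool account's AD rights just to make the search work.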

Then the provider, which goes inside <system.web>:

<membership defaultProvider="admembers">
  <providers>
    <add name="admembers"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="adconn"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

enableSearchMethods="true" is what lets the people picker search AD through this provider, and attributeMapUsername="sAMAccountName" lets users log in with their plain account name instead of the UPN.

Make sure the connection string is placed outside the <system.web> section and the provider is placed within <system.web>. If Central Admin's web.config already has a <membership> element, add the <add> entry to its <providers> collection rather than creating a second <membership> element.

Make sure admembers is the default provider on the <membership> tag in Central Admin.

Open the web.config of the web application (IIS Manager shows its physical path under the site's Basic Settings).

First the connection string, directly under <configuration>, exactly as in Central Admin:

<connectionStrings>
  <add name="adconn" connectionString="LDAP://logimindz.net/CN=Users,DC=logimindz,DC=net" />
</connectionStrings>

Next search for 'membership' in the config file. You will find that SharePoint's own claims membership provider is already declared with the name 'i' (the <membership> tag has defaultProvider="i" and an <add name="i" ... /> entry under <providers>). Add the new provider to that same <providers> collection, next to 'i':

<membership defaultProvider="i">
  <providers>
    <!-- the existing <add name="i" ... /> entry stays exactly as it is -->
    <add name="admembers"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="adconn"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

Leave defaultProvider="i" as it is. In a claims web application SharePoint's own provider must stay the default; admembers is referenced by name from the zone's authentication settings in Step 3, not by being the default.

Save and close the web.config.

Open the web.config of the Security Token Service (STS):

You can reach it in two ways. In IIS Manager (inetmgr) expand Sites > SharePoint Web Services > SecurityTokenServiceApplication, right-click it, choose Explore and open web.config.
Or open it directly from C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config.

First add the connection string, directly under <configuration>:

<connectionStrings>
  <add name="adconn" connectionString="LDAP://logimindz.net/CN=Users,DC=logimindz,DC=net" />
</connectionStrings>

Then add the provider entry. The STS web.config has no <system.web> section by default, so you will need to add the whole chain of tags (system.web, membership, providers, add) under <configuration>:

<system.web>
  <membership>
    <providers>
      <add name="admembers"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="adconn"
           enableSearchMethods="true"
           attributeMapUsername="sAMAccountName" />
    </providers>
  </membership>
</system.web>

This entry is the one most often forgotten. The STS is the process that validates the forms credentials against AD and issues the claims token, so without it the people picker (which runs in the web application) can resolve users while the actual forms login still fails.

Next run iisreset so that all three applications reload their web.config.
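The three edits above are the same two fragments applied to three files, with only the defaultProvider handling differing (admembers in Central Admin, 'i' left alone in the web application, none in the STS). The following PowerShell is an added example, not the post's own procedure: it applies the edits through the XML DOM so that placement (connectionStrings under <configuration>, the provider under system.web/membership/providers) comes out the same in every file, creates the missing <system.web> chain in the STS web.config, backs each file up first and skips entries that already exist. The two IIS virtual-directory paths are placeholders you must take from IIS Manager on your server; the STS path is the standard one.

```powershell
# Added example: apply the Step 2 web.config edits with the XML DOM instead of by hand.
# Run as a farm administrator. The Central Admin and web application paths below are
# placeholders (assumptions): take the real physical paths from IIS Manager.
$ProviderName = "admembers"
$ConnName     = "adconn"
$LdapPath     = "LDAP://logimindz.net/CN=Users,DC=logimindz,DC=net"
$ProviderType = "System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

$Targets = @(
    @{ Name = "CentralAdmin"; Path = "C:\inetpub\wwwroot\wss\VirtualDirectories\centraladmin-port\web.config"; DefaultProvider = $ProviderName },  # placeholder path
    @{ Name = "WebApp";       Path = "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config";                DefaultProvider = "i" },            # placeholder path; 'i' must stay default
    @{ Name = "STS";          Path = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"; DefaultProvider = $null }
)

function Get-OrAddElement {
    # Return the child element $Name of $Parent, creating it if it does not exist yet.
    param([System.Xml.XmlElement]$Parent, [string]$Name)
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) { $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $child
}

function Add-AdMembershipProvider {
    param([string]$WebConfig, [string]$DefaultProvider)

    Copy-Item $WebConfig "$WebConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a rollback copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfig)
    $cfg = $xml.DocumentElement   # <configuration>

    # connectionStrings lives directly under <configuration>, never inside <system.web>.
    $cs = Get-OrAddElement $cfg "connectionStrings"
    if ($null -eq $cs.SelectSingleNode("add[@name='$ConnName']")) {
        $add = $xml.CreateElement("add")
        $add.SetAttribute("name", $ConnName)
        $add.SetAttribute("connectionString", $LdapPath)
        [void]$cs.AppendChild($add)
    }

    # The provider goes under system.web/membership/providers. The STS web.config has
    # no <system.web> at all, so each level is created on demand.
    $sysWeb     = Get-OrAddElement $cfg "system.web"
    $membership = Get-OrAddElement $sysWeb "membership"
    $providers  = Get-OrAddElement $membership "providers"
    if ($null -eq $providers.SelectSingleNode("add[@name='$ProviderName']")) {
        $p = $xml.CreateElement("add")
        $p.SetAttribute("name", $ProviderName)
        $p.SetAttribute("type", $ProviderType)
        $p.SetAttribute("connectionStringName", $ConnName)
        $p.SetAttribute("enableSearchMethods", "true")
        $p.SetAttribute("attributeMapUsername", "sAMAccountName")
        [void]$providers.AppendChild($p)
    }
    # Only touch defaultProvider where the post says to; the web application keeps "i".
    if ($DefaultProvider) { $membership.SetAttribute("defaultProvider", $DefaultProvider) }

    $xml.Save($WebConfig)
    "$WebConfig updated: provider '$ProviderName' -> connection '$ConnName', defaultProvider='$($membership.GetAttribute('defaultProvider'))'"
}

foreach ($t in $Targets) {
    if (-not (Test-Path $t.Path)) { Write-Warning "$($t.Name): $($t.Path) not found, skipping"; continue }
    Add-AdMembershipProvider -WebConfig $t.Path -DefaultProvider $t.DefaultProvider
}
iisreset
```

Because the script only adds entries that are not already present, it can be re-run safely after a failed attempt; diff each web.config against its .bak copy afterwards to confirm that nothing else moved.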

Step 3: Wire the provider up to the web application

1. In Central Administration go to Manage web applications, select your web application and click 'Authentication Providers' in the ribbon.
2. Click the 'Default' zone and go to the identity providers section.
3. Tick 'Enable Forms Based Authentication (FBA)' and type the name of your membership provider (admembers) in the 'ASP.NET Membership provider name' box, exactly as it appears in the web.config files. Leave the role manager name empty unless you have also configured a role provider, which this post does not.

Step 4: Add users for the web application

1. Select your web application.
2. Click 'User Policy' in the ribbon, then 'Add Users'.
3. Click the browse (address book) button next to the people picker box.
4. Notice the dialog has changed: there are now sections such as 'Active Directory', 'All Users', 'Forms Auth' and 'Organizations'.
5. Type an AD user name and search.
6. There should be two results for the same user, one resolved through NTLM (Windows) and one through Forms Auth (your admembers provider). Select the user from the Forms Auth result and click Finish. The two results are different principals to SharePoint (the Windows identity is encoded as i:0#.w|domain\user, the forms identity as i:0#.f|admembers|user), so a policy or permission granted to one does not apply to the other. If the Forms Auth section comes back empty or with an error, the provider name in Step 3 does not match the web.config entries or the LDAP path is wrong.

Step 5: Create the top-level site in the web application

Now create the desired top-level site collection in the web application. When you browse to it you will be offered two sign-in options, Windows Authentication and Forms Based Authentication.

You can keep both, or disable Windows authentication in the web application's Authentication Providers settings to get a forms-only login. Before turning Windows authentication off, make sure at least one forms user (added as in Step 4) holds Full Control through a user policy; otherwise you will have to go back to Central Administration to re-enable Windows authentication before anyone can administer the site again.
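Steps 3 to 5 are done through the Central Administration UI in the post. The following PowerShell is an added example, not part of the original, for checking the result from the SharePoint 2010 Management Shell and for granting the forms identity a user policy without the people picker: it confirms the zone is claims-based, that the forms provider bound to the zone names the same membership provider that the web application's web.config declares (the 'admember' versus 'admembers' mismatch from Step 1), and then adds a policy for the encoded forms claim. The web application URL and user name are placeholders, and building the forms claim with New-SPClaimsPrincipal -Identity "provider:user" -IdentityType FormsUser is my reading of that cmdlet, not something the post states.

```powershell
# Added example: verify Step 3 against Step 2 and add a forms user policy (Step 4)
# from PowerShell. Run in the SharePoint 2010 Management Shell as a farm administrator.
# $WebAppUrl and $SamAccountName are placeholders (assumptions), not values from the post.
param(
    [string]$WebAppUrl      = "http://portal.logimindz.net",
    [string]$ProviderName   = "admembers",
    [string]$SamAccountName = "testuser"
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa   = Get-SPWebApplication $WebAppUrl
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$iis  = $wa.IisSettings[$zone]

# 1. The web application must be claims-based, and the zone must carry a forms
#    provider whose membership provider name matches what web.config declares.
if (-not $wa.UseClaimsAuthentication) {
    throw "$WebAppUrl is a classic-mode web application; recreate it in Claims Based Authentication mode (Step 1)."
}
$fba = $iis.ClaimsAuthenticationProviders |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPFormsAuthenticationProvider] }
if ($null -eq $fba) { throw "No forms provider on the $zone zone; complete Step 3 first." }
if ($fba.MembershipProvider -ne $ProviderName) {
    throw "The zone references membership provider '$($fba.MembershipProvider)' but web.config declares '$ProviderName'."
}

# 2. The same name must be declared under system.web/membership/providers in the
#    web application's own web.config (Step 2), next to SharePoint's provider 'i'.
$webConfig = Join-Path $iis.Path.FullName "web.config"
[xml]$cfg = Get-Content $webConfig
$declared = $cfg.configuration.'system.web'.membership.providers.add |
    Where-Object { $_.name -eq $ProviderName }
if ($null -eq $declared) { throw "Provider '$ProviderName' is not declared in $webConfig" }
if ($cfg.configuration.'system.web'.membership.defaultProvider -ne "i") {
    Write-Warning "defaultProvider in $webConfig is not 'i'; the web application should keep SharePoint's provider as default."
}

# 3. Grant the forms identity a user policy. The forms claim is a different principal
#    from the Windows one (i:0#.f|provider|user versus i:0#.w|domain\user), so a policy
#    on the Windows identity does not admit the same person through the forms login.
$principal = New-SPClaimsPrincipal -Identity "${ProviderName}:$SamAccountName" -IdentityType FormsUser
$encoded   = $principal.ToEncodedString()     # expected shape: i:0#.f|admembers|testuser
if ($wa.Policies | Where-Object { $_.UserName -eq $encoded }) {
    "Policy already present for $encoded"
} else {
    $policy = $wa.Policies.Add($encoded, "$SamAccountName (forms)")
    $policy.PolicyRoleBindings.Add(
        $wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
    $wa.Update()
    "Added Full Read policy for $encoded on the $zone zone of $WebAppUrl"
}
```

Full Read is used deliberately for the test user; give Full Control only to the one forms account you intend to use as a break-glass administrator before disabling Windows authentication, and keep that policy scoped to the zone you actually expose.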
