Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010

Today I worked on configuring forms based authentication for SharePoint 2010. Using forms based authentication automatically means using claims based authentication in Sharepoint 2010.
I tried using both an LDAP provider and a SQL provider. My initial goal was to get them both working in the same environment, but after a lot of hours of staring at XML in web.config files I gave up on that one. Instead I created separate environments for using LDAP and SQL providers. Because of this I will also write two separate blog posts. This one will explain how to set up forms based authentication while using an LDAP provider.
If you want to configure forms based authentication for use with a SQL provider check out my other post here.

Using an LDAP provider with forms based authentication means that users will use their Windows or AD account to log in. However, because forms based authentication will be used they don’t get the usual popup, but they will use a sign-in page to log in.

These are the steps you will need to take to set it up:

Create a new web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Click New
  • Select Claims Based Authentication
  • Identity Providers
         * Check the Enable Windows Authentication box or you won’t be able to crawl the site
         * Check the Enable ASP.NET Membership and Role Provider checkbox
              * In the Membership provider name edit box, type LdapMember
              * In the Role provider name edit box, type LdapRole

 CreateWebAppLdap


Create a new site collection

  • Go to Central Administration
  • Go to Application Management
  • Click Create site collections
  • Select the newly created web application
  • Fill in a name and select a template

Adjust the web.config of the Central Administration site

  • Open the Central Administration site's web.config file
  • Find the <system.web> entry
  • Paste the following XML directly below it
<membership>
   <providers>
      <add name="LdapMember" 
         type="Microsoft.Office.Server.Security.LdapMembershipProvider,
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> </providers> </membership> <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" > <providers> <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider,
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" /> </providers> </roleManager>
  • In the above XML the server tag is the server name of the domain controller. The user and group containers are the containers in AD where the users and groups you want to use for authentication reside. If you don’t know what the path to your container is, but you do have access to AD you can find out what the container is.
    • Go to the domain controller
    • Open Active Directory Users and Computers
    • Select a user or a group in the container
    • Right click and select All Tasks => Resultant Set Of Policy (Planning)
    • Click the browse button next to Container and select the container
    • This will give you the path to the container
  • Double check whether the <membership> and <rolemanager> entries only exist ones. Delete any double entries.
  • Paste the following XML below the <PeoplePickerWildcards> entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*"/>
<add key="LdapRole" value="*"/>

 

Adjust the web.config of the Security Token Service (STS) virtual directory

NB: you will need to make the changes to the Security Token Service virtual directory on each server hosting either Central Administration or the claims based web application

  • Open the Security Token Service (STS) virtual directory's web.config file
  • Find the </system.net> entry
  • Add a <system.web> entry directly below it
  • Paste the following XML directly below the <system.web> entry
<membership>
   <providers>
      <add name="LdapMember" 
         type="Microsoft.Office.Server.Security.LdapMembershipProvider,
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" /> </providers> </membership> <roleManager enabled="true"> <providers> <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider,
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" /> </providers> </roleManager>
  • Add a </system.web> entry directly below it

 

Adjust the web.config of the claims based web application

  • Open the claims based web application's web.config file
  • Locate the <membership> entry
  • Paste the following XML directly below the <Providers> entry
<add name="LdapMember" 
   type="Microsoft.Office.Server.Security.LdapMembershipProvider, 
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=SPUsers,DC=sharepoint,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  • Locate the <roleManager> entry
  • Paste the following XML directly below the <Providers> entry
<add name="LdapRole"
   type="Microsoft.Office.Server.Security.LdapRoleProvider, 
Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c
" server="dc.sharepoint.com" port="389" useSSL="false" groupContainer="OU=SPUsers,DC=sharepoint,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  • Paste the following XML below the PeoplePickerWildcards entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMember" value="*"/>
<add key="LdapRole" value="*"/>


Add a user policy to the web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Select the claims based web application
  • Click on User Policy
  • Click on the Add Users link
  • Click the Next button.
  • Click the Address Book icon.
  • Type in the NT login name or account name and click the search button. If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider.
  • Select the account in the User section and click the Add button
  • Click the OK button
  • Check the Full Control checkbox, then click the Finish button

 addPolicyLdap

 

You can now browse to the web application and log in using forms based authentication.

signin

Select Forms Authentication in the dropdown

 signin3

And fill in the appropriate user name and password.

 

I used the following blog posts to get things working, so I would like to thank Steve, Ali and TechNet :-):

http://blogs.technet.com/speschka/archive/2009/11/05/configuring-forms-based-authentication-in-sharepoint-2010.aspx
http://blogs.msdn.com/alimaz/archive/2009/10/30/configuring-fba-in-sharepoint-server-2010-beta-2.aspx
http://technet.microsoft.com/en-us/library/ee806890(office.14).aspx
Comments -
  1. Gravatar

    Hi. Thanks for a nice article. I have followed the same steps explained above for configuring forms authentication. Everything was working fine. But, my site stopped working suddenly while logging in to the site. I'm getting the error message as "The remote server returned an error: (500) Internal Server Error.". And also i didn't do any configuration changes.

    Any help in this greatly appreciated.

      
  2. Gravatar

    Hi,

    The error you are getting is the friendly HTTP error and doesn't actually tell you what's wrong.
    Try turning off the friendly HTTP errors, so you can see the actual message. Also check the SharePoint logs at c:\program files\common files\microsoft shared\web server extensions\14\logs and the event logs of the server(s) running SharePoint.

    This should at least give you an idea of what's happening.

      
  3. Gravatar

    Hi Mirjam,
    Thanks for your reply and I appriciate your valueble time.

    We are not able to see the error details using ULS Viewer tool.

    And also we are getting "System.IO.InvalidData Exception was thrown." error while running SharePoint Configuration Wizard.

    Regards
    Seva

      
  4. Gravatar

    Hi Mirjam,

    We are discussing this on TechNet Forums here too:

    social.technet.microsoft.com/.../c4c4d2c3-a55b-...

    The user is facing problems with Beta version. By the way, did you use Beta or RTM bits for your above post?

      
  5. Gravatar

    Hi,

    This post was written for the RTM version and not the beta version of SharePoint 2010.

      
  6. Gravatar

    Thank you!!! A Good Post to configure Authentication in 2010

      
  7. Gravatar

    Hi SharePointCheck,

    it allready is the second time I try to make that claims-based authentication work for my SharePoint, but once again it doesn't want to make me happy :-(

    At first I found some error messages related to the declared identity providers in the web.config files. I was able to fix them.

    I am using AD LDS to provide a user store and I assume it is not configured as it should be. I build up the AD LDS as it is written on this page:

    www.bloggersbase.com/.../ad-lds-sharepoint-form...

    My current problem is, that it just doesn't find the users I declared in AD LDS when I search for them via people picker on 'Site Permissions' page.

    I really made everything like you have written here. I am almost falling into despair :-(

    Pleeeeeaaaaaase help.

    Thanks in advance
    Martin

      
  8. Gravatar

    Sorry for the typo...SharePointChick :-)

      
  9. Gravatar

    Mirjam,
    Great Post!! Took the mystery out 2010 FBA. One question on the AD containers. What if my AD organization has users in multiple containers? Can I just add the locations to the config files?

    All the best

    TMc

      
  10. Gravatar

    Hi TMc,

    I'm afraid all users have to be in the same OU. You could of course add the top level OU to the config files, but I can imagine that includes more OUs than you're interested in.

    Mirjam

      
  11. Gravatar
    Jag

    Hi Mirjam,
    Very nice article. I have been working on this for last 4 days and have finally got atleast the people picker working. I am able to see the Ldap members in the people picker and I have given them access to the site. I keep getting Access denied message. It does authenticate the user but denies access.

    A user shows up twice in the people picker. Does SharePoint treat them as two separate users even though they are the same users.

    Can you give your valuable insight please

    Jag

      
  12. Gravatar

    The following is more of a general internet security point, although it's still one to be very mindful of. Make sure that your e- mail address on record for the domain has a secure password that is hard (if not near impossible) to guess. It may seem relatively innocent, although having a weak e- mail address password could be a disaster if someone guesses it- they could then try moving your domain to another registrar and you wouldn't get any of the notification e- mails since your account has been compromised. ...

      
  13. Gravatar

    Hi Jag,

    If you use the same account for Windows authentication and claims based authentication SharePoint will see that one account as two different users. So if you grant the Windows user access and not the claims based one, you should indeed get an access denied message.

    Hope that helps.

    Mirjam

      
  14. Gravatar

    Can anyone confirm this works with SharePoint 2010 FOUNDATION?

    When I do all this I get 500 error and logs point out that Microsoft.Office.Server can't be found. This is the DLL we are referencing in our type attribute and since that DLL is part of MOSS/SharePoint 2010 and not part of WSS/SharePoint 2010 FOUNDATION then how do you use an LDAP provider with SharePoint 2010 FOUNDATION server?

      
  15. Gravatar

    Hi Lew,

    You can do claims based authentication and FBA using the SQL provider with SharePoint Foundation, but you can't use the LDAP provider. As you stated yourself the LDAP provider is part of SharePoint Server. If you want to use LDAP using SharePoint Foundation you will need to write your own LDAP provider.

    Mirjam

      
  16. Gravatar

    Hi Mirjam,
    Thanks for the reply. We have created the SP site and have also configured the alternate access mapping for the site. We plan to have two URL. One for the external users who authenticate using FBA -SQL server and the second one for internal users using LDAP-AD. Incase of SQL server - FBA, I grant access to groups - SQL membership and it works great. But in case of LDAP, my people picker does pick up the people but not the AD security groups.

    I would like to grant access to AD security group using LDAP -FBA instead of granting access to individual users. This would make the site management much easier in future.

    Is this doable or am I missing something.

    Jag


      
  17. Gravatar
    Jag

    I could config seeing the AD-Security groups in Ldap -FBA. I did the following modifications in the web.config
    <add name="LdapMember"
    type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="smdi.com"
    port="389"
    useSSL="false"
    userDNAttribute="distinguishedName"
    userNameAttribute="sAMAccountName"
    userContainer="DC=Company,DC=COM"
    userObjectClass="person"
    userFilter="(|(ObjectCategory=group)(ObjectClass=person))"
    scope="Subtree"
    otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>

    The main change is "userFilter="(|(ObjectCategory=group)(ObjectClass=person))""

    But a user in that AD group cannot access SP site. I get a message - Access denied .

    Jag

      
  18. Gravatar

    I followed the same steps but getting error file not found

      
  19. Gravatar

    Hi Jag,

    There was a problem with the default provider in SharePoint 2007 for LDAP and authenticating users using AD groups. Your story makes me think that this problem might still exist in SharePoint 2010..

      
  20. Gravatar
    Dan

    Mirjam: AWESOME post.

    Have you found a way so that, after configuring FBA, the WELCOME CONTROL (in the upper-right corner of the page) shows a friendly name rather than something like:
    0#.f|LdapMember|Dan ?

      
  21. Gravatar

    Hi Dan,

    Thank you!

    The easiest way to fix the name is by creating a user profile for the user. You can create the profile manually or by using custom code. Filling in a proper name in the profile will (after it’s synced to the site collection of course) fix the name in the welcome control.
    I didn’t test this myself, but I think that if you do a normal user profile sync instead of creating the user profile manually that SharePoint won’t recognize that the synced account is the same account as the claims user account.

    Mirjam

      
  22. Gravatar

    I have tried following the directions here, but I am having a lot of issues. I have tried all of these guides:

    technet.microsoft.com/.../ee806890.aspx#section2

    jaminquimby.com/.../294-sharepoint-2010-and-lda...

    And a third one. I changed the server name to domaincontrollername.domainname.com and set up the OUs accordingly.

    I used to get the 500 error, but now I get the generic sharepoint error.

    Central administration tells me my secure token service isn't running, and my event logs say:
    An exception occurred when trying to issue security token: Could not connect to localhost:32843/.../actas. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:32843. .

    I have been all over the internet, and have several threads on the MSDN forums, which are rarely any help. Does anyone here have any suggestions?

      
  23. Gravatar

    excelent info, keep it coming

      
  24. Gravatar

    I finally got my membership and role providers to work. I can see the users when I go to add users under central administration, so I know my configuration is correct in that regard. However, I still can't authenticate. Central Administration says the security token service is not available, and when I look at my event logs, this seems to be the case. I have tried recycling the application pool, and have been all over the internet. It's looking like I am going to have to call microsoft, and I am really not looking forward to that. Has anyone had any luck with this?

      
  25. Gravatar

    excelent post, keep it coming

      
  26. Gravatar

    Excellent Post!, it helped me in no time to get a proof of concept ready for the client.

    Couple of gotchas though.. when updating the web.config for the Security Token Service virtual directory, make sure you select the correct web.config file, is not straight specified the location, usually is under [...\14\WebServices\SecurityToken]

    Make sure your RESTful (just type http://<your site>/_vti_bin/ListData.svc, you'll either get an error or see something) services are working, if not a patch is needed.

    Other than that PERFECT!

      
  27. Gravatar

    I am not able to find the ADLDS users for add user policy, I have followed all the steps you provided.

      
  28. Gravatar

    Hi Mirjam,

    First of all great post, unfortunatly after following it step by step I don't see any accounts provided by LDAP, I only see my NT Login name (Authentication with that account through the form works fine) Any ideas what could be the cause of not seeing the LDAP accounts?

      
  29. Gravatar

    I have this working for FBA users but when I limit a People Picker field to only pick from a SharePoint Group containing my FBA users then the search for users in people picker does not work. Any idea why this would be the case?

      
  30. Gravatar

    Have you had any problems with the search engine and access denied?

    I have a claims setup and I cannot get my search access user any permissions...for some reason.

      
  31. Gravatar

    Hi,
    I had initially set FBA using ASPNETDB users. I had created a custom login page. Now the LDAP users are not able to login. Only the FBA users are getting logged in.
    Any suggestions on this.

      
  32. Gravatar

    Will your configurations switch the entire farm over to forms authentication or only for the web application. I want wanting to do form auth but only for one web application. Thoughts?

      
  33. Gravatar

    Hi Kipp,

    This will only switch a single web application over to forms based authentication, not the entire farm.

    Mirjam

      
  34. Gravatar
    geo

    Hi,

    I followed step by step your article but i have the following error when i want to authenticate my user:

    Message:
    Unexpected exception occurred, please contact administrator to resolve this issue.

    trace:
    [FaultException`1: Unexpected exception occurred, please contact administrator to resolve this issue.]
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) +1161013
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +73
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +26061068
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
    System.Web.UI.WebControls.Login.AttemptLogin() +152
    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981




    Just more info:
    I can get my users with the user picker for example when i create my collection site, to assign the administrator of my collection, so ldapprovider works fine.
    Next, when i edit a wrong password, the login page informs me of a wrong password. So the autentication works fine to.

    any idea?

    Geo

      
  35. Gravatar
    Kai

    Hi Mirjam

    great Post.

    It works for me perfectly with the forms based authentication. I can add a user from "forms auth". but If I'm searching for particular AD groups, the peoplepicker does only return groups from Active Directory and the "froms auth" is empty. So unfortunately as you stated above these are two different accounts for SharePoint.

    But I do not want to add users to SharePoint, I would like to have only groups there. Any Guess what is wrong?


    Regards

    Kai

      
  36. Gravatar
    Anj

    Hi,
    I have followed all the steps as mentioned but I am not able to see the Form Auth users in the userpolicy step.
    Could you please help.

    Regards,
    Anji

      
  37. Gravatar
    Anj

    in continuation to my previous comment.
    I also donot get the results from the active directory. I get it from Organisations!
    Any clues? please help

      
  38. Gravatar

    I have tried this multiple times now, but the people picker never gives me any results for FBA. I'm not getting any error message, and I am able to log in via a windows account just fine.

      
  39. Gravatar

    I figured out my issue. The following entries in my web.config files:

    userContainer="OU=SPUsers,DC=sharepoint,DC=com"


    needed to be

    userContainer="CN=SPUsers,DC=sharepoint,DC=com"

      
  40. Gravatar

    Mirjam,

    Wonderful post, but as many others are having the same issue I was curious if you knew of a fix for CBA to work with AD LDS. I can get the person to come up in People Picker and get logged into the site but getting an error after logging in so the Authentication is working, but an error with the Security Token Service. Have you had any success with connecting an AD LDS via this format?

      
  41. Gravatar

    Thank you so much!!.. you helped me figure out the last setting I was missing. I was receiving the 500 Error others have mentioned above. I found I had a typo in the Central Admin web.config. Once I fixed that it worked. I have spent hours trying to get this working, none of the examples I found included adding the defaultProvider value you specify in the central admin web.config. Wish I located this page earlier.

      
  42. Gravatar

    I followed the same steps... but after login i am getting below error: please help
    The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

      
  43. Gravatar

    Hi very helpfulArticle,

    One question can this web.config be adjusted so the PeoplePicker for the Claims FBA will return results based on a first or last name search not just the samaccount name?

      
  44. Gravatar

    Hi Glen,

    I must admit that I don't know, but if you have already set it up you should be able to test it yourself by adjusting the web.config.
    I hope you succeed, let me know if you do!

    Mirjam

      
  45. Gravatar

    I was able to use this instructions with OpenLDAP only partly. I was able to find a user in the Forms auth part, but I was not able to login.
    Don't know if this helps but here is the configuration of the user in OpenLDAP:
    cn mps1
    dialupAccess true
    gecos mps1
    gidNumber 500
    givenName mps
    homeDirectory /home/guests/mps1
    loginShell /bin/bash
    mail mps1@imsa.edu<mailto:mps1@imsa.edu>
    mailRoutingAddress mps1@staffmail.imsa.edu<mailto:mps1@staffmail.imsa.edu>
    objectClass radiusprofile
    objectClass imsaPerson
    objectClass mailRecipient
    objectClass top
    objectClass person
    objectClass organizationalPerson
    objectClass inetOrgPerson
    objectClass shadowAccount
    objectClass posixAccount
    organizationalStatus Sharepoint Consultant
    shadowInactive 0
    shadowLastChange 15139
    shadowMax 180
    shadowMin 1
    shadowWarning 14
    sn 1
    uid mps1
    uidNumber 2029
    userPassword

    Thanks for any help

      
  46. Gravatar

    This post provides PowerShell script to easily configure forms based authentication using LDAP in SharePoint

      
  47. Gravatar

    You can purchase online game cards by various merchants

      
  48. Gravatar

    Okay then- are not able to throw gals out because they are female- that has to be blaming the particular victim

      
  49. Gravatar

    In cases where the expected mind-blowing material is assumed is when this military initially sends the unmanned RC model like these minimal helicopters to the site to get together crucial details needed to disarm these devices

      
  50. Gravatar

    Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010

      
Comments have been closed on this topic.