Easiest way to setup Form Based Authentication with Active Directory LDAP in Claims Based Web Apps for SharePoint 2010

In this post, I am going to explain the quickest possible way to enable Form Based Authentication with Active Directory which will use the new Claims Based Authentication. First thing to be aware of that, we cannot modify an existing web app which was created using Classic Mode Authentication. If we see any existing web app which uses only Windows Authentication in Classic Mode, we will see that FBA option is disabled there. So, in order to achieve our goal, we need to create a new web application and choose the following Claims Based instead of Classic Mode:

Go to Central Admin –> Application Management –> Manage Web Application –> Click New:

image

When we select Claims Based Authentication from the above figure, a new section opens up in the screen

image

In the above figure, you can see I have enabled both Windows Authentication and Form Based Authentication. I could mention the ASP.NET membership provider name here too. But, As I need to configure few things beforehand, I chose to configure this later. So, we now need to modify three web.config files for the following three applications:

1. Central Administration Site

2. The Web Application which we will be used for Claims Based Authentication.

3. Security Token Web Service Application

Go to IIS 7 of your SharePoint Web Server. Select the Central Administration Website. Right click and select “Explore” which will open up a WIndows Explorer where you will find the web.config file. Open up the configuration file using a notepad or Visual Studio and look for <system..web>.

Right before the beginning of <system.web>, Add the following section:

<connectionStrings>
   <add name="adconn"
        connectionString="LDAP://kfupm.edu.sa:389/dc=kfupm,dc=edu,dc=sa" />
</connectionStrings>
Here, “adconn” is my connection string name and connectionString holds the URL of my LDAP. After <system.web>, add the following:
<membership defaultProvider="admembers">
   <providers>
      <add name="admembers"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="adconn"
           enableSearchMethods="true"
           attributeMapUsername="sAMAccountName" />
   </providers>
</membership>
I have given my provider name as admembers and mentioned the connectionStringName which I declared before.
Now, we need to follow the same for rest of the two web.config files.
Now, Right Click the Web App for which we are trying to configure FBA and click “Explore” which will open up a location like “C:\inetpub\wwwroot\wss\VirtualDirectories\[PortNumber]” where you will see the web.config file for your web app. Open this file in the same manner as you did for central admin site and make the same changes:
Now, for the first section it will be the same (connectionStrings section). For the membership part, a membership provider is automatically added when we created this web app selecting Claims Based Authentication. So, we will look for <membership tag and edit the section as following:
<membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="admembers" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="adconn" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

In the above snippet, notice that, I only added an entry for membership provider admembers. The other settings were created when we created the web app. Right after this, you will find another settings for roleManager where you can add any active directory role. As I didn’t create any role for my purpose, I am not going to enter anything in that section here. This completes the second part.

Finally, we need to do the same for Security Token Web Service App’s web.config file. To do this, expand the SharePoint Web Services site from IIS and you will see the SecurityTokenServiceApplication.
image

Right Click and select “Explore” to open up the directory where you will find the web.config file for this application. Here, you will not find any <system.web> sections. So what you need to do is, go to the bottom of this file where you will find </configuration> and right before this tag, add the following:

<connectionStrings>
  <add name="adconn"
       connectionString="LDAP://kfupm.edu.sa:389/dc=kfupm,dc=edu,dc=sa" />
/connectionStrings>
system.web>
<membership defaultProvider="admembers">
  <providers>
     <add name="admembers"
          type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="adconn"
          enableSearchMethods="true"
          attributeMapUsername="sAMAccountName" />
  </providers>
/membership>
/system.web>

Do not forget to change the connection string for your Active Directory LDAP.

Now, go to the central admin and go to Application Management –> Manage Web App. Select your web app we created before for Claims Based authentication and choose Authentication Providers from the ribbon. From the pop up window, click on Default under zone and you will get the following window:

image

Note that, I have mentioned the provider name under ASP.NET Membership provider settings. There are other options here as well like to choose whether to use the default sign in page or to use a custom page for Forms Based Authentication. Now, my web application is ready to use both Windows and Form based authentication which will utilize the new Claims Based Authentication technology.

Let us now create a site collection to see for real. Go to Application Management –> SIte Collections –> Create Site Collection page. After setting the name and template for the new site collection, while choosing to  Site Collection Administrator, if you search for users you should get something like the following window:

image

As expected, I now get two instances for one name (one in Active Directory and another one is getting pulled by the new form based configuration to use with Forms Authentication). After creating this site, if I try to sign in the new site collection, I will get the following window:

image

You can see that two different authentications are now coming under the drop down box inside the default sign in page for my web application. If I now choose Forms Authentication, I will get the following window:

image

After that, if I click Sign In, I can successfully login to my new site collection. The following is the screenshot of it:

image

That’s it. In the next post, I will explain how you can create a custom Login Page for this Form Based Authentication and also how to create a custom Login Web Part for the same purpose which will enhance the functionality and provide better user experience in real life scenario.

Advertisements

How to install SharePoint 2010 Server Farm Setup without Active Directory on Windows Server 2008?

In SharePoint 2010, there are two types of installations: Farm  and Standalone. If you want to install SP 2010 on a single machine, it will not allow you to install farm set up out of the box as by default it requires Active Directory which means your machine needs to join a domain where Microsoft Active Directory has been already setup. To workaround this problem for Windows Server 2008 machine, you could do the following:

1. Install SQL Server 2008 R2 Development/Enterprise edition.

2.  Install SharePoint 2010 Installation using Farm Setup.

3. Before proceeding to launch the SP2010 Configuration Wizard, open the SP2010 PowerShell and run this command:

New-SPConfigurationDatabase

After that, you will get the following window:

image

Enter a Database Name (i.e SharePoint_Config_Db)

Next:

Enter a Database Server: (Your Database server name, if the database is hosted on the same machine, type in your machine name)

After that you will get a login prompt to enter your Farm Credentials:

image

Important Thing to note here, while entering your username in the credentials window, use this format : [Your machine Name]\[User Name]

(i.e TeamRadiant\Morshed)

You will be prompted to enter password again in the PowerShell. Type in your password again. That’s it. You are done!!

Now, run the SharePoint 2010 Configuration Wizard, where you will get the following window:

image

 

You will see your newly created Database Name appearing here.

After getting this window, click “Next” and your wizard will complete all the necessary actions to complete your farm setup. After that, you can launch the “Central Admin” site and you will be presented with the wizard which you may choose to run or you may configure it manually without running wizard.