Project Server 2007 with LDAP Authentication


For customers that used Project Server 2003 and made use of the “ProjectServer” accounts (non-Windows authenticated) they have a few choices in Project Server 2007. The first consideration I suggest is “why were you using ProjectServer accounts?”. If the answer is that you don’t have Windows domains but use some other authentication method, and LDAP is that other method – then I have good news! LDAP is a supported authentication provider for Windows SharePoint Services v3, and therefore Microsoft Office Project Server 2007 as well.

I can see this being a popular authentication method for those customers who do not use Windows Authentication but have some other directory as it enables them to re-use the directory they have – rather than have to create a whole new set of users in some other place (such as the ASP.NET SQL Membership Provider database).

For my tests with LDAP I used Microsoft ADAM (Active Directory Application Mode) to be my Lightweight Directory Access Protocol service – but you should be able to use any LDAP compliant service. 

The basic steps once you have a LDAP source to authenticate against is:-

  1. Extend your port 80/443 site to another port (and I would strongly recommend this extended site use SSL!) and zone – such as Intranet
  2. Set the Authentication Provider for this new zone to LDAPMembership – through Central Administration, Operations, Authentication Providers (this is just a name and needs to match the provider you add to the web.config files
  3. Edit the web.config(s) for the SharePoint Central Administration and also our newly extended site to add our membership provider LDAPMembership
  4. Add a Windows SharePoint Services user through Central Administration, Operations, Policy for Web Application for our Intranet zone using the format LDAPMembership:User1
  5. Add a Project Web Access user with forms authentication again using the format LDAPMembership:User1

There is a blog from Matt at Pointbridge that gives more in-depth details – thanks Matt.  As the trickiest piece I found was getting the format of the addition to the web.config to match the structure of your LDAP directory I will just go into more detail on that step.

The section needs to go into the top level <system.web>…</system.web> section – just make sure not to break any existing XML.  I usually put it at the end, just before </system.web>.  Also be aware that there are some other <system.web> sections that are lower down the hierarchy – under the <location> section I think.  Don’t put it in these!

So a sample membership section may look like this:-

<membership defaultProvider=”LDAPMembership”>
    <add name=”LDAPMembership” type=”Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C”
    otherRequiredUserAttributes=”sn,givenname,cn” />

and this would match up to a directory where the LDAP server was called “nondomain” and was set to use port 50000 (port 389 is the default LDAP would normally use) and this would authenticate against any objects in the userContainer that matched the userFilter – and use the distinguished name as the name to match.  So in this case all items in the container defined by CN=Users,OU=WSS,O=nondomain,C=US that have an object class of user.  LDP.exe is a good toll that you can find in the Windows 2003 Support tools that helps to understand the containers and filters.

Another more complex example would be:-

<membership defaultProvider=”LDAPMembership”>
<add server=”ps2007ldap” port=”50000″ useSSL=”false”   userDNAttribute=”distinguishedName”
userNameAttribute=”cn” userContainer=”CN=Users,OU=Support,O=fabricam,C=US”
userObjectClass=”user” userFilter=”(ObjectClass=user)” scope=”Subtree”
otherRequiredUserAttributes=”sn,givenname,cn” name=”LDAPMembership”
type=”Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C” />
<add server=”ps2007ldap” port=”50000″ useSSL=”false” userDNAttribute=”distinguishedName”
userNameAttribute=”cn” userContainer=”CN=Users,OU=Extranet,O=fabricam,C=US”
userObjectClass=”user” userFilter=”(&amp;(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))” scope=”Subtree”
otherRequiredUserAttributes=”sn,givenname,cn” name=”LDAPMembership2″
type=”Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C” />

and in this case there are two providers (this would be in the Central Admin web.config – each of the 2 extended sites in this case would just have either the LDAPMembership or LDAPMembership2 section) authenticating for two different zones – such as Intranet and Extranet. 

LDAPMembership is authenticating against users in the CN=Users,OU=Support,O=fabricam,C=US container.

LDAPMembership2 is authenticating against users in the same container, but this time using the filter with the filter =”(&amp;(memberOf=CN=ProjectUsers,OU=Extranet,O=fabricam,C=US)(memberOf=CN=WSSUsers,OU=Extranet,O=fabricam,C=US))”  which will only authenticate users in both the ProjectUsers and WSSUsers groups defined in the directory.  Please note the &amp; – which replaces the usual & used in LDAP queries.

You will also see format of these sections is different from the one above – but still contains exactly the same attributes – just in a different order.  This is as a result of editing through the InetMgr interface.  Please be aware of a potential break caused by using the InetMgr UI – the <configuration> element gets re-written as <configuration xmlns=”″> and this will give an application error in WSS.  See KB 917238 for details.

Have fun with LDAP – I think this may be the most popular of the additional authentication providers – and this time the “projectserver” users will be able to get at all the SharePoint content such as risks, issues and documents – as well as the new feature – deliverables. However, like the 2003 “projectserver” users, these forms based users would still need a Windows account to use the Data Analysis (OLAP Cube) features that SQL Server Analysis Services provides.

Technorati Tags:

Comments (29)

  1. Charley says:

    You would’nt happen to have instruction on what the web.config file would like connecting to Sun One Server?


  2. LDAP is standard so the web.config looking at Sun One Server should not need to be any different from one that connects to ADAM or any other LDAP conformant directory. The syntax is very particular though so easy to make typos with any server.

  3. Ron says:

    I follow the instuctions as specified but I just could not get my ADAM users authenticated in the project server using the newly created PWA using form authentication. Verify communication with the LDAP directory is fine using the Sharepoint Central Administration.

    Do you have any suggestions what I should do to get it work?

  4. Hi Ron,

    If the verification is working OK then your settings in the web.config for Central Admin must be OK – perhaps they are not right in the web.config for your extended site?  Or possibly the entry of the user in PWA does not match the providername:username format.

    What error do you get?

    Best regards,


  5. Ron says:

    I am using WSS3.0 and I found from other website that LDAPMembershipProvider is only supported in MOSS. Is that correct? If that is the case how would I proceed with LDAP authentication with Project Server 2007?

    Thanks and Best Regards


  6. Hi Ron,

    LDAPMembershipProvider is certainly supported for Project Server 2007 and also for WSS 3.0 – as this forms the backbone of Project.  Which site says it is only supported for MOSS?  The notes above do not assume MOSS is present and once working the only thing required in Project Server 2007 is to add a user using the format LDAPMembership:Username – assuming LDAPMembership is the term you have used to name the sections in the web.configs as in the above examples.  Have you found the recent TechNet article at which is specific to Project Server?

    Best regards,


  7. Ron says:

    Hi Brian,

    Thanks for your quick response, All the while I have been following the TechNet article that you referred for the setting up of the project web access site using form based authentication against LDAP (ADAM) store. I have completed all the steps but was having problem with the authentication on LDAP-authenticated site.

    The errlog obtained is as follows:

    “Event Viewer for ADAM instance:

    Internal event: The LDAP server returned an error.

    Additional Data

    Error value:

    000004DC: LdapErr: DSID-0C09062B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

    For more information, see Help and Support Center at”

    As for the information that LDAPMembershipProvider is only supported in MOSS, I got it from the comments of and

  8. Ron says:

    Hi Brian,

    After working further, I found that the LDAP(ADAM) server is receiving from a ANONYMOUS_LOGON from the PWA authenication. To proceed further, I enabled anonymous binding in ADAM by modifying the dsHeuristics attribute and tried logging on again, it was still unsuccessful. Now the event log says the following:

    Event Type: Information

    Event Source: ADAM [ADAMTest] LDAP

    Event Category: (16)

    Event ID: 1535

    Date: 8/29/2007

    Time: 9:31:20 AM


    Computer: xxxxxxx


    Internal event: The LDAP server returned an error.

    Additional Data

    Error value:

    0000208D: NameErr: DSID-031521D2, problem 2001 (NO_OBJECT), data 0, best match of:


    My web.config for the Project Server extension site is as follows:

       <membership defaultProvider=”ADAMMembership”>


           <add name=”ADAMMembership” type=”Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71E9BCE111E9429C” server=”epm2007test” port=”389″ useSSL=”false” useDNAttribute=”false” userDNAttribute=”distinguishedName” userNameAttribute=”cn” userContainer=”CN=users,OU=ADAMTest,O=ADAM,C=US” userObjectClass=”user” userFilter=”(ObjectClass=user)” scope=”Subtree” otherRequiredUserAttributes=”sn,givenname,cn” />



    Would appreciate if you could provide more pointers.

  9. Hi Ron,

    So it does seem to be getting to the LDAP server.  Are you using local service accounts perhaps within your Project Server installation that cannot get to the LDAP server?  Or perhaps the user has been added to ADAM as an admin.  I’m sure as part of the setup for ADAM there are some details on this.

    Best regards,


  10. Ron says:

    Hi Brian,

    For your info, my ADAM and Project Server are installed on the same machine and the Project Server is run using a local administrator account.

    Since the last message, I’ve finally managed to get the PWA authentication to work. However, it is only after granting read access to ANONYMOUS_LOGON from ADAM (the setup instruction is to grant to Project Server’s farm administrator). What puzzled me was that I was using the local (also farm) administrator’s account to run Project Server. Yet the communication between Project Server and ADAM was through a anonymous logon. Is there anything wrong with that?



  11. Interesting Ron.  So if you look at task manager which accounts are running OWSTIMER, and also the instance of the Project Queue service?

    Best regards,


  12. Ron says:

    Hi Brian,

    I’ve checked. Both processes are run by local administrator accounts. Are there any consequences if the communicator is through ANONYMOUS_LOGON account?



  13. Ron says:

    Both OWSTIMER and the Project Queue service run using local administrator account.

    For your information, I have tried setting up another LDAP server (OpenOLAP) on the PC and the result is similar; need to set anonymous logon to have authentication permission for user password on the OpenLDAP server.

    Anyway I think as long as I could setup LDAP for projectserver 2007, that should be fine.

    By the way do you know whether Projectserver 2007 support single sign-on with LDAP form-authentication?

    Thanks and Best Regards


  14. Hi Ron,

    I have this working on my server without ANONYMOUS LOGON given any rights in ADAM.  The account making the requests in my case is the admin account for the farm, which also happens to be the identity for all the app pools and the admin for the SSP.  Take a look at your app pools and see which identity they are running uner.

    The other thing I came across today was that by default users added to ADAM are disabled.  You need to set the msDS-UserAccountDisabled to FALSE before you can authenticate.  Not sure when this changed – I’m sure you didn’t need to do this when I first played with ADAM.

    For SSO I’m not the best person to ask.  The SharePoint blogs may be better – but are you asking if you can log on through LDAP forms and make use of single sign on provider to then go to other places?  I would think this should be supported.

    Best regards,


  15. Ron says:

    Hi Brian,

    Thanks for your continuous support. I am ok with setting the ANONYMOUS LOGON with auth rights in ADAM.

    Really appreciate your help and quick response for the past few days.



  16. Charlie says:

    Hi Brian,

    I have one query is it possible to integrate Novell’s eDirectory with project server 2007 in place windows active directory for authentication of user. If yes then how it can be done If have any documentation or URL link please provide. Please help

    Waiting in anticipation

    In Regards


  17. Hi Charlie,

    I don’t know Novell’s eDirectory but if it supports LDAP (which I would assume it would) then the configuration detailed for using ADAM should apply to eDirectory too.  Not sure exactly what the web.config settings would look like – this very much depends on your directory structure.  It would not be possible to use the Active Directory sync options to eDirectory though.

    Best regards,


  18. Dougmcc says:

    This is driving me crazy!!! I’ve followed all instructions and have ADAM installed locally on my project server, app pool and farm accounts authenticate through ldp.exe but when I go to the add users in central admin and specify LDAPMembership:user1 it finds nothing!!




  19. Mike says:

    I followed all instructions and It works fine thanks

    But when I try to create Import Profile connection using ADAM store it fails. Do you know how to use ADAM to setup import user profile connection.



  20. Hi Doug,

    I would double check the web.configs – typos tend to be the leading cause of problems I have seen – or check that the right accounts can access the ADAM directory.

    Hi Mike,

    What do you mean by Import Profile connection?  Do you mean the formsauthupgrade or something else?  FormsAuthUpgrade only supports the AspNetSqlMembershipProvider.

    Best regards,


  21. Michelle says:

    Hi Brian:

    We have LDAP working with Forms Authentication in our customer’s environment, and I happy to report that it is working well!  The only issue that we are experiencing, and cannot get any information on, or help with, is how to grant OLAP/Data Analysis View access to users?

    Is there any way to do this with LDAP and FA?  If not, do you have any suggested work arounds?

    Thank you, Brian.  We have tried everything that we can think of to get this to work.


  22. Hi Alan (Michelle?),

    I am not aware of a direct way to acheive this.  You coulod make the cube available via http – and then use basic authentication and give the users a generic Windows account on the server that will allow them access.  This is how we recommended Project Server 2003 users with the "forms-like" ProjectServer accounts to use OLAP.  See for details on getting the SQL end working.

    Best regards,


  23. Hi Baz,

    I haven’t been able to find a resolution that enables the UseSSL="true" option so that the authentication uses SSL, but if the site is using SSL then the entry and passing of the password will be using SSL (but the connection from the server to the LDAP server will not).  I will see if I can get an answer on any change in this in SP1.

    Best regards,


  24. Ray says:

    Hi Brian,

    Thanks for the lovely post, I was trying to set up the LDAP authentication with Sun Java System, I managed to have the people picker in Central Administration to connect and retrieve info from LDAP, however, in my extended site (Intranet), the authenticated users are not able to log in. I double checked with Sun Java System administrator, he told me that there is connection to the LDAP provider, and it is returning the Distinguished name.

    (my central admin, default and intranet sites all have the same ldap membership provider in the web.config)

    Any help is appreciated.

  25. Hi Ray,

    Is there any clue in the ULS logs?  From what you say the permissions to read the LDAP directoy seem OK as the admin can see this traffic.  Perhaps it is the validation against the password in LDAP that is failing?  Also I guess you have double checked the syntax in the Intranet web.config (or copy/pasted from one of the others?) – although the setting to enable the people picker doesn’t do the same as validating the password.

    Let me know if the ULS gives any clues – or any logging from the LDAP server.

    Best regards,


  26. raj says:

    the post was great.

    But i face an issue even after all correct configurations.  

    I have modified the web.config for both the applications and my LDAP user is also getting identified. I have added this user as Site administrator of the WebApplication and also added using Policy for web application.

    But when i try to login to site using this LDAP user, the site gives me an error " make sure your user name and password are correct". i have cross verified the credentials and wat i have given are right.

    I have also tried adding UseDNAttribute=false to the web.config files but it dint help. Am using SUN ONE DIrectory server. do let me know what i have to do.

  27. Hi Raj,

    Have you added the user in PWA itself?  You need the user to have a PWA account as well as having access to the WSS site.  Or are you saying you get this for the WSS site and not PWA?  The LDAP sounds as if it is configured correctly if you were able to add in the Policy for Web Applications – as that validates that the user exists.  The web.config is probably OK.

    Best regards,


  28. Nikky says:

    Hi Brian,

    I am working on MOSS2010 on win2k8 R2. I have to provide FBA using LdapMembershipProvider.

    I have provided required changes into web.config of central admin and MOSS site and able to see users available in LDAP directory server.

    As I try to access home page URL of MOSS site and after providing user credentials(Here the form login page is available), it can't able to validate them.

    Could you please provide me the resolution of this issue.

  29. Max says:

    Very good article. I have an additional question: If I wanted to do the opposite? That is, change the LDAP authentication to Active Directory, what are the implications?