Using the Active Directory Membership Provider with Forms Authentication in MOSS 2007

Because MOSS 2007 supports the ASP.NET membership provider model, SharePoint can now go places it could not reach before. In particular, MOSS 2007 is a strong platform for a public internet web presence; there is even a site template for establishing a public web site. Several capabilities had to be added to MOSS to make this work, and foremost among them is the degree of integration with ASP.NET 2.0. For an internet web site that presents secured content, MOSS supports Forms authentication backed by ASP.NET 2.0 Membership and Role providers. Where an Active Directory already exists in the DMZ (increasingly common, for auditability and for provisioning and managing users and group membership), MOSS can use that directory as its ASP.NET Membership store through the ActiveDirectoryMembershipProvider that ships with ASP.NET 2.0.

Challenge: Allowing public internet users to connect to a public web site hosted in MOSS 2007 using Forms authentication and Active Directory as the information store

Solution: Configure MOSS 2007 to support forms authentication with the Active Directory Membership provider

Result: Users can now log into a public web site without NTLM prompts, using a custom login page, and have their identity established against Active Directory

TODO: Determine whether the full MOSS user profile is available. Some of it appears to be, but further testing, including customization testing, is required.

Implementation Details:

  • Modify the web.config of the web application
    • For the web application whose site collection should use Forms/Active Directory authentication (this assumes you have already created the Web Application and a Site Collection), browse to and open its web.config. The file lives in the home directory of the IIS web site that backs the web application; look it up in IIS Manager under the site's Home Directory tab.
    • Insert the following sections into the web.config:
      • After the configSections section insert the following (replace the LDAP string with one that is valid for your domain; the value must be quoted, and the name must match the connectionStringName used by the membership provider below)

<connectionStrings>
  <add name="ADConnString"
       connectionString="LDAP://win2003eebase.charrandev.com/CN=Users,DC=charrandev,DC=com" />
</connectionStrings>

      • In the system.web section insert the following (check the version of the System.Web assembly that contains ActiveDirectoryMembershipProvider in the GAC by looking at C:\Windows\Assembly; for ASP.NET 2.0 it is 2.0.0.0). connectionUsername and connectionPassword are the account the provider binds with to look up users; it only needs read access to the container, and its password sits in cleartext in this file, so use a dedicated least-privilege account rather than a domain administrator.

<membership defaultProvider="ADProvider">
  <providers>
    <!-- connectionUsername/connectionPassword: placeholder values for a least-privilege
         domain account that can read the container; the password is stored in cleartext here.
         enableSearchMethods="true" lets SharePoint's people picker search the directory. -->
    <add name="ADProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnString"
         connectionUsername="charrandev.com\sp_fba_reader"
         connectionPassword="password"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

    • Make the same two edits in the web.config of the SharePoint Central Administration web application. Central Administration resolves Forms users through the provider when you pick people, so this is what allows you to add the first site collection administrator.
    • Note the attributeMapUsername attribute: mapping it to sAMAccountName lets users log in with just the account name instead of the UPN (account@domain.com), which is the provider's default.
  • Go to SharePoint Central Administration and change the Authentication Provider for the Web Application
    • In SharePoint Central Administration, select Authentication Providers under the Application Security section of Application Management.
    • Click the Default zone entry and change the Authentication Type to Forms authentication (make sure the right web application is selected).
    • Enable anonymous access and, as the Membership provider name, enter the name of the provider placed in the web.config (in this case "ADProvider").
    • For public sites, I usually disable client integration.
    • Under Application Management, go to Site collection administrators and select the first administrators for the site from the domain specified in the LDAP connection string of the ADProvider.
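Before switching the zone to Forms authentication it is worth proving, outside of SharePoint, that the LDAP path, the bind account and the sAMAccountName lookup in the two web.config sections above actually work, so that a later login failure points at the directory rather than at MOSS. The script below is an added example and not part of the original post; it uses System.DirectoryServices (which ActiveDirectoryMembershipProvider is built on) to perform the same three operations the provider performs: bind with the service account, find the user beneath the configured container by sAMAccountName, and bind again as that user to validate the password. The server name, container, bind account, test user and passwords are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original post): exercise the same LDAP path and bind
# account the ADProvider will use, outside of SharePoint. All names and passwords
# below are placeholders; replace them with values from your own environment.

# System.DirectoryServices is normally loaded by PowerShell for the [ADSI] accelerator;
# load it explicitly so the script also works on PowerShell 1.0.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$ldapPath     = "LDAP://win2003eebase.charrandev.com/CN=Users,DC=charrandev,DC=com"  # same value as connectionString
$bindUser     = "charrandev.com\sp_fba_reader"   # same as connectionUsername (read-only account)
$bindPassword = "password"                       # same as connectionPassword
$testUser     = "jdoe"                           # sAMAccountName of a user inside the container
$testPassword = "UserPassword1"                  # that user's password, for the validation bind

function Test-DirectoryBind {
    # Returns $true when the path accepts a bind with the given credentials.
    # AuthenticationTypes.Secure (Negotiate) matches the provider's default connectionProtection.
    param([string]$Path, [string]$User, [string]$Password)
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password,
                 [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $entry.RefreshCache()   # forces the bind; throws on a bad path or bad credentials
        return $true
    } catch {
        Write-Warning ("Bind to {0} as {1} failed: {2}" -f $Path, $User, $_.Exception.Message)
        return $false
    } finally {
        $entry.Dispose()
    }
}

function Find-UserBySamAccountName {
    # Looks up a user beneath the container the way the provider does when
    # attributeMapUsername="sAMAccountName". Returns $null when nothing matches.
    param([string]$Path, [string]$User, [string]$Password, [string]$SamAccountName)
    # Escape LDAP filter metacharacters (RFC 4515) so a crafted name cannot alter the query.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $root = New-Object System.DirectoryServices.DirectoryEntry($Path, $User, $Password,
                [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "userPrincipalName"))
    try {
        $result = $searcher.FindOne()
        if ($result -eq $null) { return $null }
        $props = $result.Properties
        # Property names in a SearchResult are case-insensitive; guard against absent attributes.
        function Get-Prop([string]$Name) {
            if ($props.Contains($Name)) { [string]$props[$Name][0] } else { $null }
        }
        return New-Object PSObject -Property @{
            DistinguishedName = Get-Prop "distinguishedname"
            SamAccountName    = Get-Prop "samaccountname"
            UserPrincipalName = Get-Prop "userprincipalname"
        }
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# 1. Service-account bind: this is what fails when the connection string or
#    connectionUsername/connectionPassword are wrong.
if (-not (Test-DirectoryBind -Path $ldapPath -User $bindUser -Password $bindPassword)) {
    Write-Host "Fix the connection string or the bind account before editing web.config."
    return
}
Write-Host "Bind account OK against $ldapPath"

# 2. User lookup: this is what fails when the user lives outside the configured container.
$user = Find-UserBySamAccountName -Path $ldapPath -User $bindUser -Password $bindPassword -SamAccountName $testUser
if ($user -eq $null) {
    Write-Host "User '$testUser' not found beneath the container; check CN=/OU= in the connection string."
    return
}
Write-Host ("Found {0} (UPN {1})" -f $user.DistinguishedName, $user.UserPrincipalName)

# 3. Password validation: ValidateUser in the provider ends in a bind as the user, so do the same.
$domain = ($bindUser -split '\\')[0]
if (Test-DirectoryBind -Path $ldapPath -User "$domain\$testUser" -Password $testPassword) {
    Write-Host "Password accepted for $testUser; the provider's ValidateUser should succeed too."
} else {
    Write-Host "Password rejected for $testUser."
}
```

Run it on the MOSS server itself so DNS, firewall rules between the web tier and the DMZ domain controller, and the Negotiate authentication path are the same ones the provider will use. Once the settings are confirmed, protect the cleartext bind password: aspnet_regiis.exe from the .NET 2.0 framework directory can encrypt the connectionStrings and system.web/membership sections in place with its -pef option, pointed at the web application's virtual directory; the default DPAPI protection is per machine, so in a multi-server farm either encrypt on each server or use the RSA provider with an exported key container.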

You should now be able to visit the site and be prompted for forms authentication by the standard login page (/_layouts/login.aspx) that MOSS/WSS provides for Forms authentication. That page can be customized, or replaced with a page of your own, using SharePoint Designer 2007.