Setting Up SharePoint 2010 forms-based authentication for claims based web applications


The steps, in their simplest form, are the following:


1. Create a forms-based (claims) Web application that uses the LDAP provider, using Central Admin


2. Configure the LDAP Web.Config files for the Central Administrator (web application), Security Token Service (web service), and FBA claims-based (web application).


3. Within User Policy for the newly created FBA\Claims Web Application, Add site collection owner and grant full control.


4. Finally, login to FBA site as site collection owner and grant user permissions to access site


We released a TechNet article (Beta 2 version) describing how to accomplish this setup using the OfficeServer LDAP provider. I created this blog post to fill the gaps and provide some further insight on how to set this up properly. The TechNet article, which covers the first two steps above, is located here:


http://technet.microsoft.com/en-us/library/ee806890(office.14).aspx#section2


Note: This has been tested on the Beta 2 version. I’ll update the blog when later builds are released to the general public if changes are required.




FBA Setup Gotchas (three of them)



Gotcha # 1: Steps 3 and 4 are required


I will now discuss steps 3 and 4 above in more detail, since they are missing from the article. Once you finish steps 1 and 2 from the article, follow steps 3 and 4 here:




Step 3 – Within User Policy for the newly created FBA\Claims Web Application, Add site collection owner and grant full control. Steps for this are the following:


1. Launch Central Administrator and select “Manage web applications” under Application Management


2. Select the FBA-Claims based web application and select User Policy from the ribbon




3. Select Add Users, select default zone and hit Next


4. Select the Address Book button and add the site owner account under “User:”




Note: The two entries shown for the site owner are the same account. You are only required to add the one under “User:”, since that is the entry enumerated via the LDAP provider.


5. Grant “Full Control” under Permissions and hit the Finish button.




Step 4: Login to FBA site as site owner and grant users access to the site.


1. Login to FBA site as site owner


2. Select Site Actions\Site Permissions


3. Select the Group you want


4. Select New, then Add Users to Group, and hit the address book button


5. Select the LDAP account, click Add, and hit OK




Gotcha # 2: Web.Config setup


The TechNet article walks you through the setup nicely, but there are a couple of things I want to point out, mainly around misconfigured web.config files. First, treat each web.config file you are configuring as unique. Not all web.config files are the same: don’t copy the output of one, paste it into another, and expect it to work.


Attributes to be aware of when configuring the LDAP provider in each web.config:


userContainer – This attribute should look like: userContainer="CN=Users,DC=domain,DC=com"



If the userContainer attribute doesn’t contain a valid DN, you might see the following in the ULS logs during a failed logon attempt:


12/29/2009 14:04:54.15  w3wp.exe (0x1118)        0x1374  Office Server     Shared Services                olgq       Exception                System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.       at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()     at System.DirectoryServices.DirectorySearcher.FindOne()     at Microsoft.Office.Server.Security.LDAP.FindOneObject(DirectoryEntry searchRoot, String filter, SearchScope scope, String[] propertiesToLoad, ResultPropertyCollection& entryProperties)     at Microsoft.Office.Server.Security.LdapMembershipProvider.GetUserAttributeBySearchProperty(String searchValue, String searchProperty, String returnAttribute)




groupFilter and userFilter – These two attributes sit under the LdapRoleProvider.


In the TechNet article, these use different filters in different web.config files.


For example:


Setting these two attributes in the Central Admin web.config looks like:


groupFilter="((ObjectClass=group)"


userFilter="((ObjectClass=person)"


Setting these two attributes in the claims-based FBA Web Application web.config looks like:


groupFilter="(&(ObjectClass=group))"


userFilter="(&(ObjectClass=person))"


It’s easy to see the difference between these filters. If your LDAP filters are invalid, you will typically get the following exception in the corresponding ULS log during a failed attempt to log in via FBA:


12/29/2009 11:52:19.43  w3wp.exe (0x0B04)        0x0F28  Office Server     Shared Services                olgz        High                LdapRoleProvider.GetRolesFor() exception: {0}.System.ArgumentException: The (&(((ObjectClass=group))(member=CN=userx,CN=Users,DC=Domain,DC=com)) search filter is invalid.     at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()     at Microsoft.Office.Server.Security.LdapRoleProvider.GetRolesFor(String userOrGroupDN, DirectoryEntry groupContainer, LdapDistinguishedNameManager ldapDnManager, List`1& userRoles)   




Gotcha # 3: Additional step required for Standalone installs


If you run through the above steps on a Standalone install, you need to add one additional step, or you will see this in the corresponding ULS log during a failed attempt to log in via FBA:


12/29/2009 11:50:02.81 w3wp.exe (0x1868) 0x1AB4 Office Server Shared Services olgq Exception System.DirectoryServices.DirectoryServicesCOMException (0x80072020): An operations error occurred. at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext() at System.DirectoryServices.DirectorySearcher.FindOne() at Microsoft.Office.Server.Security.LDAP.FindOneObject(DirectoryEntry searchRoot, String filter, SearchScope scope, String[] propertiesToLoad, ResultPropertyCollection& entryProperties) at Microsoft.Office.Server.Security.LdapMembershipProvider.GetUserAttributeBySearchProperty(String searchValue, String searchProperty, String returnAttribute)


The additional step is adding a couple of entries to the STS (Security Token Service) web.config file. You will need to add both connectionUsername and connectionPassword to the membership and role providers.


For example (the connectionUsername and connectionPassword entries are the additions):


  <system.web>
    <membership>
      <providers>
        <add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
             server="newyearDC.contoso.com"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="CN=Users,DC=Contoso,DC=com"
             userObjectClass="person"
             userFilter="(&amp;(ObjectClass=person))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn"
             connectionUsername="contoso\administrator"
             connectionPassword="password" />
      </providers>
    </membership>
    <roleManager enabled="true" >
      <providers>
        <add name="rolemanager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
             server="newyearDC.contoso.com"
             port="389"
             useSSL="false"
             groupContainer="DC=Contoso,DC=com"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(&amp;(ObjectClass=group))"
             userFilter="(&amp;(ObjectClass=person))"
             scope="Subtree"
             connectionUsername="Contoso\Administrator"
             connectionPassword="password" />
      </providers>
    </roleManager>
  </system.web>
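As an added example (not from the post or the TechNet article), here is a small stand-alone checker that reads one web.config and applies the checks behind Gotcha #2 (balanced LDAP filters, a real DN in userContainer/groupContainer) and Gotcha #3 (the bind credential the STS web.config needs, which this config stores in clear text). The sample web.config, the example.test domain and the svc-ldap account are constructed; it deliberately contains the copy-paste mistake the post warns about, and composed_role_filter only imitates the shape of the filter quoted in the ULS error.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real environment): an FBA web application web.config
# fragment where the Central Admin groupFilter form was pasted in by mistake.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
 <membership><providers><add name="membership"
   type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
   userContainer="CN=Users,DC=example,DC=test" userFilter="(&amp;(ObjectClass=person))"
   connectionUsername="EXAMPLE\\svc-ldap" connectionPassword="PLACEHOLDER" />
 </providers></membership>
 <roleManager enabled="true"><providers><add name="rolemanager"
   type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
   groupContainer="example.test" groupFilter="((ObjectClass=group)"
   userFilter="(&amp;(ObjectClass=person))" />
 </providers></roleManager></system.web></configuration>"""

def filter_is_balanced(ldap_filter):
    """Parentheses must open with '(' and balance; unbalanced strings are what
    trigger 'search filter is invalid' in the ULS log."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")

def composed_role_filter(group_filter, member_dn):
    """Same shape as the filter quoted in the ULS error: (&<groupFilter>(member=<dn>))."""
    return "(&" + group_filter + "(member=" + member_dn + "))"

def looks_like_dn(value):
    """Every comma-separated RDN must be CN=, OU= or DC= (the DN shapes the post uses)."""
    rdns = [r.strip() for r in value.split(",")]
    return all("=" in r and r.split("=", 1)[0].upper() in ("CN", "OU", "DC") for r in rdns)

CHECKS = {"userFilter": filter_is_balanced, "groupFilter": filter_is_balanced,
          "userContainer": looks_like_dn, "groupContainer": looks_like_dn}

def check_web_config(xml_text):
    """Return one finding per problem found in the provider <add> entries."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        name = add.get("name", "?")
        for attr, ok in CHECKS.items():
            value = add.get(attr)
            if value is not None and not ok(value):
                findings.append(f"{name}: {attr}={value!r} failed {ok.__name__}")
        if add.get("connectionPassword"):
            findings.append(f"{name}: connectionPassword is stored in clear text; bind with a "
                            "least-privilege account and restrict who can read this file")
    return findings
```

Run check_web_config over each of the three web.config files separately, since the post's point is that each one is configured on its own.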




Good Luck!


Russ Maxwell, MSFT


Comments (17)

  1. Patrick Imboden says:

    Thanks Russ for the Article.

    Very useful.

    But I didn’t really get to solve the groupFilter and userFilter problem. I get that exception and I tried to set the config as you wrote. But I still get the exception. On the other hand, what about the Security Token Service Web.Config?

    Could you briefly clarify exactly what should stand on these filters on the 3 web.config files, also specifying the value of the filter in the membership provider?

    Thanks

  2. Russ Maxwell says:

    Sure, here is what groupFilter and userFilter should be set to on each web.config:

    Central Admin web.config:

    groupFilter="((ObjectClass=group)"

    userFilter="((ObjectClass=person)"

    Security Token Service web.config:

    groupFilter="(&amp;(ObjectClass=group))"

    userFilter="(&amp;(ObjectClass=person))"

    Claims-based Web application using FBA’s web.config:

    groupFilter="(&amp;(ObjectClass=group))"

    userFilter="(&amp;(ObjectClass=person))"

    These live under the roleManager section…

    The rest of the settings are documented here:

    http://technet.microsoft.com/en-us/library/ee806890(office.14).aspx#section2

    Thx,

    -Russ

  3. PatrickImboden says:

    Thx Man. It’s working now!

  4. David Martos says:

    Great article, and extremely useful! By the way, do you know if there is any LiveID provider for Claims-Based authentication to be used on SharePoint 2010? I’ve seen we can still use classic mode and 2007 developments to achieve this but I wonder if there is any improvement in this area.

    Thanks!

  5. Rahul says:

    Hi,

    This is a great article.

    It’s mentioned to use connectionUsername and connectionPassword in the web.config file for STS. Do we need connectionString as well?

    Please suggest.

  6. horaf says:

    is there a way to add .NET users programmatically?

  7. Tony says:

    Do you have a domain controller for this?  I only have one server, and want to authenticate off of local users.

    Thanks!

  8. Tim says:

    Hi Russ,

    Thanks for walking through this setup. Other information I have found has been confusing and somewhat conflicting. I have run into a problem with my specific configuration and was hoping that you or someone else reading this blog might be able to help me out. I have been able to enable FBA for LDAP with some success, but I am having some problems with the user container. I have not been able to add users when the user container is anything other than an OU. The DN of:

    userContainer="CN=Users,DC=mydomain,DC=mycom" – does not work (resolves names), however if I just use the root I can find users just fine. For example: userContainer="DC=mydomain,DC=mycom"

    The problem is that I can't get users to authenticate with FBA while the userContainer is pointed at the root. If I change the userContainer to a specific OU like userContainer="OU=SiteBUsers,DC=mydomain,DC=mycom" the user is authenticated and everything works just fine. My problem is that I am connecting to a flat OU structure that does not have all of my users in one container, which is why the CN=Users,DC=mydomain,DC=mycom is preferable.

    Here is an example of my WAS webconfig:

    <membership defaultProvider="myldapdomain">
      <providers>
        <add name="myldapdomain"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="myldapserver"
             port="389"
             useSSL="false"
             useDNAttribute="false"
             userNameAttribute="cn"
             userContainer="dc=mydomain,dc=mycom"
             userObjectClass="user"
             userFilter="(ObjectClass=user)"
             scope="Subtree"
             otherRequiredUserAttributes="cn,displayName"
             />
      </providers>
    </membership>

    Any help would be appreciated!

    Thanks,

    Tim

  9. Stephen K says:

    Just superb, simple and easy to follow! GOOD WORK!

  10. Nikky says:

    Hi Russ,

    Nice article!!!

    I am working on MOSS2010 site to enable FBA with LdapMembershipProvider.

    Completed all changes in the corresponding web.config and reached step #4 (Login) mentioned above.

    At this stage I am getting the form login, but when I provide user credentials, it isn't able to validate them.

    getting error:

    The server could not sign you in. Make sure your user name and password are correct, and then try again.

    (user added successfully under user policy for MOSS2010 site)

    Could you please provide some hints on this issue.

    Thanks.

  11. Lew Grant says:

    Can anyone confirm this works with SharePoint 2010 FOUNDATION?

    When I do all this I get 500 error and logs point out that Microsoft.Office.Server can't be found. This is the DLL we are referencing in our type attribute and since that DLL is part of MOSS/SharePoint 2010 and not part of WSS/SharePoint 2010 FOUNDATION then how do you use an LDAP provider with SharePoint 2010 FOUNDATION server?

  12. Jag says:

    Very good article. How do I add an AD security group instead of individual users? Can you point me in the right direction?

  13. Venkatesh Basi says:

    I am not seeing any users according to the Step 4: Login to FBA site as site owner and grant users access to the site.

    Do I need to add users explicitly in database ?

  14. Sergio Gallego says:

    I get the same error that Lew Grant got. Please, can anyone confirm if this works with SharePoint 2010 Foundation? Because Microsoft.Office.Server is not in the GAC and neither in the folder C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\ISAPI.

    Thanks

  15. Merill Fernando says:

    Making the web.config changes becomes really tiring. Especially when you have multiple dev, test and prod environments.

    I've created a utility as well as a PowerShell script to automate the changes. Hope you find it useful. The source is available on CodePlex. I've created a utility that automates updating the three config files.

    See: merill.net/…/fba-configuration-manager-for-sharepoint-2010

  16. vvgopal says:

    Thanks, it's really a good article.

    We have a similar requirement. It will be interesting for thinking minds like you. This is how it is.

    ——:)

    We want to have "both" LDAP provider and SQL provider to use in forms based authentication.

    Is this possible? I came to know this can be done by extending the web application into another zone. But the problem is with the web.config membership providers.

    How do I configure both providers in the web.config of Central Admin and SecurityToken?

    ——- any ideas are most welcome.

  17. selcuk yazar says:

    Hi,

    When we select user policy for the FBA application, the user search dialog doesn't search in LDAP groups.

    Why do I have to give permission for all users one by one?

    thanks.
