Dirk Van den Berghe SharePoint Admin Blog

real admins use stsadm.

Forms Based Authentication ( FBA) in WSS 3.0 / MOSS 2007 (by MeySun)

I had an issue this week that I was unable to sign in to my personal WSS site. For some reason the popup login screen never showed. I know that my company laptop is heavily secured as well as the network. So if it was a firewall blocking or my IE settings that did not allow the logon, I didn't care. All I needed was being able to logon to my site.

This brought me to the idea of implementing FBA for my site. I didn't want to manage users in a SQL database etc. I just needed FBA to authenticate to Active Directory. I stumbled upon a great blog post by meysun (aka Meyyappan Meenakshisundaram).

Here is what he wrote:

1. Configure SharePoint Central Admin 

  • Login to SharePoint Central Admin
  • Go to Application Management / Application Security / Authentication Providers and Change the Web Application to the one which needs to be configured for Forms Based Authentication
  • Click zone / default, change authentication type to forms and enter ActiveDirectoryMembershipProvider under membership provider name ( for example , "ADMembershipProvider") and save this change

2. Update the web.config of SharePoint Central admin site

under <configuration> node

<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings>

under <system.web> node

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="xxx" connectionPassword="yyy"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName"/>
  </providers>
</membership>

replace the connection string with the one matching your environment, and replace "xxx" with domainname\username and "yyy" with the password

3. Update the web.config of SharePoint Web application

  •  Repeat step 2 for the web.config of the SharePoint web application to be configured for Forms Based Authentication
  •  Change the authentication in web.config to
    <authentication mode="Forms">
        <forms loginUrl="/_layouts/login.aspx"></forms>
    </authentication>
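Steps 2 and 3 only work when the three fragments agree with each other: the provider named in defaultProvider must be declared, its connectionStringName must match a <connectionStrings> entry, and the file must still be well-formed XML. The Python script below is an added example (not part of this post or of meysun's write-up) that cross-checks those points before the web application is restarted. The sample configuration is the post's own fragments joined into one minimal document; the two broken variants are constructed here, one with the closing quote dropped from connectionString and one whose provider references a connection string name that is never declared.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <connectionStrings>, <authentication> and <membership>
# fragments from steps 2 and 3, joined into one minimal <configuration>
# document so the check can run offline. A real web.config has many more sections.
GOOD_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"></forms>
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="xxx" connectionPassword="yyy"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Constructed broken variants: the closing quote dropped from connectionString
# (the mistake discussed in the comments), and a provider that points at a
# connection string name that is never declared.
BROKEN_QUOTE_CONFIG = GOOD_CONFIG.replace('DC=local" />', 'DC=local />', 1)
MISMATCH_CONFIG = GOOD_CONFIG.replace(
    'connectionStringName="ADConnectionString"',
    'connectionStringName="ADConnection"', 1)


def _child(elem, tag):
    """First direct child element with the given tag, or None."""
    for c in elem:
        if c.tag == tag:
            return c
    return None


def check_fba_config(xml_text):
    """Cross-check the settings FBA with ActiveDirectoryMembershipProvider
    depends on. Returns (errors, warnings): errors block sign-in, warnings
    are things to review before going live."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A dropped quote fails here, before any provider is even loaded.
        return ["web.config is not well-formed XML: %s" % exc], warnings

    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section"], warnings

    # Step 3: Forms authentication pointed at the SharePoint login page.
    auth = _child(system_web, "authentication")
    forms = _child(auth, "forms") if auth is not None else None
    if auth is None or auth.get("mode") != "Forms":
        errors.append('authentication mode is not "Forms"')
    elif forms is None or not forms.get("loginUrl"):
        errors.append("<forms> has no loginUrl (SharePoint uses /_layouts/login.aspx)")

    # Step 2: defaultProvider must name a declared provider of the AD type.
    membership = _child(system_web, "membership")
    if membership is None:
        errors.append("no <membership> section")
        return errors, warnings
    providers = {p.get("name"): p for p in membership.findall("providers/add")}
    default = membership.get("defaultProvider")
    provider = providers.get(default)
    if provider is None:
        errors.append("defaultProvider %r is not declared under <providers>" % default)
        return errors, warnings
    ad_type = "System.Web.Security.ActiveDirectoryMembershipProvider"
    if not (provider.get("type") or "").startswith(ad_type):
        errors.append("provider %r is not %s" % (default, ad_type))

    # The provider's connectionStringName must resolve to an LDAP:// entry.
    conn = {c.get("name"): c.get("connectionString", "")
            for c in root.findall("connectionStrings/add")}
    cs_name = provider.get("connectionStringName")
    if cs_name not in conn:
        errors.append("connectionStringName %r has no <connectionStrings> entry" % cs_name)
    elif not conn[cs_name].startswith("LDAP://"):
        errors.append("connection string %r does not start with LDAP://" % cs_name)

    # The bind credentials sit in clear text in web.config; that account only
    # needs to read the directory, so keep it least-privilege.
    if provider.get("connectionPassword"):
        warnings.append("connectionPassword is stored in clear text; use a read-only, "
                        "least-privilege account for connectionUsername")
    if provider.get("attributeMapUsername") != "sAMAccountName":
        warnings.append("attributeMapUsername is not sAMAccountName, so users must "
                        "sign in with their userPrincipalName")
    return errors, warnings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("missing quote", BROKEN_QUOTE_CONFIG),
                       ("mismatch", MISMATCH_CONFIG)):
        errs, warns = check_fba_config(cfg)
        print(label, "errors:", errs, "warnings:", warns)
```

Run it against a copy of the real web.config by reading the file into a string and passing it to check_fba_config. The clear-text password warning is deliberate: the account in connectionUsername is only used to bind and search, so it should be an ordinary domain user with no extra rights, and the web.config file permissions should be as tight as the rest of the virtual directory.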

For more details
http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx?mfr=true
http://msdn2.microsoft.com/en-us/library/ms998360.aspx

So, thanks meysun for your post. It really helped me out!

Posted: Oct 02 2008, 01:01 AM by Dirk | with 4 comment(s)

Comments

Cedric said:

Dirk,

A little remark. In your connection string part, you have forgotten the closing quote. It must be: <connectionStrings>

<add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />

</connectionStrings>

I know it's a detail ! Still nice post.

# October 4, 2008 2:21 AM

Dirk said:

Cedric,

nice catch :)

The worst part is that I have implemented this already twice and each time I had an XML web.config formatting error because of the missing double quote....

# October 5, 2008 1:29 AM

Noel said:

Hello Dirk,

How are you?

I tried the above steps and configured a site as per the instructions. It gives me an error as below:

The container specified in the connection string does not exist. (C:\Inetpub\wwwroot\wss\VirtualDirectories\testmercury.jumeirah.com80\web.config line 112)

testmercury.jumeirah.com is the name of the sharepoint web app.

My web.config around the above mentioned line numbers is as follows:

108: <membership defaultProvider="ADMembershipProvider">
109:   <providers>
110:     <add
111:         name="ADMembershipProvider"
112:         type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
113:         connectionStringName="ADConnectionString"
114:         connectionUsername="domainname\username"
115:         connectionPassword="password"
116:         enableSearchMethods="true"
117:         attributeMapUsername="sAMAccountName"/>
118:   </providers>
119: </membership>

# October 14, 2008 4:38 AM

Dirk said:

Hi Noel,

been there, done that :)

The error message is pointing you in the wrong direction. As a matter of fact the error is located in the line:

<add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />

It means that the LDAP path that is specified is incorrect. The most common reason for that is when you are using another OU container instead of the Users container in your domain. This is because of the fact that the LDAP path for the Users container is slightly different from that of a normal OU container.

My suggestion to you is to look at the correct LDAP path for your container using ADSIEDIT (which is part of the support tools package)

The correct ldap path for you depends on how your Active Directory is set up.

E.g. let's say you have an Active Directory domain called contoso.com and you want to authenticate your FBA users who are all located in the default Users container in AD, then your LDAP path should be LDAP://contoso.com/CN=Users,DC=contoso,DC=com

If you have all your users in another OU that you have created yourself e.g. MyUsers then your LDAP path would be LDAP://contoso.com/OU=MyUsers,DC=contoso,DC=com

Notice that the name of your OU is now preceded by OU= instead of CN=, which is exactly what I meant by the different LDAP path for the Users container.

I hope this helps you out and best of luck

# October 14, 2008 5:55 AM
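The CN= versus OU= rule from Dirk's reply, turned into code as an added example (not part of the comment thread or of the post). ldap_container_path builds the connectionString value from a domain name and an optional list of OU names, going one step beyond the reply by handling nested OUs and escaping special characters in OU names; describe_ldap_path reads an existing value back and flags the two mix-ups the reply describes. The domain names and OU names used below are constructed for illustration.

```python
import re


def _escape_rdn(value):
    """Escape characters that are special inside a DN attribute value (RFC 4514)."""
    special = ',+"\\<>;='
    out = "".join("\\" + ch if ch in special else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldap_container_path(domain, ou_path=None):
    """Build the ActiveDirectoryMembershipProvider connection string.

    domain  -- DNS name of the AD domain, e.g. "contoso.com"
    ou_path -- None for the built-in Users container, or a list of OU names
               from the outermost OU inwards, e.g. ["MyUsers"] or
               ["Corp", "Staff"] for an OU Staff nested under Corp.
    """
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain):
        raise ValueError("domain must be a DNS name such as contoso.com")
    dc = ",".join("DC=" + label for label in domain.split("."))
    if not ou_path:
        # The built-in Users container is a container object, hence CN=.
        rdns = "CN=Users"
    else:
        # Custom OUs are organizationalUnit objects, hence OU=; a DN lists
        # the innermost OU first, so the list is reversed.
        rdns = ",".join("OU=" + _escape_rdn(name) for name in reversed(ou_path))
    return "LDAP://%s/%s,%s" % (domain, rdns, dc)


def describe_ldap_path(path):
    """Say which kind of container an existing connection string names and
    point out the CN=/OU= mix-ups that produce the 'container does not exist'
    error."""
    m = re.fullmatch(r"LDAP://([^/]+)/(.+)", path)
    if not m:
        return "not an LDAP://server/DN path"
    server, dn = m.groups()
    rdns = re.split(r"(?<!\\),", dn)          # split on unescaped commas
    container = [r for r in rdns if not r.upper().startswith("DC=")]
    if not container:
        return "no container given: the provider is scoped to the whole domain %s" % server
    first = container[0]
    if first.upper() == "CN=USERS" and len(container) == 1:
        return "default Users container of %s" % server
    if first.upper().startswith("CN="):
        return "container object %s: write OU=%s if it is an organizational unit" % (first, first[3:])
    if first.upper().startswith("OU="):
        if first[3:].lower() == "users":
            return "OU named Users: the built-in Users container must be written CN=Users"
        return "organizational unit %s under %s" % (first, server)
    return "unrecognised first RDN %r" % first


if __name__ == "__main__":
    for p in (ldap_container_path("contoso.com"),
              ldap_container_path("contoso.com", ["MyUsers"]),
              ldap_container_path("contoso.com", ["Corp", "Staff"]),
              "LDAP://contoso.com/OU=Users,DC=contoso,DC=com"):
        print(p, "->", describe_ldap_path(p))
```

The describe_ldap_path output is a string check only; it tells you whether the path is written in the form the reply describes, not whether the object exists in your directory. For that, confirm the distinguished name in ADSIEDIT as Dirk suggests before putting it in web.config.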