Interesting, isn’t it???
Why would you want to authenticate by your AD account from FBA while you can still do by Windowns Authentication..
Actually i didn’t find a reason but i was giving SharePoint course, when a Trainee told me one reason, its better User Interface for the end user, seems that end user does not like the windows authentication… well okay
So we did this lab, but if you find more reasons why would you do it, please write a comment… 🙂
So here is the steps:
First let me tell you we will edit in 3 web.config files…
1- Of our web app.
2- Central administration
3- STS Secure token Service
so lets start:
Step 1:
Go to web.config of your web app, and add those lines:
<membership defaultProvider=”i”>
<providers>
<add name=”i” type=”Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” />
<add name=”admembers”
type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
connectionStringName=”adconn”
enableSearchMethods=”true”
attributeMapUsername=”sAMAccountName” />
</providers>
</membership>
<roleManager defaultProvider=”c” enabled=”true” cacheRolesInCookie=”false”>
<providers>
<add name=”c” type=”Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” />
</providers>
</roleManager>
</system.web>
<connectionStrings>
<add name=”adconn”
connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>
Note: I am highlighting </system.web> as it already exists, you will add the membership above it and below it, you will add the connection string.
Step 2:
Open Central administration web.config:
<membership defaultProvider=”admembers”>
<providers>
<add name=”admembers”
type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
connectionStringName=”adconn”
enableSearchMethods=”true”
attributeMapUsername=”sAMAccountName” />
</providers>
</membership>
</system.web>
<connectionStrings>
<add name=”adconn”
connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>
Note: I am highlighting </system.web> as it already exists, you will add the membership above it and below it, you will add the connection string.
Step 3:
Now we add the same to STS Secure Token Service web.config,
To open it, open IIS 7 or if you have win 2008 R2 then your IIS is 7.5, anyway in both it is same steps:
Right Click on it and click explore, there are 3 files, we only want the web.config: now to the end of web.config
after </system.net> we will add the connection string:
</system.net>
<connectionStrings>
<add name=”adconn”
connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>
<system.web> there was not system.web but we will add it
<membership defaultProvider=”admembers”>
<providers>
<add name=”admembers”
type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
connectionStringName=”adconn”
enableSearchMethods=”true”
attributeMapUsername=”sAMAccountName” />
</providers>
</membership>
</system.web>
</configuration>
…… Last but not least 🙂
This depends: if you created your web app. and kept the default selection of Classic Authentication selected, then we need to convert it to use Claims, to do this, Open SharePoint PowerShell an write the following:
$w = Get-SPWebApplication http://servername:port
$w.UseClaimsAuthentication = “True”;
$w.Update()
before this PS, go to CA > manage web app > select your web app and from ribbon > click Authentication provider >
You will see Forms dimmed, after the PS command it will be enabled, and you can write your membership name as it was in web.config, and as below…..
Now try…. yes try it, open your site, if you tried to login using FBA and wrote Administrator, you will get access denied while this is Farm administrator account….
One last Step:
we need to the administrator of FBA as Secondary administrator:
go to CA > Manage web app > click site collection administrators > in secondary:
There is administrator from AD and from FBA….. 🙂
add it, it should be like below: add administrator and any user you want from AD.
Now try to login to your site again using Forms authentication:
Next Post, i will tell you how to see only FBA without choosing, and still by AD account.
Good Luck, don’t forget it to write comment to tell me about another reason..
Mai Omar Desouki 
Hi,
i having client requirement to to create FBA with AD.
Scenario is just like:
1) Client login with their gmail id & Password.
2)Authenticate gmail id & Password with google api code(Code is already available for google authentication).
3)if id is valid then check in userMaster list where AD username is mapping with gmail id
(userMaster list having 2 column userName(type:users or groups) & email (type:singleline of text) ).
4)from userMaster list it will find valid AD user name(on base of gmail ID) & logged in through AD user.
i am using sharepoint 2010, please suggest me way for developing custom login page for this requirement.
Thanks,
Kuldip Thakkar
Hi! I know this is kinda off topic nevertheless I’d figured I’d ask.
Would you be interested in trading links or maybe guest authoring a blog post or vice-versa?
My site discusses a lot of the same subjects as yours and I think we could greatly
benefit from each other. If you’re interested feel free to send me an e-mail. I look forward to hearing from you! Awesome blog by the way!
It’s not my first time to go to see this web page, i am browsing this web page dailly and obtain pleasant information from here all the time.
Thank you v much
I am extremely impressed with your writing skills and also with the
layout on your blog. Is this a paid theme
or did you modify it yourself? Either way keep up the nice quality writing,
it is rare to see a great blog like this one today.
What’s up, yes this piece of writing is in fact pleasant and I have learned lot of
things from it about blogging. thanks.
Thank you. Great you like it 🙂
Hi May , Great Post,
Does the same applies to SP2013
Thank you Muneer.
Yes, it does.
Hey there would you mind letting me know which webhost
you’re working with? I’ve loaded your blog in 3 completely different internet browsers and I must say
this blog loads a lot faster then most. Can you recommend a good web hosting provider at a fair price?
Thanks a lot, I appreciate it!
Greetings from Carolina! I’m bored to death at work so I decided
to browse your site on my iphone during lunch break. I enjoy the info you provide here and can’t
wait to take a look when I get home. I’m surprised at how quick your
blog loaded on my cell phone .. I’m not even using WIFI, just 3G ..
Anyhow, superb blog!
Thanks.
Hi, i think that i saw you visited my website thus i came
to “return the favor”.I’m trying to find things to
improve my web site!I suppose its ok to use some
of your ideas!
What????
I am not sure where you are getting your information,
but good topic. I needs to spend some time learning more or understanding more.
Thanks for magnificent info I was looking for this info for my
mission.
I am glad it helped you. Any questions just email me.. Good luck
I believe that is one of the so much vital info for me. And i
am glad studying your article. However should observation on few general things, The web
site style is wonderful, the articles is truly excellent : D.
Excellent task, cheers
well done, great post, i tried the steps above, its working fine for the administrator, however users are getting access denied (Sorry, this site hasn’t be shared with you) page once they pass the login page.
well done, great post, applied the above steps and its working fine for administrator, however users are getting access denied (sorry, the site hasn’t been shared with you) once they complete the login process
What I did not thats mine