Category Archives: FBA

Forms Based Authentication FBA by AD in SharePoint 2010

22 Friday Jul 2011

Posted by in FBA, Form Based Authentication, SharePoint 2010

20 Comments

Tags

, ,


Interesting, isn’t it???

Why would you want to authenticate by your AD account from FBA while you can still do by Windowns Authentication..

Actually i didn’t find a reason but i was giving SharePoint course, when a Trainee told me one reason, its better User Interface for the end user, seems that end user does not like the windows authentication… well okay

So we did this lab, but if you find more reasons why would you do it, please write a comment… 🙂

So here is the steps:

First let me tell you we will edit in 3 web.config files…

1- Of our web app.

2- Central administration

3- STS Secure token Service

so lets start:

Step 1:

Go to web.config of your web app, and add those lines:

<membership defaultProvider=”i”>
      <providers>
        <add name=”i” type=”Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” />
<add name=”admembers”
           type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
           connectionStringName=”adconn”
           enableSearchMethods=”true”
           attributeMapUsername=”sAMAccountName” />

</providers>
    </membership>

    <roleManager defaultProvider=”c” enabled=”true” cacheRolesInCookie=”false”>
      <providers>
        <add name=”c” type=”Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c” />
      </providers>
    </roleManager>

</system.web>

<connectionStrings>
   <add name=”adconn”
        connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>

Note: I am highlighting </system.web> as it already exists, you will add the membership above it and below it, you will add the connection string.

Step 2:

Open Central administration web.config:

<membership defaultProvider=”admembers”>
   <providers>
      <add name=”admembers”
           type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
           connectionStringName=”adconn”
           enableSearchMethods=”true”
           attributeMapUsername=”sAMAccountName” />
   </providers>
</membership>

  </system.web>

<connectionStrings>
   <add name=”adconn”
        connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>

Note: I am highlighting </system.web> as it already exists, you will add the membership above it and below it, you will add the connection string.

Step 3:

Now we add the same to STS Secure Token Service web.config,

To open it, open IIS 7 or if you have win 2008 R2 then your IIS is 7.5, anyway in both it is same steps:

sts1

Right Click on it and click explore, there are 3 files, we only want the web.config: now to the end of web.config

after </system.net> we will add the connection string:

</system.net>

<connectionStrings>
   <add name=”adconn”
        connectionString=”LDAP://crmdemo.com/DC=crmdemo,DC=com” />
</connectionStrings>

<system.web>  there was not system.web but we will add it

<membership defaultProvider=”admembers”>  
<providers>
<add name=”admembers”
           type=”System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
           connectionStringName=”adconn”
           enableSearchMethods=”true”
           attributeMapUsername=”sAMAccountName” />
</providers>
</membership>

</system.web>

</configuration>

…… Last but not least 🙂

This depends: if you created your web app. and kept the default selection of Classic Authentication selected, then we need to convert it to use Claims, to do this, Open SharePoint PowerShell an write the following:

$w = Get-SPWebApplication http://servername:port

$w.UseClaimsAuthentication = “True”;

$w.Update()

before this PS, go to CA > manage web app > select your web app and from ribbon > click Authentication provider >

dimmedforms

You will see Forms dimmed, after the PS command it will be enabled, and you can write your membership name as it was in web.config, and as below…..

membershipinca

Now try…. yes try it, open your site, if you tried to login using FBA and wrote Administrator, you will get access denied while this is Farm administrator account….

One last Step:

we need to the administrator of FBA as Secondary administrator:

go to CA > Manage web app > click site collection administrators > in secondary:

scadmin

There is administrator from AD and from FBA….. 🙂

add it, it should be like below: add administrator and any user you want from AD.

secondary

Now try to login to your site again using Forms authentication:

FBA2

Next Post, i will tell you how to see only FBA without choosing, and still by AD account.

Good Luck, don’t forget it to write comment to tell me about another reason..