Configuring Forms Authentication in SharePoint 2010 Using ADLDS


 
In this article I am demonstrating how to create a claims-based web application using Active Directory Lightweight Directory Services (ADLDS) and SharePoint 2010. Forms-based authentication provides custom identity management in Microsoft SharePoint 2010 by implementing a membership provider, which defines interfaces for identifying and authenticating individual users, and a role manager, which defines interfaces for grouping individual users into logical groups. I found an article in the internet for the same purpose; most of the author's explainations are with the IIS configuration wizard to create a connection, providers etc. But here I am explainining a very manual approach and I didn't find many articles that explains forms with ADLDS.

This approach has two major parts:

  1. Configure ADLDS
  2. Configure Forms authentication with web application

Install and Configure ADLDS

Click on Start / Administrative Tools / Server Manager. Click on Roles and then elect Add Roles on the right navigation pane. Check the box beside Active Directory Lightweight Directory Services then follow the wizard until the end. AD LDS is now installed and ready to be configured with your first data store. In order to do so, click on Start / Administrative Tools / Active Directory Lightweight Directory Services Setup as shown below.

         1.gif

The following setup wizard welcome screen appears. Click Next.

         2.gif

Select a unique instance and then click on Next.

         3.png

In the next screen give the instance name and description:

         4.gif

In the next screen give a convenient LDAP port number and SSL Port Number:

         5.gif

Select yes; create an application directory partition. Specify your Partition Name. Please make a note of this as you will need it at the end to connect the partition through ADSI Edit. Click Next.

         6.gif

Select your File Locations. Click Next.

         7.gif

Select this account (in my case), Network service account. Should be sufficient in most cases. Select Next:

         8.gif

Select your administrator account. Click Next:

         9.gif

Click on the below options. Click Next:

         10.gif

Summary selections screen. Review and then click Next:

         11.gif

         12.gif

Now that our instance is complete, we are required to connect to this instance via ADSI Edit MMC snap in. Click on Start / Administrative Tools / ADSI Edit. Once the MMC is loaded, right click on the ADSI Edit Note and select Connect to.

Fill in the Connection Settings.
  • Name: Enter a friendly name.
     
  • Connection Point: Click on Select or type a Distinguished Name and type in your Partition Name that you entered in earlier when creating the application directory partition.
     
  • Computer: The machine that AD LDS is installed and the port number you specified earlier.
    Then click OK.

    13.gif

Click Connect to and fill in the below details and click OK:

        14.gif

Once done it will look like the screen below:

        15.gif

        16.gif

We now need to create a container to store our users. This is equivalent to an Organizational Unit in Active Directory. Right Click on your CN entry and select New / Object and select your class as container. Click Next.

        17.gif

Type Users as your value, Next and Finish.

       18.gif

Right Click on CN=Users and select New / Object, and select your class as user.

       19.gif

       20.gif

Type the username:

       21.gif

Then select (right-click) the user and reset the password:
      
       22.gif

Right-click on your newly created user object and select properties. Scroll down and locate the msDS-UserAccountDisabled attribute and set it to False:

       23.gif

Grant your SharePoint service account permission in the AD LDS store.
Expand your AD LDS connection within ADSI Edit and click on the CN=Roles container. Right-click on CN=Readers listed on the right Navigation Pane and select properties.

       24.gif

Locate the member attribute and select edit.

       25.gif

Then select Add Windows Account and browse for your SharePoint Service Account and click OK.

      26.gif

Once done you get the screen below:

      27.gif

Creating a SharePoint Web Application

To create a SharePoint Web application:
  1. Browse to the SharePoint 2010 Central Administration page.
     
  2. In the Application Management section, click Manage web applications.
     
  3. On the ribbon, click New.
     
  4. In the Create New Web Application dialog box, under Authentication, click Claims Based Authentication.
     
  5. In the IIS Web Site section, under Create a new IIS web site, change the Name field to SharePoint – ADLDS FBA.
     
  6. Change the Port number to 200.
     
  7. In the Claims Authentication Types section, do the following:

    - Select Enable Forms Based Authentication (FBA).

    - I recommended to keep Windows so you get multiple authentication.
     
  8. In the membership provider and role manager fields, enter the following names:

    - ASP.NET membership provider name: ADLDSMembership
     
  9. In the Database Name and Authentication section, change the database name to be WSS_Content_200.
     
  10. Leave other settings as their defaults.
     
  11. Click OK to create the web application

Configuring a Membership and Role Provider for the SharePoint Web Application

There are three web.config files that you must modify:
  • Central Administration: To allow picking for site collections.
     
  • Security Token Service: To allow sign in, and for issuing tokens.
     
  • FBA Web Application: To allow picking on the local web application.

Find the <system.web> entry.

Then find out
<membership>  tag and paste the following lines inside provider tag:

<add name="ADLDSMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ServerName" port="60000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=SPFBAStore,DC=Destinitesting,DC=COM" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />


Repeat the above steps to FBA web application that we created.

Adjust the web.config of the Security Token Service (STS) virtual directory

The SecurityTokenServiceApplication website is located under the SharePoint Web Services website, as shown in the figure. Go to your IIS and find the SecurityTokenServiceApplication and open it:

         28.gif

Find the <system.web> entry.

Then find out
<membership> tag and paste the following lines inside the provider tag:

<add name="ADLDSMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ServerName" port="60000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=SPFBAStore,DC=Destinitesting,DC=COM" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Add a user policy to the web application

  1. Go to Central Administration
     
  2. Go to Application Management
     
  3. Click on Manage Web Applications
     
  4. Select the claims based web application
     
  5. Click on User Policy
     
  6. Click on the Add Users link
     
  7. Click the Next button.
     
  8. Click the Address Book icon.
     
  9. Type in the NT login name or account name and click the search button. If it's working correctly you should see at least two entries for the account – one that is for the user's Active Directory account, and one that is for that same account but which was found using the LDAP provider.
     
  10. Select the account in the User section and click the Add button
     
  11. Click the OK button
     
  12. Check the Full Control checkbox, then click the Finish button
     
  13. If you have configured dual mode then you can even go to your claim based web application and can add ADLDS user directly there

    29.gif

You have added your user then open your claims web application in Forms mode

        30.gif

Type your user ID and password. You are able to login:
     
        31.gif