This article provides guidance for configuring forms-based authentication for a SharePoint 2010/2013 web application that uses a Lightweight Directory Access Protocol (LDAP) membership provider. Using a LDAP provider with forms-based authentication means that users will be using their Windows or Active Directory (AD) accounts to log in.

The steps in this article apply to both SharePoint Server 2010 and 2013.

Process Overview

This configuration has the following phrases that must be performed in consecutive order:

  1. Create a new Web application that uses forms-based authentication

  2. Configure the Web.Config files for an LDAP membership provider

  3. Create a new Site collection

Within each phase, the set of procedures must also be performed in consecutive order.

Phrase 1:  Create a web application that uses forms-based authentication 

  1. Launch SharePoint 2013 Central Administration
  2. In the Application Management section, click Manage web applications
  3. In the toolbar, click New
  4. In the Create New Web Application dialog box:
    1. De-select Enable Windows Authentication.
    2. Select Enable Forms Based Authentication (FBA)

    3. Enter "LdapMember" in the ASP.NET Membership provider name box

    4. Enter "LdapRole" in the ASP.NET Role manager name box

  5. Configure other settings for this new web application as needed, and then click OK to create it. 

Phrase 2: Configure the Web.Config files for an LDAP membership provider

After you have successfully created the new web application, modify the following Web.Config files in every web front-end server in the farm:

  • The Central Administration web application Web.Config file
  • The Security Token Service Web.Config file
  • The new web application Web.Config file

Configure the Central Administration Web.Config file

  1. Launch Internet Information Services (IIS) Manager

  2. In the console tree, open the server name, and then Sites

  3. Right-click the SharePoint Central Administration site, and then click Explore.

  4. In the folder window, double-click the Web.Config file.

  5. In the <Configuration> section, find the <system.web> section and add the following example entry:

web.config
<membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="LdapMember" 
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
             server="dc.yourdomain.com" 
             port="389" 
             useSSL="false" 
             userDNAttribute="distinguishedName" 
             userNameAttribute="sAMAccountName" 
             userContainer="DC=yourdomain,DC=com" 
             userObjectClass="person" 
             userFilter="(ObjectClass=person)" 
             scope="Subtree" 
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" > 
      <providers>
        <add name="LdapRole" 
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="dc.yourdomain.com" 
             port="389"
             useSSL="false"
             groupContainer="DC=yourdomain,DC=com" 
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />
      </providers>
</roleManager>

In the preceding entry, substitute the following:

  • The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".

  • The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".

  • The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".

Configure the Security Token Service Web.Config file

  1. In the console tree of Internet Information Services (IIS) Manager, open the SharePoint Web Services site.
  2. In the console tree, right-click SecurityTokenServiceApplication, and then click Explore.
  3. In the folder window, double-click the Web.Config file.
  4. In the <Configuration> section, create a new <system.web> section and add the following example entry:
web.config
<system.web>
	<membership>
	      <providers>
		<add name="LdapMember" 
		     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
		     server="dc.yourdomain.com" 
		     port="389" 
		     useSSL="false" 
		     userDNAttribute="distinguishedName" 
		     userNameAttribute="sAMAccountName" 
		     userContainer="DC=yourdomain,DC=com" 
		     userObjectClass="person" 
		     userFilter="(ObjectClass=person)" 
		     scope="Subtree" 
		     otherRequiredUserAttributes="sn,givenname,cn" />
	      </providers>
	</membership>
	<roleManager enabled="true" > 
	      <providers>
		<add name="LdapRole" 
		     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
		     server="dc.yourdomain.com" 
		     port="389"
		     useSSL="false"
		     groupContainer="DC=yourdomain,DC=com"
		     groupNameAttribute="cn"
		     groupNameAlternateSearchAttribute="samAccountName"
		     groupMemberAttribute="member"
		     userNameAttribute="sAMAccountName"
		     dnAttribute="distinguishedName"
		     groupFilter="(ObjectClass=group)"
		     userFilter="(ObjectClass=person)"
		     scope="Subtree" />
	      </providers>
	</roleManager>
</system.web>

In the preceding entry, substitute the following:

  • The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".

  • The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".

  • The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".

Configure the new web application Web.Config file

  1. In the console tree of Internet Information Services (IIS) Manager, right-click the site that corresponds to the name of the web applications that you just created, and then click Explore.

  2. In the folder window, double-click the Web.Config file.

  3. In the <Configuration> section, find the <system.web> section.

  4. Find the <membership defaultProvider="i"> section and add the following example entry to the <Providers> section:

    web.config
    <add name="LdapMember" 
   type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
   server="dc.yourdomain.com" 
   port="389" 
   useSSL="false" 
   userDNAttribute="distinguishedName" 
   userNameAttribute="sAMAccountName" 
   userContainer="DC=yourdomain,DC=com" 
   userObjectClass="person" 
   userFilter="(ObjectClass=person)" 
   scope="Subtree" 
   otherRequiredUserAttributes="sn,givenname,cn" />

  5. Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and add the following example entry to the <Providers> section:

    web.config
    <add name="LdapRole"
   type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
   server="dc.yourdomain.com" 
   port="389"
   useSSL="false"
   groupContainer="DC=yourdomain,DC=com"
   groupNameAttribute="cn"
   groupNameAlternateSearchAttribute="samAccountName"
   groupMemberAttribute="member"
   userNameAttribute="sAMAccountName"
   dnAttribute="distinguishedName"
   groupFilter="(ObjectClass=group)"
   userFilter="(ObjectClass=person)"
   scope="Subtree" />

    In the preceding entry, substitute the following:

  • The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".

  • The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".

  • The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".

Phrase 3: Create a new site collection

  1. Click Application Management
  2. In the Site Collections section, click Create site collections
  3. Select the newly created web application
  4. Fill in a Title, Web site address and select a template
  5. In the Primary Site Collection Administrator section, click the address book icon
  6. In the Select People popup window, enter a user name in the Find box, click the search icon



    You should see search result in Forms Auth, e.g "Form Auth (1)". If there is no search result in the Form Auth, then it indicates that FBA has not been successfully configured. 

  7. Select the user(s) to be the primary administrator, then click OK to save it.
  8. Configure other settings for this new site collection as needed, and then click OK to create it. 

http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx

http://www.sharepointchick.com/archive/2010/05/06/configuring-claims-and-forms-based-authentication-for-use-with-an.aspx

 

Content by label

There is no content with the specified labels