This article provides guidance for configuring forms-based authentication for a SharePoint 2010/2013 web application that uses a Lightweight Directory Access Protocol (LDAP) membership provider. Using an LDAP provider with forms-based authentication means that users log in with their Windows or Active Directory (AD) accounts.
The steps in this article apply to both SharePoint Server 2010 and 2013.
This configuration has the following phases, which must be performed in consecutive order:
Create a new Web application that uses forms-based authentication
Configure the Web.Config files for an LDAP membership provider
Within each phase, the set of procedures must also be performed in consecutive order.
Enter "LdapMember" in the ASP.NET Membership provider name box
Enter "LdapRole" in the ASP.NET Role manager name box
Configure other settings for this new web application as needed, and then click OK to create it.
After you have successfully created the new web application, modify the following Web.Config files in every web front-end server in the farm:
Launch Internet Information Services (IIS) Manager
In the console tree, open the server name, and then Sites
Right-click the SharePoint Central Administration site, and then click Explore.
In the folder window, double-click the Web.Config file.
In the <Configuration> section, find the <system.web> section and add the following example entry:
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.yourdomain.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=yourdomain,DC=com" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.yourdomain.com" port="389" useSSL="false"
         groupContainer="DC=yourdomain,DC=com" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>
In the preceding entry, substitute the following:
The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".
The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".
The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".
<system.web>
  <membership>
    <providers>
      <add name="LdapMember"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="dc.yourdomain.com" port="389" useSSL="false"
           userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
           userContainer="DC=yourdomain,DC=com" userObjectClass="person"
           userFilter="(ObjectClass=person)" scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add name="LdapRole"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="dc.yourdomain.com" port="389" useSSL="false"
           groupContainer="DC=yourdomain,DC=com" groupNameAttribute="cn"
           groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
           userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
           groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)"
           scope="Subtree" />
    </providers>
  </roleManager>
</system.web>
In the preceding entry, substitute the following:
The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".
The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".
The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".
In the console tree of Internet Information Services (IIS) Manager, right-click the site that corresponds to the name of the web application that you just created, and then click Explore.
In the folder window, double-click the Web.Config file.
In the <Configuration> section, find the <system.web> section.
Find the <membership defaultProvider="i"> section and add the following example entry to its <providers> section:
<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="dc.yourdomain.com" port="389" useSSL="false"
     userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
     userContainer="DC=yourdomain,DC=com" userObjectClass="person"
     userFilter="(ObjectClass=person)" scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and add the following example entry to its <providers> section:
<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="dc.yourdomain.com" port="389" useSSL="false"
     groupContainer="DC=yourdomain,DC=com" groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
     userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)"
     scope="Subtree" />
In the preceding entry, substitute the following:
The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="dc.yourdomain.com".
The distinguished name of your user container in userContainer="dc=yourdomain,dc=com".
The distinguished name of your group container in groupContainer="dc=yourdomain,dc=com".
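Because the same edit has to land in the Web.Config of every web front-end server, a post-edit check is useful. The following Python script is an added example, not part of the original article: it parses a Web.Config and verifies that the LdapMember and LdapRole entries exist under the right sections with the expected provider types, that the server and container placeholders were replaced, and that the provider talks LDAPS instead of cleartext LDAP on port 389 (a simple bind carries the user's password). The embedded Web.Config fragment is constructed from the entries above; the check table and finding texts are mine, and the type check only matches the class name, so it accepts the 14.0.0.0 (SharePoint 2010) as well as the 15.0.0.0 (SharePoint 2013) assembly version.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two provider entries from the procedure as they sit in a web
# application's Web.Config, still on port 389 without SSL and with placeholders left in.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="i"><providers>
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.yourdomain.com" port="389" useSSL="false" userNameAttribute="sAMAccountName"
         userDNAttribute="distinguishedName" userContainer="DC=yourdomain,DC=com" scope="Subtree" />
  </providers></membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"><providers>
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="dc.yourdomain.com" port="389" useSSL="false" groupContainer="DC=yourdomain,DC=com"
         groupNameAttribute="cn" groupMemberAttribute="member" scope="Subtree" />
  </providers></roleManager>
</system.web></configuration>"""

# (section, provider name as typed into Central Administration, expected type, container attribute)
CHECKS = [
    ("membership", "LdapMember", "Microsoft.Office.Server.Security.LdapMembershipProvider", "userContainer"),
    ("roleManager", "LdapRole", "Microsoft.Office.Server.Security.LdapRoleProvider", "groupContainer"),
]

def audit_ldap_providers(xml_text, checks=CHECKS, placeholder="yourdomain"):
    """Return findings for the LDAP provider entries in a Web.Config; an empty list means
    both entries exist, carry real server/container values and use LDAPS."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, name, type_prefix, container_attr in checks:
        sect = root.find(f"system.web/{section}")
        add = None if sect is None else next((a for a in sect.iter("add") if a.get("name") == name), None)
        if add is None:
            findings.append(f'{name}: no <add name="{name}"> under <{section}>/<providers>')
            continue
        if section == "roleManager" and sect.get("enabled") != "true":
            findings.append(f"{name}: roleManager is not enabled, so the role provider is never consulted")
        if not add.get("type", "").startswith(type_prefix):
            findings.append(f"{name}: unexpected provider type {add.get('type')!r}")
        for attr in ("server", container_attr):
            if placeholder in add.get(attr, ""):
                findings.append(f"{name}: {attr} still holds the placeholder value")
        # A simple bind sends the user's password to the domain controller; without
        # SSL/TLS on the LDAP connection it crosses the network in cleartext.
        if add.get("useSSL", "false").lower() != "true":
            findings.append(f'{name}: useSSL is false; use LDAPS (useSSL="true", port="636")')
        elif add.get("port") == "389":
            findings.append(f"{name}: useSSL is true but port 389 is plain LDAP; LDAPS listens on 636")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ldap_providers(SAMPLE_WEB_CONFIG)))
```

Run it against the Web.Config on each web front-end after the edit; the sample as written yields six findings (two placeholder values and the missing SSL setting for each provider), and a corrected file yields none.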
http://technet.microsoft.com/en-us/library/ee806890(v=office.15).aspx