Configuring Claims Based FBA with Active Directory store

Create a new web application in claims based authentication mode

1. From Central Administration, select Manage Web Applications and then create a new web application.

Figure 1 - Manage Web Applications page in Central Administration

Figure 2 - Selecting claims based authentication

2. Select Claims Based Authentication.
3. Check Enable ASP.NET Membership and Role Provider.
4. Type a name in the Membership provider name field, for example FBA_AD_MP.
5. Click OK; the section should look like Figure 3.

Figure 3 - Configuring Role Providers

6. Create a new site collection.
7. Select Publishing Portal as its type and assign your account as the primary administrator.

Edit the web.config files

Edit the web.config file for the web application

On each Web Front End server, edit the web.config file for the claims based web application. Inside the membership providers element, add the following element (the ASP.NET membership provider named in step 4, FBA_AD_MP), so that the section looks like this:

    <membership defaultProvider="i">
      <providers>
        <add name="i"
             type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>

At the very bottom of the file, before the closing configuration tag (</configuration>), add the following:

    <connectionStrings>
      <add name="ADFBAConnectionString"
           connectionString="LDAP://corp.contoso.com/DC=corp,DC=contoso,DC=com" />
    </connectionStrings>
    </configuration>

Edit the web.config file for the Security Token web application

On each Web Front End server and on the Central Administration server, edit the web.config file for the Security Token web application, normally located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken. Add the following at the bottom of the web.config file, before the closing configuration element tag:

    <system.web>
      <membership defaultProvider="FBA_AD_MP">
        <providers>
        </providers>
      </membership>
    </system.web>
    <connectionStrings>
      <add name="ADFBAConnectionString"
           connectionString="LDAP://corp.contoso.com/DC=corp,DC=contoso,DC=com" />
    </connectionStrings>
    </configuration>

Edit the web.config file for the Central Administration web application

On each Central Administration server, edit the web.config file for the Central Administration web application. Inside the membership providers element, add the following element and set it as the default provider, so that the section looks like this:

    <membership defaultProvider="FBA_AD_MP">
      <providers>
      </providers>
    </membership>

At the very bottom of the file, before the closing configuration tag (</configuration>), add the following:

    <connectionStrings>
      <add name="ADFBAConnectionString"
           connectionString="LDAP://corp.contoso.com/DC=corp,DC=contoso,DC=com" />
    </connectionStrings>
    </configuration>

Granting permissions from Central Administration

1. Navigate to Manage Web Applications in Central Administration.
2. Select the claims based web application and click User Policy.

Figure 4 - Selecting web application

3. Click Add Users, then click Next.

Figure 5 - Granting permissions

4. Open the people picker and search for an account name.
5. The account should now appear twice, once under Active Directory and once under Forms Auth.
6. Add the account that appears under Forms Auth and give it Full Control permission.

Figure 6 - User selection dialog

Test the site

1. Navigate to the claims based authentication site.

Figure 7 - Select Sign In method

2. Select Forms Based from the drop-down menu.
3. Enter the username (without the domain part) and the password of the Windows login you granted permissions to on the site.

Figure 8 - Enter credentials

4. You can now add new users to the Viewer, Contributor and Owner groups from Site Settings -> People and Groups.
5. Sign out from the claims based authentication site.

Figure 9 - Sign Out

6. Navigate to the claims based authentication site again.
7. Select Windows Authentication from the drop-down; you should be authenticated and redirected to the home page automatically.
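The "Edit the web.config files" section above touches three web.config files with the same pattern, and a mis-typed attribute name or a defaultProvider that names no defined provider only surfaces when IIS fails to load the site. The following PowerShell check is an added example and is not part of the original guide. It parses each web.config as XML, confirms that the connectionStrings entry points at an LDAP:// path, that a system.web/membership section exists, that its defaultProvider resolves to a provider actually listed under providers, and that the FBA_AD_MP provider from step 4 is defined. The Security Token path is the one the guide gives; the web application path is a placeholder you must replace with your IIS site's directory. The last check assumes the AD membership provider references its connection string through the standard ASP.NET connectionStringName attribute, which the guide does not reproduce.

```powershell
# Added example, not part of the original guide: verify the web.config edits
# described above on each server that carries them.
$ConfigPaths = @(
    'C:\inetpub\wwwroot\wss\VirtualDirectories\<your-claims-web-app>\web.config',  # placeholder, adjust
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
)
$ProviderName         = 'FBA_AD_MP'              # name typed in step 4
$ConnectionStringName = 'ADFBAConnectionString'  # name used in the connectionStrings block

function Test-FbaWebConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$ProviderName,
        [string]$ConnectionStringName
    )
    $problems = @()
    if (-not (Test-Path -LiteralPath $Path)) { return @('file not found') }

    # Load as XML first: a file that does not parse will not load in IIS either
    $cfg = New-Object System.Xml.XmlDocument
    try { $cfg.Load($Path) }
    catch { return @("web.config is not well-formed XML: $($_.Exception.Message)") }

    # 1. connectionStrings/add with the expected name, pointing at an LDAP:// path
    $cs = $cfg.SelectNodes('/configuration/connectionStrings/add') |
          Where-Object { $_.GetAttribute('name') -eq $ConnectionStringName } |
          Select-Object -First 1
    if (-not $cs) {
        $problems += "connectionStrings entry '$ConnectionStringName' is missing"
    } elseif ($cs.GetAttribute('connectionString') -notmatch '^LDAP://') {
        $problems += "connection string does not start with LDAP:// (got '$($cs.GetAttribute('connectionString'))')"
    }

    # 2. system.web/membership: defaultProvider must name a provider that is defined
    $membership = $cfg.SelectSingleNode('/configuration/system.web/membership')
    if (-not $membership) {
        $problems += 'system.web/membership section is missing'
        return $problems
    }
    $defaultProvider = $membership.GetAttribute('defaultProvider')   # '' when absent
    $providerNodes   = @($cfg.SelectNodes('/configuration/system.web/membership/providers/add'))
    $providerNames   = @($providerNodes | ForEach-Object { $_.GetAttribute('name') })
    if ($defaultProvider -eq '') {
        $problems += 'membership element has no defaultProvider attribute'
    } elseif ($providerNames -notcontains $defaultProvider) {
        $problems += "defaultProvider '$defaultProvider' is not defined under providers (defined: $($providerNames -join ', '))"
    }

    # 3. the AD membership provider from step 4 must be defined in every file
    if ($providerNames -notcontains $ProviderName) {
        $problems += "provider '$ProviderName' is not defined under providers"
    }

    # 4. Assumption: the provider references its connection string with the
    #    standard ASP.NET connectionStringName attribute; if it does, it must
    #    point at the entry checked in step 1
    $fba = $providerNodes | Where-Object { $_.GetAttribute('name') -eq $ProviderName } | Select-Object -First 1
    if ($fba -and $fba.HasAttribute('connectionStringName') -and
        $fba.GetAttribute('connectionStringName') -ne $ConnectionStringName) {
        $problems += "provider '$ProviderName' references connection string '$($fba.GetAttribute('connectionStringName'))', expected '$ConnectionStringName'"
    }
    return $problems
}

foreach ($path in $ConfigPaths) {
    $result = @(Test-FbaWebConfig -Path $path -ProviderName $ProviderName -ConnectionStringName $ConnectionStringName)
    if ($result.Count -eq 0) {
        Write-Output "OK    $path"
    } else {
        $result | ForEach-Object { Write-Output "CHECK $path : $_" }
    }
}
```

Run it on every Web Front End server and on the Central Administration server, adding the Central Administration web.config path to $ConfigPaths there, under an account that can read the 14 hive. The script only reads the files; any line reported as CHECK is a mismatch between what the guide prescribes and what is on disk, which is worth fixing before an IIS reset rather than after.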