Setting up FBA Claims in SharePoint 2010 with Active Directory Membership Provider


sridhara2, 7 Jan 2010 3:30 AM

This is a walk-through on setting up FBA Claims in SharePoint 2010 using the Active Directory Membership Provider.

The very first step is to create a web application, and to create it with claims authentication mode. I am going to provision a web application with claims auth mode enabled at the URL http://moss.claims.contoso.com. Another important section in this Create New Web Application screen is the Identity Providers section. Once we select claims as the authentication mode, Windows Authentication is also plugged in as one of the providers. Check the Enable Windows Authentication check box if you'd like Windows Authentication ALSO enabled for this web application. We can also choose to enable ASP.NET Membership and Role Provider here; in that case, we'll need to provide the corresponding provider names in the text boxes. The web.config file entries can be added later. Those are the important parts. You can choose the other values as you normally would and create the new web application.

Once the web application is created, we'll first configure this web application for claims authentication using the Active Directory Membership Provider and then create a site collection. There are 3 web.config files we need to edit for enabling claims:

1. The config file of the Central Administration site.
2. The config file of the Web Application.
3. The config file of the STS (SecurityTokenService) Application. This is important because it is this service that ensures claims tokens are passed correctly between the provider (in our case AD) and the consumer (CA and our Web Application). Further, we can have multiple providers plugged in; the STS application manages all of these interactions for us.
msdn.com/ /setting-up-fba-claims-i 1/9

Central Administration web.config changes

Open the web.config file of your SharePoint 2010 Central Administration site and add the following entries (NOTE: The values you need to change according to your environment, shown in red in the original, are the ones in the connection string). First the connection string:

    <connectionStrings>
      <add name="adconn" connectionString="LDAP://anomaly.com/DC=anomaly,DC=com" />
    </connectionStrings>

And then the provider:

    <membership defaultProvider="admembers">
      <providers>
        <add name="admembers"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="adconn"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

NOTE: The connection string element should be present outside of the <system.web></system.web> section, and the provider element should be present within the <system.web></system.web> section of the web.config file. After this change, the web.config file of the Central Administration site should look like what's shown in Image3.

Web Application web.config changes

Open the web.config file of the newly created web application and add the following entries. First the connection string:

    <connectionStrings>
      <add name="adconn" connectionString="LDAP://anomaly.com/DC=anomaly,DC=com" />
    </connectionStrings>

NOTE: This entry should be made outside of the <system.web></system.web> section in the web application's web.config file, just like the one for the Central Administration site.

And then the provider:

    <membership defaultProvider="admembers">
      <providers>
        <add name="admembers"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="adconn"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

NOTE: This one is a bit different. In the web application's web.config file, search for <membership (without the closing >). You will find there's already a membership and role provider plugged in (shown in Image4): SPClaimsAuthMembershipProvider & SPClaimsAuthRoleProvider in Microsoft.SharePoint.Administration.Claims implement the default claims provider, and the Windows authentication type is plugged in through an HttpModule (shown in Image5).

Now we will plug in our Active Directory membership provider by adding the provider <add> entry shown above to the existing <providers> element (shown in Image4). The result should look like Image6. Save and close this web.config file.

STS Application web.config changes

The next thing to do is to get your provider entry into the STS application's web.config file. Open Internet Information Services (IIS) Manager on your SharePoint 2010 box and find the STS application (shown in Image7). Right-click > Explore to open the files within this application in Explorer. You should now be in this path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken. You will find a web.config file in there. That's the Security Token Service Application's web.config you need to add your provider and connection information to. Open this web.config file. If this is the first time you are configuring claims, you'll not find a <system.web></system.web> section in it. That's not a problem; just add that section yourself. What works for me is to go to the end of this web.config file and do the following: first add the connection information just before </configuration>, and then after the <connectionStrings></connectionStrings> section, add a <system.web></system.web> section and put our provider information into it. The result should look like Image8.
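The three web.config edits above place the same two fragments differently: the connection string directly under <configuration>, the membership provider inside <system.web> (which the STS file lacks, and which in the web application already holds SharePoint's own provider). The following Python script is an added example, not part of the post, that merges those entries into a web.config's text and checks their placement; the names adconn and admembers and the LDAP path are taken from the post, the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Assembly-qualified provider type exactly as the post gives it.
AD_TYPE = ("System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, "
           "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")


def _child(parent, tag):
    """First <tag> child of parent, created if missing."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def add_ad_provider(config_xml, ldap_path, conn_name="adconn",
                    provider_name="admembers", make_default=False):
    """Merge the connection string and AD provider into web.config text.
    connectionStrings goes directly under configuration; membership goes under
    system.web, created when absent (STS case); existing providers and an
    existing defaultProvider are kept (web application case)."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root is <%s>" % root.tag)
    conns = _child(root, "connectionStrings")
    if conns.find("add[@name='%s']" % conn_name) is None:
        ET.SubElement(conns, "add", name=conn_name, connectionString=ldap_path)
    membership = _child(_child(root, "system.web"), "membership")
    if make_default and "defaultProvider" not in membership.attrib:
        membership.set("defaultProvider", provider_name)
    providers = _child(membership, "providers")
    if providers.find("add[@name='%s']" % provider_name) is None:
        ET.SubElement(providers, "add", name=provider_name, type=AD_TYPE,
                      connectionStringName=conn_name, enableSearchMethods="true",
                      attributeMapUsername="sAMAccountName")
    return ET.tostring(root, encoding="unicode")


def inspect_config(config_xml):
    """Summarise a web.config and flag the placement mistakes the post warns about."""
    root = ET.fromstring(config_xml)
    problems = []
    if root.find("system.web/connectionStrings") is not None:
        problems.append("connectionStrings must sit outside system.web")
    if root.find("membership") is not None:
        problems.append("membership must sit inside system.web")
    conn_names = [a.get("name") for a in root.findall("connectionStrings/add")]
    provs = root.findall("system.web/membership/providers/add")
    for p in provs:  # a provider naming a missing connection string fails at runtime
        ref = p.get("connectionStringName")
        if ref is not None and ref not in conn_names:
            problems.append("provider %s references unknown connection string %s"
                            % (p.get("name"), ref))
    m = root.find("system.web/membership")
    return {"problems": problems, "providers": [p.get("name") for p in provs],
            "default_provider": None if m is None else m.get("defaultProvider"),
            "connection_strings": conn_names}


# Constructed sample inputs, not real SharePoint files: the STS web.config has no
# <system.web>; the web application's already carries SharePoint's claims
# provider "i" as its default (assembly part of its type omitted here).
LDAP = "LDAP://anomaly.com/DC=anomaly,DC=com"
STS_CONFIG = "<configuration><system.serviceModel /></configuration>"
WEBAPP_CONFIG = ('<configuration><system.web><membership defaultProvider="i">'
                 '<providers><add name="i" type="Microsoft.SharePoint.Administration.'
                 'Claims.SPClaimsAuthMembershipProvider" /></providers></membership>'
                 '</system.web></configuration>')
```

ElementTree drops XML comments and the declaration when it re-serialises, so diff the result against the original file before saving it over a real web.config.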

After this, doing an IISRESET might be a good idea. You are now done with the web.config file entries. Next you have to do some configuration through the UI to wire up the provider to the web application.

First, go to the Web Applications Management page in the Central Administration site, click the web application you want to enable FBA claims on and choose Authentication Providers from the ribbon. From the Authentication Providers dialog, choose Default. Scroll down a bit to find the Identity Providers section. Check Enable ASP.NET Membership and Role Provider (NOTE: You can also do this at the time of creating the web application) and type in the name of your provider. In my case, it is admembers. After you do this, the UI should look like Image9. Hit Save. Close the Authentication Providers dialog.

Now, with your web application selected in the Web Applications Management page, hit the User Policy ribbon option. Hit Add Users in the Policy for Web Application dialog. Hit Next in the Add Users dialog. Use the Browse button in the Choose Users people picker control. Notice that the Select People and Groups dialog that comes up has changed: the noticeable difference is that there are now sections like Active Directory, All Users, Forms Auth & Organizations. Type in an Active Directory user alias and search. There should be 2 results for the same user: one identified through NTLM authentication and the other through FBA Claims authentication using the Active Directory membership provider (refer to Image10).

Select the user from the Forms Auth result. In my case, it's the first user displayed in Image10. Hit Add and then OK in the Select People and Groups dialog. In the Add Users dialog, check Full Control - Has full control in the Choose Permissions section and hit Finish. NOTE: If you want to give full control to other users, either from FBA Claims authentication or NTLM authentication, you can do that here. Now, your Policy for Web Application dialog should look like Image11. Hit OK.

Now you can create your top-level site collection in this web application. Click Application Management in the left navigation of the Central Administration site. Click Create Site Collections. Ensure that the web application plugged in with FBA Claims is selected in the Web Applications drop-down. Provide a title and description and pick a template of your choice. In the Primary Site Collection Administrator section, type in the alias of the site collection administrator. This should be the NTLM-authenticated user. The entries should look like Image12. Hit OK to create the site collection. Once the site collection is created, browse to it. A page as shown in Image13 will be displayed.

Choose Windows Authentication from the drop-down and you'll log into the newly created site collection using Windows Authentication. Now you need to add another site collection administrator, but this one must come from the Active Directory membership provider. You can log in through forms authentication using the user you added with full control in the user policy settings above. If you choose not to do that (which most customers do), you can do one of the following to add another site collection administrator to this FBA Claims Authentication enabled site:

1. Go to Central Administration site > Application Management from the left navigation > Change site collection administrators > add the alias of the user from FBA Claims Authentication as the secondary site collection administrator and click the Check Names button to resolve it.
2. Log in to the Claims Authentication enabled site using Windows Authentication. Site Actions > Site Settings > Site collection administrators > type the alias of the user from FBA Claims Authentication in the Site Collection Administrators box and click the Check Names button to resolve it. This is shown in Image 14.

After this, you should be able to log in to this site using the same URL with both Windows and Forms Authentication (Forms Authentication login shown in Image15).

WARNING: Take utmost care when making the web.config file entries because that's where things go wrong. And if it does, identifying and fixing it might be a herculean task, trust me :) Hope this post was helpful! In my next post on FBA Claims, I'll cover configuring Office LDAP Claims with some tips on Claims itself.

Comments

eyeman, 12 Jan 2010 10:51 PM
Can you show how to set up FBA Claims in SharePoint 2010 using SQL Server???

Lucarbeta, 12 Feb 2010 7:55 AM
What about "My Profile"? It does NOT work. This seems to happen because my web application is on port xxxx and "My Profile" is on port 80. So is it also necessary to configure Claims on port 80??

Mr.Furious, 4 Mar 2010 8:14 PM
Okay, this is strange. I can see the usernames when I add users. But when I go to the site I get an error message 500.19 "configuration file is not well formed xml" related to the web.config connection string: connectionstring=ldap://mydomain.net/dc=mydomain,dc=net /> It's the same code in the other two and successfully connects me in the Central Administration. Any suggestions?

Mr.Furious, 4 Mar 2010 8:19 PM
Sorry. False alarm. Must be getting a little punchy and forgot to enclose it in quotes. LOL

Mr.Furious, 4 Mar 2010 8:44 PM
I think this is my last question. I'm still getting an error after resolving my problem: Unable to establish secure connection to the server. If the OUs that contain my users are farther down, do I have to supply more information in the connection string?

mel, 29 Apr 2010 5:06 AM
Great article! I came to the same conclusions when setting up a SQL membership provider with mixed authentication. I have however run into one additional problem: I can search for roles in the "Select People and Groups" form. The search is case sensitive, but they do show up in the results under the Forms Auth group. However, when I select a role, add it and press OK it is not recognized as valid in the web page. Is there a solution for this issue?

Pascal, 3 May 2010 6:19 PM
Very interesting article. Once this FBA Claims is in place, you can get an example of utilization here: http://www.pascalbonheur.com/2010/03/claims-based-authorization-in-sharepoint-2010-real-lifeexample-part-1/

haens, 1 Jun 2010 8:20 AM
That's great. Too bad MS Live Writer (for blogging) will not log in anymore if FBA or claims authentication is enabled. Hope for the next version of it! Thanks for that blog!!

jmvvliet, 30 Jun 2010 10:55 AM
When adding users it could be possible you do not see both users (forms and AD). This could be due to different search algorithms. The forms authentication requires a complete name to be found (e.g. 'administrators'). Only then will both AD and forms find the (same) user. If you search for e.g. 'administr' it will only find the AD account.

Deano, 22 Jul 2010 4:45 PM
Hi there, great post and thanks for the information. I was just wondering whether this can also apply to a workgroup server (standalone, not in the domain) or does the server need to be part of the domain before this will work? Cheers and thanks!!

Dilip, 11 Sep 2010 3:16 AM
I have created my custom Membership Provider. For the user Validate I want to send one more extra parameter, which is the application name. My default provider is used for 3 different web applications. So I need the application name in my custom membership provider class for passing a param to the SQL query. Can you please guide me...?

Saji, 27 Sep 2010 1:06 PM
I'm planning to implement mixed mode authentication for my web application. Integrated authentication while accessing from inside the network and forms based authentication (to the same web application) while accessing it from outside the network. All the users are present in the AD. So, I'll configure FBA with AD for external access. Is there any way I can avoid entering the same user twice (one for integrated authentication and one for FBA) by somehow mapping the same user to both the authentication providers? Because in my case, both integrated and FBA users are the same (present in AD) and they will have the same permissions on their sites when accessing both from inside the network and from outside the network. Any suggestions will be appreciated.

Tim, 4 Oct 2010 11:43 AM
When I do the LDAP search for users I get the following error in the Application Log: An exception occurred in Forms Auth claim provider when calling SPClaimProvider.FillSearch(): Could not load file or assembly 'Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' or one of its dependencies. The system cannot find the file specified. (C:\inetpub\wwwroot\wss\VirtualDirectories\3617\web.config line 152). Event ID: 8307. Anyone any ideas?

sowmyancs, 12 Oct 2010 7:40 AM
Another detailed post... excellent Sri!

Venkatesh Basi, 25 Oct 2010 11:20 PM
Hi, I am unable to see any users under Forms Auth according to Image 10. Do I need to explicitly add users into a database?