
Wednesday, March 16, 2011

ADAM-Forms Based Authentication in SharePoint 2010

Forms Based Authentication is part of ASP.NET, so it is supported in every SharePoint version released after ASP.NET 2.0. In SharePoint 2010 the process is the same as in earlier versions such as WSS 3.0 and MOSS 2007, with one exception: when creating a web application, SharePoint 2010 lets you choose the authentication mode, Claims Based or Classic Mode.

Creating a web application which uses Claims Based Authentication:

This is pretty straightforward:

·        Open Central Administration

·        Go to Application Management -> Manage Web Applications

·        From the top ribbon bar, select New

·        On the create web application page, choose “Claims Based Authentication” as the authentication mode.

·        Give the name of the web application, and choose its port number and path.

·        Choose the security configuration.

·        Under Claims Authentication Types, enable both Windows Authentication (WA) and Forms Based Authentication (FBA).

·        In the FBA section we have to give the ASP.NET Membership provider name. In my case I used “ADAMProvider”, and since I am not using any roles I left the role provider name blank.

·        Enter the sign-in page URL [the default one], the public URL and other information, then click OK.

·        Once the web application is created, create a site collection.

·        Now go to Manage Web Applications and, with the web application selected in the list, choose “Authentication Providers” from the ribbon.

·        In the dialog box you will see the Default zone set to the Claims authentication mode. Click the Default zone link to see the settings.


·        The application is now ready. Browse to it and you will see a sign-in screen that gives you the option to choose either Windows Authentication or Forms authentication.


·        The remaining part is linking our application and ADAM.

Give specific permissions to the service accounts:

The following accounts must have access to ADAM so that they can read user and role information:

·        the service account (application pool user account) of our FBA application,

·        the application pool account [service account] of Central Administration, and

·        the application pool user account of the security token service.

In almost all environments, system administrators create the service accounts we use in our applications. If you are not following the usual rules for service accounts, you may have a different service account for each of the three applications; in that case, go through all three applications mentioned above and give each account access to ADAM. If you are following the rules, a single service account may be used for all three applications, and only that account needs access to ADAM.

Modify web.config files of applications to communicate with ADAM using providers

1.      To make ADAM users available in the Central Administration site, we have to change the web.config of the Central Administration site.

2.      To make ADAM users available in the web application we created for FBA, we have to change its web.config.

3.      Signing in to the site with claims based authentication goes through the security token service application, so we have to change its configuration file as well.

So, for the FBA site to work with forms authentication, we have to change three web.config files in total.

Note: Before making any changes to the web.config file of any application, take a backup of it.

The main changes include connection string and providers.

       i.          Modify web.config of web application we created:

Adding providers for membership and role [if needed]

Before you add any providers, check whether the web.config file already contains <membership> or <roleManager> tags. Add the providers [<roleManager> and <membership>] inside the <system.web> tag, and make sure you do not change the existing providers. By default there are providers named “c” and “i”; do not touch them, and add only your own providers, such as “SQLRoleManager” and “SqlMembershipProvider” (in this post, “ADAMProvider”). The final <roleManager> and <membership> sections are shown below. The tags I added to web.config are highlighted in red.

<membership defaultProvider="i">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="ADAMProvider"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="SP2010-ADAM"
         port="50389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="userPrincipalName"
         userContainer="DC=Northwind,DC=extranet"
         userObjectClass="user"
         userFilter="(ObjectClass=user)"
         scope="Subtree"
         otherRequiredUserAttributes="cn" />
  </providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</roleManager>

Save all your changes; we are done with the configuration changes for the FBA site.

     ii.          Modify web.config of Central Administration site

Adding providers for membership and role [if needed]

Before you add any providers, check whether the web.config file already contains <membership> or <roleManager> tags. Add the providers [<roleManager> and <membership>] inside the <system.web> tag, and make sure you do not change the existing providers. The final <roleManager> and <membership> sections are shown below. The tags I added to web.config are highlighted in red.

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
  </providers>
</roleManager>
<membership defaultProvider="ADAMProvider">
  <providers>
    <add name="ADAMProvider"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="SP2010-ADAM"
         port="50389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="userPrincipalName"
         userContainer="DC=Northwind,DC=extranet"
         userObjectClass="user"
         userFilter="(ObjectClass=user)"
         scope="Subtree"
         otherRequiredUserAttributes="cn" />
  </providers>
</membership>

Save the web.config file and we are done with configuration changes for CA.

   iii.          Modify web.config of Security Token Service Application

Run inetmgr from the Run command to open IIS Manager. In the list of sites, expand “SharePoint Web Services” and find SecurityTokenServiceApplication.


Right-click the application and choose Explore, which opens the application's location in the file system. By default it is “%programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken”. Find the application's web.config and modify it.

Adding providers for membership and role [if needed]

Before you add any providers, check whether the web.config file already contains <membership> or <roleManager> tags. Add the providers [<roleManager> and <membership>] inside the <system.web> tag, and make sure you do not change the existing providers. By default there are providers named “c” and “i”; do not touch them, and add only your own providers, such as “SQLRoleManager” and “SqlMembershipProvider” (in this post, “ADAMProvider”). The final <roleManager> and <membership> sections are shown below. The tags I added to web.config are highlighted in red.

<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</roleManager>
<membership defaultProvider="i">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="ADAMProvider"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="SP2010-ADAM"
         port="50389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="userPrincipalName"
         userContainer="DC=Northwind,DC=extranet"
         userObjectClass="user"
         userFilter="(ObjectClass=user)"
         scope="Subtree"
         otherRequiredUserAttributes="cn" />
  </providers>
</membership>

If everything goes well, the people picker in the Central Administration site and in your FBA application will be able to find the users in ADAM, and you will be able to log in to the site without any issues.
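All three web.config files need the same ADAMProvider entry, and a mistyped attribute in one copy is easy to miss. The PowerShell below is an added example, not code from the original post: it compares the provider's attributes across the three files and flags any useSSL value other than "true". The function names and the embedded XML fragments (including the mistyped host name) are constructed for illustration.

```powershell
# Constructed sample input: trimmed <system.web> fragments standing in for the
# three web.config files. On a real farm, read each file with Get-Content.
function New-Fragment([string]$Server, [string]$UseSsl) {
@"
<system.web><membership defaultProvider="i"><providers>
  <add name="i" type="placeholder" />
  <add name="ADAMProvider" server="$Server" port="50389" useSSL="$UseSsl"
       userNameAttribute="userPrincipalName" userContainer="DC=Northwind,DC=extranet" />
</providers></membership></system.web>
"@
}

# Return the <add> element of the named membership provider, or $null.
function Get-MembershipProvider([string]$XmlText, [string]$Name) {
    $doc = [xml]$XmlText
    $doc.SelectSingleNode("//membership/providers/add[@name='$Name']")
}

# Compare the provider entry across all configs; report drift and missing SSL.
function Test-FbaProviderConfig($Configs, [string]$Name = 'ADAMProvider') {
    $findings = @()
    $baseNode = $null
    foreach ($c in $Configs) {
        $node = Get-MembershipProvider $c.Xml $Name
        if ($null -eq $node) {
            $findings += "$($c.App): provider '$Name' is missing"
            continue
        }
        if ($node.GetAttribute('useSSL') -ne 'true') {
            $findings += "$($c.App): useSSL is not 'true'; LDAP connection is not SSL-protected"
        }
        # The first config that contains the provider becomes the baseline.
        if ($null -eq $baseNode) { $baseNode = $node; $baseApp = $c.App; continue }
        foreach ($attr in 'server', 'port', 'userNameAttribute', 'userContainer') {
            $want = $baseNode.GetAttribute($attr); $got = $node.GetAttribute($attr)
            if ($got -ne $want) {
                $findings += "$($c.App): $attr '$got' differs from $baseApp ('$want')"
            }
        }
    }
    $findings
}

$configs = @(
    @{ App = 'FBA web application';    Xml = (New-Fragment 'SP2010-ADAM' 'false') },
    @{ App = 'Central Administration'; Xml = (New-Fragment 'SP2010-ADAM' 'false') },
    @{ App = 'SecurityTokenService';   Xml = (New-Fragment 'SP2010-ADMA' 'false') }  # constructed typo
)
Test-FbaProviderConfig $configs
```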

1 comment:

  1. After doing all these steps I received the following error:

    "The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. "

    Please help me to find a solution.
