SharePoint 2013 Hosting :: How to Make Form Based Authentication (LDAP)?

In this section I will discuss FBA (forms-based authentication) configuration in SharePoint 2010 using LDAP. A SharePoint 2010 web application can be published to five different zones: Default, Intranet, Extranet, Internet and Custom. Each zone can use only one type of authentication provider. For example, the Default zone can use FBA with SQL as its authentication provider while the Intranet zone uses FBA with LDAP. Extending a web application is what lets one web application use two authentication providers. A web application can be extended to a different port, or to the same port as the original web application; if it is extended to the same port, the host headers must differ.

So in this tutorial we will configure FBA with LDAP on port 81 in the Intranet zone.

  •  Extend Web Application

    • Open Central Administration
    • On the Application Management, click Manage Web Application
    • Select Web Application that was created earlier
    • On the ribbon choose “Extend”.
    • In the “Extend Web Application” popup, under Authentication select Claims Based Authentication. In the Port field, enter 81.
    • In the Claims Authentication Types section, leave “Enable Windows Authentication” selected (the default) and select “Enable Forms Based Authentication (FBA)”. Fill in the “ASP.NET Membership provider name” and “ASP.NET Role manager name”. The names need not match the example below, but whichever names you choose must be used consistently throughout the rest of the configuration.
    • Under “Sign In Page URL”, select “Default Sign In Page” and select the Intranet zone.
    • Once the Extend Web Application process completes, select Authentication Providers.
    • In the Authentication Providers popup you can see that the web application now has two zones using FBA: Default with SQL and Intranet with LDAP.
  • Web.config Configuration Central Administration
    • In IIS Manager, right-click on the web “SharePoint Central Administration v4”, then select “Explore”
    • Open the web.config file, and adjust the “rolemanager” and “membership” information as follows:

      <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
      <add name="aspnetrolemanager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ASPNETConn" applicationName="MyAppName" />
      <add name="ldaprolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" groupContainer="DC=sweet,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
      </roleManager>
      <membership defaultProvider="aspnetmembership">
      <providers>
      <add name="aspnetmembership" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ASPNETConn" enablePasswordReset="false" enablePasswordRetrieval="false" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" applicationName="MyAppName" />
      <add name="ldapmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=sweet,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
      </membership>

      In the settings above, the “rolemanager” and “membership” entries correspond to the provider names entered in step 1. In the “ldapmembership” configuration, the values to note are:
      – server: the Active Directory server name.
      – userContainer: the group / organizational unit (OU) containing the users who are to sign in through LDAP FBA. In the example above, userContainer is not set to an OU, so every user in the sweet.com Active Directory can be used for LDAP FBA. To restrict it to an OU, use for example:
      userContainer="OU=Myou,DC=sweet,DC=com"

    • Adjust the PeoplePicker information as follows:

      <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="aspnetmembership" value="%" />
      <add key="aspnetrolemanager" value="%" />
      <add key="ldapmembership" value="*" />
      <add key="ldaprolemanager" value="*" />
      </PeoplePickerWildcards>

      With this addition, users held in LDAP can be found with the People Picker in SharePoint.

  • Web.config Configuration Security Token Service

    • In IIS Manager, right-click on the web “SecurityTokenServiceApplication”, then select “Explore”.
    • Open the web.config file (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken) and adjust the following information:

      <membership defaultProvider="aspnetmembership">
      <providers>
      <add name="aspnetmembership" connectionStringName="ASPNETConn" applicationName="MyAppName" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add name="ldapmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=sweet,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
      </membership>
      <roleManager enabled="true" defaultProvider="aspnetrolemanager">
      <providers>
      <add name="aspnetrolemanager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ASPNETConn" applicationName="MyAppName" />
      <add name="ldaprolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" groupContainer="DC=sweet,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
      </roleManager>

  • Web.config Configuration Web Application (Port 81)

    • In IIS Manager, right-click on the web created in step 1, then select “Explore”.
    • Open the web.config file, and adjust the “rolemanager” and “membership” information as follows:

      <membership defaultProvider="i">
      <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="ldapmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=sweet,DC=com" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
      </membership>
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="ldaprolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="sweet.com" port="389" useSSL="false" groupContainer="DC=sweet,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
      </roleManager>

    • Adjust the PeoplePicker information in the same way as above.
  • FBA LDAP User Check in Central Administration
    In the following step we verify that the LDAP FBA configuration from the previous steps has succeeded.
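Step 1 requires that the membership and role provider names be used consistently across the Central Administration, Security Token Service and port-81 web.config files, and each LDAP provider carries useSSL="false" on port 389. The following script, an added example that is not part of the original article, parses the three fragments and reports mismatched provider names, malformed container DNs, LDAP settings that differ between files, and providers that are not using TLS. The XML fragments are constructed from the page's own values (type names shortened for readability); the function names, the DN regular expression and the "broken" variant are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the tutorial's web.config edits. Provider
# names and LDAP values are the ones used on this page; the assembly-qualified
# type names are shortened so the sample stays readable.
CENTRAL_ADMIN = """<configuration><system.web>
<membership defaultProvider="aspnetmembership"><providers>
<add name="aspnetmembership" type="System.Web.Security.SqlMembershipProvider"
     connectionStringName="ASPNETConn" applicationName="MyAppName" />
<add name="ldapmembership" type="Microsoft.Office.Server.Security.LdapMembershipProvider"
     server="sweet.com" port="389" useSSL="false" userContainer="DC=sweet,DC=com"
     userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" />
</providers></membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
<add name="aspnetrolemanager" type="System.Web.Security.SqlRoleProvider"
     connectionStringName="ASPNETConn" applicationName="MyAppName" />
<add name="ldaprolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider"
     server="sweet.com" port="389" useSSL="false" groupContainer="DC=sweet,DC=com"
     groupFilter="(ObjectClass=group)" scope="Subtree" />
</providers></roleManager>
</system.web></configuration>"""

# The STS edit carries the same LDAP providers; the port-81 web application swaps the
# SQL providers for the claims providers "i" and "c" (constructed from the page).
SECURITY_TOKEN_SERVICE = CENTRAL_ADMIN
WEB_APP_81 = (CENTRAL_ADMIN.replace('name="aspnetmembership"', 'name="i"')
                           .replace('name="aspnetrolemanager"', 'name="c"'))

# A deliberately broken STS fragment (constructed): a case slip in the provider
# name and a container DN written with spaces and quotes, as on the page's "OU" line.
BROKEN_STS = (SECURITY_TOKEN_SERVICE
              .replace('name="ldapmembership"', 'name="ldapMembership"')
              .replace('groupContainer="DC=sweet,DC=com"',
                       'groupContainer="OU = Myou, DC = sweet, DC = com"'))

# Minimal DN shape: attr=value pairs separated by commas, no stray spaces around "=".
DN_RE = re.compile(r"^[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*$")


def providers(xml_text, section):
    """Return {provider name: attributes} for <section>/<providers>/<add>."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{section}")
    if node is None:
        return {}
    return {a.get("name"): dict(a.attrib) for a in node.findall("providers/add")}


def check_fba_ldap(configs, membership_name, role_name):
    """Return 'ERROR ...' / 'WARN ...' findings for a {file label: xml text} mapping."""
    findings = []
    seen = {}  # (section, attribute) -> (first file, value), for cross-file comparison
    for fname, text in configs.items():
        for section, pname, container_attr in (("membership", membership_name, "userContainer"),
                                               ("roleManager", role_name, "groupContainer")):
            provs = providers(text, section)
            prov = provs.get(pname)
            if prov is None:
                findings.append(f"ERROR {fname}: <{section}> has no provider named "
                                f"'{pname}' (found: {sorted(provs)})")
                continue
            if "Ldap" not in prov.get("type", ""):
                findings.append(f"ERROR {fname}: '{pname}' in <{section}> is not an LDAP provider type")
            if prov.get("useSSL", "false").lower() != "true":
                findings.append(f"WARN {fname}: '{pname}' has useSSL=\"false\" on port "
                                f"{prov.get('port', '?')}; directory traffic is not TLS-protected")
            container = prov.get(container_attr, "")
            if not DN_RE.match(container):
                findings.append(f"ERROR {fname}: '{pname}' {container_attr}=\"{container}\" "
                                f"is not a well-formed DN")
            for attr in ("server", "port", container_attr):
                key, val = (section, attr), prov.get(attr)
                if key in seen and seen[key][1] != val:
                    findings.append(f"ERROR {fname}: {attr}=\"{val}\" differs from "
                                    f"{seen[key][0]} ({seen[key][1]})")
                seen.setdefault(key, (fname, val))
    return findings


if __name__ == "__main__":
    for label, cfgs in (("consistent", {"CA": CENTRAL_ADMIN, "STS": SECURITY_TOKEN_SERVICE,
                                        "WEB81": WEB_APP_81}),
                        ("broken STS", {"CA": CENTRAL_ADMIN, "STS": BROKEN_STS})):
        print(f"== {label} ==")
        for finding in check_fba_ldap(cfgs, "ldapmembership", "ldaprolemanager"):
            print(" ", finding)
```

To check a real farm, read each web.config with `open(...).read()` in place of the constructed strings; the `.//membership` lookup finds the section wherever it sits under `<system.web>`. The name comparison is exact, so a capitalisation slip such as `ldapMembership` in one file is reported even if a particular lookup happened to tolerate it, which is the safer reading of step 1's consistency requirement.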

    • In Central Administration, select “Manage Web Applications”, then select the web application created in step 1. On the ribbon select “User Policy”.
    • Select “Add User”.
    • Click Next, then Browse.
    • Search for one of the LDAP users. If the LDAP user (a user in Active Directory) appears in the popup, the LDAP FBA configuration has succeeded. If it does not appear, something in your configuration is still wrong. Because our goal here is only to check the LDAP FBA configuration, click Cancel and then close the “Add Users” popup.
  • Access to the Web

    • Access the web application extended in step 1 (port 81).
    • Log in using Windows Authentication (the Site Collection Administrator account), and then open Site Permissions.
    • Add one LDAP user to the group “FBA Site Members” so that the LDAP user can access the site “FBA Site”.
    • Once added, click the user “Administrator” to see the user's detailed information. Under Account you can see that the Administrator user comes from “ldapmembership”.
    • Log back into the web application by selecting Forms Authentication and using the “Administrator” account.
    • The user “Administrator” is now logged into the web application through LDAP FBA.