Setup SharePoint Forms Based Authentication (FBA) with Active Directory

This article explains how to set up Forms Based Authentication (FBA) against an Active Directory backend.

Your default zone must use a Windows authentication provider, because search crawling and backup will break if the default zone uses anything other than standard Windows authentication. You therefore have to extend the existing site into a second zone. Here is an example.

portal.domain.com —> extended to —> fba.domain.com

Windows login: portal.domain.com
FBA login: fba.domain.com

In our example we use the following typical values; change them to suit your environment in the appropriate web.config files.

Membership provider name="ENIGMA"
Role manager name="ENIGMAROLE"
server="domain.com"
userContainer="DC=Domain,DC=com"

1. Add the following to the web.config file of the Central Admin site, between the “<machineKey validationKey=” entry and “</system.web>”.

<membership>
<providers>
<add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="Domain.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Domain,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
<providers>
<add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="Domain.com" port="389" useSSL="false" groupContainer="DC=Domain, DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
</providers>
</roleManager>

2. Add the following to the web.config file of the FBA site, between the “<machineKey validationKey=” entry and “</system.web>”.

<membership defaultProvider="ENIGMA">
<providers>
<add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=domain,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="ENIGMAROLE" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
<providers>
<add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" groupContainer="DC=domain,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
</providers>
</roleManager>

3. Go to the Central Admin site and open “Authentication Providers” under Application Management. Select the zone of the extended site and change the authentication type to “Forms”.

4. Enter the membership provider name. In our example we used “ENIGMA”.

5. Enter the role manager name. In our example we used “ENIGMAROLE”.

6. Click SAVE.

7. Next, click ‘Policy for web application’ under Application Management.

8. Select the extended site zone.

9. Search and add the ‘sp_admin’ user with Full control.

10. Click Finish.

Once you have completed these steps, verify that you can log into the site using the ‘sp_admin’ account, then add the ‘site_admin’ account with the appropriate site permissions.
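Before trusting the FBA zone in production, it is worth reviewing the provider entries for the settings that decide how credentials travel to the domain controller: the fragments above use port 389 with useSSL="false", so the LDAP binds that validate user passwords cross the network unencrypted. The following script is an added example, not part of the original article or of SharePoint, that parses a <system.web> fragment with Python's standard xml.etree, reports the weak or inconsistent settings, and produces a hardened copy (useSSL="true", port="636", the LDAPS default). The sample fragment is the article's FBA-site configuration, embedded inline as constructed test data; the lint rules and function names (lint, harden) are this example's own.

```python
"""Lint SharePoint LdapMembershipProvider / LdapRoleProvider settings.

Added example: the provider type and attribute names come from the article,
the sample fragment is constructed from its FBA-site web.config, and the
checks below are this example's own, not a SharePoint or Microsoft tool.
"""
import xml.etree.ElementTree as ET

LDAP_TYPE_PREFIX = "Microsoft.Office.Server.Security.Ldap"

# Constructed sample: the article's FBA-site fragment, wrapped in a root
# element so it parses as one document (web.config would supply <system.web>).
WEAK_FRAGMENT = """
<root>
<membership defaultProvider="ENIGMA">
<providers>
<add name="ENIGMA" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=domain,DC=com" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="ENIGMAROLE" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
<providers>
<add name="ENIGMAROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="domain.com" port="389" useSSL="false" groupContainer="DC=domain,DC=com" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
</providers>
</roleManager>
</root>
"""


def _ldap_providers(root):
    """Yield (section name, <add> element) for every LDAP provider entry."""
    for section in ("membership", "roleManager"):
        sec = root.find(section)
        if sec is None:
            continue
        for add in sec.findall("providers/add"):
            if add.get("type", "").startswith(LDAP_TYPE_PREFIX):
                yield section, add


def lint(fragment_xml):
    """Return a list of human-readable findings for the given fragment."""
    root = ET.fromstring(fragment_xml)
    findings = []
    name_attrs = {}
    for section, add in _ldap_providers(root):
        name = add.get("name")
        server = add.get("server")
        port = add.get("port", "389")
        use_ssl = add.get("useSSL", "false").lower() == "true"
        if not use_ssl:
            findings.append(
                f"{section} provider {name}: useSSL=false, LDAP traffic to "
                f"{server}:{port} (including password binds) is unencrypted; "
                f'set useSSL="true" and port="636"')
        elif port == "389":
            findings.append(
                f"{section} provider {name}: useSSL=true but port=389; "
                f"LDAP over SSL normally listens on 636")
        name_attrs[section] = add.get("userNameAttribute")

    # The membership defaultProvider, when set, must name a declared provider.
    # (Central Admin's fragment sets none on purpose, so None is not flagged.)
    mem = root.find("membership")
    if mem is not None:
        default = mem.get("defaultProvider")
        declared = {a.get("name") for a in mem.findall("providers/add")}
        if default is not None and default not in declared:
            findings.append(
                f"membership defaultProvider={default!r} is not declared "
                f"in <providers>; FBA logins will fail")

    # Role lookups must key on the same attribute the membership provider
    # authenticated, otherwise users log in but receive no group roles.
    if len(name_attrs) == 2 and name_attrs["membership"] != name_attrs["roleManager"]:
        findings.append(
            "membership and roleManager providers use different "
            "userNameAttribute values; role lookups will not match users")
    return findings


def harden(fragment_xml):
    """Return the fragment with every LDAP provider switched to LDAPS."""
    root = ET.fromstring(fragment_xml)
    for _, add in _ldap_providers(root):
        add.set("useSSL", "true")
        add.set("port", "636")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint(WEAK_FRAGMENT):
        print("WEAK:", finding)
    print("after harden():", lint(harden(WEAK_FRAGMENT)) or "no findings")
```

Run the script against a copy of the fragment taken from each web.config; the Central Admin fragment, which keeps AspNetWindowsTokenRoleProvider as its role default, passes the defaultProvider check because only the LDAP entries are inspected. Switching to port 636 also assumes the domain controllers present a certificate the SharePoint servers trust, which is an environment-specific check this script does not perform.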

Source: Active Directory for FBA in SharePoint using LDAP
