11 November 2010

MOSS 2007 - Windows Authentication to FBA using LDAP Authentication Provider

I am managing a web application based on SharePoint 2007. The web application works in an extranet model where users access the application over the internet; no anonymous access is allowed, and only authenticated users are granted access. We are using the default Windows authentication, with Active Directory as the user store. When users access the site they are presented with the default Windows authentication dialog for username and password, as shown below.



Now, since we also have a password expiry policy on the domain, and for other reasons, as administrators we used to receive a lot of password reset requests. We thought of providing users with a Forgot Password feature, but the challenge was how to provide this in the current scenario, as Windows authentication does not provide much flexibility for customizing the authentication mechanism or for adding links such as Forgot Password.

Therefore we decided to switch from Windows authentication to Forms Based Authentication (FBA), so that we could have a login page on which to put the Forgot Password functionality. At the same time we had to make sure we did not introduce new user names and passwords; simply put, we had to keep using the existing user store, which was Active Directory.

The Forgot Password solution itself is not part of this article; I will try to cover it in a separate post.

Since there is only one zone for our web app we didn't find the need to extend the application. Below are the steps we took to achieve this.

1. We put the following configuration in the web.config (System.Web Section) of our web application.



<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=XYZ,DC=COM" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="LdapRoleProvider" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRoleProvider"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         groupContainer="DC=XYZ,DC=COM" groupNameAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>




* Please change the Server, Port, UserContainer and GroupContainer according to your environment.

2. Next we put the following configuration in the web.config (System.Web section) of the Central Administration web application.



<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=XYZ,DC=COM" userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRoleProvider"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         groupContainer="DC=XYZ,DC=COM" groupNameAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>



* Please change the Server, Port, UserContainer and GroupContainer according to your environment.
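Because ASP.NET reads web.config attribute names case-sensitively and the membership and roleManager sections must sit side by side under system.web, it is worth checking both fragments before touching Central Administration. The checker below is an added example, not part of the original post or of SharePoint; it parses a constructed copy of the web application fragment (placeholder server and containers kept), verifies that each defaultProvider resolves to a registered provider, and flags useSSL="false" because that setting leaves the LDAP traffic to the domain controller unencrypted.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real environment): the web application fragment from
# this post with the attribute casing ASP.NET expects and placeholder values.
SAMPLE_CONFIG = """<system.web>
  <membership defaultProvider="LdapMembership">
    <providers>
      <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
           server="DomainControllerIP" port="389" useSSL="false" userDNAttribute="distinguishedName"
           userNameAttribute="sAMAccountName" userContainer="DC=XYZ,DC=COM" userObjectClass="person"
           userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="LdapRoleProvider" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
    <providers>
      <add name="LdapRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
           server="DomainControllerIP" port="389" useSSL="false" groupContainer="DC=XYZ,DC=COM"
           groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
    </providers>
  </roleManager>
</system.web>"""

# Providers ASP.NET 2.0 registers in machine.config (Central Administration keeps
# AspNetWindowsTokenRoleProvider as its default), so they need not appear here.
MACHINE_CONFIG_PROVIDERS = {"AspNetSqlMembershipProvider", "AspNetSqlRoleProvider",
                            "AspNetWindowsTokenRoleProvider"}


def check_provider_config(xml_text):
    """Return a list of findings; an empty list means the fragment looks consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.find("membership/roleManager") is not None:
        findings.append("roleManager is nested inside membership; it must be a sibling under system.web")
    for section in ("membership", "roleManager"):
        node = root.find(section)
        if node is None:
            findings.append(f"{section}: element missing directly under system.web")
            continue
        default = node.get("defaultProvider")
        names = {p.get("name") for p in node.findall("providers/add")}
        if default not in names and default not in MACHINE_CONFIG_PROVIDERS:
            findings.append(f"{section}: defaultProvider '{default}' has no matching <add name=...>")
        for p in node.findall("providers/add"):
            ssl = p.get("useSSL", "false").lower() == "true"
            if not ssl:
                findings.append(f"{p.get('name')}: useSSL=false, LDAP traffic to {p.get('server')} is unencrypted")
            elif p.get("port") == "389":
                findings.append(f"{p.get('name')}: useSSL=true but port 389 is plain LDAP (LDAPS uses 636)")
    return findings
```

Run it against the real web.config fragment of each web application; the Central Administration fragment passes the defaultProvider check because AspNetWindowsTokenRoleProvider is registered in machine.config.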

3. Next, go to Central Administration -> Application Management -> Application Security -> Authentication Providers.

4. Using the web application selector on the right-hand side, select your web application.
5. Click on the existing zone name, Default in this case.
6. Apply the following settings on the next screen:
  • Authentication Type = Forms
  • Membership Provider Name = LdapMembership
  • Role Manager Name = LdapRoleProvider
7. Next, reconfigure the site collection administrators for your site using the new membership provider you just configured. For this go to Central Administration -> Application Management -> SharePoint Site Management -> Site Collection Administrators.

8. The last step is to reconfigure the SharePoint security settings you have applied: wherever you have assigned permissions to an AD user or group, you have to replace it with the same user or group resolved through the new membership and role providers.

9. You are all good to go now. Simply access the web application and you will be welcomed by a login page.


* The only change for users is that they no longer need to include the domain in the user name; it is simply username instead of domain\username.