
Now, since we also have a password expiry policy on the domain (and for other reasons), we as administrators used to receive a lot of password reset requests. We thought of providing the users with a Forgot Password function, but the challenge was how to provide this in the current setup, since Windows Authentication does not offer much flexibility for customizing the authentication mechanism or for adding links such as Forgot Password.
Therefore we decided to switch from Windows Authentication to Forms-Based Authentication, so that we could have a login page on which to place the Forgot Password function. At the same time we had to make sure we did not introduce new user names and passwords; simply put, we had to keep using the existing user store, which was Active Directory.
The Forgot Password function itself is not part of this article; I will try to cover it in a separate post.
Since our web application has only one zone, we did not need to extend the application. Below are the steps we took to achieve this.
1. We put the following configuration in the web.config (system.web section) of our web application. Note that ASP.NET configuration is case-sensitive, and that roleManager is a sibling of membership under system.web, not a child of it.
<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=XYZ,DC=COM" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="LdapRoleProvider" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
  <providers>
    <add name="LdapRoleProvider"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         groupContainer="DC=XYZ,DC=COM" groupNameAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>
* Change the server, port, userContainer and groupContainer values to match your environment.
2. Next, we put the following configuration in the web.config (system.web section) of the Central Administration web application. The userFilter here also matches groups so that the people picker can resolve them; the roleManager keeps AspNetWindowsTokenRoleProvider as its default provider, since Central Administration itself stays on Windows authentication.
<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
         userContainer="DC=XYZ,DC=COM" userObjectClass="person"
         userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRoleProvider"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="DomainControllerIP" port="389" useSSL="false"
         groupContainer="DC=XYZ,DC=COM" groupNameAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="sAMAccountName" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" scope="Subtree" />
  </providers>
</roleManager>
* Change the server, port, userContainer and groupContainer values to match your environment.
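Both web.config fragments above (steps 1 and 2) are easy to get subtly wrong: ASP.NET reads element and attribute names case-sensitively, so a misspelled `usessl` or `userdnattribute` is silently ignored rather than rejected, and a roleManager nested inside membership is not picked up at all. The script below is an added example, not code from the original post or from SharePoint, that statically checks a system.web fragment for exactly these mistakes before it is deployed. It also flags `useSSL="false"`, because a simple bind over plain LDAP on port 389 carries each user's password in cleartext between the web front end and the domain controller on every login; the fix is LDAPS (`useSSL="true"`, port 636) or an otherwise protected link. The two sample fragments, `POST_STYLE` and `CORRECTED`, are constructed for this example; `DomainControllerIP` and `DC=XYZ,DC=COM` are the placeholders the post uses.

```python
"""Static sanity check for the <membership>/<roleManager> LDAP provider
configuration in a SharePoint (MOSS 2007) web.config <system.web> section.

Added example, not code from the original post. The sample fragments at the
bottom are constructed; DomainControllerIP / DC=XYZ,DC=COM are placeholders.
"""
import xml.etree.ElementTree as ET

# Attribute names the MOSS LDAP providers read. ASP.NET config is case-sensitive,
# so a lowercase "usessl" is ignored while "useSSL" is honoured.
MEMBERSHIP_ATTRS = ("server", "port", "useSSL", "userDNAttribute", "userNameAttribute",
                    "userContainer", "userObjectClass", "userFilter", "scope")
ROLE_ATTRS = ("server", "port", "useSSL", "groupContainer", "groupNameAttribute",
              "groupMemberAttribute", "userNameAttribute", "dnAttribute",
              "groupFilter", "scope")
# Role providers registered in machine.config; usable without an <add> in web.config.
BUILTIN_ROLE_PROVIDERS = {"AspNetWindowsTokenRoleProvider", "AspNetSqlRoleProvider"}


def _child(parent, tag):
    """Direct child whose tag matches case-insensitively, or None."""
    for el in parent:
        if el.tag.lower() == tag.lower():
            return el
    return None


def _attr(el, name, where, findings):
    """Attribute value looked up case-insensitively; records a finding on wrong case."""
    for key, value in el.attrib.items():
        if key.lower() == name.lower():
            if key != name:
                findings.append(f"{where}: attribute '{key}' should be spelled '{name}'")
            return value
    return None


def _check_section(section, tag, expected_attrs, builtins, findings):
    """Check one <membership> or <roleManager> element and its providers."""
    if section.tag != tag:
        findings.append(f"<{section.tag}> should be spelled <{tag}>")
    providers = _child(section, "providers")
    adds = [a for a in (providers if providers is not None else []) if a.tag == "add"]
    names = {a.get("name") for a in adds}
    default = _attr(section, "defaultProvider", f"<{tag}>", findings)
    if default is None:
        findings.append(f"<{tag}>: defaultProvider is missing")
    elif default not in names and default not in builtins:
        findings.append(f"<{tag}>: defaultProvider '{default}' has no matching <add name=...>")
    for add in adds:
        where = f"provider '{add.get('name')}'"
        values = {}
        for want in expected_attrs:
            values[want] = _attr(add, want, where, findings)
            if values[want] is None:
                findings.append(f"{where}: missing attribute '{want}'")
        # A simple bind over plain LDAP sends the user's password in cleartext
        # from the web front end to the domain controller on every login.
        if (values["useSSL"] or "").strip().lower() == "false":
            findings.append(f"{where}: useSSL=\"false\" sends credentials in cleartext to "
                            f"{values['server']}:{values['port']}; use LDAPS (useSSL=\"true\", port 636)")


def check_system_web(xml_text):
    """Return a list of findings for a <system.web> fragment; [] means it looks sane."""
    findings = []
    root = ET.fromstring(xml_text)
    membership = _child(root, "membership")
    role_manager = _child(root, "roleManager")
    if membership is None:
        findings.append("<membership> not found under <system.web>")
    else:
        if role_manager is None and _child(membership, "roleManager") is not None:
            role_manager = _child(membership, "roleManager")
            findings.append("<roleManager> is nested inside <membership>; "
                            "it must be a sibling of <membership> under <system.web>")
        _check_section(membership, "membership", MEMBERSHIP_ATTRS, set(), findings)
    if role_manager is None:
        findings.append("<roleManager> not found under <system.web>")
    else:
        _check_section(role_manager, "roleManager", ROLE_ATTRS, BUILTIN_ROLE_PROVIDERS, findings)
    return findings


# Constructed sample 1: lowercase names and roleManager nested inside membership.
POST_STYLE = """<system.web>
  <membership defaultprovider="LdapMembership">
    <providers>
      <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server"
           server="DomainControllerIP" port="389" usessl="false" userdnattribute="distinguishedName"
           usernameattribute="sAMAccountName" usercontainer="DC=XYZ,DC=COM" userobjectclass="person"
           userfilter="(ObjectClass=person)" scope="Subtree" />
    </providers>
    <rolemanager enabled="true" defaultprovider="LdapRoleProvider">
      <providers>
        <add name="LdapRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server"
             server="DomainControllerIP" port="389" usessl="false" groupcontainer="DC=XYZ,DC=COM"
             groupnameattribute="cn" groupmemberattribute="member" usernameattribute="sAMAccountName"
             dnattribute="distinguishedName" groupfilter="(ObjectClass=group)" scope="Subtree" />
      </providers>
    </rolemanager>
  </membership>
</system.web>"""

# Constructed sample 2: correct case, siblings under system.web, LDAPS on 636.
CORRECTED = """<system.web>
  <membership defaultProvider="LdapMembership">
    <providers>
      <add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server"
           server="DomainControllerIP" port="636" useSSL="true" userDNAttribute="distinguishedName"
           userNameAttribute="sAMAccountName" userContainer="DC=XYZ,DC=COM" userObjectClass="person"
           userFilter="(ObjectClass=person)" scope="Subtree" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="LdapRoleProvider">
    <providers>
      <add name="LdapRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server"
           server="DomainControllerIP" port="636" useSSL="true" groupContainer="DC=XYZ,DC=COM"
           groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
    </providers>
  </roleManager>
</system.web>"""

if __name__ == "__main__":
    for finding in check_system_web(POST_STYLE):
        print(finding)
```

Run it against the system.web section of the web application and of Central Administration separately; the Central Administration fragment passes with `defaultProvider="AspNetWindowsTokenRoleProvider"` on roleManager because that provider is registered in machine.config, which is why it is listed among the built-ins.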
3. Next, we went to Central Administration -> Application Management -> Application Security -> Authentication Providers.

5. Click the existing zone name, Default in this case.
6. Apply the following settings on the next screen:
- Authentication Type = Forms
- Membership Provider Name = LdapMembership
- Role Manager Name = LdapRoleProvider

8. The last step is to reconfigure the SharePoint security settings you have applied: wherever you had granted permissions to an AD user or group, replace the entry with the same user or group resolved through the new membership and role providers.
9. You are good to go now: simply browse to the web application and you will be greeted by a login page.

* The only difference is that you no longer need to include the domain name in the user name: it is simply username instead of domain\username.

Hello,
Great article!! One question though: do you create a new web application in MOSS, or did you refer to MOSS as a web application in step 1? I was a bit confused by your phrasing.
-Patrick
No, I created a new web application, or the web.config of the existing web application where you want to configure forms-based authentication.