Friday 28 November 2008

Active Directory Forms Based Authentication

Recently we needed to use Forms Based Authentication with Active Directory from an Extranet. This is how we got it to work.

1. Extend the Web Application
Instead of tweaking the internal web application, extend the web application you want to expose to the Extranet, giving it the required host headers and so on.

2. Configure SharePoint Central Admin to use FBA for the "new" Web Applications

Login to SharePoint Central Admin
Go to Application Management / Application Security / Authentication Providers and change the Web Application to the one which needs to be configured for Forms Based Authentication
Click the zone (default), change the authentication type to Forms, enter the ActiveDirectoryMembershipProvider name under membership provider name (for example, "ADMembershipProvider") and save this change

3. Update the web.config of SharePoint Central admin site
under the configuration node:
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings>

under the system.web node:
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="xxx" connectionPassword="yyy"
      enableSearchMethods="true"
      attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

4. Update the web.config of the SharePoint web application
Repeat step 3 for the web.config of the SharePoint web application to be configured for Forms Based Authentication.
Change the authentication section in web.config to:
<authentication mode="Forms">
  <forms loginUrl="/_layouts/login.aspx"></forms>
</authentication>
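The three pieces from steps 3 and 4 only work when they reference each other by name (defaultProvider to the provider entry, connectionStringName to the connection string, authentication mode set to Forms). The following checker is an added example, not code from the original post; SAMPLE_WEB_CONFIG is a constructed fragment mirroring the steps above, and the finding messages are my own wording.

```python
import xml.etree.ElementTree as ET
# Constructed web.config fragment mirroring steps 3 and 4 of the post (not a real file).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="xxx" connectionPassword="yyy"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>"""
AD_PROVIDER = "System.Web.Security.ActiveDirectoryMembershipProvider"


def check_fba_config(xml_text):
    """Return a list of findings; an empty list means the FBA wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 4: the web application must actually be switched to Forms authentication.
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    membership = root.find("system.web/membership")
    if membership is None:
        return findings + ["no <membership> section under system.web"]
    # Step 3: defaultProvider must name one of the <providers><add> entries.
    default = membership.get("defaultProvider")
    providers = {p.get("name"): p for p in membership.findall("providers/add")}
    if default not in providers:
        return findings + ["defaultProvider %r has no matching provider <add>" % default]
    prov = providers[default]
    if not prov.get("type", "").startswith(AD_PROVIDER):
        findings.append("defaultProvider is not the ActiveDirectoryMembershipProvider")
    # The provider's connectionStringName must point at an existing connection string.
    conn_names = {c.get("name") for c in root.findall("connectionStrings/add")}
    if prov.get("connectionStringName") not in conn_names:
        findings.append("connectionStringName does not match any <connectionStrings> entry")
    if prov.get("enableSearchMethods", "").lower() != "true":
        findings.append("enableSearchMethods is not true; people picker search relies on it")
    if prov.get("connectionPassword"):  # service account credentials sitting in clear text
        findings.append("connectionPassword is stored in clear text")
    return findings
```

Run against the extended web application's web.config on a real farm; the clear-text finding is the cue to encrypt the connectionStrings and membership sections with aspnet_regiis -pef, which ASP.NET decrypts transparently at runtime.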

5. Grant Access on the extended Web Application
Your extranet web application is now configured to use FBA. However, until the users who will access the site via FBA are given permissions on it, the site will be inaccessible to them.

To get started, open your browser and navigate to your farm’s Central Administration site. Click on Application Management and then click on Policy for Web Application. Make sure that you are working on the extranet web application. Do the following steps:
Click on Add Users.
In the Zones drop down, select the appropriate Extranet zone. IMPORTANT: If you select the incorrect zone, you may not be able to resolve user names. Hence, the zone you select must match the zone of the web application that is configured to use FBA.
Click the Next button.
In the Users edit box, type the name of the FBA user whom you wish to have full control for the site.
Click the Resolve link next to the Users edit box. If the web application's FBA information has been configured correctly, the name will resolve and become underlined.
Check the Full Control checkbox.
Click the Finish button.

Resources:
http://blogs.msdn.com/solutions/archive/2007/08/27/forms-based-authentication-fba-in-wss-3-0-moss-2007.aspx
http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx