Authentication samples

The following table provides examples of Web.config file entries for using ASP.NET forms authentication to connect to a SQL membership provider.

Configuration steps	Description and example Web.config file entries
Turn on ASP.NET forms authentication.	You can set the authentication type for a particular zone to forms authentication on the Edit Authentication page on the SharePoint Central Administration Web site. This automatically changes the mode specified in the authentication element of the Web.config file for that zone to forms. For example: <authentication mode="Forms"> </authentication>
Register the membership provider.	If you are using Microsoft SQL Server database software on the local server as your membership provider database, and you specify AspNetSqlMembershipProvider for the membership provider name, you might not need to make any additional changes to the Web.config file. In this scenario, if the machine.config file has the correct configuration for the AspNetSqlMembershipProvider, you can use it for Windows SharePoint Services without making any changes. If the default configuration in the machine.config file does not apply (for example, if you want to use a SQL Server database on a remote server), you must edit the Web.config files for both the Web application and the Central Administration Web site to specify the connection information in the `connectionStrings` element for the membership provider database. For example: `<connectionStrings>` `<add name="SqlProviderConnection" connectionString="server=SQLSERVERMACHINE;database=aspnetdb;Trusted_Connection=True" />` `</connectionStrings>` Replace SQLSERVERMACHINE with the name of server computer on which you have installed the SQL Server membership database. Next, add the `membership` and `providers` elements to register the membership provider in the Web.config file. Because a default provider is already registered in the machine.config file, you must include a `<remove>` element prior to the `<add>` element. For example: `<membership defaultProvider="AspNetSqlMembershipProvider">` `<providers>` `<remove name="AspNetSqlMembershipProvider" />` `<add connectionStringName="SqlProviderConnection" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />` `</providers>` `</membership>` The `membership` element must be included within the `system.web` element of the Web.config file for both the Web application and the Central Administration site.
Register the role manager (optional).	You can use the default role provider for ASP.NET by adding a `roleManager` element to the `system.web` element of the Web.config file. For example: <roleManager enabled="true" /> The preceding syntax uses the AspNetSqlRoleProvider, which is defined in the machine.config file. This role manager can connect to the ASPNETDB database in either the local or remote instance of SQL Server. If you want to use a SQL Server database on a remote server as your role provider database, you must edit the Web.config file to specify the connection information for the remote database server. For example: `<connectionStrings>` `<add` `name="SqlProviderConnection"` `connectionString="server=SQLSERVERMACHINE; database=aspnetdb; Trusted_Connection=True"` `/>` `</connectionStrings>` Replace SQLSERVERMACHINE with the name of the remote server that hosts the SQL database. You can specify the same `connectionStringName` element value for both the membership provider and role manager, so you do not need to add a new `connectionStrings` element for the role provider. However, if you want to use a different database for the role provider, you must add a separate `connectionStrings` element for the role provider. Next, you need to add the `roleManager` and `providers` elements to register the `roleManager` provider in the Web.config. Because a default provider is already registered in the machine.config file, you must include a `<remove>` element prior to the `<add>` element. For example: `<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">` `<providers>` `<remove name="AspNetSqlRoleProvider" />` `<add connectionStringName="SqlProviderConnection" applicationName="/" description="Stores and retrieves roles data from the local Microsoft SQL Server database" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />` `</providers>` `</roleManager>` The `roleManager` element must be included within the `system.web` element of the Web.config file for both the Web application and the Central Administration Web site.
Register the HTTP module.	Not applicable

The following table provides examples of Web.config file entries for using ASP.NET forms authentication to use an Active Directory directory service membership provider.

Note:
This will only work in a scenario with a single domain.

Configuration steps	Description and example Web.config file entries
Turn on ASP.NET forms authentication.	You can set the authentication type for a particular zone to forms authentication on the Edit Authentication page in Central Administration. This automatically changes the mode specified in the authentication element of the Web.config file for that zone to forms. For example: <authentication mode="Forms"> </authentication> You can also specify the login page URL in the forms element, for example: <authentication mode="Forms"> <forms loginUrl="/_layouts/login.aspx"></forms> </authentication>
Register the membership provider.	If you want to use an Active Directory server for a membership provider, you must edit the Web.config file to register the membership provider. To do this, you must specify the connection information to the Active Directory server in the `connectionStrings` element. For example: `<connectionStrings>` `<add name="ADConnectionString"` `connectionString=` `"LDAP://DirectoryServer/CN=Users,DC=DirectoryServer " />` `</connectionStrings>` Replace DirectoryServer with the name of membership directory server. `<membership defaultProvider="MembershipADProvider">` `<providers>` `<add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"` `connectionStringName="ADConnectionString"/></providers>` `</membership>` Note: The preceding example does not specify account credentials. If you do not specify account credentials, your application's process identity is used to access Active Directory. If another account is required to access Active Directory, you can specify different account credentials in the `connectionUsername` and `connectionPassword` attributes, which means you are supplying the user name and password in plaintext. As a result, we recommend that you encrypt this configuration section. For more information, see the following articles: How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI (http://go.microsoft.com/fwlink/?LinkId=78123&clcid=0x409) How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA (http://go.microsoft.com/fwlink/?LinkId=76778&clcid=0x409)
Register the role manager (optional).
Register the HTTP module.	Not applicable

The following table provides examples of Web.config file entries for using ASP.NET forms authentication with a Lightweight Directory Access Protocol (LDAP) membership provider.

Configuration steps	Description and example Web.config file entries
Turn on ASP.NET forms authentication.	You can set the authentication type for a particular zone to forms authentication from the Edit Authentication page in Central Administration. This automatically changes the mode specified in the authentication element of the Web.config file for that zone to forms. <system.web> <!-mode=[Windows\|Forms\|Passport\|None]> <authentication mode="Forms" /> </system.web>
Register the membership provider.	The `membership` element must be included within the `system.web` element of the Web.config file. `<membership defaultProvider="LdapMembershipProvider">` `<providers>` `<add` `name="LdapMembership"` `type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"` `server="DC"` `port="389"` `useSSL="false"` `userDNAttribute="distinguishedName"` `userNameAttribute="sAMAccountName"` `userContainer="CN=Users,DC=userName,DC=local"` `userObjectClass="person"` `userFilter="(\|(ObjectCategory=group)(ObjectClass=person))"` `scope="Subtree"` `otherRequiredUserAttributes="sn,givenname,cn"` `/>` `</providers>` `</membership>` You will need to change the values specified for the `server` and `userContainer` attributes to match your environment.
Register the role manager (optional).	`<roleManager defaultProvider="LdapRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">` `<providers>` `<add` `name="LdapRoleProvider"` `type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"` `server="DC"` `port="389"` `useSSL="false"` `groupContainer="DC=userName,DC=local"` `groupNameAttribute="cn"` `groupMemberAttribute="member"` `userNameAttribute="sAMAccountName"` `dnAttribute="distinguishedName"` `groupFilter="(ObjectClass=group)"` `scope="Subtree"` `/>` `</providers>` `</roleManager>` You will need to change the values specified for the `server` and `groupContainer` attributes to match your environment.
Register the HTTP module.	Not applicable

The Microsoft Windows Server 2003 R2 operating system introduces Active Directory Federation Services (AD FS), which enables organizations to securely share a user's identity information. AD FS provides Web single sign-on (SSO) technologies to authenticate a user to multiple Web applications during a single online session.

The following two membership and role provider pairs are included with AD FS:

SingleSignOnMembershipProvider/SingleSignOnRoleProvider The standard membership provider and role provider included with Windows Server 2003 R2.
SingleSignOnMembershipProvider2/SingleSignOnRoleProvider2 The membership provider and role provider that operate in partial trust environments. These providers are included in Service Pack 2 of Windows Server 2003 R2.

SingleSignOnMembershipProvider/SingleSignOnRoleProvider

The following table provides examples of Web.config file entries for a Web SSO AD FS environment that uses the standard provider.

Configuration steps	Description and example Web.config file entries
Turn on ASP.NET forms authentication.	<system.web> <!-mode=[Windows\|Forms\|Passport\|None]> <authentication mode="Forms" /> </system.web>
Register the membership provider.	`<membership defaultProvider="SingleSignOnMembershipProvider">` `<providers>` `<add` `name="SingleSignOnMembershipProvider"` `type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"` `fs="https://FEDERATIONSERVER/adfs/fs/federationserverservice.asmx"` `/>` `</providers>` `</membership>` For the `fs` attribute, replace FEDERATIONSERVER with the actual server name. The `membership` element must be included within the `system.web` element of the Web.config file.
Register the role manager (optional).	`<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider">` `<providers>` `<add` `name="SingleSignOnRoleProvider"` `type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"` `fs="https://FEDERATIONSERVER/adfs/fs/federationserverservice.asmx"` `/>` `</providers>` `</roleManager>` For the `fs` attribute, you will need to replace FEDERATIONSERVER with the actual server name.
Register the HTTP module.	`<httpModules>` `<add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />` `</httpModules>`

SingleSignOnMembershipProvider2/SingleSignOnRoleProvider2

If you are implementing the second AD FS provider set, the settings for registering the membership provider and role manager are different. The following table provides examples of Web.config file entries for a Web SSO AD FS environment that uses the provider that operates in partial trust environments.

Configuration steps	Description and example Web.config file entries
Turn on ASP.NET forms authentication.	<system.web> <!-mode=[Windows\|Forms\|Passport\|None]> <authentication mode="Forms" /> </system.web>
Register the membership provider.	`<membership defaultProvider="SingleSignOnMembershipProvider2">` `<providers>` `<add name="SingleSignOnMembershipProvider2"` `type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"` `fs=https://FEDERATIONSERVER/adfs/fs/federationserverservice.asmx` `/>` `</providers>` `</membership>` For the `fs` attribute, replace FEDERATIONSERVER with the actual server name. The `membership` element must be included within the `system.web` element of the Web.config file.
Register the role manager (optional).	`<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">` `<providers>` `<add` `name="SingleSignOnRoleProvider2"` `type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"` `fs="https://FEDERATIONSERVER/adfs/fs/federationserverservice.asmx"` `/>` `</providers>` `</roleManager>` For the `fs` attribute, you will need to replace FEDERATIONSERVER with the actual server name.
Register the HTTP module.	`<httpModules>` `<add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />` `</httpModules>`

This topic is included in the following downloadable book for easier reading and printing:

Planning and architecture for Office SharePoint Server 2007, part 2

See the full list of available books at Downloadable content for Office SharePoint Server 2007.

SQL membership provider

Active Directory membership provider

LDAP membership provider

Web SSO with AD FS

SingleSignOnMembershipProvider/SingleSignOnRoleProvider

SingleSignOnMembershipProvider2/SingleSignOnRoleProvider2

Download this book