Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010)
Published: May 12, 2010
Procedures in this article illustrate how to configure a forms-based Web application to use an LDAP provider.
The procedures in this article provide guidance to enable you to configure forms-based authentication for a Microsoft SharePoint Server 2010 claims-based Web application. If you need to migrate an existing Microsoft Office SharePoint Server 2007 Web application from forms-based authentication to claims-based authentication in SharePoint Server 2010, see Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010).
- Configure a forms-based Web application to use an LDAP provider by using Central Administration
- Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
Configure a forms-based Web application to use an LDAP provider by using Central Administration
Perform the steps in the following procedure to use Central Administration to configure forms-based authentication for a claims-based Web application.
To configure forms-based authentication for a claims-based Web application by using Central Administration
- Verify that the user account that is performing this procedure is a site collection administrator.
- In Central Administration, in the Application Management section, click Manage web applications.
- In the Contribute group of the ribbon, click New.
- In the Authentication section of the Create New Web Application dialog box, click Claims Based Authentication.
- In the Claims Authentication Types section, select Enable Forms Based Authentication (FBA).
- Type a membership provider name and a role manager name. In the example Web.Config file depicted in this article, the name of the membership provider is membership, and the name of the role manager is rolemanager.
- Click OK to create the Web application.
Configure the LDAP Web.Config files
After you have successfully created the Web application (described in the preceding procedure), modify the following Web.Config files:
- The Central Administration Web application Web.Config file
- The Security Token Service Web.Config file
- The forms-based authentication claims-based Web application Web.Config file
To configure the Central Administration Web.Config file
- Start IIS Manager by typing INETMGR at a command prompt.
- Go to the SharePoint Central Administration site in IIS.
- Right-click SharePoint Central Administration and then click Explore.
- Open the Web.Config file.
- Find the <configuration><system.web> section and add the following entry:
<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <!-- Replace server, port and userContainer with the values for your directory. -->
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <!-- Replace groupContainer with the distinguished name of your group container.
         The & in an LDAP filter must be written as &amp; inside an XML attribute. -->
    <add name="rolemanager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         groupContainer="DC=internal,DC=yourcompany,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree" />
  </providers>
</roleManager>
Important:
After you have added the preceding entry, save and close the Web.Config file.
To configure the Security Token Service Web.Config file
- Start IIS Manager by typing INETMGR at a command prompt.
- Go to the SharePoint Web Services site.
- Go to the SecurityTokenServiceApplication sub-site.
- Right-click SecurityTokenServiceApplication and then click Explore.
- Open the Web.Config file.
- Find the <configuration><system.web> section and add the following entry:
<membership>
  <providers>
    <!-- The & in an LDAP filter must be written as &amp; inside an XML attribute. -->
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
         userObjectClass="person"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <add name="rolemanager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         groupContainer="DC=internal,DC=yourcompany,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree" />
  </providers>
</roleManager>
Important:
After you have added the preceding entry, save and close the Web.Config file.
To configure the forms-based authentication claims-based Web application Web.Config file
- Start IIS Manager by typing INETMGR at a command prompt.
- Go to the Claims Forms site.
- Right-click Claims Forms and then click Explore.
- Open the Web.Config file.
- Find the <configuration><system.web> section.
- Find the <membership defaultProvider="i"> section and add the following entry to its <providers> element:
<!-- The & in an LDAP filter must be written as &amp; inside an XML attribute. -->
<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
     userObjectClass="person"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
- Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and add the following entry to its <providers> element:
<add name="rolemanager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     groupContainer="DC=internal,DC=yourcompany,DC=com"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree" />
Important:
After you have added the preceding entry, save and close the Web.Config file.
Warning:
Do not overwrite any existing entries in this Web.Config file.
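The same LDAP provider entry is pasted into three Web.Config files, and a mismatch between them, a mistyped search filter, or a raw & in an attribute breaks sign-in at runtime rather than at edit time. The following script is an added example, not part of this article or of SharePoint: it parses a <system.web> fragment and reports LDAP provider entries that are missing (compared with the names given to New-SPAuthenticationProvider), use useSSL="false", have unbalanced filters, or are not well-formed XML. The sample fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the STS fragment above: useSSL="false" and an unbalanced groupFilter.
SAMPLE_STS = """<configuration><system.web>
<membership><providers>
<add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
     server="yourserver.com" port="389" useSSL="false" scope="Subtree"
     userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
     userFilter="(&amp;(ObjectClass=person))" />
</providers></membership>
<roleManager enabled="true"><providers>
<add name="rolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
     server="yourserver.com" port="389" useSSL="false" scope="Subtree"
     groupContainer="DC=internal,DC=yourcompany,DC=com"
     groupFilter="((ObjectClass=group)" userFilter="(&amp;(ObjectClass=person))" />
</providers></roleManager>
</system.web></configuration>"""

PROVIDER_PATHS = ("./system.web/membership/providers/add", "./system.web/roleManager/providers/add")

def balanced_filter(ldap_filter):
    """True when every '(' in an LDAP search filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_providers(xml_text, expected_names=("membership", "rolemanager")):
    """Return findings for the LDAP provider entries of one Web.Config; an empty list means pass."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"not well-formed XML ({err}); a raw '&' inside a filter must be written &amp;"]
    # Only the SharePoint LDAP providers matter; the built-in ASP.NET providers are ignored.
    providers = {a.get("name"): a.attrib for p in PROVIDER_PATHS for a in root.findall(p)
                 if "Microsoft.Office.Server.Security.Ldap" in a.get("type", "")}
    findings = [f"provider '{n}' passed to New-SPAuthenticationProvider is missing"
                for n in expected_names if n not in providers]
    for name, attrs in providers.items():
        if attrs.get("useSSL", "false").lower() != "true":
            findings.append(f"{name}: useSSL is not true, so LDAP traffic on port "
                            f"{attrs.get('port', '389')} is not TLS-protected")
        for key in ("userFilter", "groupFilter"):
            if key in attrs and not balanced_filter(attrs[key]):
                findings.append(f"{name}: {key} has unbalanced parentheses: {attrs[key]}")
    return findings
```

Run check_providers over the text of each of the three Web.Config files after editing; an empty list from all three means the entries agree with the provider names used in the PowerShell procedure that follows.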
Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
Perform the steps in the following procedure to use Windows PowerShell to configure forms-based authentication for a claims-based Web application.
To configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
- Verify that you meet the following minimum requirements: See Add-SPShellAdmin.
- On the Start menu, click All Programs.
- Click Microsoft SharePoint 2010 Products.
- Click SharePoint 2010 Management Shell.
- From the Windows PowerShell command prompt, type the following:
$ap = New-SPAuthenticationProvider -Name "ClaimsForms" -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
$wa = New-SPWebApplication -Name "Claims Windows Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "internal\appool" -Url http://servername -Port 80 -AuthenticationProvider $ap
Note:
The value of the ApplicationPoolAccount parameter must be a managed account on the farm.
- After you have successfully created an authentication provider and a Web application, modify the Central Administration, Security Token Service, and forms-based authentication Web application Web.Config files by using the sample entries provided in the Configure the LDAP Web.Config files section of this article.
- After you have modified the Web.Config files, create a SPClaimsPrincipal and a site collection, as shown in the following example:
$cp = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
$sp = New-SPSite http://servername:port -OwnerAlias $cp.Encode() -Template "STS#0"
For more information, see New-SPClaimsPrincipal.
Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Important: