Configure forms-based authentication for a claims-based web application in SharePoint 2013

SharePoint 2013
 

Applies to: SharePoint Foundation 2013, SharePoint Server 2013

Topic Last Modified: 2014-12-02

Summary: Learn how to configure forms-based authentication with an LDAP provider for a new SharePoint 2013 web application.

This article provides guidance for configuring forms-based authentication for a SharePoint 2013 web application that uses a Lightweight Directory Access Protocol (LDAP) membership provider. Forms-based authentication is an identity management system that is based on ASP.NET membership and role provider authentication. Forms-based authentication in SharePoint 2013 is a claims-based authentication method. For more information about the use of forms-based authentication, see the “Implementing forms-based authentication” section of Plan for user authentication methods in SharePoint 2013.

Important:
The steps in this article apply to SharePoint Server 2013.

For a version of these procedures that is configured in a standardized test lab, see Test Lab Guide: Demonstrate forms-based claims authentication for SharePoint Server 2013.

Before you begin this operation, you should be familiar with the concepts in Plan for user authentication methods in SharePoint 2013.

Note:
Because SharePoint 2013 runs as websites in Internet Information Services (IIS), administrators and users depend on the accessibility features that browsers provide. SharePoint 2013 supports the accessibility features of supported browsers. For more information, see the following resources:

This configuration has the following phases that must be performed in consecutive order:

Within each phase, the set of procedures must also be performed in consecutive order.

For an alternative to creating the new web application by using Central Administration, see Create a new web application that uses forms-based authentication with Windows PowerShell.

Perform the steps in the following procedure to create a web application that uses forms-based authentication with Central Administration.

To create a new web application that uses forms-based authentication with Central Administration
  1. Verify that the user account that is performing this procedure is a site collection administrator.

  2. Start SharePoint 2013 Central Administration.

    • For Windows Server 2008 R2:

      • Click Start, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Central Administration.

    • For Windows Server 2012:

      • On the Start screen, click SharePoint 2013 Central Administration.

        If SharePoint 2013 Central Administration is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Central Administration.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. In Central Administration, in the Application Management section, click Manage web applications.

  4. In the Contribute group of the ribbon, click New.

  5. In the Claims Authentication Types section of the Create New Web Application dialog box, select Enable Forms Based Authentication (FBA).

  6. Type a membership provider name in ASP.NET Membership provider name and a role manager name in ASP.NET Role manager name.

    In the example Web.Config files depicted in this article, the membership provider is membership and the role manager is rolemanager.

  7. Configure the other settings for this new web application as needed, and then click OK to create it.

  8. When prompted with the Application Created dialog box, click OK.

After you successfully create the new web application, modify the following Web.Config files on every web front-end server in the farm:

The following procedure configures the Central Administration web site to recognize and use the new forms-based membership provider and role manager.

To configure the Central Administration Web.Config file
  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, open the server name, and then Sites.

  3. Right-click the SharePoint Central Administration v4 site, and then click Explore.

  4. In the folder window, double-click the Web.Config file.

  5. In the <Configuration> section, find the <system.web> section and add the following example entry:

    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=distinguishedName (of your userContainer)"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="roleManager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             groupContainer="DC=internal,DC=yourcompany,DC=distinguishedName (of your groupContainer)"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />
      </providers>
    </roleManager>

    In the preceding entry, substitute the following:

    • The name of your membership provider in <add name="membership".

    • The fully qualified domain name (FQDN) of your domain controller (your LDAP server) in server="yourserver.com".

    • The distinguished name of your user container in userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=distinguishedName (of your userContainer)".

    • The name of your role manager in <add name="roleManager".

    • The distinguished name of your group container in groupContainer="DC=internal,DC=yourcompany,DC=distinguishedName (of your groupContainer)".

    After you add this entry, save and close the Web.Config file.

The following procedure configures the Security Token Service to recognize and use the new forms-based membership provider and role manager.

To configure the Security Token Service Web.Config file
  1. In the console tree of Internet Information Services (IIS) Manager, open the SharePoint Web Services site.

  2. In the console tree, right-click SecurityTokenServiceApplication, and then click Explore.

  3. In the folder window, double-click the Web.Config file.

  4. In the <Configuration> section, create a new <system.web> section and add the following example entry:

    <membership>
      <providers>
        <add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
             userObjectClass="person"
             userFilter="(&amp;(ObjectClass=person))"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="rolemanager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             groupContainer="DC=internal,DC=yourcompany,DC=com"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />
      </providers>
    </roleManager>

    In the preceding entry, substitute the following:

    • The name of your membership provider in <add name="membership".

    • The FQDN of your domain controller (your LDAP server) in server="yourserver.com".

    • The distinguished name of your user container in userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com".

    • The name of your role manager in <add name="roleManager".

    • The distinguished name of your group container in groupContainer="DC=internal,DC=yourcompany,DC=com".

    After you add this entry, save and close the Web.Config file.

The following procedure configures the new web application to recognize and use the new forms-based membership provider and role manager.

To configure the new web application Web.Config file
  1. In the console tree of Internet Information Services (IIS) Manager, right-click the site that corresponds to the name of the web application that you just created, and then click Explore.

  2. In the folder window, double-click the Web.Config file.

  3. In the <Configuration> section, find the <system.web> section.

  4. Find the <membership defaultProvider="i"> section and add the following example entry to its <providers> section:

    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
         userObjectClass="person"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />

    In the preceding entry, substitute the following:

    • The name of your membership provider in <add name="membership".

    • The FQDN of your domain controller (your LDAP server) in server="yourserver.com".

    • The distinguished name of your user container in userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com".

  5. Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and add the following example entry to its <providers> section:

    <add name="roleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="yourserver.com"
         port="389"
         useSSL="false"
         groupContainer="DC=internal,DC=yourcompany,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree" />

    In the preceding entry, substitute the following:

    • The name of your role manager in <add name="roleManager".

    • The FQDN of your domain controller (your LDAP server) in server="yourserver.com".

    • The distinguished name of your group container in groupContainer="DC=internal,DC=yourcompany,DC=com".

    After you add the preceding entry, save and close the Web.Config file.

    Warning:
    Do not overwrite any existing entries in this Web.Config file.
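The three Web.Config edits above are easy to get subtly wrong on one of several front-end servers: a provider name that differs from the one typed into Central Administration, a container DN placeholder left in place, or useSSL still "false" so that every forms login sends the user's password to the LDAP server in cleartext over port 389. The following Python script is an added check, not part of this article or of SharePoint; it parses a Web.Config in the shape of the entries above (the SAMPLE_WEB_CONFIG is constructed for the example, and the function names are this example's own) and reports those three conditions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the entries above, with useSSL left at "false"
# and the group container placeholder not yet replaced.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="i"><providers>
    <add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
         server="yourserver.com" port="389" useSSL="false"
         userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com" />
  </providers></membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"><providers>
    <add name="rolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server"
         server="yourserver.com" port="389" useSSL="false"
         groupContainer="DC=internal,DC=yourcompany,DC=distinguishedName (of your groupContainer)" />
  </providers></roleManager>
</system.web></configuration>"""


def ldap_providers(config_xml):
    """Map (section, lower-cased provider name) to the attributes of each LDAP provider <add> entry."""
    root = ET.fromstring(config_xml)
    found = {}
    for section in ("membership", "roleManager"):
        for element in root.iter(section):
            for add in element.iter("add"):
                if "Ldap" in add.get("type", ""):
                    # ASP.NET resolves provider names case-insensitively, so key by lower-cased name
                    found[(section, add.get("name", "").lower())] = dict(add.attrib)
    return found


def check_fba_config(config_xml, membership_name, role_name):
    """Return findings for one Web.Config; an empty list means the file matches the names
    given in Central Administration and binds to LDAP over an encrypted connection."""
    providers = ldap_providers(config_xml)
    findings = []
    for expected, section in ((membership_name, "membership"), (role_name, "roleManager")):
        entry = providers.get((section, expected.lower()))
        if entry is None:
            findings.append(f"{section}: no LDAP provider named '{expected}'")
            continue
        if entry.get("useSSL", "false").lower() != "true":
            findings.append(f"{section} '{expected}': useSSL=false on port {entry.get('port', '?')}; "
                            "user passwords and the LDAP bind cross the network unencrypted")
        if "(of your" in entry.get("userContainer", "") + entry.get("groupContainer", ""):
            findings.append(f"{section} '{expected}': container DN placeholder was not replaced")
    return findings
```

Run check_fba_config over the Central Administration, Security Token Service and web application Web.Config files on each front-end server with the provider and role manager names you entered in step 6; an LDAPS bind normally uses port 636 with useSSL="true".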

Perform the following procedure to create a web application that uses forms-based authentication with Windows PowerShell.

To create a new web application that uses forms-based authentication with Windows PowerShell
  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running the Windows PowerShell cmdlets.

    • Add memberships that are required beyond the minimums above.

    An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 Products cmdlets.

    Note:
    If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
  2. Start the SharePoint 2013 Management Shell.

    • For Windows Server 2008 R2:

      • In the SharePoint 2013 environment, on the Start menu, click All Programs, click Microsoft SharePoint 2013 Products, and then click SharePoint 2013 Management Shell.

    • For Windows Server 2012:

      • In the SharePoint 2013 environment, on the Start screen, click SharePoint 2013 Management Shell.

        If SharePoint 2013 Management Shell is not on the Start screen:

      • Right-click Computer, click All apps, and then click SharePoint 2013 Management Shell.

    For more information about how to interact with Windows Server 2012, see Common Management Tasks and Navigation in Windows Server 2012.

  3. From the Windows PowerShell command prompt, type the following:

    $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider <Membership Provider Name> -ASPNETRoleProviderName <Role Manager Name>

    $wa = New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -Url <URL> -Port <Port> -AuthenticationProvider $ap


    Example

    $ap = New-SPAuthenticationProvider -Name "ClaimsForms" -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
    
    $wa = New-SPWebApplication -Name "FBA Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "internal\appool" -Url http://contoso.com -Port 1234 -AuthenticationProvider $ap
    
    Note:
    The value of the ApplicationPoolAccount parameter must be a managed account on the farm.
  4. After you successfully create the new web application, modify the following Web.Config files:

  5. After you change the Web.Config files, create an SPClaimsPrincipal and a site collection, as shown in the following example:

    $cp = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
    $sp = New-SPSite http://servername:port -OwnerAlias $cp.Encode() -Template "STS#0"
    

    For more information, see New-SPClaimsPrincipal.

Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

© 2014 Microsoft