Configure forms-based authentication for a claims-based Web application (SharePoint Server 2010)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Procedures in this article illustrate how to configure a forms-based Web application to use an LDAP provider.

The procedures in this article provide guidance to enable you to configure forms-based authentication for a Microsoft SharePoint Server 2010 claims-based Web application. If you need to migrate an existing Microsoft Office SharePoint Server 2007 Web application from forms-based authentication to claims-based authentication in SharePoint Server 2010, see Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010).

  • Configure a forms-based Web application to use an LDAP provider by using Central Administration

  • Configure the LDAP Web.Config files

  • Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell

Configure a forms-based Web application to use an LDAP provider by using Central Administration

Perform the steps in the following procedure to use Central Administration to configure forms-based authentication for a claims-based Web application.

To configure forms-based authentication for a claims-based Web application by using Central Administration

  1. Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group. Creating a Web application is a farm-level operation; site collection administrator rights alone are not sufficient.

  2. In Central Administration, in the Application Management section, click Manage web applications.

  3. In the Contribute group of the ribbon, click New.

  4. In the Authentication section of the Create New Web Application dialog box, click Claims Based Authentication.

  5. In the Claims Authentication Types section, select Enable Forms Based Authentication (FBA). Because the sign-in form posts the user's password to the Web application, also set Use Secure Sockets Layer (SSL) to Yes in the Security Configuration section and bind a server certificate to the new IIS site; otherwise the password crosses the network in clear text.

  6. Type a membership provider name and a role manager name. Use exactly these names again for the <add name="..."> entries in the three Web.Config files later in this article. In the example Web.Config files, the name of the membership provider is membership, and the name of the role manager is rolemanager.

  7. Click OK to create the Web application.

Configure the LDAP Web.Config files

After you have successfully created the Web application (described in the preceding procedure), modify the following Web.Config files:

  • The Central Administration Web application Web.Config file

  • The Security Token Service Web.Config file

  • The forms-based authentication claims-based Web application Web.Config file

To configure the Central Administration Web.Config file

  1. Start IIS Manager by typing INETMGR at a command prompt.

  2. Go to the SharePoint Central Administration site in IIS.

  3. Right-click SharePoint Central Administration and then click Explore.

  4. Open the Web.Config file.

  5. Find the <configuration> <system.web> section and add the following entry. Replace the server value with the host name of your directory server, and replace userContainer and groupContainer with the distinguished names of the containers that hold your users and groups. The sample uses port 389 without SSL; where your directory offers LDAPS, set useSSL="true" and port="636" so that directory traffic, including whatever credentials the provider presents to the directory, is encrypted on the wire. Whatever values you choose, use the same ones in all three Web.Config files:

<membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
      <providers>
        <add name="rolemanager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             groupContainer="DC=internal,DC=yourcompany,DC=com"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />
      </providers>
 </roleManager>

Important

After you have added the preceding entry, save and close the Web.Config file.
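
Before the same server, container, filter and attribute values are copied into three files, it is worth checking them against the directory once. The following PowerShell is an added example and is not part of the original article: it uses System.DirectoryServices.Protocols to run two searches modelled on the provider attributes above (userFilter combined with userNameAttribute inside userContainer, then groupFilter combined with groupMemberAttribute inside groupContainer) and reports the user's distinguished name and group names. The server name, the containers and the SiteOwner test account are placeholders (assumptions); replace them with your own values.

```powershell
# Added example, not from the original article: pre-flight check of the LDAP
# values before they are copied into the three Web.Config files. Server,
# container and test-account names are placeholders (assumptions). Run it on a
# farm server as the application pool account, so the bind uses the identity
# the providers will run under.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a login name typed by a user must never be pasted raw into a filter.
    param([string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Connect-LdapServer {
    param([string]$Server, [int]$Port, [bool]$UseSSL)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSSL      # useSSL="true" pairs with port 636
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()                                          # binds as the current Windows identity
    return $conn
}

function Find-LdapEntries {
    param($Conn, [string]$BaseDn, [string]$Filter, [string[]]$Attributes)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDn
    $req.Filter = $Filter
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree   # scope="Subtree"
    [void]$req.Attributes.AddRange($Attributes)
    $resp = $Conn.SendRequest($req)
    foreach ($entry in $resp.Entries) { $entry }
}

function Test-LdapProviderSettings {
    param(
        [string]$Server = "yourserver.com", [int]$Port = 389, [bool]$UseSSL = $false,
        [string]$UserContainer = "OU=UserAccounts,DC=internal,DC=yourcompany,DC=com",
        [string]$UserFilter = "(ObjectClass=person)", [string]$UserNameAttribute = "sAMAccountName",
        [string]$GroupContainer = "DC=internal,DC=yourcompany,DC=com",
        [string]$GroupFilter = "(ObjectClass=group)", [string]$GroupMemberAttribute = "member",
        [string]$TestUser = "SiteOwner"
    )
    if (-not $UseSSL) { Write-Warning "useSSL=false: LDAP traffic to ${Server}:$Port is not encrypted." }
    $conn = Connect-LdapServer $Server $Port $UseSSL
    try {
        # Lookup modelled on the membership provider attributes: userFilter AND userNameAttribute=<login>
        $userQuery = "(&$UserFilter($UserNameAttribute=$(ConvertTo-LdapFilterValue $TestUser)))"
        $users = @(Find-LdapEntries $conn $UserContainer $userQuery @("distinguishedName", "sn", "givenname", "cn"))
        if ($users.Count -ne 1) {
            throw "Expected exactly one match for '$TestUser' under $UserContainer, found $($users.Count)."
        }
        $dn = $users[0].DistinguishedName
        foreach ($a in @("sn", "givenname", "cn")) {       # otherRequiredUserAttributes must all be populated
            if (-not $users[0].Attributes.Contains($a)) { Write-Warning "Attribute '$a' is missing on $dn" }
        }
        # Lookup modelled on the role provider attributes: groupFilter AND groupMemberAttribute=<user DN>
        $groupQuery = "(&$GroupFilter($GroupMemberAttribute=$(ConvertTo-LdapFilterValue $dn)))"
        $groups = @(Find-LdapEntries $conn $GroupContainer $groupQuery @("cn"))
        New-Object PSObject -Property @{
            UserDN = $dn
            Groups = @($groups | ForEach-Object { $_.Attributes["cn"][0] })
        }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapProviderSettings -TestUser "SiteOwner" | Format-List
```

A result with exactly one UserDN and the expected Groups means the containers, filters and attribute names are usable as written. Zero or several matches for the test account, or a missing sn, givenname or cn, point at the container or filter rather than at SharePoint, and are much cheaper to find here than after the Web.Config files have been edited. To test the LDAPS values instead, call the function with -Port 636 -UseSSL $true.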

To configure the Security Token Service Web.Config file

  1. Start IIS Manager by typing INETMGR at a command prompt.

  2. Go to the SharePoint Web Services site.

  3. Go to the SecurityTokenServiceApplication sub-site.

  4. Right-click SecurityTokenServiceApplication and then click Explore.

  5. Open the Web.Config file.

  6. Find the <configuration> <system.web> section and add the following entry, using the same server, port, useSSL, filter and container values that you used in the Central Administration Web.Config file:

<membership>
      <providers>
        <add name="membership" 
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" 
             server="yourserver.com" 
             port="389" 
             useSSL="false" 
             userDNAttribute="distinguishedName" 
             userNameAttribute="sAMAccountName" 
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com" 
             userObjectClass="person" 
             userFilter="(ObjectClass=person)" 
             scope="Subtree" 
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true" > 
      <providers>
        <add name="rolemanager" 
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com" 
             port="389"
             useSSL="false"
             groupContainer="DC=internal,DC=yourcompany,DC=com"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />
      </providers>
    </roleManager>

Important

After you have added the preceding entry, save and close the Web.Config file.

To configure the forms-based authentication claims-based Web application Web.Config file

  1. Start IIS Manager by typing INETMGR at a command prompt.

  2. Go to the site for the forms-based Web application that you created (in this article's examples it is named Claims Forms).

  3. Right-click that site and then click Explore.

  4. Open the Web.Config file.

  5. Find the <configuration> <system.web> section.

  6. Find the <membership defaultProvider="i"> section and, inside its <providers> element after the existing <add> entries, add the following entry. Leave defaultProvider="i" as it is: the "i" provider is SharePoint's claims membership provider, and it reaches the LDAP provider by the name you entered when you created the Web application:

<add name="membership"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />

Find the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> section and, inside its <providers> element after the existing <add> entries, add the following entry, again leaving defaultProvider="c" unchanged:

<add name="rolemanager"
             type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="yourserver.com"
             port="389"
             useSSL="false"
             groupContainer="DC=internal,DC=yourcompany,DC=com"
             groupNameAttribute="cn"
             groupNameAlternateSearchAttribute="samAccountName"
             groupMemberAttribute="member"
             userNameAttribute="sAMAccountName"
             dnAttribute="distinguishedName"
             groupFilter="(ObjectClass=group)"
             userFilter="(ObjectClass=person)"
             scope="Subtree" />

Important

After you have added the preceding entry, save and close the Web.Config file.

Warning

Do not overwrite any existing entries in this Web.Config file. In particular, keep the existing <add name="i"> and <add name="c"> provider entries and the defaultProvider="i" and defaultProvider="c" attributes. They are SharePoint's claims providers, and the LDAP entries you add are only reached through them; replacing the default provider with the LDAP provider name breaks claims authentication for the Web application.
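
Editing three Web.Config files by hand is where most mistakes in this procedure happen: an entry pasted into the wrong section, a defaultProvider attribute overwritten, or a name that differs between files. The following PowerShell is an added example and is not the article's or the product's own code. It writes the two <add> entries through the XML DOM, backs each file up first, creates the <membership> and <roleManager> sections only when they are absent (the Central Administration sample in this article names a defaultProvider explicitly; the script leaves that attribute to whatever the file already has), never touches existing entries, and skips an entry whose name is already present. The Web application URL, the Security Token Service path (the default 14-hive location) and the LDAP values are assumptions; the LDAP values use LDAPS (port 636, useSSL="true") rather than the article's clear-text port 389 sample.

```powershell
# Added example, not from the original article: writes the LDAP provider
# entries into a Web.Config file through the XML DOM instead of by hand.
# The Web application URL, the STS path and the LDAP values are assumptions.
# Run in the SharePoint 2010 Management Shell as an administrator.

function Add-LdapProviderEntries {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [Parameter(Mandatory=$true)][hashtable]$MembershipAttributes,
        [Parameter(Mandatory=$true)][hashtable]$RoleAttributes
    )
    $stamp = Get-Date -Format "yyyyMMdd-HHmmss"
    Copy-Item $WebConfigPath "${WebConfigPath}.${stamp}.bak"  # copy back over the file to roll back

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true                          # keeps the saved file diff-friendly
    $doc.Load($WebConfigPath)
    $systemWeb = $doc.SelectSingleNode("/configuration/system.web")
    if ($systemWeb -eq $null) { throw "No <system.web> section in $WebConfigPath" }

    # Adds one <add .../> under <section><providers>; returns $true when something was written.
    function Add-ProviderEntry([string]$SectionName, [hashtable]$Attributes) {
        $section = $systemWeb.SelectSingleNode($SectionName)
        if ($section -eq $null) {
            $section = $systemWeb.AppendChild($doc.CreateElement($SectionName))
            if ($SectionName -eq "roleManager") { $section.SetAttribute("enabled", "true") }
        }
        $providers = $section.SelectSingleNode("providers")
        if ($providers -eq $null) { $providers = $section.AppendChild($doc.CreateElement("providers")) }
        $name = $Attributes["name"]
        if ($providers.SelectSingleNode("add[@name='$name']") -ne $null) {
            Write-Warning "$WebConfigPath already has a <$SectionName> provider named '$name'; left unchanged."
            return $false
        }
        $add = $doc.CreateElement("add")
        foreach ($key in $Attributes.Keys) { $add.SetAttribute($key, [string]$Attributes[$key]) }
        [void]$providers.AppendChild($add)
        return $true
    }

    $wroteMembership = Add-ProviderEntry "membership"  $MembershipAttributes
    $wroteRole       = Add-ProviderEntry "roleManager" $RoleAttributes
    if ($wroteMembership -or $wroteRole) { $doc.Save($WebConfigPath); Write-Host "Updated $WebConfigPath" }
}

$asm = "Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
# LDAPS (port 636, useSSL="true") instead of the article's clear-text port 389 sample (assumed values).
$membership = @{
    name = "membership"; type = "Microsoft.Office.Server.Security.LdapMembershipProvider, $asm"
    server = "yourserver.com"; port = "636"; useSSL = "true"
    userDNAttribute = "distinguishedName"; userNameAttribute = "sAMAccountName"
    userContainer = "OU=UserAccounts,DC=internal,DC=yourcompany,DC=com"
    userObjectClass = "person"; userFilter = "(ObjectClass=person)"; scope = "Subtree"
    otherRequiredUserAttributes = "sn,givenname,cn"
}
$rolemanager = @{
    name = "rolemanager"; type = "Microsoft.Office.Server.Security.LdapRoleProvider, $asm"
    server = "yourserver.com"; port = "636"; useSSL = "true"
    groupContainer = "DC=internal,DC=yourcompany,DC=com"; groupNameAttribute = "cn"
    groupNameAlternateSearchAttribute = "samAccountName"; groupMemberAttribute = "member"
    userNameAttribute = "sAMAccountName"; dnAttribute = "distinguishedName"
    groupFilter = "(ObjectClass=group)"; userFilter = "(ObjectClass=person)"; scope = "Subtree"
}

$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$wa = Get-SPWebApplication "https://servername"             # the forms-based Web application (assumed URL)
$paths = @(
    (Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"),
    "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config",
    (Join-Path $wa.IisSettings[$zone].Path.FullName "web.config")
)
foreach ($p in $paths) { Add-LdapProviderEntries -WebConfigPath $p -MembershipAttributes $membership -RoleAttributes $rolemanager }
```

Saving a Web.Config file restarts that ASP.NET application, so run this outside of business hours on a production farm. The edits are local to the server the script runs on; repeat them on every server in the farm that hosts Central Administration, the Security Token Service or the forms-based Web application.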

Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell

Perform the steps in the following procedure to use Windows PowerShell to configure forms-based authentication for a claims-based Web application.

To configure a forms-based Web application to use an LDAP provider by using Windows PowerShell

  1. Verify that you meet the following minimum requirements: See Add-SPShellAdmin.

  2. On the Start menu, click All Programs.

  3. Click Microsoft SharePoint 2010 Products.

  4. Click SharePoint 2010 Management Shell.

  5. From the Windows PowerShell command prompt, type the following:

    $ap = New-SPAuthenticationProvider -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
    $wa = New-SPWebApplication -Name "Claims Forms" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "internal\appool" `
      -Url https://servername -Port 443 -SecureSocketsLayer -AuthenticationProvider $ap

    The membership and role provider names passed to New-SPAuthenticationProvider must match the name attributes of the <add> entries you place in the Web.Config files. The -SecureSocketsLayer switch creates the IIS site with an HTTPS binding, which forms-based authentication needs because the sign-in form posts the user's password; bind a server certificate to the site in IIS before users sign in. The backtick at the end of the second line continues the command onto the next line.

    Note

    The value of the ApplicationPoolAccount parameter must be a managed account on the farm.

  6. After you have successfully created an authentication provider and a Web application, modify the following Web.Config files by using the sample entries provided in the Configure the LDAP Web.Config files section of this article:

    • The Central Administration Web application Web.Config file

    • The Security Token Service Web.Config file

    • The forms-based authentication claims-based Web application Web.Config file

  7. After you have modified the Web.Config files, create an SPClaimsPrincipal for the user who will own the site collection, and then create the site collection, as shown in the following example. SiteOwner must be an account that the membership provider can find in its userContainer. The identity is written as <membership provider name>:<login name>, and ToEncodedString() turns it into the encoded claim value (of the form i:0#.f|membership|<login name>) that -OwnerAlias expects:

    $cp = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
    $sp = New-SPSite https://servername -OwnerAlias $cp.ToEncodedString() -Template "STS#0"

    For more information, see New-SPClaimsPrincipal.
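
Once the Web application exists and the three Web.Config files are edited, the names have to agree end to end: SharePoint stores the provider names on the Web application and resolves the <add name="..."> entries by those names, so one mismatch in one file is enough to break sign-in or group resolution. The following PowerShell is an added example, not the article's or the product's own code. It reads the provider names back from the Web application's default zone, looks for an entry with each name in all three files, flags any entry that still talks to the directory without SSL, and shows the encoded claim for a sample forms user. The Web application URL, the Security Token Service path (the default 14-hive location) and the SiteOwner login name are assumptions; run it in the SharePoint 2010 Management Shell on the server whose files you want to check.

```powershell
# Added example, not from the original article: end-to-end consistency check
# of the forms-based authentication setup. The Web application URL, the STS
# path and the SiteOwner login name are assumptions.

function Get-ProviderEntry {
    param([string]$WebConfigPath, [string]$Section, [string]$Name)
    [xml]$doc = Get-Content $WebConfigPath
    return $doc.SelectSingleNode("/configuration/system.web/$Section/providers/add[@name='$Name']")
}

function Test-FbaConfiguration {
    param(
        [string]$WebAppUrl = "https://servername",
        [string]$StsWebConfig = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
    )
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $iis  = (Get-SPWebApplication $WebAppUrl).IisSettings[$zone]
    if (-not $iis.UseFormsClaimsAuthenticationProvider) {
        throw "Forms-based authentication is not enabled on the default zone of $WebAppUrl"
    }
    $fba = $iis.FormsClaimsAuthenticationProvider            # holds the names typed when the Web application was created
    $ca  = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $files = @{
        "Central Administration" = Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"
        "Security Token Service" = $StsWebConfig
        "Web application"        = Join-Path $iis.Path.FullName "web.config"
    }
    $problems = @()
    foreach ($label in $files.Keys) {
        $path = $files[$label]
        $m = Get-ProviderEntry $path "membership"  $fba.MembershipProvider
        $r = Get-ProviderEntry $path "roleManager" $fba.RoleProvider
        if ($m -eq $null) { $problems += "${label}: no membership provider named '$($fba.MembershipProvider)' in $path" }
        if ($r -eq $null) { $problems += "${label}: no role provider named '$($fba.RoleProvider)' in $path" }
        foreach ($entry in @($m, $r)) {
            if ($entry -ne $null -and $entry.GetAttribute("useSSL") -ne "true") {
                $problems += "${label}: provider '$($entry.GetAttribute('name'))' talks to port $($entry.GetAttribute('port')) without SSL"
            }
        }
    }
    # How a forms user is encoded once the names line up: i:0#.f|<membership provider>|<login name>
    $sample = (New-SPClaimsPrincipal -Identity "$($fba.MembershipProvider):SiteOwner" -IdentityType FormsUser).ToEncodedString()
    New-Object PSObject -Property @{
        MembershipProvider = $fba.MembershipProvider
        RoleProvider       = $fba.RoleProvider
        SampleClaim        = $sample
        Problems           = $problems
    }
}

Test-FbaConfiguration | Format-List
```

An empty Problems list means every file carries both providers under the names the Web application will ask for. Because the check reads the files on the local server only, run it on each server in the farm after the Web.Config edits have been repeated there.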

Note

We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

See Also

Concepts

Migrate from forms-based authentication to claims-based authentication (SharePoint Server 2010)

Other Resources

Resource Center: Security and Authentication for SharePoint Server 2010