Unable to load authentication provider - Event 6143 (SharePoint 2010 Products)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Alert Name:   Unable to load authentication provider

Event ID:   6143

Summary:   To authenticate users, Microsoft SharePoint 2010 Products uses the authentication providers that are provided by Windows Server 2008 R2 — such as forms authentication or Web single sign-on (SSO) authentication — by other versions of Windows, and by third-party vendors.

When using Kerberos v5 authentication, the service account used by the Internet Information Services (IIS) application pool for your Web application must be registered in Active Directory as a Service Principal Name (SPN) on the domain on which the front-end Web server is a member.

This error indicates that the role manager or membership provider that is specified for a particular Web application is incorrectly configured.

Symptoms:   One or more of the following symptoms might appear:

  • User authentication fails to work correctly, which prevents users from accessing content.

  • User tokens are not updated by using correct role memberships, which prevents users from accessing content that they would expect to have access to, based on their roles.

  • Event 6143 might appear in the event log with one of the following descriptions:

    • Description: Cannot get Membership Provider with name <Membership Provider Name>. The membership provider for this process was not properly configured. You must configure the membership provider in the .config file for every SharePoint process.

    • Description: Cannot get Role Manager with name <Role Manager Name>. The role manager for this process was not properly configured. You must configure the role manager in the .config file for every SharePoint process.

Cause:   The role manager or membership provider specified for a particular Web application may be incorrectly configured.

Resolution:   Verify the authentication mode

  1. On the Central Administration Home page Quick Launch, click Security.

  2. On the Security page, in the General Security section, click Specify authentication providers.

  3. On the Authentication Providers page, ensure that the correct Web application is selected. If it is not, select the Web application that you want to review.

  4. On the Authentication Providers page, click the zone for which you want to change authentication settings.

  5. On the Edit Authentication page, in the Authentication Type section, review the selected authentication type.

  6. If Windows is selected, review the settings in the IIS Authentication Settings section. If Forms or Web Single Sign-On is selected, review the settings in the Membership Provider Name and Role Manager Name sections.

  7. Click Cancel to close without saving changes.

Resolution:   Configure Kerberos v 5 authentication mode

  1. You only need to perform this procedure if you are using Kerberos v  5 authentication.

  2. You must be a member of the SharePoint Administrators group to perform this task.

  3. Contact a domain administrator and ensure that the service account used by the application pool is the registered SPN for all domains listed with the Web application.

    Note

    If you do not have a specific need for Kerberos v5 authentication, or if you cannot configure the SPN, use NTLM authentication instead. If you use Kerberos v5 authentication and cannot configure the SPN, only server administrators will be able to authenticate to the site. To change the authentication type, see the "Configure NTLM authentication mode" procedure later in this article

    For more information about how to configure SharePoint 2010 Products to use Kerberos v5 authentication, see the Microsoft Knowledge Base article 832769, How to configure a Windows SharePoint Services virtual server to use Kerberos v5 authentication and how to switch from Kerberos v5 authentication back to NTLM authentication.

Resolution:   Configure NTLM authentication mode

  1. On the Central Administration Home page Quick Launch, click Security.

  2. On the Security page, in the General Security section, click Specify authentication providers.

  3. On the Authentication Providers page, ensure that the correct Web application is selected. If it is not, select the Web application that you intend to review.

  4. On the Authentication Providers page, click the zone for which you want to change authentication settings.

  5. On the Edit Authentication page, in the Authentication Type section, select Windows authentication.

  6. Under IIS Authentication Settings, ensure that the Integrated Windows authentication check box is selected, and then click NTLM.

  7. Click OK to save changes.

Resolution:   Configure Forms or Web Single Sign-On authentication mode

  1. You only need to perform this procedure if you are using Kerberos v  5 authentication.

  2. You must be a member of the SharePoint Administrators group to perform this task.

  3. Review the documentation for the forms or Web SSO provider. Ensure that the correct components for the provider are installed on the server and that the settings for the provider are correctly set up in the Web.config file of the IIS directory for the Web application. Record the membership provider name and role manager from the Web.config file.

  4. On the Central Administration Home page Quick Launch, click Security.

  5. On the Security page, in the General Security section, click Specify authentication providers.

  6. On the Authentication Providers page, click on the correct zone.

  7. On the Edit Authentication page, in the Claims Authentication section, record the ASP.NET Membership provider name. Make sure that this is the same name specified in the Web.config file.

  8. Record the ASP.NET Role manager name. Make sure that this is the same name specified in the Web.config file.