This is a walk-through on setting up FBA Claims in SharePoint 2010 using the Active Directory Membership Provider.
The very first step is to create a web application, and to create it in claims authentication mode. I am going to provision a web application with claims auth mode enabled at the URL http://moss.claims.contoso.com.
Another important section in this “Create New Web Application” screen is the “Identity Providers” section. Once we select claims as the authentication mode, Windows Authentication is also plugged in as one of the providers. Check the “Enable Windows Authentication” check box if you’d like Windows Authentication ALSO enabled for this web application.
We can also choose to enable ASP.NET Membership and Role Provider here. In this case, we’ll need to provide the corresponding provider names in the text boxes. The web.config file entries can be added later.
Those are the important parts. You can choose the other values as you normally would and create the new web application.
Once the web application is created, we’ll first configure this web application for claims authentication using Active Directory Membership Provider and then create a site collection.
There are 3 web.config files we need to edit for enabling claims:
Central Administration web.config changes
Open the web.config file of your SharePoint 2010 Central Administration site and add the following entries (NOTE: the values you need to change for your environment are shown in red).
First the connection string:
<connectionStrings>
  <add name="adconn" connectionString="LDAP://anomaly.com/DC=anomaly,DC=com" />
</connectionStrings>
And then the provider:
<membership defaultProvider="admembers">
  <providers>
    <add name="admembers"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="adconn"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
NOTE: The <connectionStrings> element must be placed outside the <system.web></system.web> section, and the provider element inside the <system.web></system.web> section of the web.config file.
After this change, the web.config file of the Central Administration site should look like what’s shown in Image3.
Web Application web.config changes
Open the web.config file of the newly created web application and add the following entries.
<connectionStrings>
  <add name="adconn" connectionString="LDAP://anomaly.com/DC=anomaly,DC=com" />
</connectionStrings>
NOTE: This entry should be made outside the <system.web></system.web> section of the web application’s web.config file, just like the one for the Central Administration site.
NOTE: This one is a bit different. In the web application’s web.config file search for “<membership” (without “”).
You will find there is already a membership provider and a role provider plugged in (shown in Image4): SPClaimsAuthMembershipProvider and SPClaimsAuthRoleProvider in Microsoft.SharePoint.Administration.Claims. These implement the default claims provider, and the Windows authentication type is plugged in through an HttpModule (shown in Image5).
Now, we will plug our Active Directory membership provider into this by adding the provider entry shown above to the <providers> element (shown in Image4). The result should look like Image6.
Save and close this web.config file.
STS Application web.config changes
The next thing to do is to get your provider entry into the STS application’s web.config file. Open Internet Information Services (IIS) Manager on your SharePoint 2010 box and find the STS application (shown in Image7).
Right-click > Explore to open the files within this application in explorer.
You should now be in this path: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken, and you will find a web.config file there. That is the Security Token Service application’s web.config you need to add your provider and connection information to.
Open this web.config file. If this is the first time you are configuring claims, you will not find a <system.web></system.web> section in it. That is not a problem; just add that section yourself. What works for me is to go to the end of this web.config file and do the following:
First, add the connection information just before </configuration>. Then, after the <connectionStrings></connectionStrings> section, add a <system.web></system.web> section and put our provider information into it. The result should look like Image8.
After this, running an IISRESET might be a good idea.
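Because the three web.config edits above are the easiest place to go wrong, here is an added check script (not from the original post) that verifies each file has the connection string directly under <configuration> and the provider inside <system.web>, with the names matching. It assumes the provider is called admembers and the connection string adconn as in the post; the Central Administration and web application paths are placeholders to replace with your IIS virtual directory ports.

```powershell
# Added example: validate the FBA claims entries in the three web.config files.
# Assumptions: provider "admembers" and connection string "adconn" as in the post;
# CA_PORT and WEBAPP_PORT are placeholders for your IIS virtual directory folders.
param(
    [string[]]$WebConfigPaths = @(
        'C:\inetpub\wwwroot\wss\VirtualDirectories\CA_PORT\web.config',
        'C:\inetpub\wwwroot\wss\VirtualDirectories\WEBAPP_PORT\web.config',
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
    ),
    [string]$ProviderName   = 'admembers',
    [string]$ConnectionName = 'adconn'
)

foreach ($path in $WebConfigPaths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$path not found"; continue }
    [xml]$cfg = Get-Content -LiteralPath $path -Raw
    $problems = @()

    # The connection string must sit directly under <configuration>, never inside <system.web>.
    $conn = $cfg.SelectSingleNode("/configuration/connectionStrings/add[@name='$ConnectionName']")
    if (-not $conn) {
        $problems += "connection string '$ConnectionName' missing directly under <configuration>"
    } elseif ($conn.connectionString -notmatch '^LDAP://') {
        $problems += "connection string '$ConnectionName' does not start with LDAP://"
    }
    if ($cfg.SelectSingleNode("//system.web//connectionStrings")) {
        $problems += "<connectionStrings> is wrongly nested inside <system.web>"
    }

    # The provider must sit under <system.web>/<membership>/<providers> and point at that connection.
    $prov = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$ProviderName']")
    if (-not $prov) {
        $problems += "membership provider '$ProviderName' missing under <system.web>"
    } else {
        if ($prov.type -notmatch '^System\.Web\.Security\.ActiveDirectoryMembershipProvider') {
            $problems += "provider '$ProviderName' is not an ActiveDirectoryMembershipProvider"
        }
        if ($prov.connectionStringName -ne $ConnectionName) {
            $problems += "provider connectionStringName '$($prov.connectionStringName)' does not match '$ConnectionName'"
        }
    }

    if ($problems.Count -eq 0) { Write-Host "[OK]   $path" }
    else { Write-Host "[FAIL] $path"; $problems | ForEach-Object { Write-Host "       - $_" } }
}
```

Run it before the IISRESET; a [FAIL] line names the file and the exact entry to fix.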
You are good now with regards to the web.config file entries. Now you have to get some configuration done through the UI to wire up our provider to the web application. First, go to the Web Applications Management page in the Central Administration site, click the web application you want to enable FBA claims on and choose Authentication Providers from the ribbon. From the Authentication Providers dialog, choose Default. Scroll a bit down to find the Identity Providers section. Check Enable ASP.NET Membership and Role Provider (NOTE: You can also do this at the time of creating this web application) and type in the name of your provider. In my case, it is admembers. After you do this, the UI should look like Image9. Hit Save.
Close the Authentication Providers Dialog UI.
Now, hit the User Policy ribbon option in the Web Applications Management page, having selected your web application. Hit Add Users in the Policy for Web Application dialog. Hit Next in the Add Users dialog. Use the Browse button in the Choose Users people picker control. Notice that the Select People and Groups dialog that comes up has changed. The noticeable difference is that there are sections like Active Directory, All Users, Forms Auth and Organizations. Type in an Active Directory user alias and search. There should be 2 results for the same user: one identified through NTLM authentication and the other through FBA Claims authentication that is using the Active Directory membership provider (refer to Image10).
Select the user from Forms Auth result. In my case, it’s the first user displayed in Image10. Hit Add and then OK in the Select People and Groups dialog. In the Add Users dialog, check Full Control - Has full control for the Choose Permissions section and hit Finish. NOTE: If you want to provide full control to other users either from FBA Claims authentication or NTLM authentication, you can do that here.
Now, your Policy for Web Application dialog should look like Image11. Hit OK.
Now, you can create your top-level site collection in this web application. Click Application Management from the left navigation in the Central Administration site. Click Create Site Collections. Ensure that your web application plugged in with FBA Claims is selected in the Web Applications drop-down. Provide a title and description and pick a template of your choice. In the Primary Site Collection Administrator section, type in the alias of the site collection administrator. This should be the NTLM authenticated user. The entries should look like Image12. Hit OK to create the site collection.
Once the site collection is created, browse to it. A page as shown in Image13 will be displayed.
Choose Windows Authentication from the drop-down and you will log into the newly created site collection using Windows Authentication. Now, you need to add another site collection administrator, but this one must be from the Active Directory membership provider. You can log in through forms authentication using the user you added with full control in the user policy settings above. If you choose not to do that (which most customers do), you can do one of the following steps to add another site collection administrator to this FBA Claims Authentication enabled site.
After this, you should be able to log in to this site using the same URL with both Windows and Forms Authentication (Forms Authentication login shown in Image15).
WARNING: Take utmost care when making the web.config file entries because that is where things go wrong. And if it does, identifying and fixing it might be a herculean task – trust me :) Hope this post was helpful! In my next post on FBA Claims, I’ll cover configuring Office LDAP Claims with some tips on Claims itself.
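The user policy and site collection administrator steps above can also be done from the SharePoint 2010 Management Shell; the following is an added example, not code from the original post. It assumes the membership provider is named admembers as in the post, the web application URL is the one provisioned above, and the user alias is a placeholder; it also makes explicit why the people picker shows the same AD account twice.

```powershell
# Added example: grant the forms identity Full Control via user policy and make it a
# site collection administrator. Assumptions: provider "admembers", placeholder alias.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = 'http://moss.claims.contoso.com'
$alias     = 'fbauser1'   # placeholder: AD alias of the forms user to grant rights to

# A forms user is identified by the encoded claim "i:0#.f|<provider>|<user>", whereas the
# same AD account through Windows auth is "i:0#.w|<domain>\<user>". They are distinct
# identities, which is why the people picker returns the account twice and why rights
# granted to one do not apply to the other.
$formsIdentity = "i:0#.f|admembers|$alias"

# 1. Web application user policy: Full Control for the forms identity (Image10/Image11).
$wa = Get-SPWebApplication $webAppUrl
if (-not ($wa.Policies | Where-Object { $_.UserName -eq $formsIdentity })) {
    $policy = $wa.Policies.Add($formsIdentity, "$alias (Forms Auth)")
    $role   = $wa.PolicyRoles.GetSpecialRole(
                  [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($role)
    $wa.Update()
}

# 2. Site collection: make the same forms identity a site collection administrator.
$site = Get-SPSite $webAppUrl
try {
    $user = $site.RootWeb.EnsureUser($formsIdentity)
    $user.IsSiteAdmin = $true
    $user.Update()
} finally {
    $site.Dispose()
}

# List the policy entries so the NTLM and Forms Auth identities can be compared.
$wa.Policies | Select-Object UserName, DisplayName
```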
@Venkatesh Basi: I think that you need, in the web.config file of Central Administration,
to add the tag <add key="admembers" value="%" />
into the <PeoplePickerWildcards> tag block.
You must get something like this:
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="admembers" value="%" />
P.S. admembers is the name of your membership provider.
Getting this error in the MOSS logs when browsing for users in the "Select People and Groups" dialog so that I can add them to the user policy:
An exception occurred in Forms Auth claim provider when calling SPClaimProvider.FillSearch(): The server cannot handle directory requests. (C:\inetpub\wwwroot\wss\VirtualDirectories\21606\web.config line 372)
Claims Search call failed. Error Message: The server cannot handle directory requests. (C:\inetpub\wwwroot\wss\VirtualDirectories\21606\web.config line 372) Callstack: at System.Web.Security.Membership.Initialize() at System.Web.Security.Membership.get_Providers() at Microsoft.SharePoint.Utilities.SPMembershipProviderPrincipalResolver.get_Provider() at Microsoft.SharePoint.Administration.Claims.SPFormsClaimProvider.AddZoneResolver[T](SPIisSettings iisSettings, Dictionary`2 resolvers) at Microsoft.SharePoint.Administration.Claims.SPFormsClaimProvider.AddAllZonesResolvers[T](SPWebApplication webApplication, Dictionary`2 resolvers) at Microsoft.SharePoint.Administration.Claims.SPFormsClaimProvider.<GetResolversForContext>d__0`1.MoveNext() at Microsoft.SharePoint.Ad..
I'm in the same boat as Saji. Trying to connect both FBA and Windows auth to AD and would like to not add users twice. The same permissions are needed for FBA\user1 and NTLM\user1, depending on which way they entered the site. Has anyone solved this? I have come across this question multiple times, but no one seems to have it working.
Would love to get the answer that Tom and Saji are looking for. 2 different users are 2 DIFFERENT users. Different colleagues, different Newsstream, etc.
@sridhara2: Have you ever succeeded in displaying the correct display name for FBA users in SharePoint 2010 claims? I saw in this example that the display name for the FBA user is sridhara (unlike AD users). I did a little code trace and it seemed that the problem is in the claim provider itself....
Hi, Is Mapping of users for FBA to AD done automatically?
Not sure if this topic is active, but I would like to ask regarding the forms auth user. When I try to access it, it says access denied; it looks like that user doesn't have privileges to access the web application. When I try through Windows authentication it works. Is it because, like you described, I didn't set any role provider? I got one AD user from a different team who takes care of the LDAP domain setup, so I don't have full knowledge of their AD setup as I didn't set up the AD user myself. I just got one.
Please answer me, as I am stuck at this point where with forms authentication it gives me access denied and I can't go any further.
After following all the steps, a user is not able to sign in using forms authentication.
Exception from Event Viewer:
"An exception occurred when trying to issue security token: The security token username and password could not be validated.."
Event ID: 8306.
And more details from 14\LOGS\
Claims Authentication 0000 Unexpected Password check on 'domain\user' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
11/01/2011 09:17:34.25 w3wp.exe (0x15D4) 0x084C SharePoint Foundation Claims Authentication fo1t Monitorable SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
11/01/2011 09:17:34.26 w3wp.exe (0x0F68) 0x0E6C SharePoint Foundation Claims Authentication fsq7 High Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) 94b01cce-46bd-4871-88fd-57dc0195110d
11/01/2011 09:17:34.26 w3wp.exe (0x0F68) 0x0E6C SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The security token username and password could not be validated.. 94b01cce-46bd-4871-88fd-57dc0195110d
Thanks in advance.
Thanks for the helpful post. I was able to set up my site following the steps. But one thing I did notice is that I could only search by entering the exact user ID. If the search result has multiple values I see a log message "UserProfileManager.GetBulkUserProfiles() Failed to retrieve profile of xxx users", and the Forms Auth group does not contain any users.
Is this a normal experience?
Thanks for the nice article!
It's working fine for me.
Now I have one more scenario.
I have done forms based authentication from Active Directory in a SharePoint Foundation 2010 intranet application. And I have one more application, SharePoint 2007, which uses Windows authentication. Now I have to give a link from the SharePoint 2010 site which redirects to the SharePoint 2007 site, and I don't want to authenticate the user already logged in to the SharePoint 2010 site again in the SharePoint 2007 site. One more scenario is that we have one system and more than one user. Is there any way to authenticate users in the scenario I have?
Thanks in Advance