Configuring Forms Authentication in SharePoint 2010 Using ADLDS

 
In this article I am demonstrating how to create a claims-based web application using Active Directory Lightweight Directory Services (ADLDS) and SharePoint 2010. Forms-based authentication provides custom identity management in Microsoft SharePoint 2010 by implementing a membership provider, which defines interfaces for identifying and authenticating individual users, and a role manager, which defines interfaces for grouping individual users into logical groups. I found an article in the internet for the same purpose; most of the author's explainations are with the IIS configuration wizard to create a connection, providers etc. But here I am explainining a very manual approach and I didn't find many articles that explains forms with ADLDS.

This approach has two major parts:

1. Configure ADLDS
2. Configure Forms authentication with web application

Install and Configure ADLDS

Click on Start / Administrative Tools / Server Manager. Click on Roles and then elect Add Roles on the right navigation pane. Check the box beside Active Directory Lightweight Directory Services then follow the wizard until the end. AD LDS is now installed and ready to be configured with your first data store. In order to do so, click on Start / Administrative Tools / Active Directory Lightweight Directory Services Setup as shown below.

        

The following setup wizard welcome screen appears. Click Next.

        

Select a unique instance and then click on Next.

        

In the next screen give the instance name and description:

        

In the next screen give a convenient LDAP port number and SSL Port Number:

        

Select yes; create an application directory partition. Specify your Partition Name. Please make a note of this as you will need it at the end to connect the partition through ADSI Edit. Click Next.

        

Select your File Locations. Click Next.

        

Select this account (in my case), Network service account. Should be sufficient in most cases. Select Next:

        

Select your administrator account. Click Next:

        

Click on the below options. Click Next:

        

Summary selections screen. Review and then click Next:

        

        

Now that our instance is complete, we are required to connect to this instance via ADSI Edit MMC snap in. Click on Start / Administrative Tools / ADSI Edit. Once the MMC is loaded, right click on the ADSI Edit Note and select Connect to.

Fill in the Connection Settings.

• Name: Enter a friendly name.
   
• Connection Point: Click on Select or type a Distinguished Name and type in your Partition Name that you entered in earlier when creating the application directory partition.
   
• Computer: The machine that AD LDS is installed and the port number you specified earlier.
  Then click OK.
  
  
  

Click Connect to and fill in the below details and click OK:

       

Once done it will look like the screen below:

       

       

We now need to create a container to store our users. This is equivalent to an Organizational Unit in Active Directory. Right Click on your CN entry and select New / Object and select your class as container. Click Next.

       

Type Users as your value, Next and Finish.

      

Right Click on CN=Users and select New / Object, and select your class as user.

      

      

Type the username:

       

Then select (right-click) the user and reset the password:
      
      

Right-click on your newly created user object and select properties. Scroll down and locate the msDS-UserAccountDisabled attribute and set it to False:

      

Grant your SharePoint service account permission in the AD LDS store.
Expand your AD LDS connection within ADSI Edit and click on the CN=Roles container. Right-click on CN=Readers listed on the right Navigation Pane and select properties.

      

Locate the member attribute and select edit.

       

Then select Add Windows Account and browse for your SharePoint Service Account and click OK.

     

Once done you get the screen below:

     

Creating a SharePoint Web Application

To create a SharePoint Web application:

1. Browse to the SharePoint 2010 Central Administration page.
    
2. In the Application Management section, click Manage web applications.
    
3. On the ribbon, click New.
    
4. In the Create New Web Application dialog box, under Authentication, click Claims Based Authentication.
    
5. In the IIS Web Site section, under Create a new IIS web site, change the Name field to SharePoint – ADLDS FBA.
    
6. Change the Port number to 200.
    
7. In the Claims Authentication Types section, do the following:
   
   - Select Enable Forms Based Authentication (FBA).
   
   - I recommended to keep Windows so you get multiple authentication.
    
8. In the membership provider and role manager fields, enter the following names:
   
   - ASP.NET membership provider name: ADLDSMembership
    
9. In the Database Name and Authentication section, change the database name to be WSS_Content_200.
    
10. Leave other settings as their defaults.
     
11. Click OK to create the web application

• Central Administration: To allow picking for site collections.
   
• Security Token Service: To allow sign in, and for issuing tokens.
   
• FBA Web Application: To allow picking on the local web application.

<add name="ADLDSMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ServerName" port="60000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=SPFBAStore,DC=Destinitesting,DC=COM" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Repeat the above steps to FBA web application that we created.

Adjust the web.config of the Security Token Service (STS) virtual directory

The SecurityTokenServiceApplication website is located under the SharePoint Web Services website, as shown in the figure. Go to your IIS and find the SecurityTokenServiceApplication and open it:

        

Find the <system.web> entry.

Then find out <membership> tag and paste the following lines inside the provider tag:

<add name="ADLDSMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="ServerName" port="60000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="CN=SPFBAStore,DC=Destinitesting,DC=COM" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Add a user policy to the web application

1. Go to Central Administration
    
2. Go to Application Management
    
3. Click on Manage Web Applications
    
4. Select the claims based web application
    
5. Click on User Policy
    
6. Click on the Add Users link
    
7. Click the Next button.
    
8. Click the Address Book icon.
    
9. Type in the NT login name or account name and click the search button. If it's working correctly you should see at least two entries for the account – one that is for the user's Active Directory account, and one that is for that same account but which was found using the LDAP provider.
    
10. Select the account in the User section and click the Add button
     
11. Click the OK button
     
12. Check the Full Control checkbox, then click the Finish button
     
13. If you have configured dual mode then you can even go to your claim based web application and can add ADLDS user directly there
    
    
    

You have added your user then open your claims web application in Forms mode

       

Type your user ID and password. You are able to login: