Forms Based Authentication with Active Directory issue

  • Wednesday, November 04, 2009 8:34 PM DannyH
    I have set up the connection correctly, at least I think it is correct. Here is what is happening: when I go to the external website and log in, I get redirected to a blank page. If I try to go to the home page by typing the URL (https://testexternalsite.com/pages/default.aspx) I get the SharePoint access denied page, and I am even a full control user in the site collection. I was even set as a site collection administrator and still get the same results.

    Here are the edits I added to the web.config files of central admin and the two web apps.

    <connectionStrings>
        <add name="ADConnString" 
                connectionString="LDAP://domain.com/OU=System Accounts,DC=domain,DC=com" 
                name="ADServices" />
      </connectionStrings>
    
    
        <membership defaultProvider="ADProvider">
          <providers>
            <add name="ADProvider" 
                    connectionStringName="ADConnString"
                    applicationName="web:80"    
                    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    connectionUsername="domain\admin" 
                    connectionPassword="password"
                    attributeMapUsername="SAMAccountName" />
          </providers>
        </membership>
        <httpModules>
    

Answers

  • Friday, November 06, 2009 2:10 AM Gunner999
    Here are my suggestions

    This is incorrect with two names; it should be like this:
    <connectionStrings>
         <clear/>
        <add name="ADConnString"
                connectionString="LDAP://domain.com/OU=System Accounts,DC=domain,DC=com" />
      </connectionStrings>

    Seems you are missing this:

       <authorization>
        <deny users="?" />
        <allow users="*" />
       </authorization>

    Add a clear on existing providers, and your credentials go in the RoleManager, not the membership provider.

    You may also need to use
    "System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.50727.3082, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    as the type setting, in the membership provider.

        <membership defaultProvider="ADProvider">
          <providers>
               <clear />
            <add name="ADProvider"
                    connectionStringName="ADConnString"
                    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    applicationName="web:80" />
          </providers>
        </membership>

        <roleManager defaultProvider="ADProvider">
          <providers>
               <clear />
            <add name="ADProvider"
                    connectionStringName="ADConnString"
                    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    applicationName="web:80" 
                    connectionUsername="domain\admin"
                    connectionPassword="password"
                    attributeMapUsername="SAMAccountName" />
          </providers>
        </roleManager>

    • Marked As Answer by DannyH Thursday, November 12, 2009 5:56 PM

All Replies

  • Thursday, November 05, 2009 4:15 PM DannyH
     
    Anyone? Come on, someone has to have set up an external site using FBA with AD. Someone, anyone?
  • Friday, November 06, 2009 1:31 AM Gunner999
     
  • Friday, November 06, 2009 7:28 PM DannyH
     
    Gunner,
    The second name in the connection string was corrected.
    I added the entries into the authorization node.
    I added the following roleManager node to all web.config files:
     <add name="AspNetWindowsTokenRoleProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    When I added the credentials to the role manager it came back with an attribute not recognized error.

    And when I changed the type attribute to what you suggested I got this:
    Provider must implement the class 'System.Web.Security.RoleProvider'.
         

    So I'm still exactly where I started, any other suggestions?
  • Friday, November 06, 2009 10:08 PM Gunner999
     
    I think your name doesn't match any more:
    <add name="AspNetWindowsTokenRoleProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    Should be:

    <add name="ADProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    Otherwise post your code again.
  • Friday, November 06, 2009 11:00 PM DannyH
    Ok, I made some changes and now get a different result: it does not accept my login account even though I am a site collection admin.
    Also, when navigating to the home page on the external site it displays a blank screen instead of the login screen. You have to put in https://url.com/pages/default.aspx to get to the login screen.


    Here is my config code; this is added to the CA, internal web app, and external web app.

      <connectionStrings>
        <clear />
        <add name="ADConnString" connectionString="LDAP://dc.com/OU=System Accounts,OU=Sites,DC=dc,DC=com" />
      </connectionStrings>
      <authorization>
        <allow users="*" />
        <deny users="?" />
      </authorization>

      <membership defaultProvider="ADProvider">
        <providers>
          <clear />
          <add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>

      <roleManager defaultProvider="ADProvider">
        <providers>
          <clear />
          <add name="ADProvider"
               connectionStringName="ADConnString"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               applicationName="web:80"
               connectionUsername="user"
               connectionPassword="password"
               attributeMapUsername="sAMAccountName" />
        </providers>
      </roleManager>
    

          
  • Friday, November 06, 2009 11:10 PM DannyH
    Just noticed the type in the roleManager. I changed it to what you said, the WindowsTokenRoleProvider, but that didn't make a difference.
    This is now registering in the event log of the WFE:

    Event code: 4006 
    Event message: Membership credential verification failed. 
    Event time: 11/6/2009 5:05:34 PM 
    Event time (UTC): 11/6/2009 11:05:34 PM 
    Event ID: 3fc60e75116f4e9a9192bc73c4d539a8 
    Event sequence: 12 
    Event occurrence: 3 
    Event detail code: 0 
     
    Application information: 
        Application domain: /LM/W3SVC/931017649/Root-9-129020221563835120 
        Trust level: WSS_Minimal 
        Application Virtual Path: / 
        Application Path: C:\Inetpub\wwwroot\wss\VirtualDirectories\web.com443\ 
        Machine name: MOSS-WFE 
     
    Process information: 
        Process ID: 5044 
        Process name: w3wp.exe 
        Account name: domain\app_pool_acct
     
    Request information: 
        Request URL: https://web.com:443/_layouts/login.aspx?ReturnUrl=%2fPages%2fdefault.aspx 
        Request path: /_layouts/login.aspx 
        User host address: xxx.xxx.xxx.xxx 
        User:  
        Is authenticated: False 
        Authentication Type:  
        Thread account name: domain\IUSR_MOSS-WFE
     
    Name to authenticate: testUser 
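    The 4006 event above is the one a defender keeps an eye on: ASP.NET writes one per failed membership credential check, and the body carries the source address and the account name that was tried. Added example, not code from this thread and not Microsoft's: a parser for events in that format and a simple per-source threshold, run over constructed sample events modelled on the one posted. The host names, addresses and account names in the sample are made up.

```python
"""Added example: parse ASP.NET health-monitoring events (format as posted
above) and flag source addresses with repeated 4006 membership failures.
Illustrative code, not part of SharePoint or ASP.NET; the sample log at the
bottom is constructed."""
import re
from datetime import datetime

# "Key: value" lines; the key is taken up to the first colon so URLs stay intact.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ()]*?):\s*(?P<value>.*?)\s*$")


def parse_event(text):
    """Turn one multi-line event into a dict; section headers (empty value) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):
            fields[m.group("key")] = m.group("value")
    return fields


def split_events(log):
    """Each event starts at a line beginning with 'Event code:'."""
    chunks, current = [], []
    for line in log.strip().splitlines():
        if line.strip().startswith("Event code:") and current:
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    return chunks


def failed_logins(log):
    """Return (utc_time, source_address, attempted_name) for every 4006 event."""
    out = []
    for chunk in split_events(log):
        ev = parse_event(chunk)
        if ev.get("Event code") != "4006" or "Event time (UTC)" not in ev:
            continue
        when = datetime.strptime(ev["Event time (UTC)"], "%m/%d/%Y %I:%M:%S %p")
        out.append((when, ev.get("User host address"), ev.get("Name to authenticate")))
    return out


def suspicious_sources(log, threshold=3, window_seconds=300):
    """Map source address -> failure count for sources with >= threshold
    failures inside any window_seconds-long window (sliding window)."""
    by_host = {}
    for when, host, _name in failed_logins(log):
        by_host.setdefault(host, []).append(when)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[host] = j - i + 1
                break
    return flagged


# Constructed sample: three failures from one address in under two minutes,
# an unrelated 3005 (unhandled exception) event, and one failure from elsewhere.
SAMPLE_LOG = """Event code: 4006
Event message: Membership credential verification failed.
Event time (UTC): 11/6/2009 11:05:34 PM
Request information:
    Request URL: https://web.example.com:443/_layouts/login.aspx?ReturnUrl=%2fPages%2fdefault.aspx
    User host address: 203.0.113.5
    Is authenticated: False
Name to authenticate: alice

Event code: 4006
Event message: Membership credential verification failed.
Event time (UTC): 11/6/2009 11:06:10 PM
    User host address: 203.0.113.5
Name to authenticate: bob

Event code: 4006
Event message: Membership credential verification failed.
Event time (UTC): 11/6/2009 11:07:02 PM
    User host address: 203.0.113.5
Name to authenticate: testUser

Event code: 3005
Event message: An unhandled exception has occurred.
Event time (UTC): 11/6/2009 11:15:00 PM
    User host address: 198.51.100.7

Event code: 4006
Event message: Membership credential verification failed.
Event time (UTC): 11/6/2009 11:20:00 PM
    User host address: 198.51.100.7
Name to authenticate: carol
"""
```

    Feeding the WFE's exported application log through suspicious_sources() gives the addresses worth a closer look; the threshold and window are assumptions to tune per site, and a single legitimate user mistyping a password a couple of times stays below them.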
    
  • Saturday, November 07, 2009 2:34 AM Gunner999
     
    Ok, I made some changes and now a different result, it does not accept my login account even though I am a site collection admin.

    This may be due to how you are supplying your name.  Since you specify attributeMapUsername="sAMAccountName"  you should enter domain\username.  If you remove this setting you need to use username@domain.com.

    I would try these first.


    WindowsTokenRoleProvider was copied from the code you pasted in the previous post... I missed that.

    Both the roleManager and the Membership need to use System.Web.Security.ActiveDirectoryMembershipProvider.

    Not sure what the new error is regarding.
  • Monday, November 09, 2009 8:09 PM DannyH
     

    So I got everything right, I believe, but when I go to add a user to the policy for the web app it is not finding any of the users in the people picker.
    I did add <add key="ADProvider" value="%" /> to the people picker node.
    Am I missing something else?

  • Monday, November 09, 2009 9:04 PM DannyH
     

    In the LDAP connection string, does the last entry need to be a container or is using an OU fine?
    I have: OU=System Accounts,OU=Sites,DC=dc,DC=com

    Should it be: CN=System Accounts,OU=Sites,DC=dc,DC=com?

  • Monday, November 09, 2009 9:56 PM Gunner999
     
    Yes, sorry I missed that. Probably Sites as well.

    CN=System Accounts,CN=Sites,DC=dc,DC=com

    Actually the best test is using only the domain DC portions like so.

    DC=dc,DC=com

    This will include all user accounts in the domain; once you know this works, you can trim it down to a specific OU as shown above. You can use ADSI Edit to attach to the domain and get the correct format from that utility as well.
  • Monday, November 09, 2009 10:07 PM DannyH
     
    Trimming it down to just the DC portion still doesn't work. This is soooo annoying.
  • Monday, November 09, 2009 10:13 PM DannyH
    One more time, here is my web.config file; it's the same throughout all web apps. Does it look right?
      <authorization>
        <allow users="*" />
        <deny users="?" />
      </authorization>

      <PeoplePickerWildcards>
        <clear />
        <add key="ADProvider" value="%" />
        <add key="AspNetSqlMembershipProvider" value="%" />
      </PeoplePickerWildcards>

      <connectionStrings>
        <clear />
        <add name="ADConnString" connectionString="LDAP://domaincontroller.domain.com/DC=domain,DC=com" />
      </connectionStrings>

      <membership defaultProvider="ADProvider">
        <providers>
          <clear />
          <add name="ADProvider"
               connectionStringName="ADConnString"
               applicationName="web:80"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>

      <roleManager defaultProvider="ADProvider">
        <providers>
          <clear />
          <add name="ADProvider"
               connectionStringName="ADConnString"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               applicationName="web:80"
               connectionUsername="domain\admin"
               connectionPassword="password"
               attributeMapUsername="sAMAccountName" />
        </providers>
      </roleManager>
    
    
  • Tuesday, November 10, 2009 1:10 AM Gunner999
     

    Here is my code; it wasn't written for SharePoint, but it should work.

    Mine is ordered a little differently than yours... but I don't notice anything major.
    A small version difference on the membership provider... Version=2.0.50727.3082
    A few of my items are ordered differently.


      <connectionStrings>
        <clear/>
        <add name="DirectoryService" connectionString="LDAP://domain.net/DC=domain,DC=net" />
      </connectionStrings>

        <authentication mode="Forms">
          <forms name=".TestForm" />
        </authentication>

       <authorization>
        <deny users="?" />
        <allow users="*" />
       </authorization>

        <membership defaultProvider="ADMembershipProvider">
          <providers>
            <clear />
            <add name="ADMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.50727.3082, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="DirectoryService"
                 applicationName="SampleAuthorization" />
          </providers>
        </membership>

        <roleManager defaultProvider="ADMembershipProvider">
          <providers>
            <clear />
            <add name="ADMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="DirectoryService"
                 connectionUsername="domain\user"
                 connectionPassword="password"
                 applicationName="SampleAuthorization"
      />
          </providers>
        </roleManager>  
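    Added example, not part of this thread and not DannyH's, Gunner999's or Microsoft's code: a small linter for the web.config sections the whole thread circles around. It checks the defects the accepted answer points out (two name attributes on one <add>, a missing <clear/>, a defaultProvider that does not match any provider name) and two things a security reviewer would flag in the configs posted here: <authorization> is first-match-wins, so <allow users="*"/> placed ahead of <deny users="?"/> never denies anonymous users, and connectionPassword in web.config is a plaintext directory credential on disk. The sample configs, domain names and account names inside are constructed.

```python
"""Added example: lint the forms-authentication sections of a web.config for
the mistakes raised in this thread plus two points a security reviewer checks
(authorization rule order, plaintext directory credentials). Illustrative code,
not SharePoint's or ASP.NET's own validation; the sample configs are constructed."""
import xml.etree.ElementTree as ET

AD_TYPE = ("System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, "
           "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")


def lint_fba_config(xml_text):
    """Return a list of (severity, message) findings for a <configuration> fragment."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Two name="" attributes on one <add> (the first post) are not well-formed
        # XML; ASP.NET rejects the whole web.config for the same reason.
        return [("error", "web.config is not well-formed XML: %s" % exc)]

    # Provider sections: <clear/> present, defaultProvider resolvable, no inline password.
    for section in ("membership", "roleManager"):
        for sec in root.iter(section):
            providers = sec.find("providers")
            adds = providers.findall("add") if providers is not None else []
            names = [a.get("name") for a in adds]
            if providers is None or providers.find("clear") is None:
                findings.append(("warn", "<%s>: no <clear/>; providers inherited from "
                                 "machine.config stay active" % section))
            default = sec.get("defaultProvider")
            if default not in names:
                findings.append(("error", "<%s>: defaultProvider '%s' is not among %s"
                                 % (section, default, names)))
            for add in adds:
                if add.get("connectionPassword"):
                    findings.append(("warn", "<%s>/'%s': plaintext connectionPassword; "
                                     "encrypt the section (aspnet_regiis -pe) or let the "
                                     "app pool identity bind" % (section, add.get("name"))))

    # UrlAuthorizationModule applies the first matching rule, so order matters.
    for auth in root.iter("authorization"):
        rules = [(r.tag, r.get("users")) for r in auth]
        if ("deny", "?") not in rules:
            findings.append(("warn", "<authorization>: anonymous users (?) are never denied"))
        elif ("allow", "*") in rules and rules.index(("allow", "*")) < rules.index(("deny", "?")):
            findings.append(("error", '<authorization>: <allow users="*"/> comes before '
                             '<deny users="?"/>, so the deny rule is never reached'))
    return findings


# Constructed: the two-name <add> from the first post, with a fictional domain.
DUPLICATE_NAME = """<configuration><connectionStrings>
  <add name="ADConnString" connectionString="LDAP://dc.example.com/DC=example,DC=com" name="ADServices" />
</connectionStrings></configuration>"""

# Constructed: allow before deny, missing <clear/>, mismatched defaultProvider, inline password.
WEAK_CONFIG = f"""<configuration>
  <connectionStrings><add name="ADConnString" connectionString="LDAP://dc.example.com/DC=example,DC=com" /></connectionStrings>
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
  <membership defaultProvider="ADProvider"><providers>
    <add name="ADProvider" connectionStringName="ADConnString" type="{AD_TYPE}" />
  </providers></membership>
  <roleManager defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
    <clear />
    <add name="ADProvider" connectionStringName="ADConnString" type="{AD_TYPE}"
         connectionUsername="EXAMPLE\\svc_ldap" connectionPassword="Hunter2!" />
  </providers></roleManager>
</configuration>"""

# Constructed: the same sections with every finding above corrected.
FIXED_CONFIG = f"""<configuration>
  <connectionStrings><clear /><add name="ADConnString" connectionString="LDAP://dc.example.com/DC=example,DC=com" /></connectionStrings>
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <membership defaultProvider="ADProvider"><providers>
    <clear />
    <add name="ADProvider" connectionStringName="ADConnString" type="{AD_TYPE}" />
  </providers></membership>
  <roleManager defaultProvider="ADProvider"><providers>
    <clear />
    <add name="ADProvider" connectionStringName="ADConnString" type="{AD_TYPE}" />
  </providers></roleManager>
</configuration>"""
```

    Point lint_fba_config() at the real web.config text to get the findings; an empty list means none of the checked problems are present. The fixed sample drops connectionPassword entirely, which assumes either that the application pool identity is allowed to bind to the directory or that the section holding the credential has been encrypted with aspnet_regiis -pe, so no plaintext password sits in the file.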

  • Thursday, November 12, 2009 5:56 PM DannyH
     
    Ok, I finally got it working and I think it was working all along. I just didn't realize that you can't do a people picker search with just a few letters of the person you are looking for; you have to put in the whole name. So the code in my previous post does work.

    Thanks for the help Gunner.