LDAP Domain Users Access denied Error

  • Question

  • I have a MOSS 2007 test server set up and have configured Forms Based Authentication on an Internet site (just an extension of the main portal site) that authenticates via an LDAP Active Directory server. Most of it works: I can import profiles from the LDAP provider, and LDAP users can authenticate to the FBA URL.

    The problem I'm running into is with LDAP groups and the role provider. If I add an LDAP user to a SharePoint permissions group directly, he can log in and access the site with no problems. However, if I instead add a group from LDAP (which People Picker finds just fine), then members of that group can authenticate but get the "Access Denied" page for the portal.

    Error Access Denied

    Current User
    You are currently signed in as:  esmu

    The relevant portions of my web.config are below (I have entered these into the web.config for the main portal site, the extended site for forms based authentication, and the Central Management server site, making the required change for the default role provider for the central management site). I followed these steps:

    http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/38239458-ecb3-4983-b51b-d26ba8686a11

    And my web.config settings are:

      <system.web>
        <membership defaultProvider="Ldap_eDirectory">
          <providers>
            <add name="Ldap_eDirectory" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="My Server" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" useDNAttribute="true"
    userContainer="DC=AA,DC=BB,DC=CC,DC=DD" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

          </providers>
        </membership>
        <roleManager defaultProvider="LdapRoleProvider" enabled="true" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
          <providers>
            <add name="LdapRoleProvider" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="my server name" port="389" useSSL="false" groupContainer="DC=AA,DC=BB,DC=CC,DC=DD" groupNameAttribute="sAMAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=groupOfNames))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
          </providers>
        </roleManager>

    I have also read this article:

    http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/db7fb08a-de9b-4d72-8200-5621ff2f5315/

    I added LDAP Domain Users from my site as well as from Central Administration, but I still get the access denied error. Has anybody solved this problem?

    I am waiting for your kind response.

    thanks,

    Imran

    • Moved by Mike Walsh FIN Monday, March 29, 2010 8:21 AM FBA = (usually) Admin (From:SharePoint - Development and Programming (pre-SharePoint 2010))
    Monday, March 29, 2010 8:08 AM
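    The question's web.config fragment is the kind of thing a reviewer checks line by line before touching site permissions. The script below is an added example, not code from this thread or from SharePoint: it parses a <system.web> fragment modelled on the one above (the server name is replaced by a placeholder) and reports the settings worth looking at, namely useSSL="false" (the service-account bind and every search travel in cleartext on port 389), a groupFilter on groupOfNames (Active Directory security groups carry objectClass=group), and a userNameAttribute that differs between the two providers. It also builds the provider-prefixed principal names (membershipprovidername:username, roleprovidername:groupname) that the accepted answer below says FBA expects. The function and constant names are the example's own.

```python
"""Lint the LDAP membership and role provider settings in a MOSS 2007 web.config.

Added example (not from the thread, not SharePoint code). Parses a <system.web>
fragment modelled on the question's configuration and reports settings a
reviewer would flag before looking at group permissions.
"""
import xml.etree.ElementTree as ET

# Constructed sample based on the question's fragment; the server name is a placeholder.
SAMPLE_WEB_CONFIG = """<system.web>
  <membership defaultProvider="Ldap_eDirectory">
    <providers>
      <add name="Ldap_eDirectory"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.example.invalid" port="389" useSSL="false"
           userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
           useDNAttribute="true" userContainer="DC=AA,DC=BB,DC=CC,DC=DD"
           userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager defaultProvider="LdapRoleProvider" enabled="true" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
    <providers>
      <add name="LdapRoleProvider"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="ldap.example.invalid" port="389" useSSL="false"
           groupContainer="DC=AA,DC=BB,DC=CC,DC=DD" groupNameAttribute="sAMAccountName"
           groupMemberAttribute="member" userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=groupOfNames))"
           userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
    </providers>
  </roleManager>
</system.web>"""


def default_provider(config_xml, section):
    """Return the attributes of the <add> element named by the section's defaultProvider."""
    root = ET.fromstring(config_xml)
    node = root.find(section)
    if node is None:
        raise ValueError(f"no <{section}> element in config")
    wanted = node.get("defaultProvider")
    for add in node.iter("add"):
        if add.get("name") == wanted:
            return dict(add.attrib)
    raise ValueError(f"defaultProvider {wanted!r} has no <add> entry under <{section}>")


def lint_ldap_providers(config_xml):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    membership = default_provider(config_xml, "membership")
    role = default_provider(config_xml, "roleManager")

    for label, p in (("membership", membership), ("roleManager", role)):
        # useSSL="false": the service-account bind and every user search are sent in cleartext.
        if p.get("useSSL", "false").lower() != "true":
            findings.append(f"{label}: useSSL=false, LDAP traffic to port {p.get('port', '389')} is unencrypted")

    # AD security groups have objectClass=group; groupOfNames is the RFC 2256 class,
    # so a filter on it will not match AD groups.
    if "groupofnames" in role.get("groupFilter", "").lower():
        findings.append("roleManager: groupFilter selects groupOfNames, but AD groups use objectClass=group")

    # Role lookups start from the name the membership provider authenticated,
    # so both providers must identify users by the same attribute.
    if membership.get("userNameAttribute") != role.get("userNameAttribute"):
        findings.append("userNameAttribute differs between membership and role providers")

    if role.get("groupMemberAttribute", "member") != "member":
        findings.append("roleManager: AD stores direct group membership in the 'member' attribute")
    return findings


def fba_principal_names(config_xml, username, groupname):
    """Build the provider-prefixed names FBA expects: membershipprovider:user, roleprovider:group."""
    root = ET.fromstring(config_xml)
    m = root.find("membership").get("defaultProvider")
    r = root.find("roleManager").get("defaultProvider")
    return f"{m}:{username}", f"{r}:{groupname}"


if __name__ == "__main__":
    for line in lint_ldap_providers(SAMPLE_WEB_CONFIG):
        print("WARN", line)
    print(*fba_principal_names(SAMPLE_WEB_CONFIG, "esmu", "TestGroup"))
```

    Run against the sample, it reports the two cleartext providers and the groupOfNames filter; with useSSL="true" and groupFilter="(ObjectClass=group)" it reports nothing.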

Answers

  • hello

    you need to perform the following steps:

    1. On the root site go to Site Settings > Users and groups > All users

    2. Click New > Add user

    3. On the "Add user" page (/_layouts/aclinv.aspx), in the "Users/Groups" multiline textbox click the Browse button. The browse page for the people picker will open

    4. Enter the name of your AD group (e.g. TestGroup). It will probably show you 2 entities: NTLM (DOMAINNAME\testgroup) and FBA (roleprovidername:testgroup). You should select the FBA entity (roleprovidername:testgroup). Click Ok

    5. In the Give Permissions section on the "Add user" page select Full control (Full control is for testing. In real life you will select those permissions which you need) and click Ok.

    Now you have granted permissions to your AD group, which will be valid for FBA.

    In order to test that all works properly - create a user in AD and add it to TestGroup. Then log in under this user in the FBA zone (remember that you should use the FBA login name which looks like membershipprovidername:username, not DOMAINNAME\username). You will have Full control permissions under the FBA zone on your site.

    So to summarize:

    • when you work with AD groups for FBA you should always use roleprovidername:groupname (not DOMAINNAME\groupname)
    • when you work with AD users for FBA you should always use membershipprovidername:username (not DOMAINNAME\username)

    Hope it will help you


    Blog - http://sadomovalex.blogspot.com
    Codeplex - http://camlex.codeplex.com
    • Marked as answer by Imrannooooooo Thursday, April 8, 2010 7:02 AM
    Wednesday, April 7, 2010 12:18 PM

All replies

  • Hi,

    Just check whether you have proper site permissions: try to create a SharePoint group and then try to add the LDAP users to your new group.

    If above works, let me know.


    BR, PM
    Monday, March 29, 2010 8:27 AM
  • Dear Mandal,

    First, thank you for your kind information. I have checked the site permissions: I am the full primary administrator and I can create groups in SharePoint. I can also add LDAP users to that group, and I can add every LDAP user, and he can log in fine. I can add LDAP Domain Users as well.

    The problem is that if I add LDAP Domain Users to SharePoint groups (not the specific users, the LDAP Domain Users group), when he logs in to the site he gets the error

    Error Access Denied

    Current User
    You are currently signed in as:  esmu

    I can add LDAP users, but there are 7000 LDAP users; I cannot add all of them. I just want to add LDAP Domain Users, like in Windows Authentication where I only add the Domain Users group and everybody can access the site.

    thanks,

    Imranoooo

    Monday, March 29, 2010 9:22 AM
  • http://technet.microsoft.com/en-us/library/cc197251.aspx
    Hewlett Packard for Microsoft User Support
    Friday, April 2, 2010 11:28 AM
  • hello,

    In SharePoint, AD groups are mapped to users. I.e. if you have an AllUsers group in AD, you need to create a user AllUsers in SharePoint. But there is an important point: when you create a new user (which is mapped to the AllUsers AD group) in SharePoint you will have 2 entries for this group in the people picker (one entity for Windows-based NTLM authentication, which usually looks like DOMAINNAME\AllUsers, and another for FBA, which looks like LdapRoleProvider:AllUsers). In order to make it work you should select exactly the FBA entity, i.e. LdapRoleProvider:AllUsers. After you add the group using the FBA entity, you should assign appropriate permissions to it in the site collection and sites.

    Note that by default the people picker uses the NTLM entity. In order to use the valid FBA entity, you need to click the "Browse" button in the people picker (near the "Check names" button). In this case it will show you all entities, and you can select the FBA one.


    Blog - http://sadomovalex.blogspot.com
    Codeplex - http://camlex.codeplex.com
    Friday, April 2, 2010 2:28 PM
  • Dear Sadomo,

    Thank you for your information. I can add LdapRoleProvider:Domain Users and I can add LdapRoleProvider:Domain users, but I could not find how to give appropriate permissions to the site collection and sites?

    Waiting for your response.

    thanks,

    Imranoooooo

    Tuesday, April 6, 2010 3:35 PM
  • Thanks for your kind response.

    I have followed your instructions: I have added LdapRoleProvider:Domain Users with full control, and I have created a new user in AD as well as a new group in Active Directory and added two users, but without success. Again the same error.

    Error Access Denied

    Current User
    You are currently signed in as:  esmu

    thanks,

    Wednesday, April 7, 2010 2:28 PM
  • In addition to Sadomovalex's reply, make sure that you have added the LDAP membership provider and its roles in your web.config.

    Please confirm


    Ashish Kanoongo, MCP, MCSD, MCTS
    Wednesday, April 7, 2010 2:35 PM
  • Of course I have added the LDAP membership provider and role provider in three web.config files: intranet, internet and Central Administration.
    Wednesday, April 7, 2010 3:03 PM
  • Dear Sadomo, thanks for your support. I have resolved the problem. The problem is with Domain Users. I have created a new group in Active Directory and added all the users to the new group, then added the LdapRoleProvider:group. Then I can log in successfully. The default Domain Users group in Active Directory is not authorized in SharePoint. It will be better to create a new group in Active Directory and then add that new group in SharePoint server; it will work. Once again thank you very much for all your help. Thanks,
    • Proposed as answer by Peter_D503 Tuesday, May 18, 2010 4:16 AM
    Thursday, April 8, 2010 6:59 AM
  • We have just experienced the same issue - the Domain Users group doesn't work, even though it's in the Users container.

    I consider this a bug - what reason is there for this group not working?

    Tuesday, May 18, 2010 4:16 AM
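    The reply above asks why the built-in Domain Users group behaves differently from a freshly created one. The script below is an added example, not code from this thread; it models the explanation over a constructed directory snapshot. Active Directory records a user's primary group (Domain Users, RID 513, by default) in the user's primaryGroupID attribute and does not list that user in the group's member attribute. A role provider that resolves roles by searching groupMemberAttribute="member", as the web.config in this thread does, therefore never attributes Domain Users to a user whose only link to it is primaryGroupID, whereas a new group names its members in member and resolves normally. The DNs, SIDs, user names and function names are the example's own constructions.

```python
"""Why 'Domain Users' yields no members through a member-attribute lookup.

Added example (not from the thread). Models group resolution over a
constructed snapshot: once as a provider with groupMemberAttribute="member"
does it, and once also honouring the user's primaryGroupID.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed snapshot holding only the attributes the lookup reads.
DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=invalid": {
        "objectClass": ["group"],
        "sAMAccountName": "Domain Users",
        "objectSid": DOMAIN_SID + "-513",
        "member": [],  # AD does not write primary-group members here
    },
    "CN=PortalUsers,OU=Groups,DC=example,DC=invalid": {
        "objectClass": ["group"],
        "sAMAccountName": "PortalUsers",
        "objectSid": DOMAIN_SID + "-1105",
        "member": ["CN=esmu,CN=Users,DC=example,DC=invalid"],
    },
    "CN=esmu,CN=Users,DC=example,DC=invalid": {
        "objectClass": ["person", "user"],
        "sAMAccountName": "esmu",
        "primaryGroupID": 513,
    },
    "CN=bob,CN=Users,DC=example,DC=invalid": {
        "objectClass": ["person", "user"],
        "sAMAccountName": "bob",
        "primaryGroupID": 513,
    },
}


def _user_entry(username, directory):
    """Locate a user by sAMAccountName (case-insensitive, as AD compares it)."""
    for dn, entry in directory.items():
        if "user" in entry["objectClass"] and entry["sAMAccountName"].lower() == username.lower():
            return dn, entry
    raise LookupError(f"unknown user {username!r}")


def _groups(directory):
    return [(dn, e) for dn, e in directory.items() if "group" in e["objectClass"]]


def roles_via_member_attribute(username, directory, member_attr="member"):
    """What a provider with groupMemberAttribute=member sees: groups listing the user's DN."""
    user_dn, _ = _user_entry(username, directory)
    return sorted(e["sAMAccountName"] for _, e in _groups(directory) if user_dn in e.get(member_attr, []))


def roles_with_primary_group(username, directory):
    """Same lookup, plus the group whose RID equals the user's primaryGroupID."""
    _, user = _user_entry(username, directory)
    roles = set(roles_via_member_attribute(username, directory))
    rid = str(user["primaryGroupID"])
    for _, e in _groups(directory):
        if e["objectSid"].rsplit("-", 1)[1] == rid:
            roles.add(e["sAMAccountName"])
    return sorted(roles)


def is_authorized(username, directory, granted_roles, resolver=roles_via_member_attribute):
    """Permission check in the spirit of SharePoint's: allowed if any resolved role was granted."""
    return bool(set(resolver(username, directory)) & set(granted_roles))


if __name__ == "__main__":
    for user in ("esmu", "bob"):
        print(user, "member-attr:", roles_via_member_attribute(user, DIRECTORY),
              "with primary group:", roles_with_primary_group(user, DIRECTORY))
    print("esmu via Domain Users:", is_authorized("esmu", DIRECTORY, ["Domain Users"]))
    print("esmu via PortalUsers:", is_authorized("esmu", DIRECTORY, ["PortalUsers"]))
```

    Granting "Domain Users" therefore admits nobody under the member-attribute resolver, which matches the access denied reported in the thread, while granting the newly created group works because its member attribute is populated.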
  • Hi, did you mean that when you added the ADAM group to the Users container that resolved the problem?

    I am just wondering because I still receive access denied for groups :(

    <roleManager enabled="true" defaultProvider="LdapRoleProvider">
      <providers>
        <add name="LdapRoleProvider" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="Litwareserver" port="50002" useSSL="false" groupContainer="CN=Groups,DC=ADAM1,DC=ldap" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
      </providers>
    </roleManager>

    Any suggestions?

    Tuesday, June 22, 2010 12:20 PM
  • Imrannoooooo, could you approve that the resolution was adding LdapRoleProvider:group to the Active Directory group?
    Tuesday, June 22, 2010 12:23 PM
  • Sorry for the late response. No, you should create a new group in Active Directory with any name, then add all users to that group; then when you search for the group in the SharePoint site you will find LdapRoleProvider:xyzgroup, and then add your LdapRoleProvider:xyzgroup to your SharePoint site.

    I hope you understand.

    • Proposed as answer by Michael Liben Monday, September 27, 2010 5:07 PM
    Thursday, August 19, 2010 7:51 AM
  • Strange....I didn't propose a solution but marked it as if I did...

    Monday, September 27, 2010 5:17 PM