FBA Users with LDAP can not Login to Extended Web Application and access site

    Question

  • I have to expose my web application to Extranet. So I extended the Web application and Configured Form Based Authentication using "LDAP" and created Custom Login Page as well. It is working fine.

    Well, I am new to this FBA stuff. Now, while adding users in "User Policy" in Central Admin, I am getting two accounts for a user (FBA user and Windows user), as shown below.


    But the question is do we have to maintain permission separately for both FBA and AD Users?

    Moreover, while giving permission I am not getting FBA users. See screenshot below:


    Can't we create a security group for FBA users so that we don't have to give permission manually each time?

    While trying to log in, after successful authentication it throws a "Sorry We Encountered a Problem" error.

    Below are the ULS details:

    I have given access to the user earlier using the request access option, but it is still throwing the error.

    Thanks

    Shubham


    Friday 11 May 2018 11:32

All replies

  • Hi Shubham,

    From the error message, the main error is “Access is denied”: the FBA user does not have permission on the site. And in the people picker, you cannot find the FBA user.

    To troubleshoot the issue, check things below:

    1. Check if the “Form based Authentication Management” site collection feature is activated.

    Go to Site Settings -> Site Collection Administration -> Site Collection Features -> Form based Authentication Management.

    2. Create the new providers for each web application. And then configure the people picker to use the new providers.

    3. Check if you have configured FBA with LDAP according to the article below.

    Configure a SharePoint 2013 Web Application with Forms Based Authentication with a LDAP membership provider.

    https://blogs.msdn.microsoft.com/spblog/2014/09/26/configure-a-sharepoint-2013-web-application-with-forms-based-authentication-with-a-ldap-membership-provider/

    More references:

    Configuring Forms Based Authentication in SharePoint 2013 – Part 1 – Creating the Membership Database.

    https://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-in-sharepoint-2013-part-1-creating-the-membership-database/

    Configuring Forms Based Authentication in SharePoint 2013 – Part 2 – Adding users to the Membership Database.

    https://blogs.visigo.com/chriscoulson/configuring-forms-based-authentication-in-sharepoint-2013-part-2-adding-users-to-the-membership-database/

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday 14 May 2018 05:59
    Moderator
  • Hi Sara, 

    I could not find the "Form based authentication" feature in site collection features.

    Whereas I used this https://blogs.msdn.microsoft.com/spblog/2014/09/26/configure-a-sharepoint-2013-web-application-with-forms-based-authentication-with-a-ldap-membership-provider/ to configure LDAP authentication.

    This is working fine with other web applications but not extended web applications.

    Monday 14 May 2018 08:52
  • Hi Shubham,

    You should check if you have enabled FBA on the extended web application in Central Administration.

    Go to Central Administration -> Manage web applications -> select the extended web application -> click Authentication Providers in the ribbon -> check if FBA is selected.

    Best regards,

    Sara Fan




    Monday 14 May 2018 09:45
    Moderator
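    A check for the two points Sara raises (FBA enabled on the extended zone, and the providers and people picker entry registered in each zone's own web.config), as an added PowerShell example that is not from the thread. It assumes the SharePoint 2013 Management Shell on a farm server; the web application URL is a placeholder.

```powershell
# Added example (not from the thread): audit every zone of a web application for
# forms-based authentication and check that the zone's own web.config declares the
# membership provider and the PeoplePickerWildcards entry the people picker needs.
# Run in the SharePoint Management Shell on a farm server. The URL is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet.contoso.local"   # placeholder: default zone URL of the web application
$wa = Get-SPWebApplication $webAppUrl

foreach ($zone in $wa.IisSettings.Keys) {
    $iis = $wa.IisSettings[$zone]
    $fba = $iis.FormsClaimsAuthenticationProvider
    $webConfig = Join-Path $iis.Path.FullName "web.config"

    $result = [ordered]@{
        Zone               = $zone
        Url                = $wa.GetResponseUri($zone).AbsoluteUri
        FormsAuthEnabled   = $iis.UseFormsClaimsAuthenticationProvider
        MembershipProvider = $null
        RoleProvider       = $null
        ProviderInConfig   = $false
        PeoplePickerEntry  = $false
    }

    if ($fba -ne $null) {
        $result.MembershipProvider = $fba.MembershipProvider
        $result.RoleProvider       = $fba.RoleProvider
    }

    # Each zone is a separate IIS site with its own web.config, so an extended zone
    # does not inherit the provider registration made for the default zone.
    if ($result.FormsAuthEnabled -and (Test-Path $webConfig)) {
        [xml]$cfg = Get-Content -Path $webConfig -Raw

        $members = @($cfg.configuration.'system.web'.membership.providers.add)
        $result.ProviderInConfig = [bool]($members | Where-Object { $_.name -eq $result.MembershipProvider })

        # Without a PeoplePickerWildcards entry keyed by the membership provider name,
        # the people picker cannot search that provider, so FBA users never show up.
        $wildcards = @($cfg.configuration.SharePoint.PeoplePickerWildcards.add)
        $result.PeoplePickerEntry = [bool]($wildcards | Where-Object { $_.key -eq $result.MembershipProvider })
    }

    [pscustomobject]$result
}
```

    A zone that reports FormsAuthEnabled as True but ProviderInConfig or PeoplePickerEntry as False is the case this thread describes: the login page works, but the people picker cannot resolve FBA users for that zone.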
  • Your suspicions are correct that you're not going about this the right way. SharePoint sees that the LDAP and Windows auth user are two different identities, so you'd have to manage permissions independently -- clearly not sustainable.

    Instead what you should do is scrap the LDAP plan and go for a pre-auth reverse proxy placed in a DMZ. This will give you the forms-based logon capabilities while still retaining the use of Windows auth on SharePoint so you don't have to manage multiple identities.

    You can do this with WAP + ADFS if you want a Microsoft solution, or a ton of 3rd parties (F5, KEMP, etc.). Azure App Proxy would be another option if you have Azure P1 or better licenses for all users.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday 14 May 2018 14:12
    Moderator
  • Hi Shubham,

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan



    Tuesday 15 May 2018 00:55
    Moderator
  • Hi Sara, 

    Form Based Authentication is enabled; that's why I can access the login page.

    The error is: The referenced file '/_controltemplates/15/MUISelector.ascx' is not allowed on this page.

    ULS logs:
    Token Cache: Failed to get token from distributed cache for '0#.f|ldapmember|shp-admin000'.(This is expected during the process warm up or if data cache Initialization is getting done by some other thread).

    Application error when access /sites/publishing/SitePages/Home.aspx, Error=The referenced file '/_controltemplates/15/MUISelector.ascx' is not allowed on this page.  
     at System.Web.UI.TemplateParser.ProcessError(String message)    
     at System.Web.UI.BaseTemplateParser.GetReferencedType(VirtualPath virtualPath, Boolean allowNoCompile)    
     at System.Web.UI.BaseTemplateParser.GetUserControlType(VirtualPath virtualPath)    
     at System.Web.UI.MainTagNameToTypeMapper.ProcessUserControlRegistration(UserControlRegisterEntry ucRegisterEntry)    
     at System.Web.UI.BaseTemplateParser.ProcessDirective(String directiveName, IDictionary directive)    
     at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)

    Getting Error Message for Exception System.Web.HttpParseException (0x80004005): The referenced file '/_controltemplates/15/MUISelector.ascx' is not allowed on this page. ---> System.Web.HttpParseException (0x80004005): The referenced file '/_controltemplates/15/MUISelector.ascx' is not allowed on this page. ---> System.Web.HttpException (0x80004005): The referenced file '/_controltemplates/15/MUISelector.ascx' is not allowed on this page.    
     at System.Web.UI.TemplateParser.ProcessError(String message)    
     at System.Web.UI.BaseTemplateParser.GetReferencedType(VirtualPath virtualPath, Boolean allowNoCompile)    
     at System.Web.UI.BaseTemplateParser.GetUserControlType(VirtualPath virtualPath)    
     at System.Web.UI.MainTagNameToTypeMapper.ProcessUserControlRegistration(UserControlRegisterEntry ucRegisterEntry)    
     at System.Web.UI.BaseTemplateParser.ProcessDirective(String directiveName, IDictionary directive)    
     at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)    
     at System.Web.UI.TemplateParser.ProcessException(Exception ex)    
     at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)    
     at System.Web.UI.TemplateParser.ParseString(String text, VirtualPath virtualPath, Encoding fileEncoding)    
     at System.Web.UI.TemplateParser.ProcessException(Exception ex)    
     at System.Web.UI.TemplateParser.ParseStringInternal(String text, Encoding fileEncoding)    
     at System.Web.UI.TemplateParser.ParseString(String text, VirtualPath virtualPath, Encoding fileEncoding)    
     at System.Web.UI.TemplateParser.ParseFile(String physicalPath, VirtualPath virtualPath)    
     at System.Web.UI.TemplateParser.ParseFile(String physicalPath, String virtualPath)    
     at System.Web.UI.TemplateParser.Parse()    
     at System.Web.UI.TemplateParser.Parse(ICollection referencedAssemblies, VirtualPath virtualPath)    
     at System.Web.Compilation.BaseTemplateBuildProvider.get_CodeCompilerType()    
     at System.Web.Compilation.BuildProvider.GetCompilerTypeFromBuildProvider(BuildProvider buildProvider)    
     at System.Web.Compilation.BuildProvidersCompiler.ProcessBuildProviders()    
     at System.Web.Compilation.BuildProvidersCompiler.PerformBuild()    
     at System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath)    
     at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)    
     at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)    
     at System.Web.Compilation.BuildManager.GetVirtualPathObjectFactory(VirtualPath virtualPath, HttpContext context, Boolean allowCrossApp, Boolean throwIfNotFound)    
     at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp)    
     at System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath)    
     at System.Web.HttpApplication.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()    
     at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)    
     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Tuesday 15 May 2018 14:49
  • Hi Shubham,

    To troubleshoot the issue, check things below:

    1. Install AppFabric Cumulative Update 3, AppFabric Cumulative Update 4, or a later AppFabric CU on all servers in the farm.

    2. Add the backgroundGC key to the DistributedCacheService.exe.config file on all cache servers.

    3. Restart the AppFabric Windows service on all cache servers.

    4. Restart the Distributed Cache SharePoint service on all cache servers.

    5. Reset IIS (IISRESET) on all servers in the farm.

    For more detailed information, refer to the article below.

    SharePoint 2013 distributed cache bug.

    https://www.habaneroconsulting.com/stories/insights/2013/sharepoint-2013-distributed-cache-bug

    Best regards,

    Sara Fan



    Wednesday 16 May 2018 09:28
    Moderator
  • It got resolved: I un-extended the web application and re-extended it again. It worked!!
    Thursday 17 May 2018 10:05
  • Hi Shubham,

    I am very happy that you have resolved your problem.

    Thank you for sharing; it will help others who have the same issue.

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan



    Thursday 17 May 2018 10:13
    Moderator
  • Hi Trevor,

    Thanks for the post. The client wants FBA + LDAP only, but the problem is I am not getting FBA users while giving permission to them in the group. Is this something related to User Profile Synchronization?

    Now, service accounts which are given access in the web application User Policy are able to access the site.

    As I am new to this FBA thing, I have one more query: will there be different user profiles for the users based on LDAP and Windows auth?

    Thursday 17 May 2018 10:13
  • Hi theshubgam,

    Follow the Microsoft lab guide below on FBA with LDAP and see if it helps!

    https://download.microsoft.com/download/1/2/9/129E9CB3-D9AD-4EE5-AE92-6E7ABE5F2A2A/tlg-sp2013-fba-claims.pdf

    -Ashok Yadala


    Best Regards, A-Yadala Please remember to click "Mark As Answer" if a post solves your problem or "Vote As Helpful" if it was useful.

    Thursday 17 May 2018 11:38
  • Hi Shubham,

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan



    Monday 21 May 2018 01:56
    Moderator
  • Hi Shubham,

    I am checking to see how things are going there on this issue. Please let us know if you would like further assistance.

    If the issue was resolved, you can mark the helpful post as answer to help other community members find the helpful information quickly.

    Best regards,

    Sara Fan



    Tuesday 5 June 2018 01:37
    Moderator