SharePoint Foundation FBA Claims Based Authentication does not honor account or password expired


  • FOrwarding an unanswered post from a co-worker:

    I have implimented FBA Claims Authentication for a soon to be internet-facing site using :

            <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
            <add name="ADMembers" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="adconn" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />

    I was happy to get the signon working.


    Logons with an expired account or password are still issued a valid token for the site.

    Disabled or locked accounts are correctly rejected.

    Normal sequence of events for a new ID is to set it up with a password the user must change at first logon.

    The Sign On control evidently verifies a valid password and issues a token without checking for expiration of the account or password.

    Note:  I am researching a custom membership provider because ActiveDirectoryMembershipProvider does not supply required information to the People Picker - (the signon ID is all I have to work with at present)

    The mechanism of changing the password is yet another area under research&development.

    Any tips in these latter points are appreciated as well.  But Authentication really needs to validate the credentials correctly including expiration.

    Monday, April 09, 2012 6:08 PM

All replies

  • Hi,

    From your narration, it looks like you are using LDAP provider. Based on my research, you can use the following filter to screen out disabled user.

    (&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))

    For more information about configuring LDAP provider, check out the following article:


    Rock Wang

    Rock Wang TechNet Community Support

    Wednesday, April 11, 2012 7:17 AM
  • Actually I am using System.Web.Security.ActiveDirectoryMembershipProvider, as stated above in the title and body of the post.

    The LDAP provider is not available for SharePoint Foundation and does not work.

    Parser Error Message: Could not load type
    'Microsoft.Office.Server.Security.LdapMembershipProvider' from assembly
    'Microsoft.Office.Server, Version=, Culture=neutral,

     SharePoint Foundation does not supply Microsoft.Office.Server.UserProfiles (in Microsoft.Office.Server.UserProfiles.dll) which contains this namespace,

    I spent a couple days trying to follow the article refernced in your reply before discovering  this

    • Edited by nfts Wednesday, April 11, 2012 6:25 PM
    Wednesday, April 11, 2012 3:53 PM