Ever wanted to provide clients or other external parties such as vendors, affiliates etc access to your SharePoint Sites without having to provide them with a Windows Active Directory Account? Luckily, SharePoint provides you with the ability to setup multiple authentication providers and in today’s post I will provide you with step by step instructions on how this can be easily achieved utilising Windows 2008 Active Directory Lightweight Directory Services (AD LDS) formerly known as Active Directory Application Mode (ADAM).
Previously, the most common method of providing Forms Authentication was to utilise the SQL Server membership provider which entailed running the ASP.NET SQL Server Setup wizard to configure your SQL server for application services, in our case SharePoint. My preferred method for extra security and flexibility is to utilise AD LDS, so let’s get to it.
1) Add the AD LDS Role to any Windows 2008 server
Click on Start / Administrative Tools / Server Manager. Click on Roles and then elect Add Roles on the right navigation pane. Check the box beside Active Directory Lightweight Directory Services then follow the wizard until the end. AD LDS is now installed and ready to be configured with your first data store.
In order to do so, click on Start / Administrative Tools / Active Directory Lightweight Directory Services Setup. The following setup wizard welcome screen appears. Click Next. 
Select A unique instance and then click on Next. 
Type in a friendly Instance Name. This will make it easier to distinguish down the track in the event you need to setup multiple instances for various applications.
Specify your LDAP port numbers and then click Next. Note that these numbers cannot be in use by any other application on your system. In my case I have specified 6000 and 6001 for SSL. 
Select Yes, create an application directory partition. Specify your Partition Name (keep this handy as you will need it at the end to connect the partition through ADSI Edit. Click Next. 
Select your File Locations. Click Next. 
Select Network service account. This should be sufficient in most cases. Select Next. 
Select your administrator account. Click Next. 
Click on the below options. This will be needed for your Extranet users accounts. Click Next 
Summary selections screen. Review and then click Next. 
Click Finish. 
You will notice that your newly created Instance (and other AD LDS instances for that matter) will now be listed under Programs and Features. This is where you will need to go in the event you want to remove that AD LDS instance at a later date. 
Now that our instance is complete, we are required to connect to this instance via ADSI Edit MMC snap in. Click on Start / Administrative Tools / ADSI Edit. Once the MMC is loaded, right click on the ADSI Edit Note and select Connect to…
Fill in the Connection Settings.
Name: Enter a friendly name
Connection Point: Click on Select or type a Distinguished Name and type in your Partition Name that you entered in earlier when creating the application directory partition (your wrote that part down like I told you, didn’t you?)
Computer: The machine that AD LDS is installed and the port number you specified earlier on.
Then click OK. 
Your User Store should now look similar to the screen below. 
We now need to create a container to store our users. This is equivalent to an Organizational Unit in Active Directory. Right Click on your CN entry and select New / Object and select your class as container. Click Next. 
Type Users as your value, Next and Finish 
We can now create our users in the “Users” container that we have just created.
Right Click on CN=Users and select New / Object, and select your class as user. 
Type in a user name. 
Right Click on your newly created user object and select properties. Scroll down and locate the msDS-UserAccountDisabled attribute and set it to False. 
Please note that if you have setup ADLDS on an existing domain, the password complexity requirements will be inherited from the Default Domain Policy and you may receive the following error after trying to apply any settings to that user account.
“Operation failed: Error code: 0x52d Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.”
You will need to set the password by right clicking on the user object and selecting reset password. You will be prompted to enter and confirm the new password. 
2) Grant your SharePoint service account permission in the AD LDS store
Expand your AD LDS connection within ADSI Edit and click on the CN=Roles container. Right Click on CN=Readers listed on the right Navigation Pane and select properties. 
Locate the member attribute and select edit. 
Then select Add Windows Account and browse for your SharePoint Service Account and click OK. 
Wow, are we almost there yet? Well, for AD LDS we are. Now it’s time to focus more on the SharePoint side of things and Extend the existing web application to the Extranet Zone and set it to use Forms Based Authentication.
3) Extending your Web Application
Click on Start / Administrative Tools / SharePoint 3.0 Central Administration / Application Management.
Under SharePoint Web Application Management, click on "Create or extend Web application" Then Click on "Extend an existing Web application"
Select the Web application you would like to extend, and create a new IIS web site.
Enter port 443 and a host header which you can resolve via DNS, select SSL (you want to secure and encrypt your extranet zone for external access) and ensure your zone is set to Extranet. 
4) Authentication Providers
Again, under Central Administration / Application Management / Application Security, Select Authentication Providers.
Make sure the correct Web Application is selected and then click on the Extranet Zone
Select Forms as your Authentication Type and type in a Membership Provider Name (this can be set to anything) but will be required to be changed/match what you place in your web.config file. In my case I have set it to ADLDSMembership. Once you have made your changes, click Save. 
5) Modifying the web.config file for your Extranet Zone Site and your Default Zone Site
Here we need to browse to the location where our web.config file is located for the Web Site that we extended in step 2. By default, Internet Information Services (IIS) stores these files under
C:\inetpub\wwwroot\wss\VirtualDirectories\<Web Site Directory>
If you followed my example and specified a fully qualified domain name for your Host Header and a port number (443) the web site virtual directory will look something like this;
extranet.georgekhaliltesting.com443
The root of this directory will include the web.config file which you will now edit in your favourite editor (my case notepad) and insert the following entry just after your <system.web> node.
I have highlighted the variables in Red.
<membership defaultProvider="ADLDSMembership">
<providers>
<add
name="ADLDSMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="<servernamehostingADLDS>"
port="60000"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="cn"
userContainer= "CN=Users,CN=SPFBAStore,DC=georgekhaliltesting,DC=COM"
userObjectClass="user"
userFilter="(ObjectClass=user)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
You will also need to add the below code for your People Picker to correctly pick up your AD LDS users. Kudo’s to Matt Morse on this one. You can read more about it here
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="ADLDSMembership" value="*" />
</PeoplePickerWildcards>
Save your web.config file (oh did I mention take a backup copy first before editing) and then run IISRESET to ensure all new settings have been applied.
I accidently omitted this step from my original post, however you will also need to modify the web.config file for your Default Zone (Windows Authentication) to allow you to add the ADLDS users to your SharePoint groups later in the process.
That’s it! Finally we got there. When an external partner browses to the extended website in the Extranet Zone they will receive the following SharePoint Forms Login Screen which will authenticate them against the AD LDS store that we have created specifically for this Web Site. When an internal user browses to the default site (Windows Authentication) they will not receive a login screen and will access the SharePoint site via windows integrated authentication. 
If for some reason you don’t receive the above login screen but the dreaded SharePoint “Error… Troubleshoot issues with Windows SharePoint Services” something has gone pear shaped along the way. 
Don’t forget, you still need to provide your AD LDS users access to your SharePoint site via Site Actions / Site Settings / People and Groups. It is easier to add your AD LDS users via the default Windows Authentication Zone. You will notice in the below screen shot that the people picker will display both Domain User Accounts and AD LDS Membership Accounts. 
Now that our Forms Based Authentication model is now working for our External Partners to access our SharePoint site, are we able to customize the login page so it’s not so generic? Of course you can! But that will have to wait for another post…. Below is a little teaser of a FBA login screen that I have customised using SharePoint Designer (and I’m no graphics artist either :)) 
In Summary, AD LDS gives organisations flexible support for directory enabled applications and as you can see we are able to successfully implement and integrate AD LDS with SharePoint. Lastly, AD LDS can also provide us with the same functionality as a full blown Active Directory setup without the requirement to deploy separate domains or domain controllers.
17 comments:
i try n it wz not working for me...i people picker nt acceting any user at all
Hi Yasir,
Could you please provide me more information regarding your setup so that I can assist. Have you tried to use the people picker under the default site using Windows Authentication? Is it failing there as well.
Try searching by First Name or Last Name only.
I followed your post step by step. The only thing that changed is that I didn't provide a FQDN on the Host Header field, while extending the webapp. What URL should the extended webapp site should have if the Host Header field is blank?
Also, I am not able to add/see users from the ADLDS store under Site Settings/People and Groups...
Thanks in advanced,
Omar
Hi Omar,
It’s best practice to use a fqdn that is resolvable via DNS (you will need to create an A record in DNS). When specifying the host header during the process of extending the site, AAM is created for you and this is critical, as the AAM created will be using the Authentication Type of “Forms”. To answer your question, if you do not specify a host header the site should be resolvable via http://<machinename>:<port>. Check your AAM for the extranet zone. (Navigate to Central Administration / Operations / Alternate Access Mappings (under Global Configuration)
I would delete the site and re-extend the site again and this time ensure a fqdn host header is specified and ensure this is resolvable via DNS. Once you have extended the site, navigate to AAM and ensure the Extranet Zone is created with the correct URL, which should match the host header. Recall this extranet zone Web Application will be using the “Forms” Authentication Type whereas the Default Zone (your original Web Application) will be using the Windows Authentication Type.
I just noticed a major exclusion to my notes, which I have since updated, but you will need to modify the web.config file for your default zone aswell in order to be able to add the ADLDS users to your SharePoint permission groups. Use the same code provided.
You will know that AAM is operating correctly when you browse to your Default Zone you will be authenticated against Windows A.D and when browsing to your Extranet Zone you will receive the Forms Authentication Login, considering you had completed step 4 (Authentication providers) correctly.
Hi George,
First, thanks for the great posts; they are really very helpful!
Now, I am really struggling with step 4. I have followed your guide step-by-step and I cannot add AD LDS users from the default site people picker. I can log in to the default site using Windows authentication and I get the login screen on the extranet site. I have modified both web.config files and still cannot see any of the AD LDS users. I wish there was an easy way to verify that the connection to the provider is actually working.
Also, I noticed in your code above you specify port 50004 but when we setup AD LDS we used 60000 and 60001. Was that just a typo? In either case I have tried all 3 ports in my configs with no luck. Do you have any advice?
Thanks,
Shaune
Hi Shaune,
Oops, that was a typo that I have since amended, thanks for pointing that out. The port should be 60000 in the web.config file which should reflect the AD LDS setup screen shot. Have you added the below code to your Default Zone as well. Remember to always run an IISRESET after making any changes to the web.config file.
<span style=""><PeoplePickerWildcards>
<clear/>
<add key="AspNetSqlMembershipProvider" value="%"/>
<span style="color: maroon;"> <add key="ADLDSMembership" value="*"/></span>
</PeoplePickerWildcards></span>
Please try and search by first name or surname and double check that the membership name i.e. ADLDSMembership in my example is consistent in the web.config file and the authentication provider name.
Let me know how you go.
I have indeed added the wildcard key to the PeoplePicker node. Also, I am restarting IIS after every config change.
Here is a snip of the code I am entering on the web.configs. Do you see anything out of place? I have tried inserting this on the original site, external site, and the central administration configs.
<PeoplePickerWildcards>
<clear/>
<add key="AspNetSqlMembershipProvider" value="%"/>
<add key="ADLDSMembership" value="*"/>
</PeoplePickerWildcards>
------------------------------------------------------
<system.web>
<membership defaultProvider="ADLDSMembership">
<providers>
<add
name="ADLDSMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="MB-ND01-VMG-027.mbnd.local"
port="60000"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="cn" userContainer="CN=Users,CN=SPFBAStore,DC=sharepoint,DC=multibandusa,DC=com"
userObjectClass="user"
userFilter="(ObjectClass=user)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
Just some other thoughts about the environment; ADLDS is setup on one Win2K8 server while WSS is installed on a seperate Win2K3 server. The firewalls are off. The users I've added to the LDS so far are single names like "leonidas" so I could eliminate the possibility of searching the wrong name.
I am really excited to get this working but man, it's really finicky!
Thanks again,
Shaune
Oh and just another note, I double-checked the authentication providers in the Central Administration and the extranet zone is set to "ADLDSMembership".
Hi Shaune,
Your config seems to be in place with regards to the web.config file and I'm assuming you have provided the necessary read rights to your WSS service account against the AD LDS store as per step 2.
I have set this up a couple of times utilising a dedicated AD LDS and a separate SharePoint server so there should be no issues having 2 separate servers. I would confirm that you can connect to your ldap server from your SharePoint Server using ldp.exe which is part of the Windows 2003 support tools from memory.
Cheers
Hey George - Thank you for posting this set of instructions! It seems to be the most complete set of Server 2008/SharePoint 2007 setup instructions that I've found for adding non-domain users.
I'm experiencing an authentication issue that I'm having no luck in solving. I've gone through your steps a couple of times to make sure I'm not missing anything, but I'm just not seeing any missed steps on my part.
I'm on a Windows Server 2000 based domain and have a Windows 2008 Enterprise server with SharePoint 2007 installed onto it. My main SharePoint web application is the name of the server and I've extended it to an Extranet named "sp". Domain users are to log in at https://server.domain.org/site and non-domain users are to use https://sp.domain.org/site.
The problem I'm having is that I cannot get non-domain users to authenticate with the system. I don't receive any errors or anything. When I go to the Extranet site (regardless if I'm inside or outside of the network), I receive a login pop-up box and type in my credentials. IE thinks for a second and then displays the box again with the username listed as domain\username and the password. I cannot even get a ADSI admin account to authenticate with the Extranet. The odd thing is that I CAN get a domain account to authenticate with the Extranet site.
I've checked my settings in Central Admin and my localspadmin account is displayed with the correct "adammembershipprovider:localspadmin" in the Policy for Web Application area. My Default zone is set to have Windows as the provider and the Extranet is ADAMMembershipProvider.
I do have my Default Web Application and the Extranet to use SSL, but then I don't have the ADLDS connection to the ADSI instance using SSL. It appears that your set up is the same way. Does this issue sound like an SSL authentication issue to you or is something else going on?
One of my programmers showed me this great little LDAP authentication app for testing connectivity. It's been a huge help in trying to figure out which accounts to use. Using that app, I can connect up to my ADLDS/ADSI instance and verify that my base non-domain users can see the store container, but no other data within it and my Administrators can see everything in the store. I can connect up through the main ADLDS port (50002 for me), but I cannot connect to the SSL port (50003).
This LDAP tool is called LDAP Browser\Editor and I'm using version 2.8.2.
Please let me know if you've had this issue and/or how to fix it!
Chris
Hi Chris,
I'm glad you found the article of use.
You stated that when you access the extranet site that am I.E login pop-up box appears. This should not be the case and you should instead receive the "Forms Authentication Screen" identical the this
http://lh3.ggpht.com/_jC8JMIc-c-0/SfoeQ9zlwfI/AAAAAAAAAUA/vS2-Dm_WJtE/s1600-h/image[6].png
Could you confirm that the following is true;
You mentioned that your authentication provider for the extranet zone is ADAMMembershipProvider. This needs to match the settings required in the web.config files. Please note that In my example I labelled it as "ADLDSMembership". If your naming convention in the web.config file does not match the name of the Authentication provider that you setup in the Extranet Zone, then you will not receive the correct Forms login page.
Also out of curiosity did you setup ADLDS on your Windows 2008 Server or ADAM on Windows 2003?
BTW, Adding the extranet URL to your Local Intranet IE security zone should remove the IE popup, but this won't fix your issue if the naming convention does not match.
Let me know how you go.
Thanks for getting back to me George. That is correct that I only get a pop-up authentication box for my extranet.
I do have the SharePoint (Standard) 2007 site and ADLDS/ADSI installed on a single Windows 2008 Enterprise Server. It's connected to a separate SQL 2005 server. Can you do FBA in SharePoint Standard or does it nee the Enterprise version?
Here's the code that I've added to the Default, Extranet, and Central Admin web.config files. Notice that I've changed the Provider name.
<add key="ADLDSMembership" value="*"/>
---
<system.web>
<membership defaultProvider="ADLDSMembership">
<providers>
<add
name="ADLDSMembership"
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
server="server"
port="50002"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="cn"
userContainer="CN=Users,CN=SPFBAStore3,DC=eesnd,DC=domain,DC=org"
userObjectClass="user"
userFilter="(ObjectClass=user)"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
/>
</providers>
</membership>
---
The Provider names all matched before. Just for the fun of it I created copies of the original web.config files for all three sites and put just your steps in it (code above) with a new provider name. I also adjusted the Extranet to use this provider and added an ADLDS admin account to the Policy for Web application in Central Admin. It found my account so the connection should be working fine.
So it looks like the issues all resolve around the FBA method. Could it be an SSL or anonymous bind to the provider issue?
Thanks for the suggestions!
Hi Chris,
What's concerning is that you are not getting to the FBA screen and this is all governed by the contents of the web.config file and the relationship with the Authentication provider created in central admin that is mapped to the relevant zone. We can take ADLDS completely out of the equation as that isn't needed to reach the FBA screen.
Are you using an SSL certificate in IIS7 for your Extranet Web Site? If you are using SSL, ensure your certifcate CN matches the FQDN of the Extranet Site. All of my Extranet sites are SSL enabled and bound to a certificate in IIS7 so I can't see that being the issue, however misconfiguration of the site binding/SSL information can be!
On face value I do not see any issues with your setup and pretty sure FBA is supported in Std.
Dear George,
Your blog had been of great help to me. Now I am facing an issue while configuring FBA with SharePoint 2010 using AD LDS as data store on ssl port. My FBA works perfectly fine with LDS on non SSL port but it just does not for SSL on LDS.
1. I have already created a self signed cert sing IIS7 and imported that in the ADAM store as per (http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx) and http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx
2. Now when I change the port to SSL port and say useSSL="true" am getting "Logon failure: unknown user name or bad password" error in ULS logs and also the Directory.Bind errors.
Can you please suggest a solution to my scenario? Appreciate your help and time on this.
Thanks,
prakash.tadas@gmail.com
Hi Prakash,
Setting up AD LDS with SSL is a tricky affair which I haven't attempted yet. I am not going to be of much help this time round. However, I will be updating my post with SharePoint 2010 in which I will attempt SSL with AD LDS as it seems to be a common theme where people are struggling. BTW, my this blog is no longer being updated and has moved to http://sharepointgeorge.com
Ok.. I will be looking forward to that blog. Hopefully my issue resolves some how in another 2 days? Betting heavy :)
Thanks,
Prakash
George,
I really appreciate all that you have done with this tutorial. I am able to authenticate in People Picker and go to the website and login, but then I get an error and have done some trace logs and everything else with no answers specifically. It keeps just giving Unexpected Error with reference to the Security token and .net Framwork 3.0. Have you seen any issues like this in your research?
Thanks!
Post a Comment