Forms Authentication Active Directory - Access Denied
Hello All, I've been searching the forums and apparently a lot of folks have had difficulty setting up Forms Based Authentication with Active Directory. I can't seem to get this to work. My goal is to have an AD OU or security group control access to our extranet portal. The portal has its own domain and domain controller to handle this; everything works fine with Windows Authentication but I get the dreaded 'access denied' message when any other user but myself (site collection admin) attempts to log in using FBA. I think it's just that I haven't got the connection string right. Here are the particulars:

1. Active Directory:

   ourportal.net
   |
   |_OurUsers (organizational unit)

2. Web.config settings (in both the WFE and CA applications):

   . . .
   <connectionStrings>
     <add name="ADServices" connectionString="LDAP://ourportal.net/DC=ourportal, DC=net" />
   </connectionStrings>
   <system.web>
     <membership defaultProvider="ADProvider">
       <providers>
         <add name="ADProvider"
              type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionProtection="None"
              connectionStringName="ADServices"
              connectionUsername="OurUsers\MOSS2007AUTH"
              connectionPassword="thepassword"
              attributeMapUsername="sAMAccountName" />
       </providers>
     </membership>
   . . .

3. In CA: Authentication Type is Forms, Enable anonymous access is checked, Membership provider name is ADProvider.

The site collection admins are a service account and myself, both referenced as ADProvider:accountname. I don't think the connection string is searching the whole tree, as I can't add users at the site collection level. I need to be able to add an OU or security group, as the accounts are created in AD automatically by a separate application. Note that if I add OU=OurUsers to the connection string, I can't look up the site collection admins using the People Picker. What am I doing wrong? Any help is very, very appreciated.

Thanks,
David
May 26th, 2010 9:18pm

Bumping Can anyone help please?
May 28th, 2010 3:54pm

Hi, I too am having the same scenario issue. I think the problem lies with CA in Policy for Web Application. It seems, on my side, that when adding users and selecting only the extranet zone, I can't see AD users. The connection string is fine because it authenticated my credentials. It's the authorization that SharePoint is having a problem with. I'm still troubleshooting and will update if I have a fix.
-Napone
June 1st, 2010 8:18pm

In .Net FBA, groups are provided through what is called a "role provider." If you notice in your web.config changes, you are only adding a "membership provider." There is no default AD role provider available that I have been able to find. There are two solutions that I have used to solve this issue:

1. I use the .Net LDAP providers for both my membership and role providers and point the LDAP settings to an OU in AD. Your groups and users will need to be in that OU. Unless you have a very small AD, you may run into performance issues trying to do LDAP lookups from the root of the AD, so that is why the recommendation on the OU.
   http://technet.microsoft.com/en-us/library/cc262069%28office.12%29.aspx#section3

2. Use Microsoft AZMan to manage your roles.
   http://msdn.microsoft.com/en-us/library/ff649313.aspx

Usually, I end up using Option 1 in most cases.

JD Wade, MCITP SharePoint Consultant, Horizons Consulting, Inc.
Blog: http://wadingthrough.com
Twitter: http://twitter.com/jdwade
June 2nd, 2010 12:23am

Napone, I will definitely post a solution if/when I find one.
June 2nd, 2010 3:15pm

JD, I've tried using the LDAP provider with no luck. I can't get the people picker to see anything when I've tried. Could you possibly provide specifics using the AD info I provided above and the info in the technet link you provided. It would be a huge help. Thanks, David
June 2nd, 2010 3:17pm

Here is an example. There is no connection string, and this XML goes into the <system.web> section (attribute values and tag names are given without the stray spaces that appeared in the original posting, since trailing spaces inside the quotes would be passed to the provider as part of the value):

   <membership defaultProvider="PeopleDCLDAPMembership">
     <providers>
       <add name="PeopleDCLDAPMembership"
            type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="ourportal.net"
            port="389"
            useSSL="false"
            userDNAttribute="distinguishedName"
            userNameAttribute="sAMAccountName"
            userContainer="DC=ourportal,DC=net"
            userObjectClass="person"
            userFilter="(ObjectClass=person)"
            scope="Subtree"
            otherRequiredUserAttributes="sn,givenname,cn" />
     </providers>
   </membership>

   <roleManager defaultProvider="PeopleDCLDAPRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
     <providers>
       <add name="PeopleDCLDAPRole"
            type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
            server="ourportal.net"
            port="389"
            useSSL="false"
            groupContainer="DC=ourportal,DC=net"
            groupNameAttribute="sAMAccountName"
            groupMemberAttribute="member"
            userNameAttribute="sAMAccountName"
            dnAttribute="distinguishedName"
            groupFilter="(ObjectClass=group)"
            scope="Subtree" />
     </providers>
   </roleManager>

JD Wade, MCITP SharePoint Consultant, Horizons Consulting, Inc.
Blog: http://wadingthrough.com
Twitter: http://twitter.com/jdwade
June 2nd, 2010 10:08pm

Thanks again JD, I appreciate any help. Unfortunately, I still can't add the site collection admins; the People Picker does not see username, PeopleDCLDAPMembership:username or PeopleDCLDAPRole:username.
June 3rd, 2010 5:10pm

Update: I have the LDAP membership/role provider somewhat working. I have been able to set up the policy and add the site collection admins, and can add an AD security group to the portal Visitors group. But when one of the members of the SG tries to log in, again the access denied message. :-/ Frustrated!
June 3rd, 2010 9:30pm

Solved! Thanks for the help JD! I followed this post to the letter, except I did not extend the application; I used the default instead:
http://blogs.technet.com/b/nishants/archive/2009/05/22/how-to-configure-forms-based-authentication-active-directory-ldapmembership.aspx

Then I found the following post while searching for the Access Denied issue. Note the comments by sadomovalex regarding using the Browse function to add the group, allowing you to select the result for the LDAP role provider instead of the membership provider. This solved the issue of the security group members being denied access. Hope this helps someone retain more of their hair than I did :)

As a side note, after changing over to FBA from Windows, some of our custom web parts that rely on retrieving data based on the user's identity (HttpContext.Current.User.Identity.Name) broke and had to be modified due to the identity changing from domain\user to LdapMembership:user. So if you are planning to use FBA and need to determine identity in your custom code, be aware of this gotcha.

Again, thanks!
June 4th, 2010 5:44pm
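The identity gotcha described in the solved post above (and the membership-provider vs. role-provider distinction from JD's answer) is the kind of thing custom code has to handle explicitly. The helper below is an added example written for this thread; it is not code from the original posts or from SharePoint. It assumes the provider names PeopleDCLDAPMembership and PeopleDCLDAPRole from the web.config shown earlier, and the sample identities in Main are constructed, not real accounts. It normalizes the three identity shapes a web part may see (domain\user under Windows authentication, ProviderName:user under FBA, or a bare name) to a single account name, compares them the way AD compares sAMAccountName (case-insensitively), and tells a role-provider principal apart from a membership-provider one.

```csharp
using System;

// Added example, not part of the thread or of SharePoint's own code.
// After the zone switched from Windows to Forms authentication,
// HttpContext.Current.User.Identity.Name changed from "domain\user" to
// "ProviderName:user", which broke web parts keyed on the old shape.
public static class FbaIdentity
{
    // Provider names taken from the web.config posted in this thread
    // (assumed to be the defaultProvider of <membership> and <roleManager>).
    public const string MembershipProviderName = "PeopleDCLDAPMembership";
    public const string RoleProviderName = "PeopleDCLDAPRole";

    public struct ParsedIdentity
    {
        public string Provider;  // "" for Windows (domain\user) identities
        public string Domain;    // "" for FBA (Provider:user) identities
        public string Account;   // short name, i.e. the sAMAccountName value
        public bool IsForms;
    }

    // Handles the shapes seen in the thread:
    //   "OURPORTAL\jsmith"              -> Windows authentication
    //   "PeopleDCLDAPMembership:jsmith" -> FBA, membership provider
    //   "PeopleDCLDAPRole:PortalGroup"  -> FBA, role provider (a group)
    //   "jsmith"                        -> already a bare account name
    public static ParsedIdentity Parse(string identityName)
    {
        if (identityName == null) throw new ArgumentNullException("identityName");
        ParsedIdentity result = new ParsedIdentity();
        result.Provider = "";
        result.Domain = "";
        int colon = identityName.IndexOf(':');
        int slash = identityName.IndexOf('\\');
        if (colon > 0)
        {
            result.Provider = identityName.Substring(0, colon);
            result.Account = identityName.Substring(colon + 1);
            result.IsForms = true;
        }
        else if (slash > 0)
        {
            result.Domain = identityName.Substring(0, slash);
            result.Account = identityName.Substring(slash + 1);
        }
        else
        {
            result.Account = identityName;
        }
        return result;
    }

    // The bare account name: what an LDAP membership provider configured with
    // userNameAttribute="sAMAccountName" actually authenticated.
    public static string AccountName(string identityName)
    {
        return Parse(identityName).Account;
    }

    // sAMAccountName is case-insensitive in AD, so compare that way no matter
    // which authentication mode produced the identity string.
    public static bool SameUser(string a, string b)
    {
        return string.Equals(AccountName(a), AccountName(b),
                             StringComparison.OrdinalIgnoreCase);
    }

    // A principal is a security group only when it carries the role provider's
    // prefix; the thread's fix was to pick the role-provider result in the
    // People Picker rather than the membership-provider result for the group.
    public static bool IsRoleProviderName(string principalName)
    {
        ParsedIdentity p = Parse(principalName);
        return p.IsForms &&
               string.Equals(p.Provider, RoleProviderName, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample identities (not real accounts).
        string[] samples = {
            @"OURPORTAL\jsmith",
            "PeopleDCLDAPMembership:jsmith",
            "PeopleDCLDAPRole:PortalVisitors",
            "PeopleDCLDAPMembership:PortalVisitors"
        };
        foreach (string s in samples)
        {
            ParsedIdentity p = Parse(s);
            Console.WriteLine("{0,-40} account={1,-16} forms={2,-5} role={3}",
                              s, p.Account, p.IsForms, IsRoleProviderName(s));
        }
        Console.WriteLine("Same user across modes: " +
                          SameUser(@"OURPORTAL\jsmith", "PeopleDCLDAPMembership:JSmith"));
    }
}
```

Compile it as a console program to see the four sample identities classified; in a web part, pass HttpContext.Current.User.Identity.Name to AccountName and key your data lookups on the result so the same code works in both the Windows and the FBA zone. The last sample shows why adding the group through the membership provider did not grant access: the resulting principal name is a membership entry, not a role.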

Check this out:
http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/1a580dba-6932-4bb3-ad47-cc072a012781

BR, PM
June 6th, 2010 8:59pm
