Forms Authentication Active Directory - Access Denied
Hello All,
I've been searching the forums and apparently a lot of folks have had difficulty setting up Forms Based Authentication with Active Directory. I can't seem to get this to work. My goal is to have an AD OU or security group to control access to
our extranet portal. The portal has its own domain and domain controller to handle this; everything works fine with Windows Authentication but I get the dreaded 'access denied' message when any other user but myself (site collection admin) attempts to
log in using FBA. I think it's just that I haven't got the connection string right.
Here are the particulars:
1. Active Directory:
ourportal.net
|
|_OurUsers (organizational unit)
2. Web.config settings (in both the WFE and CA applications):
.
.
.
<connectionStrings>
<add name="ADServices" connectionString="LDAP://ourportal.net/DC=ourportal, DC=net" />
</connectionStrings>
<system.web>
<membership defaultProvider="ADProvider">
<providers>
<add name="ADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionProtection="None" connectionStringName="ADServices"
connectionUsername="OurUsers\MOSS2007AUTH" connectionPassword="thepassword" attributeMapUsername="sAMAccountName" />
</providers>
</membership>
.
.
.
3. In CA:
Authentication Type is Forms, Enable anonymous access is checked, Membership provider name is ADProvider
The site collection admins are a service account and myself, both referenced as ADProvider:accountname
I don't think the connection string is searching the whole tree as I can't add users at the site collection level. I need to be able to add an OU or security group as the accounts are created in AD automatically by a separate application.
Note that if I add OU=OurUsers to the connection string, I can't look up the site collection admins using the People Picker.
What am I doing wrong? Any help is very, very appreciated.
Thanks,
David
May 26th, 2010 9:18pm
Bumping
Can anyone help please?
May 28th, 2010 3:54pm
Hi, I too am having the same scenario issue. I think the problem lies with CA in Policy for Web Application. It seems, on my side, that when adding users and selecting only the extranet zone, I can't see AD users. The connection string is
fine because it authenticated my credentials. It's the authorization that SharePoint is having a problem with.
I'm still troubleshooting and will update if I have a fix.
-Napone
June 1st, 2010 8:18pm
In .Net FBA, groups are provided through what is called a "role provider." If you notice in your web.config changes, you are only adding a "membership provider." There is no default AD role provider available that I have been able
to find. There are two solutions that I have used to solve this issue:
1. I use the .Net LDAP providers for both my membership and role providers and point the LDAP settings to an OU in AD. Your groups and users will need to be in that OU. Unless you have a very small AD, you may run into performance issues trying to do LDAP
lookups from the root of the AD so that is why the recommendation on the OU.
http://technet.microsoft.com/en-us/library/cc262069%28office.12%29.aspx#section3
2. Use Microsoft AZMan to manage your roles.
http://msdn.microsoft.com/en-us/library/ff649313.aspx
Usually, I end up using Option 1 in most cases.
JD Wade, MCITP
SharePoint Consultant, Horizons Consulting, Inc.
Blog: http://wadingthrough.com
Twitter: http://twitter.com/jdwade
June 2nd, 2010 12:23am
Napone,
I will definitely post a solution if/when I find one.
June 2nd, 2010 3:15pm
JD,
I've tried using the LDAP provider with no luck. I can't get the people picker to see anything when I've tried. Could you possibly provide specifics using the AD info I provided above and the info in the TechNet link you provided? It would
be a huge help.
Thanks,
David
June 2nd, 2010 3:17pm
Here is an example:
There is no connection string, and this XML goes into the <system.web> section:
<membership defaultProvider="PeopleDCLDAPMembership">
  <providers>
    <add name="PeopleDCLDAPMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="ourportal.net"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="DC=ourportal,DC=net"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager defaultProvider="PeopleDCLDAPRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
  <providers>
    <add name="PeopleDCLDAPRole"
         type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
         server="ourportal.net"
         port="389"
         useSSL="false"
         groupContainer="DC=ourportal,DC=net"
         groupNameAttribute="sAMAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         scope="Subtree" />
  </providers>
</roleManager>
JD Wade, MCITP
SharePoint Consultant, Horizons Consulting, Inc.
Blog: http://wadingthrough.com
Twitter: http://twitter.com/jdwade
June 2nd, 2010 10:08pm
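As an added diagnostic that is not part of JD's post, the C# console program below runs the same two lookups the LDAPMembershipProvider and LDAPRoleProvider settings above describe (a subtree search for the person by sAMAccountName, then the groups whose "member" attribute holds that user's distinguishedName). It binds as the current process identity, the way the providers do under the application pool account, so it shows whether the LDAP side can see the user and its groups before SharePoint's policy is involved. The sample login name "jdoe" is constructed.

```csharp
using System;
using System.DirectoryServices;

class LdapProviderCheck
{
    const string Server = "ourportal.net";           // server= in both providers
    const string Container = "DC=ourportal,DC=net";  // userContainer / groupContainer
    // RFC 4515 escaping so a typed-in login name cannot change the filter's meaning.
    static string Escape(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
    static void Main(string[] args)
    {
        string sam = args.Length > 0 ? args[0] : "jdoe";   // constructed sample sAMAccountName
        // Bind as the current process identity, as the providers do under the app pool account.
        using (DirectoryEntry root = new DirectoryEntry("LDAP://" + Server + "/" + Container))
        using (DirectorySearcher users = new DirectorySearcher(root))
        using (DirectorySearcher groups = new DirectorySearcher(root))
        {
            // Membership step: userFilter=(ObjectClass=person), scope=Subtree,
            // userNameAttribute=sAMAccountName, userDNAttribute=distinguishedName.
            users.SearchScope = SearchScope.Subtree;
            users.Filter = "(&(objectClass=person)(sAMAccountName=" + Escape(sam) + "))";
            users.PropertiesToLoad.Add("distinguishedName");
            SearchResult user = users.FindOne();
            if (user == null)
            {
                Console.WriteLine("No person with sAMAccountName=" + sam + " under " + Container);
                return;   // the membership provider would fail the login at this point
            }
            string dn = (string)user.Properties["distinguishedName"][0];
            Console.WriteLine("User DN: " + dn);
            // Role step: groupFilter=(ObjectClass=group), groupMemberAttribute=member matched
            // against the user's DN; groupNameAttribute=sAMAccountName becomes the role name.
            groups.SearchScope = SearchScope.Subtree;
            groups.Filter = "(&(objectClass=group)(member=" + Escape(dn) + "))";
            groups.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection found = groups.FindAll())
            {
                if (found.Count == 0) Console.WriteLine("User is a direct member of no group in scope");
                foreach (SearchResult g in found)
                    Console.WriteLine("Role: " + g.Properties["sAMAccountName"][0]);
            }
        }
    }
}
```

Run it as the application pool account with the login name a user types into the FBA form; a missing user means the membership step fails, an empty role list means the role provider cannot map the user to the security group you granted access to.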
Thanks again JD, I appreciate any help.
Unfortunately, I still can't add the site collection admins; the people picker does not see username, PeopleDCLDAPMembership:username or PeopleDCLDAPRole:username.
June 3rd, 2010 5:10pm
Update, I have the ldap membership/role provider somewhat working. I have been able to set up the policy and add the site collection admins and can add an AD security group in the portal visitors group. But, when one of the members of the SG
tries to log in, again the access denied message.
:-/ Frustrated!
June 3rd, 2010 9:30pm
Solved!
Thanks for the help JD!
I followed this post to the letter, except I did not extend the application, I used the default instead:
http://blogs.technet.com/b/nishants/archive/2009/05/22/how-to-configure-forms-based-authentication-active-directory-ldapmembership.aspx
Then I found the following post while searching for the Access Denied issue. Note the comments by sadomovalex regarding using the Browse function to add the group, allowing you to select the result for the LDAP role provider instead of the membership
provider. This solved the issue of the security group members being denied access.
Hope this helps someone retain more of their hair than I did :)
As a side note, after changing over to FBA from windows, some of our custom web parts that rely on retrieving data based on the user's identity (HttpContext.Current.User.Identity.Name) broke and had to be modified due to the identity changing from domain\user
to LdapMembership:user. So if you are planning to use FBA and need to determine identity in your custom code, be aware of this gotcha.
Again, thanks!
June 4th, 2010 5:44pm
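One way to handle the identity-name gotcha described above, as an added example rather than code from the thread: custom code that keys data on HttpContext.Current.User.Identity.Name can normalise both the Windows form (domain\user) and the FBA form (LdapMembership:user) to the bare account name. The provider name list is assumed; in a web part you would fill it from Membership.Providers, and the sample names are constructed.

```csharp
using System;
using System.Collections.Generic;

static class FbaIdentity
{
    // Splits an identity name into its source (Windows domain or FBA membership
    // provider name) and the bare account name used for data lookups.
    public static string ToAccountName(string identityName, ICollection<string> providerNames, out string source)
    {
        source = "";
        if (string.IsNullOrEmpty(identityName)) return "";

        // Windows authentication: DOMAIN\user
        int slash = identityName.IndexOf('\\');
        if (slash > 0)
        {
            source = identityName.Substring(0, slash);
            return identityName.Substring(slash + 1);
        }

        // Forms authentication: <membership provider name>:user. Only strip a prefix
        // that is a registered provider, so a login containing ':' is not truncated.
        int colon = identityName.IndexOf(':');
        if (colon > 0 && providerNames.Contains(identityName.Substring(0, colon)))
        {
            source = identityName.Substring(0, colon);
            return identityName.Substring(colon + 1);
        }
        return identityName;
    }

    static void Main()
    {
        // In a web part, take this from System.Web.Security.Membership.Providers; here it is
        // the provider prefix the thread reports seeing (assumed name, constructed sample).
        ICollection<string> providers = new List<string> { "LdapMembership" };
        string[] samples = { "OURPORTAL\\jdoe", "LdapMembership:jdoe", "jdoe" };  // constructed
        foreach (string name in samples)
        {
            string source;
            string account = ToAccountName(name, providers, out source);
            Console.WriteLine(name + " -> source='" + source + "' account='" + account + "'");
        }
    }
}
```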
Check this out:
http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/1a580dba-6932-4bb3-ad47-cc072a012781
BR, PM
June 6th, 2010 8:59pm