Configure SharePoint Forms Based Authentication to use LDAP
This article outlines how to configure SharePoint Forms Based Authentication (FBA) to use Lightweight Directory Access Protocol (LDAP), typically used on a SharePoint Extranet.
Prepare the Authentication Provider
First we need to configure the Authentication Provider to use Forms Based Authentication. This is done via SharePoint Central Administration.
- Browse to SharePoint Central Administration
- Select the Application Management tab
- Under the Application Security section select Authentication Providers
- Select the Web Application you want to allow FBA for.
- Click the Zone you would like to change; only Default is shown below.
- Scroll down to the Authentication Type section and change the Authentication Type to Forms.
- Scroll down to Membership Provider Name and enter the name of your Membership provider. This must match the provider name in your web.config (see
Note the Enable Anonymous access check box. This is one of two settings you need to change to allow anonymous access to part of your site. You might want to do this to present a custom logon form. Read my tip on Enabling Anonymous Access to learn more.
Update SharePoint Central Admin web.config
Please note that updating the web.config incorrectly can damage your SharePoint installation. Extreme care should be taken, please do not edit the web.config if you are not familiar with web.config or XML structures.
- Make a backup of the web.config file (always a best practice).
- Locate your web.config file for the SharePoint Central Administration website. Normally located in C:\Inetpub\wwwroot\wss\VirtualDirectories
- Take special care to select the right Virtual Directory; mine is named SharePointCA80, yours will be different.
- Locate the web.config file and open it with notepad
- Scroll down to the configuration node, <configuration>, and add the connectionStrings section shown below.
- Replace the ??? with your domain name.
- Scroll down to the system web node, <system.web>, and add the membership section shown below.
- Replace the connection string with the one matching your environment and replace "xxx" with domainname\username and "yyy" with the password. Use a dedicated service account that only needs read access to the user container: this password is stored in clear text in web.config unless you encrypt the section, and anyone who can read the file gets it.
- Save and close the web.config for SharePoint Central Administration
Update the web.config of SharePoint Web application
- Repeat steps 1 to 8 above for the web.config of the SharePoint web application for which you configured the Authentication Provider to use Forms Based Authentication.
- Check that the authentication section in this web.config is set to the following.
<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://???.local/CN=Users,DC=???,DC=local" />
</connectionStrings>

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADConnectionString"
         connectionUsername="xxx"
         connectionPassword="yyy"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

<authentication mode="Forms">
  <forms loginUrl="/_layouts/login.aspx"></forms>
</authentication>
Note you can specify a custom login page here through the loginUrl attribute shown above.
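The whole web.config change above (backup, connectionStrings, membership provider, Forms authentication) as one PowerShell script. This is an added example, not part of the original article and not SharePoint's own tooling. The virtual directory path, IIS site name, application pool account and the 64-bit .NET 2.0 framework directory are assumptions for a hypothetical SharePoint 2010 front end; the ???, xxx and yyy placeholders are the article's own and still need your domain and service account. The last three commands encrypt the two sections that hold the service account password with aspnet_regiis, so the clear-text password no longer sits in the file:

```powershell
# Added example, not from the original article: make the web.config edit as a script
# so the backup always happens and the result is validated as XML before IIS sees it.
# Assumptions (hypothetical values): $WebConfig, $IisSiteName, $AppPoolAccount and the
# framework directory; ???/xxx/yyy are the article's placeholders for your environment.
$WebConfig      = 'C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
$IisSiteName    = 'SharePoint - 80'
$AppPoolAccount = '???\SP_AppPool'
$LdapPath       = 'LDAP://???.local/CN=Users,DC=???,DC=local'
$BindUser       = 'xxx'   # domainname\username of a read-only service account
$BindPassword   = 'yyy'

# 1. Timestamped backup before touching anything
$backup = "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $WebConfig -Destination $backup
Write-Host "Backup written to $backup"

# 2. Load with whitespace preserved; a malformed file throws here, not in IIS later
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($WebConfig)
$root = $cfg.DocumentElement          # <configuration>
if ($root.NamespaceURI) { throw 'Root element carries an xmlns; adjust the XPath queries before running this.' }
$sysWeb = $root.SelectSingleNode('system.web')
if ($null -eq $sysWeb) { throw "No <system.web> section found in $WebConfig" }

# Helper: return the named child element, creating it when absent
function Get-OrAddChild([System.Xml.XmlElement]$Parent, [string]$Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) { $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $child
}

# Helper: replace an <add name="..."> entry with one carrying the given attributes
function Set-AddEntry([System.Xml.XmlElement]$Parent, [hashtable]$Attributes) {
    $old = $Parent.SelectSingleNode("add[@name='$($Attributes.name)']")
    if ($null -ne $old) { $null = $Parent.RemoveChild($old) }
    $add = $Parent.OwnerDocument.CreateElement('add')
    foreach ($k in $Attributes.Keys) { $add.SetAttribute($k, [string]$Attributes[$k]) }
    $null = $Parent.AppendChild($add)
}

# 3. <connectionStrings> directly under <configuration>
$cs = Get-OrAddChild $root 'connectionStrings'
Set-AddEntry $cs @{ name = 'ADConnectionString'; connectionString = $LdapPath }

# 4. <membership> provider under <system.web>
$membership = Get-OrAddChild $sysWeb 'membership'
$membership.SetAttribute('defaultProvider', 'ADMembershipProvider')
$providers = Get-OrAddChild $membership 'providers'
Set-AddEntry $providers @{
    name                 = 'ADMembershipProvider'
    type                 = 'System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
    connectionStringName = 'ADConnectionString'
    connectionUsername   = $BindUser
    connectionPassword   = $BindPassword
    enableSearchMethods  = 'true'
    attributeMapUsername = 'sAMAccountName'
}

# 5. Forms authentication with the standard SharePoint login page
$auth = Get-OrAddChild $sysWeb 'authentication'
$auth.SetAttribute('mode', 'Forms')
$forms = Get-OrAddChild $auth 'forms'
$forms.SetAttribute('loginUrl', '/_layouts/login.aspx')

$cfg.Save($WebConfig)
Write-Host "Updated $WebConfig"

# 6. Encrypt the two sections that now hold the service account password.
#    aspnet_regiis -pe protects a section in place with the default
#    RsaProtectedConfigurationProvider; ASP.NET decrypts it transparently at runtime.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe'
& $aspnetRegiis -pe 'connectionStrings'     -app '/' -site $IisSiteName
& $aspnetRegiis -pe 'system.web/membership' -app '/' -site $IisSiteName
# The application pool identity must be able to read the machine RSA key container
& $aspnetRegiis -pa 'NetFrameworkConfigurationKey' $AppPoolAccount
```

The RSA key container is machine-specific, so run the encryption step on every web front end, or export the container with aspnet_regiis -px on one server and import it with -pi on the others before encrypting. Run the same script against the Central Administration web.config with that site's path and name; nothing in Central Administration changes, because the Authentication Provider page only references the provider by name.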
The most common issue I get is using the wrong LDAP path in step 4 above. I strongly recommend you use an LDAP query tool to discover your path before setting up SharePoint.
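A way to check the LDAP path and the service account before they go into web.config, as an added PowerShell example that is not from the original article; it uses the .NET System.DirectoryServices classes in place of a separate LDAP query tool. The path, account and test user name are hypothetical placeholders. The bind is signed and sealed, which approximates the provider's connectionProtection default of Secure, so a directory that only accepts plain binds fails here rather than later inside SharePoint:

```powershell
# Added example, not from the original article: verify the LDAP path and the service
# account with System.DirectoryServices before they go into web.config.
# The path, account and test user below are hypothetical placeholders.
Add-Type -AssemblyName System.DirectoryServices

$LdapPath = 'LDAP://???.local/CN=Users,DC=???,DC=local'   # the value you intend to use as connectionString
$BindUser = '???\svc_sp_fba'                                # read-only service account (connectionUsername)
$TestUser = 'jsmith'                                        # sAMAccountName of a user you expect to find
$secure   = Read-Host -Prompt "Password for $BindUser" -AsSecureString

# Recover the clear-text password only for the bind, then drop the reference
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Signed and sealed Kerberos/NTLM bind, approximating the provider's connectionProtection="Secure"
$authType = [System.DirectoryServices.AuthenticationTypes]'Secure,Signing,Sealing'

try {
    $root = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $BindUser, $plain, $authType)

    # Reading NativeObject forces the bind: a wrong path, host or password throws here
    $null = $root.NativeObject
    Write-Host "Bind OK as $BindUser to $($root.Properties['distinguishedName'].Value)"

    # Same kind of lookup the provider performs with attributeMapUsername="sAMAccountName".
    # $TestUser is a constant here; escape it if you ever feed this from user input.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$TestUser))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        Write-Warning "No user '$TestUser' under $LdapPath. The container in the path is probably wrong."
    } else {
        Write-Host "Found $($result.Properties['samaccountname'][0]) at $($result.Properties['distinguishedname'][0])"
    }
}
catch {
    Write-Error "LDAP check failed: $($_.Exception.Message)"
}
finally {
    $plain = $null
}
```

If the bind succeeds but the search returns nothing, the path points at the wrong container: the provider only searches below the container named in the connection string, so extranet users that live in another OU need a path higher up the tree, or a path to their own OU.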
- Plan your approach to FBA authentication!
- Investigate LDAP query tools, like Softerra LDAP Administrator, to make your life easier
- Check back here for my next tip on "How to configure FBA to use SQL Authentication"
- Read tip on Enabling Anonymous Access
- Investigate the CKS FBA web parts on CodePlex.
Last Updated: 2010-08-10