Forms Based Authentication is an attractive option for companies running MOSS 2007 because it means you can give partners and external clients access to your Sharepoint sites without having to give them a full blown Windows domain account, the only drawbacks being it’s quite tricky to set up and most people only see SQL Server as an option for a user store which gives complications with regards to maintenance of them users and less flexibility should you need to migrate them users to a full blown Windows account later on.
I am currently running MOSS 2007 on Windows Server 2008 and I wanted to implement Forms Based authentication using AD LDS as the user store instead of SQL Server. The benefit for using AD LDS as a user store is that it is built on the same enterprise level authentication server as Active Directory and comes with a user management application that will be familiar to most Windows administrators unlike SQL Server which can only be administered using the Web Site Administration tool that comes with Visual Studio. You can also easily migrate an AD LDS user store to a full blown Active Directory domain controller if that requirement should arise in the future.
I couldn’t find much on the web on how to setup and configure AD LDS with Windows Server 2008 and as It’s a fairly tricky undertaking I thought I would write an article to hopefully give a clear and concise step by step guide on how to get it up and running.
Installing AD LDS
To start off with I am assuming you have MOSS 2007 installed on Windows Server 2008 already so the first step would be to add the AD LDS role.
- Open up Server Manager and click on the roles section to the left.
- Click on the “Add Roles” link on the right which should bring up the “Add Roles Wizard”.
- Check the box next to Active Directory Lightweight directory services and click next as shown below.
Follow the wizard until the end and AD LDS should now be installed on your server.
Configuring AD LDS
Now we have AD LDS installed we need to create a user store.
- Open up Administrative Tools and click on “Active Directory Lightweight Directory Services Setup Wizard” to start the setup process.
- Click next on the first page and you will be presented with the step below, make sure “Unique instance” is selected and click next.
- On the next step give your user store instance a name as shown below and click next.
- Now you need to give your instance a port number so you can access it, recommended to leave the default values here.
- Now we need to create a partition for our user store. Select “Yes, create an application directory partition” and enter a valid X.500 AD partition name. Make a note of this Partition name as you will need it later on.
- The next step is to tell AD LDS where to physically store your data.
- Choose which domain account you want AD LDS to run under, I have left selected the default Network Service Account.
- Next tell AD LDS which account you would like to give admin rights to.
- The last step is pretty important make sure you select the MS-User.ldif file to import; this makes sure you have the User classes available within your AD LDS store.
And thats it you now have a AD LDS store setup. Then next step is to add a user to your store.
- Under Administrative tool you will now see ADSI Edit application, open this up.
- Right click on the ADSI Edit node and select “Connect to” you will see the “Connection Settings” dialog box shown below.
- Enter a name for your connection in the Name box.
- Under Connection Point enter your Distinguished Name into the “Select or type a Distinguished Name or Naming Context:” box. This will be the Partition name you entered earlier on when creating the user store.
- In the “Select or type a domain or server” box enter you domain name and port number you setup earlier.
- Click the Ok button and you should now see your connection under the ADSI Edit node.
- You can now add a user by right clicking on the Users container and selecting New -> object.
- You will be presented with the dialog box shown below. Select the user class and click next.
- On the next screen enter the users username into the value box and click next, then click finish.
- You now have a user in your user store, to set the users password right click on the user and selected “Reset password”.
- One more step you need to take is to enable the user by right clicking on the user and selecting “Properties”.
- Scroll down to the ms-DS-UserAccountDisabled property and change it to TRUE.
Extending your web application
Now we have our user store in place we need to tell Sharepoint that we want to allow access to our sites for these users. You will need a separate URL and web application so that MOSS can distinguish from internal and external users and present them with the right authentication mechanism. For example my internal URL is portal.athousandthreads.net which will use Windows authentication and my external URL is partner.athousandthreads.net which will use FBA authentication. Both URL’s point to the same SharePoint site but each use different mechanisms for authenticating users.
Our first step is to extend the internal portal.athousandthreads.net application.
- Open Central Administration and go to “Application Management”
- Click on “Create or extend Web Application”.
- Click “Extend an existing web application”.
- You will be presented with the screen below.
- Change the web application to your internal web application, in my case portal.athousandthreads.net
- Select create a new IIS website and enter a name.
- Enter port 80 into the port textbox and your host header into the host header section, in my case partner.athousandthreads.net, this will be your external URL.
- Under the Load Balanced URL section make sure you change the Zone dropdown to Internet, this is very important.
- Click Ok and you extended web application will be created.
- Make sure you can navigate to your external URL, if you don’t get anything then make sure you have made the right DNS or Host file entries on your server.
Modifying web.config files.
At a minimum we need to modify the Central Administration and external web application web.config files you will also need to modify the SSP and MySite web.config files if you intend to use FBA with these services.
- Open up your external web application web.config file and make the following entry just before the system.web node.
- Be sure to change the connectionString attribute to match your own domain, port and partition name.
- Now make the following entry inside the system.web node.
- Change the connectionUsername and connectionPassword attributes to match your own credentials.
- Save the web.config file and now open up your Central Administration web.config file.
- Insert exactly the same entries in this web.config file as before.
- Change the defaultProvider attribute of the roleManager node to AspNetWindowsTokenRoleManger, this is to ensure you can still access Central Administration with Windows authentication.
- Save the web.config file and do and IISRESET for good luck.
Configuring authentication providers.
All we need to do now is tell Sharepoint that our external web application (partner.athousandthreads.net) will be using Forms Based Authentication.
- Open up Central Administration and go to Application Management.
- Click Authentication Providers and click the Internet zone on next screen. You should then be presented with the screen below.
- Change the authentication type to Forms and enter the Membership provider name and Role manager name from your web.config files in the respective boxes.
- Make sure you select Yes under Enable Client Integration.
- Click Save.
Adding FBA permissions.
Ok so now our external web application is using FBA and our Central Administration knows about our AD LDS store, we can now go ahead and add an FBA user to our web application.
- Open up Central Administration and select Policy for Web Application.
- Add a new user and you should now be able to enter an FBA user into the people picker box.
- Once you have added a user to the web application policy you should be able to log into the internal web application using Windows authentication (portal.athousandthreads.com) and begin adding your FBA user permissions to the site.
There you have it, It’s a bit long winded and a little tricky but pretty cool when it’s finally set up and working, trying navigation to you external web application (partner.athousandthreads.net) and you should be presented with a FBA login screen.