

SharePoint 2010: How to Configure AD LDS-Claims Based Authentication


Introduction

SharePoint 2010 lets you set up multiple authentication providers, so that clients or other external parties (vendors, affiliates and so on) can access your SharePoint sites without being given a Windows Active Directory account.

This article walks through, step by step, how this can be achieved using Windows Server 2008 R2 Active Directory Lightweight Directory Services (AD LDS).

http://1.bp.blogspot.com/-4u1Lzm2DFOQ/Tu20qU6GpdI/AAAAAAAAA1o/ZFzA4IXncok/s1600/ADLDS-SharePoint2010+%25281%2529.jpg 

Summary

Following this implementation guide sets up claims-based authentication (CBA) against AD LDS in a SharePoint 2010 extranet environment.

Steps

1. Add “Active Directory Lightweight Directory Services” Server Role

Open the Windows Server 2008 R2 Server Manager, click Roles in the navigation pane, and then click the Add Roles link.

http://2.bp.blogspot.com/-DbRfql2sGNc/Tu20q39TCzI/AAAAAAAAA1s/9339NQaQCUk/s1600/ADLDS-SharePoint2010+%25282%2529.jpg

Click the Next button.

http://3.bp.blogspot.com/-eoSLx9LBGqA/Tu20rXwkq-I/AAAAAAAAA14/oG8b0QY13_8/s1600/ADLDS-SharePoint2010+%25283%2529.jpg

Check the box for Active Directory Lightweight Directory Services, and then click the Next button.

http://3.bp.blogspot.com/-utrjZUnEQHM/Tu20sMqE9EI/AAAAAAAAA18/cTmh0sKY0ko/s1600/ADLDS-SharePoint2010+%25284%2529.jpg

Click the Next button on the introduction page.

http://2.bp.blogspot.com/-c7GIKJmZ2Xk/Tu20stn97NI/AAAAAAAAA2E/PRPtJXTY0B0/s1600/ADLDS-SharePoint2010+%25285%2529.jpg

Verify the settings on the confirmation page, and then click the Install button.

http://4.bp.blogspot.com/-nl_noQwQv44/Tu20ta8hlNI/AAAAAAAAA2M/Z3E-A7NMzjM/s1600/ADLDS-SharePoint2010+%25286%2529.jpg

The installation progress is shown.

http://1.bp.blogspot.com/-Mx5APUP1XY0/Tu20txCFfaI/AAAAAAAAA2Y/IXRZy-2R_6s/s1600/ADLDS-SharePoint2010+%25287%2529.jpg

When the installation has completed, click Close.

http://2.bp.blogspot.com/-Kxkk84xYVQ0/Tu20vAEHUJI/AAAAAAAAA2c/yVsLOR1X1ZA/s1600/ADLDS-SharePoint2010+%25288%2529.jpg

1(a).  Create a New Instance of AD LDS

Create an AD LDS instance by clicking Start > Administrative Tools > Active Directory Lightweight Directory Services Setup.  The setup wizard appears.  Click Next.

http://4.bp.blogspot.com/-hoftx_UKQHI/Tu20vqtL7hI/AAAAAAAAA2k/nXUQQsyLAPA/s1600/ADLDS-SharePoint2010+%25289%2529.jpg

We can create a new unique instance, or replicate an existing one. Here we go with the first option: select “A unique instance” and then click Next.

http://1.bp.blogspot.com/-d1yMjrzCdlU/Tu20wXxZLiI/AAAAAAAAA2s/_E555yCbPng/s1600/ADLDS-SharePoint2010+%252810%2529.jpg

Type the instance name. The instance name helps you identify this instance and distinguish it from other instances that may be installed on the same server.

http://3.bp.blogspot.com/-vutPfOoi_uE/Tu20wwjolMI/AAAAAAAAA20/ghaSDgAIZJI/s1600/ADLDS-SharePoint2010+%252811%2529.jpg

Specify the LDAP port numbers and then click Next.  Note that these ports must not be in use by any other application on the same server.

http://3.bp.blogspot.com/-CkRup-mqLZs/Tu20xgTBhfI/AAAAAAAAA28/lIcVFm8WjRc/s1600/ADLDS-SharePoint2010+%252812%2529.jpg

Click Next, select the option “Yes, create an application directory partition” and enter the partition name. I have used “CN=LDAP,DC=SharePoint,DC=COM”.  Note: the partition name has no relation to your machine name or to Active Directory; it can be any new name.

http://4.bp.blogspot.com/-oPKwiVtgmgQ/Tu20yPi-7SI/AAAAAAAAA3I/Qa29oOtLIVY/s1600/ADLDS-SharePoint2010+%252813%2529.jpg

Select the file locations.  Click Next.

Select the Network Service account.  This is sufficient in most cases.  Click Next.

http://3.bp.blogspot.com/-6niHLYsoR0U/Tu20zhlTHZI/AAAAAAAAA3U/802UQEewchs/s1600/ADLDS-SharePoint2010+%252815%2529.jpg

Select your administrator account.  Click Next.

http://4.bp.blogspot.com/-nOOtWDc0OkI/Tu200Orgw9I/AAAAAAAAA3g/KYioUKUn5Mw/s1600/ADLDS-SharePoint2010+%252816%2529.jpg

Important:

Make sure the application pool account has been added to the AD LDS Administrators role (open the properties of the “Roles” node, scroll to the “Members” attribute and add the application pool account). Otherwise user accounts will not be resolved in SharePoint.

Select the options shown below; they are needed for the extranet user accounts.  Click Next.

http://2.bp.blogspot.com/-BK794y3bxso/Tu201NpzKdI/AAAAAAAAA3k/sqF-hh7i_QE/s1600/ADLDS-SharePoint2010+%252817%2529.jpg

Click Next.

http://3.bp.blogspot.com/-iAxgLnzhvH8/Tu201uwpqyI/AAAAAAAAA3w/Y9p_b5W29no/s1600/ADLDS-SharePoint2010+%252818%2529.jpg

Click Finish.

http://2.bp.blogspot.com/-hMcqDnkXGfg/Tu202vK2m2I/AAAAAAAAA34/J8iNayWP2FY/s1600/ADLDS-SharePoint2010+%252819%2529.jpg

1(b). Validate that the AD LDS instance is running

If everything is configured correctly, you will see the instance's service running under Administrative Tools > Services.

http://2.bp.blogspot.com/-HaBIxKqM6-A/Tu203p-8eiI/AAAAAAAAA38/27NAf_Md2OU/s1600/ADLDS-SharePoint2010+%252820%2529.jpg

1(c)  Uninstall an AD LDS instance:

Go to Control Panel > Programs and Features; the installed AD LDS instance is listed there.

http://2.bp.blogspot.com/-qUC2HWAQOp8/Tu204I-mFeI/AAAAAAAAA4I/ODKj5MmLYlQ/s1600/ADLDS-SharePoint2010+%252821%2529.jpg

Select the AD LDS instance and click “Uninstall” to remove that particular instance.

2.  Connecting to AD LDS Server using ADSI Edit

Now that our instance is ready, we need to connect to it with the ADSI Edit MMC snap-in.  Click Start > Administrative Tools > ADSI Edit.  Once the MMC is loaded, right-click the ADSI Edit node and select Connect to…

http://1.bp.blogspot.com/-MenfUaNdXuU/Tu204uiok8I/AAAAAAAAA4M/PFBmUrMp9ys/s1600/ADLDS-SharePoint2010+%252822%2529.jpg

Enter the connection properties and click OK.

http://2.bp.blogspot.com/-vyjNb87j9kQ/Tu205bCMipI/AAAAAAAAA4U/oSQVty9CPMI/s1600/ADLDS-SharePoint2010+%252823%2529.jpg

On a successful connection, the AD LDS server view appears as shown in the screen below.

http://3.bp.blogspot.com/-Pfs6c_8w7tM/Tu2058T9AAI/AAAAAAAAA4c/tAbBqCE64os/s1600/ADLDS-SharePoint2010+%252824%2529.jpg

2(a).  Creating new users in the AD LDS instance:

We now need to create a container to store our users.  This is the equivalent of an Organizational Unit in Active Directory.  Right-click the CN entry, select New > Object, and select the class “container”.  Click Next.

http://1.bp.blogspot.com/-2uKgC8bbJ4o/Tu206tbc6tI/AAAAAAAAA4o/VK2IFWV_vO8/s1600/ADLDS-SharePoint2010+%252825%2529.jpg

Type Users as the value, click Next and then Finish.

http://4.bp.blogspot.com/-uj7Sl8-M9uI/Tu207el-rUI/AAAAAAAAA4s/JXF7f_1J3R4/s1600/ADLDS-SharePoint2010+%252826%2529.jpg

You will now see the “Users” container. We can create our users in this newly created “Users” container.

http://4.bp.blogspot.com/-bwvFKeFyHZA/Tu207-qen3I/AAAAAAAAA44/Ctuek6RzUdE/s1600/ADLDS-SharePoint2010+%252827%2529.jpg

Right-click CN=Users, select New > Object, and select the class “user”.

http://4.bp.blogspot.com/-GE5izMUJJac/Tu2080BYMGI/AAAAAAAAA48/anYVygt2yzI/s1600/ADLDS-SharePoint2010+%252828%2529.jpg

Type in a user name and then click Next and Finish.

http://4.bp.blogspot.com/-8TVadnjlgSo/Tu209WkZRxI/AAAAAAAAA5E/r-lF0H_oYSY/s1600/ADLDS-SharePoint2010+%252829%2529.jpg

Once the user is created we have to:

  • Reset the password
  • Set msDS-UserAccountDisabled to False (it is True by default)
  • Important: set “cn” and the other attributes required by the membership provider settings; users without the CN attribute set will not be picked up by SharePoint.

Reset Password

Right-click the user and select “Reset Password”.

http://2.bp.blogspot.com/-v9XFTT8jhN4/Tu2090rjtTI/AAAAAAAAA5M/z-gsh58-fJ0/s1600/ADLDS-SharePoint2010+%252830%2529.jpg

http://3.bp.blogspot.com/-ousgpNtjz_8/Tu20-UTcQtI/AAAAAAAAA5Y/-uLlg6iALcc/s1600/ADLDS-SharePoint2010+%252831%2529.jpg

msDS-UserAccountDisabled

Right-click your newly created user object and select Properties.

http://1.bp.blogspot.com/-JE2V18fD5Uk/Tu20_KdcmNI/AAAAAAAAA5c/WYxDkjVY9iY/s1600/ADLDS-SharePoint2010+%252832%2529.jpg

Scroll down, locate the msDS-UserAccountDisabled attribute and set it to False.

http://2.bp.blogspot.com/-dt0rd4cpwRA/Tu20_oXVkUI/AAAAAAAAA5k/SfBOUeq8tw8/s1600/ADLDS-SharePoint2010+%252833%2529.jpg

PowerShell script to list the users in the AD LDS instance (replace server.domain.com with your AD LDS host):

$Dom = "LDAP://server.domain.com/CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
$Root = New-Object System.DirectoryServices.DirectoryEntry $Dom

# Create a searcher and start searching from the users container
$selector = New-Object System.DirectoryServices.DirectorySearcher
$selector.SearchRoot = $Root

# Keep only person objects (objectCategory starts with "CN=Person").
# @( ) forces an array so that .Count works even when only one user is returned.
$adobj = @($selector.FindAll() | Where-Object {
    $_.Properties.objectcategory -like "CN=Person*"
})

foreach ($person in $adobj) {
    $prop = $person.Properties
    Write-Host "First name: $($prop.givenname) Surname: $($prop.sn) User: $($prop.cn)"
}

Write-Host "There are $($adobj.Count) users in the $($Root.Name) container"
Read-Host  # just to keep the window open
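The listing script above shows who is in the container, but the two requirements called out earlier (cn, sn and givenName populated to satisfy otherRequiredUserAttributes, and msDS-UserAccountDisabled set to False) are what decide whether SharePoint will actually resolve the account. The following audit script is an added example, not code from the original post: it reports every user under the container that fails one of those checks. Server, port and container DN are the article's placeholder values and are assumed here; change them to match your instance.

```powershell
# Added example (not from the original post): audit AD LDS users for the attributes
# SharePoint's LdapMembershipProvider needs before it will resolve the account.
# Server, port and container DN are the article's placeholders (assumptions).
function Get-AdLdsUserReadiness {
    param(
        [string]$Server = "server.domain.com",
        [int]$Port = 389,
        [string]$UsersDn = "CN=Users,CN=LDAP,DC=SharePoint,DC=COM",
        # Must match otherRequiredUserAttributes="sn,givenname,cn" in web.config
        [string[]]$RequiredAttributes = @("cn", "sn", "givenname")
    )

    $path = "LDAP://{0}:{1}/{2}" -f $Server, $Port, $UsersDn
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path
    # Same filter the membership provider uses (userFilter="(ObjectClass=person)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, "(objectClass=person)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500          # page results so large containers are not truncated
    foreach ($attr in ($RequiredAttributes + @("msds-useraccountdisabled", "distinguishedname"))) {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties     # keys come back lower-cased
        $missing = @($RequiredAttributes | Where-Object { -not $p.Contains($_) })

        # Absent attribute is reported as $null: the account is not known to be enabled
        $disabled = $null
        if ($p.Contains("msds-useraccountdisabled")) {
            $disabled = [bool]$p["msds-useraccountdisabled"][0]
        }

        New-Object PSObject -Property @{
            DistinguishedName = [string]$p["distinguishedname"][0]
            MissingAttributes = ($missing -join ",")
            Disabled          = $disabled
            # Ready only when every required attribute exists and the flag is explicitly False
            Ready             = ($missing.Count -eq 0 -and $disabled -eq $false)
        }
    }
}

# Usage: show only the accounts SharePoint will not be able to use yet
Get-AdLdsUserReadiness |
    Where-Object { -not $_.Ready } |
    Format-Table DistinguishedName, MissingAttributes, Disabled -AutoSize
```

Run it under an account that is a member of the instance's Administrators role (the same requirement the article states for the application pool account); an empty table means every user in the container is resolvable. A user that shows Disabled as blank has no msDS-UserAccountDisabled value at all, which the script deliberately does not treat as enabled.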

 

3. Configure CBA for the web application

For new web application:

For existing web applications:

  • Go to Central Administration > Application Management
  • Click Manage Web Applications
  • Select the target web application and click Authentication Providers in the ribbon
  • Enter the authentication settings described above

After a successful configuration, browsing to the SharePoint site should show:

http://1.bp.blogspot.com/-TOwk3Svoy8I/Tu21AdFJcdI/AAAAAAAAA50/BwV7o7iqTZs/s1600/ADLDS-SharePoint2010+%252835%2529.jpg

4. Modifying web.config files

Important: back up the web.config files before making any change.

We have to change three web.config files in total:

1.  To get the users from AD LDS into the Central Administration site, we have to change the web.config of the Central Administration site.

2.  To get the users from AD LDS into the web application we created for CBA, we have to change that web application's web.config.

3.  Logging in to the site with claims-based authentication goes through the Security Token Service application, so we have to change its configuration file as well.

4(a). Update Central Administration site’s web.config:

  • Open the Central Administration site's web.config file
  • Find the <system.web> entry
  • Paste the following XML directly below it (or just before the closing </system.web> tag, which is followed by <system.webServer>)

<!-- ASP.NET configuration element and attribute names are case-sensitive:
     keep roleManager, useSSL, userContainer and the rest exactly as written. -->
<membership>
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="cn"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>

Double-check that the <membership> and <roleManager> entries exist only once. Delete any duplicate entries.

Update the <PeoplePickerWildcards> entry with the code below:

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="LdapMembershipProvider" value="*" />
  <add key="LdapRoleManager" value="*" />
</PeoplePickerWildcards>

4(b). Update Web application’s web.config:

Update the web.config with the code below (element and attribute names are case-sensitive):

<membership defaultProvider="i">
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="c" cacheRolesInCookie="false">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="cn"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</roleManager>

Update the <PeoplePickerWildcards> entry as below:

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="LdapMembershipProvider" value="*" />
  <add key="LdapRoleManager" value="*" />
</PeoplePickerWildcards>

4(c). Update the Security Token Service's web.config:

  • Open Internet Information Services (IIS) Manager
  • Expand Sites, then SharePoint Web Services, and open SecurityTokenServiceApplication to edit its web.config file

http://3.bp.blogspot.com/-njFs3kS4aXY/Tu21A6LgxTI/AAAAAAAAA6A/VdibG3AXTnE/s1600/ADLDS-SharePoint2010+%252836%2529.jpg

Paste the code below inside <system.web>, before the closing </system.web> tag (which precedes </configuration>):

<membership>
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager enabled="true">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com"
         port="389"
         useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn"
         groupMemberAttribute="member"
         userNameAttribute="cn"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>
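The three web.config edits above share the same failure modes: a second <membership> or <roleManager> block left behind, a provider <add> accidentally nested inside the previous one because it was not closed with />, element or attribute names pasted in the wrong case (ASP.NET rejects <rolemanager>), and a missing PeoplePickerWildcards entry that stops the people picker from searching the LDAP providers. The script below is an added example, not code from the original post or from SharePoint: it loads a web.config, runs those checks, and also flags useSSL="false", since with that setting the LDAP traffic SharePoint sends to validate credentials is unencrypted and should only be accepted when the AD LDS instance is on the same host or the link is otherwise protected. The sample web.config it writes to %TEMP% is constructed from the 4(b) fragment so the script runs offline; point the function at a real file to check your own configuration.

```powershell
# Added example (not part of the original post): sanity-check the LDAP provider
# entries in a SharePoint 2010 web.config after the edits described in section 4.
function Test-SPLdapWebConfig {
    param([Parameter(Mandatory = $true)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)
    $findings = @()

    # Exactly one <membership> and one <roleManager> under <system.web>; names are case-sensitive
    foreach ($name in @("membership", "roleManager")) {
        $nodes = $doc.SelectNodes("/configuration/system.web/$name")
        if ($nodes.Count -ne 1) {
            $findings += "expected exactly one <$name> under <system.web>, found $($nodes.Count)"
        }
        $lower = $name.ToLower()
        if (($name -cne $lower) -and ($doc.SelectNodes("/configuration/system.web/$lower").Count -gt 0)) {
            $findings += "<$lower> found; ASP.NET element names are case-sensitive, use <$name>"
        }
    }

    # The provider names the article uses; they must also match the web application's
    # authentication provider settings from section 3
    $expected = @{ "membership" = "LdapMembershipProvider"; "roleManager" = "LdapRoleManager" }
    foreach ($section in $expected.Keys) {
        $provider = $expected[$section]
        $add = $doc.SelectSingleNode("/configuration/system.web/$section/providers/add[@name='$provider']")
        if ($add -eq $null) { $findings += "provider '$provider' missing from <$section>"; continue }

        # A nested <add> means the previous provider element was never closed with />
        if ($add.SelectSingleNode("add") -ne $null) {
            $findings += "<add name='$provider'> contains a nested <add>; close each provider with />"
        }
        foreach ($attr in @("server", "port", "userNameAttribute")) {
            if (-not $add.HasAttribute($attr)) {
                $findings += "provider '$provider' lacks attribute '$attr' (check spelling and casing)"
            }
        }
        # GetAttribute returns "" when the attribute is absent, so that case is flagged too
        if ($add.GetAttribute("useSSL") -ne "true") {
            $findings += "provider '$provider' does not set useSSL=`"true`": LDAP traffic, including credential validation, is unencrypted"
        }
    }

    # People picker must be allowed to wildcard-search both LDAP providers
    foreach ($key in $expected.Values) {
        $entry = $doc.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards/add[@key='$key']")
        if ($entry -eq $null) { $findings += "PeoplePickerWildcards has no entry for '$key'" }
    }
    return $findings
}

# Constructed sample mirroring the 4(b) fragment (assumed values), written to a temp
# file so the function can be exercised without a SharePoint farm.
$sample = @'
<configuration>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="LdapMembershipProvider" value="*" />
      <add key="LdapRoleManager" value="*" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="LdapMembershipProvider" server="server.domain.com" port="389" useSSL="false" userNameAttribute="cn" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c" cacheRolesInCookie="false">
      <providers>
        <add name="LdapRoleManager" server="server.domain.com" port="389" useSSL="false" userNameAttribute="cn" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
'@
$samplePath = Join-Path $env:TEMP "sample-web.config"
Set-Content -Path $samplePath -Value $sample
Test-SPLdapWebConfig -Path $samplePath | ForEach-Object { Write-Host "FINDING: $_" }
```

Against the constructed sample the only findings are the two useSSL warnings, which is the state the article's fragments leave you in; run the function against the Central Administration, web application and SecurityTokenServiceApplication web.config files in turn after editing each one.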

5.  Add users to SharePoint site

After completing all the above steps, we have to grant the users access to the SharePoint site.

Set the Web application level user policy:

  • Navigate to Central Administration > Application Management > Manage web applications
  • Select the target extranet web application and click “User Policy” in the ribbon

http://3.bp.blogspot.com/-eSU4UFQRNuo/Tu21B6-IjsI/AAAAAAAAA6I/jiJd5kFlm1c/s1600/ADLDS-SharePoint2010+%252837%2529.jpg

  • Click Add Users

http://2.bp.blogspot.com/-0E5H2rkdUhw/Tu21CjehL1I/AAAAAAAAA6M/gcb0uJkJbOY/s1600/ADLDS-SharePoint2010+%252838%2529.jpg

  • Click Next

http://1.bp.blogspot.com/-RWtV7ZjP_3U/Tu21DSjRFrI/AAAAAAAAA6U/NQcWwzlxgyg/s1600/ADLDS-SharePoint2010+%252839%2529.jpg

  • In the Add Users window, click the address book icon

http://1.bp.blogspot.com/-xjgnJwkSWxo/Tu21D4NQS_I/AAAAAAAAA6c/gPFPfm4g9w4/s1600/ADLDS-SharePoint2010+%252840%2529.jpg

  • Enter the user name and make sure the LDAP accounts are retrieved

http://4.bp.blogspot.com/-nqniN4b0NVQ/Tu21EDWXROI/AAAAAAAAA6k/YMVoKAbhKcU/s1600/ADLDS-SharePoint2010+%252841%2529.jpg

6. Unit Test: Verify that LDAP Authentication Works

Create a user in AD LDS, grant it access to a SharePoint site, open the site, and enter the LDAP user name and password.

http://2.bp.blogspot.com/-FHbNryXdXic/Tu21FAnwO2I/AAAAAAAAA6s/aBXYrCeZXsg/s1600/ADLDS-SharePoint2010+%252842%2529.jpg

Make sure you are successfully logged in to the SharePoint site.

http://4.bp.blogspot.com/-mqBhxc9Uu5U/Tu21F4gqymI/AAAAAAAAA60/MZNV6AC-QsE/s1600/ADLDS-SharePoint2010+%252843%2529.jpg

More info:

http://salaudeen.blogspot.com/2011/12/configuring-ad-lds-with-sharepoint-2010.html