Configure SharePoint Forms Based Authentication to use LDAP

By: Matt Takhar | Updated: 2010-08-10 | Comments | Related: > SharePoint Configuration

Problem

This article outlines how to configure SharePoint Forms Based Authentication (FBA) to use Lightweight Directory Access Protocol (LDAP), typically used on a SharePoint Extranet.

Solution

Prepare the Authentication Provider

First we need to configure the Authentication Provider to use Forms Based Authentication. This is done via SharePoint Central Administration.

Browse to SharePoint Central Administration
Select the Application Management tab
Under the Application Security section select Authentication Providers

Select the appropriate Web Application which you want to allow FBA for.

Click the appropriate Zone you would like to change, only Default is shown below.
Scroll down to the Authentication Type section and change the Authentication Type to Forms

Scroll down to Membership Provide Name and enter the name of your Membership provider, this must match the name in your web.config (see below).

Note the Enable Anonymous access check box. This is one of two settings you need to change to allow anonymous access to part of your site. You might want to do this to present a custom logon form. Read my tip on Enabling Anonymous Access to learn more.

Update SharePoint Central Admin web.config

Please note that updating the web.config incorrectly can damage your SharePoint installation. Extreme care should be taken, please do not edit the web.config if you are not familiar with web.config or XML structures.

Make a backup of the web.config file (always a best practice).
Locate your web.config file for the SharePoint Central Administration website. Normally located in C:\Inetpub\wwwroot\wss\VirtualDirectories
Take special care to select the right Virtual Directory, mine is named SharePointCA80 yours will be different
Locate the web.config file and open it with notepad
Scroll down to the configuration node, <configuration> find <connectionStrings>

<connectionStrings>
<add name="ADConnectionString" connectionString="<a 
href="ldap://???.local/CN=Users,DC=???,DC=local">
LDAP://???.local/CN=Users,DC=????,DC=local</a>" />
</connectionStrings>

Replace the ??? with your domain name
Scroll down to the system web <system.web> node and the following membership

<membership defaultProvider="ADMembershipProvider">
	<providers>
	<add name="ADMembershipProvider"
	type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,
	Version=2.0.0.0,
	Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" 
	connectionStringName="ADConnectionString"connectionUsername="xxx" 
	connectionPassword="yyy"enableSearchMethods="true"
	attributeMapUsername="sAMAccountName"/>
	</providers>
</membership>

Replace the connectionstring to the one matching your environment and replace "xxx" with domainname\username and "yyy" with password
Save and close the web.config for SharePoint Central Administration
Update the web.config of SharePoint Web application
Repeat steps 1 to 8 for the web.config of the SharePoint web application you configured the Authentication Provider for Forms Based Authentication above
Check the authentication in this web.config is set to the following.

<authentication mode="Forms">
	<forms loginUrl="/_layouts/login.aspx"></forms>
</authentication>

Note you can specify a custom login page here, shown as loginUrl="" above.

Common issues

The most common issue I get is using the wrong LDAP path in step 4 above. I strongly recommend you use an LDAP query tool to discover your path before setting up SharePoint.

Next Steps

Plan your approach to FBA authentication!
Investigate LDAP query tools, like Softerra LDAP Administrator, to make your life easier
Check back here for my next tip on "How to configure FBA to use SQL Authentication"
Read tip on Enabling Anonymous Access
Investigate the CKS FBA web parts on CodePlex.