Once the AD schema has been edited, you will need to set up a SharePoint Site with Intranet and Extranet Zones. Here is a quick how-to:
2.1. Create the Web Application for the Extranet Zone
- On your SharePoint server, open up SharePoint Central Administration
- Click on the Application Management tab
- Click Create or Extend Web Application
- Click Create a new Web application
- Fill out the fields as appropriate for your web application and click OK
- After the operation completes, open up a command prompt and run the iisreset /noforce command
- On the Application Created page, click on the Create Site Collection link
- Fill out the fields as appropriate for your site collection and click OK
- After the operation completes, on the Application Management tab, click Authentication providers
- Make sure your newly-created web application is selected and click on the Default zone
- Select Forms as the Authentication Type
- Check the Enable anonymous access checkbox
- Type in the name of your membership provider (e.g. PortalMembershipProvider) in the Membership provider name textbox
- Type in the name of your role manager (e.g. PortalRoleManager) in the Role manager name textbox
- Select No for Enable Client Integration
- Click Save
2.2. Extend the Web Application to the Intranet Zone
- On your SharePoint server, open up SharePoint Central Administration
- Click on the Application Management tab
- Click Create or Extend Web Application
- Click Extend an existing web application
- Select your newly-created web application in the Web Application dropdown
- Fill out the fields as appropriate for your web application
- Select Intranet from the Zone dropdown
- Click OK
- Click on Authentication providers
- Click Intranet zone
- Make sure the Authentication Type is set to Windows
- Make sure Enable anonymous access is unchecked
- Click Save
Step 3 - Create Roles with AzMan
Windows Authorization Manager (AzMan) is a Windows tool for defining application roles and mapping them to Windows users and AD groups defined in your AD store. This article explains in detail how to create roles with AzMan. I recommend configuring an AzMan policy store in an XML file for quick development. For test, staging and production environments, I recommend configuring the AzMan policy store in AD.
Step 4 - Edit SharePoint Web.config Files
You will need to modify the following three web.config files:
- Extranet web.config
- Intranet web.config
- SharePoint Central Administration web.config
Each web.config file needs to have different modifications made to it, depending on what each web application needs to be configured for.
4.1 Extranet web.config
The extranet web.config needs four modifications made to it: changes must be made to the <connectionStrings>, <membership>, <roleManager>, and <authentication> sections.
4.1.1 Connection Strings
In order to connect to the AD store for authentication and the AzMan-provided XML file for role definitions, the <connectionStrings> section of the extranet web.config must be modified to include connection string values that point to those resources. The connection string for the AD connection should be an LDAP string to your domain, and the AzMan connection string should be in the format "msxml://<path>".
The <connectionStrings> section is a child of the root <configuration> section.
<connectionStrings>
  <add name="PortalAdConnection" connectionString="LDAP://portal.test.com" />
  <add name="AzManConnection" connectionString="msxml://c:/Roles/AzManRoles.xml" />
</connectionStrings>
4.1.2 Membership Provider
The <membership> section needs to have a membership provider added to it that specifies that AD will be used as the membership store for the SharePoint portal site.
The <membership> section is under <configuration>/<system.web>
<membership defaultProvider="PortalMembershipProvider">
  <providers>
    <add name="PortalMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="PortalAdConnection" connectionUsername="UserWithAppropriateRights" connectionPassword="PasswordForUser" connectionProtection="Secure"
         enablePasswordReset="true" enableSearchMethods="true" requiresQuestionAndAnswer="true" requiresUniqueEmail="true" applicationName="/" description="Default AD connection"
         clientSearchTimeout="30" serverSearchTimeout="30" maxInvalidPasswordAttempts="20" passwordAttemptWindow="20" passwordAnswerAttemptLockoutDuration="30"
         attributeMapUsername="userPrincipalName" attributeMapEmail="mail" attributeMapPasswordQuestion="department" attributeMapPasswordAnswer="division"
         attributeMapFailedPasswordAnswerCount="singleIntAttribute" attributeMapFailedPasswordAnswerTime="singleLargeIntAttribute" attributeMapFailedPasswordAnswerLockoutTime="singleLargeIntAttribute" />
  </providers>
</membership>
4.1.3 Login URL
The <forms> section needs to have a login URL specified. This lets the SharePoint web application know which web form will be used to authenticate the user. When authenticated users attempt to access a resource they are not authorized for, they will be redirected to the specified login page and asked to sign in as a different user.
The <forms> section is under <configuration>/<system.web>/<authentication>
<authentication mode="Forms">
  <forms loginUrl="/_layouts/Portal/login.aspx" />
</authentication>
4.2 Intranet web.config
The Intranet web.config needs two modifications made to it: changes need to be made to the <connectionStrings> and <roleManager> sections.
4.2.1 Connection Strings
In order to connect to the AzMan-provided XML file for role definitions, the <connectionStrings> section of the intranet web.config must be modified to include a connection string value that points to that resource. The connection string for the AzMan XML file should be in the format "msxml://<path>".
The <connectionStrings> section is a child of the root <configuration> section.
<connectionStrings>
  <add name="AzManConnection" connectionString="msxml://c:/Roles/AzManRoles.xml" />
</connectionStrings>
4.2.2 Role Provider
The <roleManager> section needs to have a role provider added to it that specifies that the AzMan-created XML file will supply roles to the SharePoint web application. The provider's connectionStringName must match the name given in the <connectionStrings> section (AzManConnection above).
The <roleManager> section is under <configuration>/<system.web>
<roleManager enabled="true" defaultProvider="PortalRoleProvider" cacheRolesInCookie="true" cookieProtection="All" cookieTimeout="10" cookieName=".PortalRole">
  <providers>
    <clear />
    <add name="PortalRoleProvider" connectionStringName="AzManConnection" applicationName="AzManPortal"
         type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
4.3 SharePoint Central Administration web.config
The SharePoint Central Administration web.config only needs a modification to the <roleManager> section.
4.3.1 Role Provider
The <roleManager> section needs to be enabled and have its default provider set to the ASP.NET Windows token provider.
The <roleManager> section is under <configuration>/<system.web>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenProvider" />
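The three web.config edits in sections 4.1 to 4.3 fail silently when they disagree with each other (a provider naming a connection string that does not exist, a Forms zone without a loginUrl, a role manager left disabled), and the symptom is usually the "can authenticate but is not authorized" behaviour described in Step 5. The following consistency check is an added example and is not code from the original post or from SharePoint; the two web.config samples inside it are constructed, trimmed versions of the snippets above, and the function name check_web_config is my own. The extranet sample deliberately references a connection string named "AzMan" while defining "AzManConnection", so the check reports that mismatch, and it also flags the cleartext connectionPassword on the membership provider.

```python
"""Consistency check for the Step 4 web.config edits (added example, not from the original post)."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed extranet web.config carrying the Step 4.1 edits.
# It keeps connectionStringName="AzMan" on the role provider on purpose, which
# does not match the "AzManConnection" entry in <connectionStrings>.
EXTRANET_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="PortalAdConnection" connectionString="LDAP://portal.test.com" />
    <add name="AzManConnection" connectionString="msxml://c:/Roles/AzManRoles.xml" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/Portal/login.aspx" />
    </authentication>
    <membership defaultProvider="PortalMembershipProvider">
      <providers>
        <add name="PortalMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="PortalAdConnection" connectionUsername="UserWithAppropriateRights"
             connectionPassword="PasswordForUser" connectionProtection="Secure" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="PortalRoleProvider">
      <providers>
        <clear />
        <add name="PortalRoleProvider" connectionStringName="AzMan" applicationName="AzManPortal"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

# Constructed sample: the Central Administration web.config after the Step 4.3 edit.
CENTRAL_ADMIN_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenProvider" />
  </system.web>
</configuration>
"""


def check_web_config(xml_text, expect_forms):
    """Return a list of findings; an empty list means the file is consistent with Step 4."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {a.get("name") for a in root.findall("./connectionStrings/add")}
    # Locate <system.web> by iterating children (the tag contains a dot).
    sysweb = next((c for c in root if c.tag == "system.web"), None)
    if sysweb is None:
        return ["no <system.web> section"]

    for section in ("membership", "roleManager"):
        sec = sysweb.find(section)
        if sec is None:
            continue
        providers = sec.findall("./providers/add")
        local = {p.get("name") for p in providers}
        default = sec.get("defaultProvider")
        # After <clear /> nothing inherited from machine.config survives, so the
        # default provider must be declared locally; without <clear /> an inherited
        # provider such as AspNetWindowsTokenProvider is acceptable.
        cleared = sec.find("./providers/clear") is not None
        if default and cleared and default not in local:
            findings.append(f"{section} default provider '{default}' is not declared after <clear />")
        for p in providers:
            ref = p.get("connectionStringName")
            if ref and ref not in defined:
                findings.append(f"{section} provider '{p.get('name')}' references undefined connection string '{ref}'")
            if p.get("connectionPassword"):
                findings.append(f"{section} provider '{p.get('name')}' stores connectionPassword in cleartext")

    auth = sysweb.find("authentication")
    mode = auth.get("mode") if auth is not None else None
    if expect_forms:
        forms = auth.find("forms") if auth is not None else None
        if mode != "Forms":
            findings.append(f"authentication mode is '{mode}', expected Forms")
        if forms is None or not forms.get("loginUrl"):
            findings.append("forms loginUrl is not set")
    elif mode != "Windows":
        findings.append(f"authentication mode is '{mode}', expected Windows")

    rm = sysweb.find("roleManager")
    if rm is None or rm.get("enabled", "false").lower() != "true":
        findings.append("roleManager is not enabled")
    return findings


if __name__ == "__main__":
    for label, text, forms in (("extranet", EXTRANET_WEB_CONFIG, True),
                               ("central admin", CENTRAL_ADMIN_WEB_CONFIG, False)):
        print(label, check_web_config(text, forms) or ["ok"])
```

Run against the samples, the extranet config yields the undefined "AzMan" reference and the cleartext password finding, and the Central Administration config passes. The password finding is worth acting on: the membership section can be encrypted in place with aspnet_regiis -pe "system.web/membership" -app "/" so the AD service account password does not sit in cleartext on disk. Two further checks this script cannot make but that matter in practice: the membership and role manager names entered on the Central Administration authentication provider page must match the provider names in web.config, and the path in the msxml:// connection string must be readable by the application pool identity.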
Step 5 - Map AzMan Roles to SharePoint Site Groups
Without performing this mapping, you may notice that users can authenticate against the AD store, but will not be authorized to view any restricted SharePoint content not configured for anonymous access. The reason for this is that the SharePoint web application can confirm the username/password combination against AD, but it cannot know the role(s) of the user without them being somehow mapped to security groups within SharePoint.
5.5 Mapping Application Roles to Site Groups
- As an administrator of the SharePoint portal site, open up the Intranet home page
- Click on Site Actions -> Site Settings
- Click on People and groups
- Click on one of your SharePoint site groups, e.g. Site Members
- Click New
- In the Users/Groups multi-line textbox, you should be able to add the roles that you defined with AzMan and successfully perform a check name operation against them.
You have finished all the steps necessary to create a login/registration system. Now, using Microsoft Visual Studio, you can create login, registration, password recovery and similar pages by following this article.
Summary
In this post, I outlined the key steps to create a login/registration system using FBA against AD in SharePoint Server 2007. I did not necessarily go through detailed steps, and referred to other articles instead for further details. Creating a login/registration system in SharePoint Server 2007 is not a trivial task, but it is certainly possible. Once it is implemented, SharePoint Server 2007 can act as a great platform for an internet-facing web site or an extranet, supporting all the functionality required for a login and registration process.
Other useful links: