Forms Based Authentication with Active Directory issue
- I have set up the connection correctly, at least I think it is correct. Here is what is happening: when I go to the external website and log in I get redirected to a blank page. If I try to go to the home page by typing the URL (https://testexternalsite.com/pages/default.aspx) I get the SharePoint access denied page, and I am even a full control user in the site collection. I was even set as a site collection administrator and still get the same results.
Here are the edits I added to the web.config files of Central Admin and the two web apps:
<connectionStrings>
<add name="ADConnString" connectionString="LDAP://domain.com/OU=System Accounts,DC=domain,DC=com" name="ADServices" />
</connectionStrings>
<membership defaultProvider="ADProvider">
<providers>
<add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionUsername="domain\admin" connectionPassword="password" attributeMapUsername="SAMAccountName" />
</providers>
</membership>
<httpModules>
Answers
- Here are my suggestions.
This is incorrect with two names; it should be like this:
<connectionStrings>
<clear/>
<add name="ADConnString"
connectionString="LDAP://domain.com/OU=System Accounts,DC=domain,DC=com" />
</connectionStrings>
It seems you are missing this:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Add a clear on existing providers, and your credentials go in the roleManager, not the membership provider.
You may also need to use
"System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.50727.3082, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
as the type setting in the membership provider.
<membership defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider"
connectionStringName="ADConnString"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
applicationName="web:80" />
</providers>
</membership>
<roleManager defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider"
connectionStringName="ADConnString"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
applicationName="web:80"
connectionUsername="domain\admin"
connectionPassword="password"
attributeMapUsername="SAMAccountName" />
</providers>
</roleManager>
Marked As Answer by DannyH Thursday, November 12, 2009 5:56 PM
All Replies
- Anyone? Come on, someone has to have set up an external site using FBA with AD. Someone, anyone?
- Gunner,
The second name in the connection string was corrected.
I added the entries into the authorization node.
I added the following roleManager node to all web.config files:
<add name="AspNetWindowsTokenRoleProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
When I added the credentials to the role manager it came back with an "attribute not recognized" error.
And when I changed the type attribute to what you suggested I got this:
Provider must implement the class 'System.Web.Security.RoleProvider'.
So I'm still exactly where I started; any other suggestions?
- I think your name doesn't match any more:
<add name="AspNetWindowsTokenRoleProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
should be
<add name="ADProvider" applicationName="web:80" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
Otherwise post your code again.
- Ok, I made some changes and now a different result; it does not accept my login account even though I am a site collection admin.
Also, when navigating to the home page on the external site it displays a blank screen instead of the login screen. You have to put in https://url.com/pages/default.aspx to get to the login screen.
Here is my config code; this is added to the CA, internal web app, and external web app:
<connectionStrings>
<clear />
<add name="ADConnString" connectionString="LDAP://dc.com/OU=System Accounts,OU=Sites,DC=dc,DC=com" />
</connectionStrings>
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
<membership defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider" connectionStringName="ADConnString" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="web:80" connectionUsername="user" connectionPassword="password" attributeMapUsername="sAMAccountName" />
</providers>
</roleManager>
- Just noticed the type in the roleManager; I changed it to what you said, the WindowsTokenRoleProvider, but that didn't make a difference.
This is now registering in the event log of the WFE:
Event code: 4006
Event message: Membership credential verification failed.
Event time: 11/6/2009 5:05:34 PM
Event time (UTC): 11/6/2009 11:05:34 PM
Event ID: 3fc60e75116f4e9a9192bc73c4d539a8
Event sequence: 12
Event occurrence: 3
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/931017649/Root-9-129020221563835120
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path: C:\Inetpub\wwwroot\wss\VirtualDirectories\web.com443\
Machine name: MOSS-WFE
Process information:
Process ID: 5044
Process name: w3wp.exe
Account name: domain\app_pool_acct
Request information:
Request URL: https://web.com:443/_layouts/login.aspx?ReturnUrl=Membership credential verification failed.fPagesMembership credential verification failed.fdefault.aspx
Request path: /_layouts/login.aspx
User host address: xxx.xxx.xxx.xxx
User:
Is authenticated: False
Authentication Type:
Thread account name: domain\IUSR_MOSS-WFE
Name to authenticate: testUser
- Ok, I made some changes and now a different result; it does not accept my login account even though I am a site collection admin.
This may be due to how you are supplying your name. Since you specify attributeMapUsername="sAMAccountName" you should enter domain\username. If you remove this setting you need to use username@domain.com.
I would try these first.
WindowsTokenRoleProvider was copied from the code you pasted in the previous post... I missed that.
Both the roleManager and the membership need to use System.Web.Security.ActiveDirectoryMembershipProvider.
Not sure what the new error is regarding.
- So I got everything right, I believe, but when I go to add a user to the policy for the web app it is not finding any of the users in the people picker.
I did add <add key="ADProvider" value="%" /> to people picker node.
Am I missing something else? In the LDAP connection string does the last entry need to be a container, or is using an OU fine?
I have: OU=System Accounts,OU=Sites,DC=dc,DC=com
Should it be: CN=System Accounts,OU=Sites,DC=dc,DC=com?
- Yes, sorry I missed that. Probably Sites as well.
CN=System Accounts,CN=Sites,DC=dc,DC=com
Actually the best test is using only the domain DC portions like so.
DC=dc,DC=com
This will include all user accounts in the domain; once you know this works, you can trim it down to a specific OU as shown above. You can use ADSI Edit to attach to the domain and get the correct format from that utility as well.
- Trimming it down to just the DC portion still doesn't work. This is soooo annoying.
- One more time, here is my web.config file; it's the same throughout all web apps. Does it look right?
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
<PeoplePickerWildcards>
<clear />
<add key="ADProvider" value="%" />
<add key="AspNetSqlMembershipProvider" value="%" />
</PeoplePickerWildcards>
<connectionStrings>
<clear />
<add name="ADConnString" connectionString="LDAP://domaincontroller.domain.com/DC=domain,DC=com" />
</connectionStrings>
<membership defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager defaultProvider="ADProvider">
<providers>
<clear />
<add name="ADProvider" connectionStringName="ADConnString" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="web:80" connectionUsername="domain\admin" connectionPassword="password" attributeMapUsername="sAMAccountName" />
</providers>
</roleManager>
- Here is my code; it wasn't written for SharePoint, but it should work.
Mine is ordered a little differently than yours... but I don't notice anything major.
A small version difference on the membership provider... Version=2.0.50727.3082
A few of my items are ordered differently.
<connectionStrings>
<clear/>
<add name="DirectoryService" connectionString="LDAP://domain.net/DC=domain,DC=net" />
</connectionStrings>
<authentication mode="Forms">
<forms name=".TestForm" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<membership defaultProvider="ADMembershipProvider">
<providers>
<clear />
<add name="ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.50727.3082, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="DirectoryService"
applicationName="SampleAuthorization" />
</providers>
</membership>
<roleManager defaultProvider="ADMembershipProvider">
<providers>
<clear />
<add name="ADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="DirectoryService"
connectionUsername="domain\user"
connectionPassword="password"
applicationName="SampleAuthorization"
/>
</providers>
</roleManager>
- Ok, I finally got it working and I think it was working all along. I just didn't realize that you can't do a people picker search with just a few letters of the person you are looking for; you have to put in the whole name. So the code in my previous post does work.
Thanks for the help, Gunner.
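Added example, not code from the thread, from Microsoft, or from either poster: a small Python lint for the kind of web.config fragments posted above. It checks the points the replies went back and forth on. The duplicate name attribute in the first post is rejected by any XML parser, so ASP.NET cannot load a file written that way. ASP.NET's URL authorization evaluates the rules in document order and the first matching rule wins, so the later configs with <allow users="*" /> ahead of <deny users="?" /> still let anonymous requests through; Gunner's version, deny first, is the one that actually requires a login. A <providers> list without a leading <clear /> inherits the machine.config providers. System.Web.Security.ActiveDirectoryMembershipProvider derives from MembershipProvider, not RoleProvider, which is what the "Provider must implement the class 'System.Web.Security.RoleProvider'" error in the thread reports; the roleManager section is only instantiated when it carries enabled="true", which none of the posted configs set. Finally, connectionPassword in clear text is flagged. The two sample fragments are constructed from the thread's posts with the same placeholder domain and password values; the list of RoleProvider types is the built-in .NET Framework 2.0 set and would need extending for a custom provider.

```python
"""Lint for the FBA web.config fragments discussed in the thread (added example)."""
import xml.etree.ElementTree as ET

# Built-in .NET Framework 2.0 types that derive from System.Web.Security.RoleProvider.
# Anything else listed under <roleManager><providers> is reported; extend this set
# for a custom RoleProvider subclass.
ROLE_PROVIDER_TYPES = {
    "System.Web.Security.SqlRoleProvider",
    "System.Web.Security.WindowsTokenRoleProvider",
    "System.Web.Security.AuthorizationStoreRoleProvider",
}


def anonymous_allowed(rules):
    """rules: list of (action, users) in document order, e.g. [("deny", "?"), ("allow", "*")].
    Mirrors ASP.NET URL authorization for an anonymous request: rules are tried in
    order, '?' (anonymous) and '*' (everyone) match, any named account does not, and
    the first match decides. No match falls through to the root web.config's
    <allow users="*" />, i.e. allowed."""
    for action, users in rules:
        names = {u.strip() for u in (users or "").split(",")}
        if names & {"?", "*"}:
            return action == "allow"
    return True


def lint_webconfig(fragment):
    """Return a list of finding strings for a web.config fragment. Several top-level
    elements are fine; they are wrapped in a dummy <configuration> root before parsing."""
    findings = []
    try:
        root = ET.fromstring("<configuration>" + fragment + "</configuration>")
    except ET.ParseError as exc:
        # e.g. "duplicate attribute: line 3, column 86" for the first post's <add>
        return [f"not well-formed XML ({exc}); ASP.NET cannot load this config"]

    auth = root.find(".//authorization")
    if auth is not None:
        rules = [(c.tag, c.get("users")) for c in auth if c.tag in ("allow", "deny")]
        if anonymous_allowed(rules):
            findings.append('authorization: anonymous users are allowed '
                            '(put <deny users="?" /> before <allow users="*" />)')

    for section in ("membership", "roleManager"):
        providers = root.find(f".//{section}/providers")
        if providers is None:
            continue
        if len(providers) == 0 or providers[0].tag != "clear":
            findings.append(f"{section}: <providers> lacks a leading <clear />, "
                            "machine.config providers are inherited")
        for add in providers.findall("add"):
            type_name = (add.get("type") or "").split(",")[0].strip()
            if section == "roleManager" and type_name not in ROLE_PROVIDER_TYPES:
                findings.append(f"roleManager: {type_name} does not derive from RoleProvider")
            if add.get("connectionPassword"):
                findings.append(f"{section}/{add.get('name')}: connectionPassword "
                                "stored in clear text")

    rm = root.find(".//roleManager")
    if rm is not None and rm.get("enabled", "false").lower() != "true":
        findings.append("roleManager: enabled attribute is not true, "
                        "its providers are never instantiated")
    return findings


# Constructed from the thread's first post: two name="" attributes on one <add>.
BROKEN_CONNSTRING = r"""
<connectionStrings>
  <add name="ADConnString" connectionString="LDAP://domain.com/DC=domain,DC=com" name="ADServices" />
</connectionStrings>
"""

# Constructed from the last config the asker posted (allow before deny, AD membership
# provider under roleManager, clear-text password, roleManager never enabled).
FINAL_CONFIG = r"""
<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>
<connectionStrings>
  <clear />
  <add name="ADConnString" connectionString="LDAP://domaincontroller.domain.com/DC=domain,DC=com" />
</connectionStrings>
<membership defaultProvider="ADProvider">
  <providers>
    <clear />
    <add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<roleManager defaultProvider="ADProvider">
  <providers>
    <clear />
    <add name="ADProvider" connectionStringName="ADConnString" applicationName="web:80"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionUsername="domain\admin" connectionPassword="password" attributeMapUsername="sAMAccountName" />
  </providers>
</roleManager>
"""

if __name__ == "__main__":
    for label, text in (("first post", BROKEN_CONNSTRING), ("final config", FINAL_CONFIG)):
        print(label)
        for finding in lint_webconfig(text):
            print("  -", finding)
```

The clear-text password finding is the one to act on even once login works: the service account used for the LDAP bind sits readable in every web.config copy on the farm, so either protect the section with the framework's own tool (aspnet_regiis.exe -pe "connectionStrings" or -pe "system.web/roleManager" against the application) or give the bind a least-privilege read-only account rather than domain\admin.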


