
MOSS with External AD (FBA using ADAM)



This presentation walks through a scenario where the business requirement is to authenticate users of a live MOSS (Microsoft Office SharePoint Server 2007) site against an external, separate directory: an ADAM (Active Directory in Application Mode) instance, using forms-based authentication (FBA). Some areas could use more detail.


  1. MOSS WITH EXTERNAL AD – FBA using ADAM
     July 10, 2009
     Saurabh Dhall, Technical Architect – Microsoft Technologies
  3. FBA USING ADAM – PRE-REQUISITES
     The prerequisites for configuring FBA using ADAM:
     • AD setup.
     • Download Active Directory in Application Mode (ADAM).
     • Create the LDAP data store with ADAM and name the server 'ADAMServer'.
     • Run ADAM on port 50000 (the port every later step connects to).
     • Name the application partition 'Adam-Forest' (distinguished name CN=Adam-Forest,DC=forest,DC=com).
     • The MOSS server is assumed to be named 'SharePoint-Server' throughout.
  4. CONFIGURATION: FBA USING ADAM – STEP 1
     • The first thing to do is grant the account SharePoint runs as (the application pool account) access to the ADAM store. The MOSS LDAP providers carry no bind credentials of their own: user and group searches run as the application pool identity, so in ADAM that account is added to the partition's Readers role (CN=Readers,CN=Roles,<partition>) with ADSI Edit's "Add Windows Account".
     • Open ADAM ADSI Edit on the server running ADAM and connect to:
       • Server name: localhost
       • Port: 50000
       • Distinguished Name: CN=Adam-Forest,DC=forest,DC=com
     • Create a new container "Users": right-click the partition node in the tree view, select "New" and then "Object" from the context menu.
       • Select Container
       • Container name: Users
  5. CONFIGURATION: FBA USING ADAM – STEP 2
     • Create three users, 'AdamUser1', 'AdamUser2' and 'AdamUser3' (name them whatever you like), repeating the following steps for each user:
       • Right-click "CN=Users", click New, Object, select user and click Next
       • Value: AdamUser1
       • Click Next, Finish
       • Right-click "CN=AdamUser1" and click Reset Password
       • Enter the password and click OK
       • Double-click "CN=AdamUser1"
       • Edit msDS-UserAccountDisabled, set the value to False and click OK
       • NOTE: a newly created ADAM account is disabled by default; until this flag is cleared the user cannot bind, so FBA logins for it will fail.
  6. CONFIGURATION: FBA USING ADAM – STEP 3
     • Create a group in ADAM for testing. Create a new group called 'AdamGroup1' as follows:
       • Right-click "CN=Users", click New, Object
       • Select group and click Next
       • Value: AdamGroup1
       • Click Next
       • Set the groupType value: -2147483646 (0x80000002, a global security-enabled group; the role provider only resolves security groups)
       • Click Next, Finish
     • Add AdamUser1, AdamUser2 and AdamUser3 to the member attribute of AdamGroup1:
       • Double-click "CN=AdamGroup1"
       • Edit the member attribute by clicking Add ADAM Account and entering the distinguished name of the user, which must sit under the partition connected to in step 1:
         CN=AdamUser1,CN=Users,CN=Adam-Forest,DC=forest,DC=com
       • (Repeat for AdamUser2 and AdamUser3)
       • Click OK, OK to exit.
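The three ADSI Edit steps above, done non-interactively. This is an added example, not code from the deck: it creates the Users container, the three test users and the test group through ADSI from PowerShell on the ADAM server. The port, the partition DN and the object names are the ones the deck uses; the passwords are placeholders for a test instance, and the script assumes it runs as a member of the partition's Administrators role (the account that created the instance).

```powershell
# Added example (not from the slides): steps 1-3 of the deck via ADSI.
# Port, partition and names follow the deck; passwords are placeholders.
$port      = 50000
$partition = 'CN=Adam-Forest,DC=forest,DC=com'
$base      = "LDAP://localhost:$port"

function Test-AdsiPath([string]$Path) {
    [System.DirectoryServices.DirectoryEntry]::Exists($Path)
}

# Step 1: the Users container (an ADAM partition does not get one automatically).
$usersPath = "$base/CN=Users,$partition"
if (-not (Test-AdsiPath $usersPath)) {
    $part  = [ADSI]"$base/$partition"
    $users = $part.Create('container', 'CN=Users')
    $users.SetInfo()
}
$users = [ADSI]$usersPath

# Step 2: users. ADAM creates them disabled (msDS-UserAccountDisabled = TRUE),
# so each one is enabled explicitly after its password has been set.
$people = @{
    'AdamUser1' = 'Test-Pass-1!'
    'AdamUser2' = 'Test-Pass-2!'
    'AdamUser3' = 'Test-Pass-3!'
}
foreach ($cn in $people.Keys) {
    $userPath = "$base/CN=$cn,CN=Users,$partition"
    if (Test-AdsiPath $userPath) { continue }
    $u = $users.Create('user', "CN=$cn")
    $u.SetInfo()
    # Same IADsUser::SetPassword path as ADSI Edit's Reset Password. If ADAM
    # rejects it, it is enforcing its default rule that password operations
    # need an encrypted connection: use the SSL port rather than relaxing the
    # policy with dsmgmt.
    $u.Invoke('SetPassword', $people[$cn])
    $u.Put('msDS-UserAccountDisabled', $false)
    $u.SetInfo()
}

# Step 3: the group. -2147483646 is 0x80000002 (global + security-enabled),
# the value the deck types into groupType.
$groupPath = "$base/CN=AdamGroup1,CN=Users,$partition"
if (-not (Test-AdsiPath $groupPath)) {
    $g = $users.Create('group', 'CN=AdamGroup1')
    $g.Put('groupType', -2147483646)
    $g.SetInfo()
}
$g = [ADSI]$groupPath
foreach ($cn in $people.Keys) {
    $memberPath = "$base/CN=$cn,CN=Users,$partition"
    if (-not $g.IsMember($memberPath)) { $g.Add($memberPath) }
}

# Verification: list the members exactly as the LDAP role provider will read them.
$g.RefreshCache()
$g.member | ForEach-Object { Write-Host "AdamGroup1 member: $_" }
```

The script is idempotent: re-running it skips objects that already exist, so it can be used to repair a half-finished ADSI Edit session. It does not add the application pool account to the Readers role; that remains a one-time ADSI Edit step because it requires the Windows account's SID rather than an ADAM DN.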
  7. CONFIGURATION: FBA USING ADAM – STEP 4
     • ADAM is now set up with the users and group, so SharePoint has to be configured next. To register the provider, the Central Admin web.config must be modified so that SharePoint is aware of the ADAM provider.
     • Edit the web.config for Central Admin, add the membership and role-provider configuration immediately after the <system.web> tag, and save the changes.
     The first configuration section defines the ADAM membership provider and tells SharePoint how to connect to it. The second entry tells the ASP.NET role manager that ADAM exists as a role provider store; notice, though, that its defaultProvider entry still points at 'AspNetWindowsTokenRoleProvider'. That is because Central Admin must keep authenticating administrators through Windows: ADAM is only being included here, not made the primary provider.
  8. CONFIGURATION: FBA USING ADAM – STEP 5
     • Now configure the newly 'installed' provider for the web application.
     • For the next steps, assume the web application http://SharePoint-Server has been extended to http://SharePoint-Server:8888 with the zone set to 'Extranet'.
     • Edit the web.config for the http://SharePoint-Server:8888 extranet site, add the same provider configuration after the <system.web> tag, and save the file.
     NOTE: in the extranet configuration the default role provider is set to the LDAP store, since that is the default store for external users; the default membership provider is likewise the ADAM provider. Only the extranet zone uses forms authentication, so the original default zone keeps Windows authentication for internal users.
  9. CONFIGURATION: FBA USING ADAM – STEP 6
     • One last thing makes this really useful: set a wildcard for the people picker so ADAM users and groups can be found without typing an exact match. Add the wildcard entry below to the web.config files:
       <PeoplePickerWildcards>
         <clear />
         <add key="ADAMMembership" value="*" />
       </PeoplePickerWildcards>
       The key must match the membership provider name exactly; <clear /> also removes the default wildcard entry, so add it back if other providers rely on it.
     • Completing the setup in SharePoint. In Central Admin > Application Management tab > Authentication Providers:
       • Click Extranet and choose:
         • Authentication Type: Forms
         • Membership provider name: ADAMMembership
         • Role manager name: LdapRole
       • Click Save
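Steps 4 to 6 as one script. This is an added example, not code from the deck: it patches a MOSS web.config with the ADAM membership and role providers and the people-picker wildcard, switching the default providers according to the zone, which is the point the deck makes about Central Admin versus the extranet zone. The server name 'ADAMServer', port 50000 and partition DN are the deck's assumptions; the provider attribute set and the Microsoft.Office.Server v12 assembly reference are those of the MOSS 2007 LDAP providers. The web.config path is an assumed example.

```powershell
# Added example (not from the slides): register the ADAM providers in a MOSS
# web.config. -Zone CentralAdmin keeps Windows roles as the default and only
# registers ADAM; -Zone Extranet makes ADAM the default for both providers.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath,   # e.g. C:\Inetpub\wwwroot\wss\VirtualDirectories\8888\web.config
    [ValidateSet('CentralAdmin', 'Extranet')]
    [string]$Zone = 'Extranet'
)

$server    = 'ADAMServer'
$port      = 50000
$partition = 'CN=Adam-Forest,DC=forest,DC=com'
$container = "CN=Users,$partition"
$asm       = 'Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'

$membershipDefault = if ($Zone -eq 'Extranet') { ' defaultProvider="ADAMMembership"' } else { '' }
$roleDefault       = if ($Zone -eq 'Extranet') { 'LdapRole' } else { 'AspNetWindowsTokenRoleProvider' }

# useSSL="false" matches the deck, but the provider validates a login with an
# LDAP simple bind, so every user's password crosses to ADAM in cleartext.
# For anything beyond a lab, enable SSL on ADAM and set useSSL="true" with the SSL port.
$fragment = @"
<root>
  <membership$membershipDefault>
    <providers>
      <add name="ADAMMembership"
           type="Microsoft.Office.Server.Security.LDAPMembershipProvider, $asm"
           server="$server" port="$port" useSSL="false"
           userDNAttribute="distinguishedName" userNameAttribute="cn"
           userContainer="$container" userObjectClass="user"
           userFilter="(ObjectClass=*)" scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="$roleDefault">
    <providers>
      <add name="LdapRole"
           type="Microsoft.Office.Server.Security.LDAPRoleProvider, $asm"
           server="$server" port="$port" useSSL="false"
           groupContainer="$container" groupNameAttribute="cn"
           groupMemberAttribute="member" userNameAttribute="cn"
           dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)"
           scope="Subtree" />
    </providers>
  </roleManager>
</root>
"@

Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($WebConfigPath)
$new = New-Object System.Xml.XmlDocument
$new.LoadXml($fragment)

# Steps 4/5: the deck says "after the <system.web> tag"; position inside
# system.web does not matter to ASP.NET, so the sections are appended.
$sysWeb = $cfg.SelectSingleNode('/configuration/system.web')
foreach ($name in 'membership', 'roleManager') {
    $old = $sysWeb.SelectSingleNode($name)          # replace rather than duplicate
    if ($old) { [void]$sysWeb.RemoveChild($old) }
    $src = $new.SelectSingleNode("/root/$name")
    [void]$sysWeb.AppendChild($cfg.ImportNode($src, $true))
}

# Step 6: people-picker wildcard keyed on the provider name. The existing
# default entry is kept instead of using <clear />.
$sp   = $cfg.SelectSingleNode('/configuration/SharePoint')
$wild = $sp.SelectSingleNode('PeoplePickerWildcards')
if (-not $wild) { $wild = $sp.AppendChild($cfg.CreateElement('PeoplePickerWildcards')) }
if (-not $wild.SelectSingleNode('add[@key="ADAMMembership"]')) {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('key', 'ADAMMembership')
    $add.SetAttribute('value', '*')
    [void]$wild.AppendChild($add)
}

$cfg.Save($WebConfigPath)
Write-Host "Updated $WebConfigPath for zone $Zone (backup at $WebConfigPath.bak)"
```

Run it once against the Central Admin web.config with -Zone CentralAdmin and once against the extranet site's web.config with -Zone Extranet; the provider names written here (ADAMMembership, LdapRole) are the ones selected on the Authentication Providers page. Saving web.config recycles the application pool, so schedule it accordingly.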
  10. CONFIGURATION: FBA USING ADAM – STEP 7
     In Central Admin > Application Management tab > Policy for Web Application:
     • Click Add Users
     • Web Application: http://SharePoint-Server/
     • Zones: Extranet
     • Click Next
     • Choose Users, click the address book icon, type AdamUser1 in the 'Find' field and click the magnifying glass icon
     • Double-click AdamUser1
     • In the Find field, type AdamGroup1 and click the magnifying glass icon
     • Double-click AdamGroup1 and click OK
     • Choose Permissions: tick Full Control and click Finish
     NOTE: Full Control has now been granted explicitly to the LDAP user AdamUser1 and the LDAP group AdamGroup1. Test it by logging in as AdamUser1, then closing IE and logging in as AdamUser3 (who gets access through the group). A web application policy applies to every site collection in the zone and overrides site-level permissions, so Full Control for an external directory group is a test setting only; for production, grant ADAM users and groups ordinary site permissions instead.
  11. WEB LINK
     • How To: Use Forms Authentication with Active Directory in ASP.NET 2.0