WSS 3.0/MOSS 2007 Active Directory Forms Based Authentication PeoplePicker no users found

Posted by John Haigh on Geeks with Blogs
Published on Sun, 18 Apr 2010 19:21:10 GMT Indexed on 2010/04/19 1:33 UTC


After finding these steps online at http://dattard.blogspot.com/2008/11/active-directory-forms-based.html for setting up Active Directory Forms Based Authentication, I was all set to complete the task, except for one problem: the steps omit one vital step without which FBA will not work with Active Directory.

This is a supplement to step 3, and it must be done before you grant access in step 5 through the people picker. You need to tell the people picker the name of the Active Directory membership provider: the key of the entry under PeoplePickerWildcards (inside the SharePoint element of web.config, in Central Admin as well as the extended web application) must be exactly the provider name used in the membership section. Otherwise the people picker reports no users found and you cannot specify users through the Policy for Web Application.

<PeoplePickerWildcards>
  <clear />
  <add key="ADMembershipProvider" value="%" />
</PeoplePickerWildcards>

Recently we needed to use Forms Based Authentication with Active Directory from an Extranet. This is how we got it to work.

1. Extend the Web Application
Instead of tweaking the internal web app, Extend the web application you want to expose to the Extranet, giving it the required host headers etc.

2. Configure SharePoint Central Admin to use FBA for the new Web Application
Login to SharePoint Central Admin
Go to Application Management / Application Security / Authentication Providers and change the Web Application to the one which needs to be configured for Forms Based Authentication.
Click the zone (Default), change the authentication type to Forms, enter the name of the ActiveDirectoryMembershipProvider under Membership provider name (for example, "ADMembershipProvider") and save this change.

3. Update the web.config of the SharePoint Central Admin site
Under the configuration node:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
</connectionStrings>

Under the system.web node (note that connectionUsername and connectionPassword are stored in clear text in web.config, so use a dedicated, least-privilege account that can only read the directory, and consider encrypting the section with aspnet_regiis -pe):
<membership defaultProvider="ADMembershipProvider">
<providers>
<add name="ADMembershipProvider"
     type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="ADConnectionString"
     connectionUsername="xxx" connectionPassword="yyy"
     enableSearchMethods="true"
     attributeMapUsername="sAMAccountName" />
</providers>
</membership>

4. Update the web.config of the SharePoint Web application
Repeat step 3 for the web.config of the SharePoint web application to be configured for Forms Based Authentication.
Change the authentication in web.config to:
<authentication mode="Forms">
<forms loginUrl="/_layouts/login.aspx"></forms>
</authentication>

5. Grant Access on the extended Web Application
Your extranet web application is now configured to use FBA. However, until the users who will access the site via FBA are given permissions on it, the site will be inaccessible to them.

To get started, open your browser and navigate to your farm’s Central Administration site. Click on Application Management and then click on Policy for Web Application. Make sure that you are working on the extranet web application. Do the following steps:
Click on Add Users.
In the Zones drop down, select the appropriate Extranet zone. IMPORTANT: If you select the incorrect zone, you may not be able to resolve user names. Hence, the zone you select must match the zone of the web application that is configured to use FBA.
Click the Next button.
In the Users edit box, type the name of the FBA user whom you wish to have full control for the site.
Click the Resolve link next to the Users edit box. If the web application's FBA information has been configured correctly, the name will resolve and become underlined.
Check the Full Control checkbox.
Click the Finish button.
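As an added example (not code from the original post), the following Python script checks a SharePoint web.config for the consistency conditions behind steps 2 to 5, in particular the missing step: the key under PeoplePickerWildcards must equal the membership provider name, and the provider must have search methods enabled, otherwise the people picker cannot resolve anyone. The two embedded configs are constructed from the snippets above; the service account name and password in them are placeholders.

```python
"""Consistency check for a WSS 3.0 / MOSS 2007 web.config configured for
Active Directory forms-based authentication.  Added example, not from the
original post; the sample configs below are constructed for the demo."""
import xml.etree.ElementTree as ET


def check_fba_config(web_config_xml):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    root = ET.fromstring(web_config_xml)

    # Step 4: authentication must be Forms.
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        problems.append("authentication mode is not Forms")

    # Step 3: the default membership provider must be declared under <providers>.
    membership = root.find("system.web/membership")
    default_provider = membership.get("defaultProvider") if membership is not None else None
    providers = {}
    if membership is not None:
        for add in membership.findall("providers/add"):
            providers[add.get("name")] = add
    if default_provider is None:
        problems.append("no membership defaultProvider set")
    elif default_provider not in providers:
        problems.append("defaultProvider %r is not declared under <providers>" % default_provider)

    # Each provider needs an existing connection string and search methods
    # enabled, because the people picker resolves names via FindUsersByName.
    conn_names = {a.get("name") for a in root.findall("connectionStrings/add")}
    for name, add in providers.items():
        csn = add.get("connectionStringName")
        if csn not in conn_names:
            problems.append("provider %r references missing connectionStringName %r" % (name, csn))
        if add.get("enableSearchMethods", "false").lower() != "true":
            problems.append("provider %r has enableSearchMethods off" % name)

    # The step the post adds: PeoplePickerWildcards must be keyed by the AD provider name.
    wildcard_keys = {a.get("key") for a in root.findall("SharePoint/PeoplePickerWildcards/add")}
    if default_provider is not None and default_provider not in wildcard_keys:
        problems.append("PeoplePickerWildcards has no entry keyed %r" % default_provider)
    return problems


# Constructed from the post's snippets; svc-fba / "redacted" are placeholders.
GOOD_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnectionString"
         connectionString="LDAP://DynamicsAX.local/CN=Users,DC=DynamicsAX,DC=local" />
  </connectionStrings>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="ADMembershipProvider" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="svc-fba" connectionPassword="redacted"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Same config with the wildcard entry left on the stock SQL provider name:
# the symptom is the "no users found" from the title.
BAD_CONFIG = GOOD_CONFIG.replace('key="ADMembershipProvider"', 'key="AspNetSqlMembershipProvider"')

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_fba_config(cfg) or "OK")
```

Run it against the real web.config of Central Admin and of the extended web application (both must carry the same provider and wildcard entries) before trying to resolve users in Policy for Web Application.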

© Geeks with Blogs or respective owner