Recently I needed a SharePoint 2010 to test Deepnet IIS agent. Deepnet requires web services working under form authentication, so I follow these two posts [1][2] which are pretty good(especially the first one). However, the installation(and configuration) still costed 2 days! so I am going to write down my story,just in case I'll forget it in the future. It also tries to ensure those people, who are trying to do the SharePoint form authentication with LDAP provider, do not suffer the same fate.
At the very beginning, I tried a standalone version of sharepoint 2010 which I thought was enough for me. The installation itself was quite straightforward, however, the "People Picker" never returned any AD user. My AD server was on another machine, so it was kind of remote LDAP access which I think it needed authentication, so I provided connectionUsername and connectionPassword,just like the one mentioned by this post.
<add name="membership"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
server="192.168.222.200"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="sAMAccountName"
userContainer="CN=Users,DC=nanoart,DC=local"
userObjectClass="person"
userFilter="(&(ObjectClass=person))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="CN=administrator,CN=Users,DC=nanoart,DC=local"
connectionPassword="password" />
I doubled checked the connectionUsername and connectionPassword, in ADExplorer it worked without any problem. But in SharePoint People Picker, no luck at all.
This post suggested another format(not DN string) on connectionUsername and connectionPassword which I haven't got time to try. It points out, "One additional step is required and that is adding a couple of entries to the STS (Security Token Service) web.config file. You will need to add both connectionUserName and connectionPassword." If you are curious, please have a try yourself, and give me a feedback below.
<add name="membership"
type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
server="192.168.222.200"
port="389"
useSSL="false"
userDNAttribute="distinguishedName"
userNameAttribute="sAMAccountName"
userContainer="CN=Users,DC=nanoart,DC=local"
userObjectClass="person"
userFilter="(&(ObjectClass=person))"
scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn"
connectionUsername="nanoart\administrator"
connectionPassword="password" />
I struggled for a few hours on that, eventually I gave up the standalone version, and decided to install SharePoint 2010 in a AD environment. Officially SharePoint 2010 is not recommended being installed on Domain Controller, so generally, you need 2 machines(see this post
for the details). Basically one machine(512M) for domain controller, another one(4G) to be a member server of the domain, and for deploying SharePoint.
I always want to make things simple, so I tried my luck to install everything (SharePoint 2010 plus SQL server 2008) on DC machine. Guess what? this time I wasn't disappointed. The installation was successful, and People Picker worked as well!
However another issue awaited me, which tortured me longer than the LDAP issue, I always got Access Denied error.
I believe I did right thing on User's Policy, as you can see this test user(i:0#.f|ldapmember|mingfa.ma) had "Full Read"(tried "Full Control" later as well).
This problem puzzled me for two days. I didn't realized that I fell right into the trap setup by myself until I saw this post.It mentioned somewhere that you need to set the default provider to our Forms provider, i.e. FBAMembershipProvider
OK let's look at how I modified the web.config of SharePoint site.
<membership defaultProvider="LdapMember">
<providers>
<!-- <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=nanoart64,DC=local" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="false">
<providers>
<!-- <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" groupContainer="CN=Users,DC=nanoart64,DC=local" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
</providers>
</roleManager>
Below I list correct one, you can easily see what the difference is.
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=nanoart64,DC=local" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" groupContainer="CN=Users,DC=nanoart64,DC=local" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
</providers>
</roleManager>
How ironic it is! I could only blame my "cleverness". When I edited the web.config file I thought I should comment out the original one, and made the inserted one as the default member(role) which eventually resulted in an agony of finding the exact reason.
I wonder if SharePoint had some troubleshooting measures to guide me to the right place quickly. To some extent, the error "Access Denied" in this case misled me, I am afraid to say so.
Reference
Step by Step SharePoint 2010 Install RTM
How to Set Up Novell eDirectory Authentication for Microsoft SharePoint
Setting Up SharePoint 2010 forms-based authentication for claims based web applications
Configuring Forms Based Authentication for SharePoint 2010 using IIS7