What is ADAM?
Active Directory Application Mode (ADAM) is a lightweight version of Active Directory. A full Active Directory setup requires considerable infrastructure, investment and management. ADAM runs as a non-operating-system service, whereas Active Directory (AD) runs as an operating system service; so while only one AD can exist per OS, several ADAM instances can run on a single OS.
Why ADAM instead of AD?
ADAM and AD both use the LDAP protocol and can be used to manage user information and for authentication. First, suppose you have a custom-developed application (say app1) that already works with AD (through the LDAP provider). App1 is used internally, and you use AD to manage the internal users of your enterprise. Now you need to develop another custom application (say app2) that will also work with LDAP, but for external users (say you need to manage the buyers of your company's products). In that case you want to use the LDAP provider, but you surely don't want to keep those external users' information in your AD. The best solution is to use ADAM: the external users (the buyers) are stored in ADAM rather than in AD, and your existing system (app1) can work with ADAM as well, since ADAM and AD both use LDAP.
Figure 1: How AD and ADAM can exist side by side.
As shown in figure 1, the internal system uses AD primarily but can also access ADAM. ADAM and AD can also be synchronized, which leaves room for tighter integration between the two.
Now you may ask whether you could manage external users some other way, such as an ASP.NET authentication provider or custom user management backed by a database. If you do so, it will be difficult for the existing application (which uses AD now) to access those external users' information, because the current system only supports the LDAP provider. So ADAM is the best choice for those who already use AD and need an AD-like system to manage users for another system, but don't want to use AD directly.
Install and Configure ADAM
Download ADAM from here and install it. Once you have installed ADAM, click ADAM –> “Create an ADAM Instance”. Click Next in the first window. Then make sure you have selected the “A unique instance” option in the Setup Options step. In the Instance Name step, enter a meaningful name. In the Ports step, keep the default ports and click Next. In the Application Directory Partition step, select “Yes, create an application directory partition” and enter something like the values shown in figure 2. Remember the partition name, as we will need it later to connect to ADAM.
Figure 2: ADAM setup.
In the image above, DC means Domain Controller (which I think may be your company name), OU means Organizational Unit (which I think is the department the application will be used in) and CN stands for Common Name (which may be your product name).
Now click Next and you'll move to the File Locations step. Click Next again; you may be prompted with a security warning, and if so, select Yes. You are now at the ADAM Administrators step; take the default option, “currently logged in user…”. Click Next and you'll be at the Import LDIF Files step. Select the LDIF files to import as shown in figure 3:
Figure 3: Import LDIF file.
Now click next until you finish.
Create a User in ADAM
Navigate to “ADAM ADSI Edit” under ADAM in the Start menu. You'll be prompted with the following screen. If the screen doesn't appear automatically, click Action –> Connect to. Make sure you have entered the server name and port. The partition name should be entered in the DN field.
Figure 4: Connect to ADAM
Once you have connected to ADAM, right-click the node labelled with your partition name (so CN=MyProduct,OU=Management,DC=MyCompany) and click New –> Object. You'll get the Select a class window; select user in that window and click Next. In the next window, enter a name for the user and finish the wizard.
After creating the user, you need to enable the user account (it's disabled by default) and reset the password.
- In the properties window, select the property msDS-UserAccountDisabled and set its value to false. By default, the account is disabled.
- Set the user principal name to the user name. To do so, set the userPrincipalName property of the user to the user name.
- Reset the password by right-clicking the user and clicking Reset Password.
- Sometimes user authentication doesn't work without adding the user to a group/role. You can add the user to the ADAM groups (Administrators, Users, Readers) available under the CN=Roles node. To add a user to a group, first get the distinguished name of the user from the properties window; the property name is distinguishedName. Now move to the CN=Roles node and click the role/group you want to add the user to. Open the properties window of the role, find the member property and click it. You'll see a window as shown below. In this window, click Add ADAM account and paste the distinguished name.
Figure 5: Add an ADAM user to group/role.
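The same create, enable, reset-password and add-to-role steps as a script run on the ADAM host, as an added example that is not part of the original post. The host:port, user name, role and the constructed password are assumptions; the partition DN is the one from figure 2.

```powershell
# Added example (not from the original post): automates the ADSI Edit steps above.
param(
    [string] $AdamServer  = 'localhost:389',                   # assumed host:port
    [string] $PartitionDn = 'CN=MyProduct,OU=Management,DC=MyCompany',
    [string] $UserName    = 'srana',
    [string] $Role        = 'Readers',                         # one of the groups under CN=Roles
    [string] $Password    = 'Example-Only-Passw0rd!'           # constructed; supply a real one
)

$userDn = "CN=$UserName,$PartitionDn"

# 1. Create the user object. SharePoint's provider looks users up by userPrincipalName,
#    so it is set to the login name right away.
$partition = [ADSI] "LDAP://$AdamServer/$PartitionDn"
$user = $partition.Create('user', "CN=$UserName")
$user.Put('userPrincipalName', $UserName)
$user.SetInfo()

# 2. Enable the account. ADAM uses the boolean msDS-UserAccountDisabled (TRUE by default),
#    not the userAccountControl bit mask that AD uses.
$user.Put('msDS-UserAccountDisabled', $false)
$user.SetInfo()

# 3. Reset Password. ADAM refuses this on a plain LDAP port unless the instance has been
#    told (dsmgmt, "ds behavior") to allow password operations on unsecured connections,
#    so in practice point $AdamServer at the SSL port for this step.
$user.Invoke('SetPassword', $Password)

# 4. Add the user's distinguished name to the role's member attribute
#    (the manual "Add ADAM account" step from figure 5).
$group = [ADSI] "LDAP://$AdamServer/CN=$Role,CN=Roles,$PartitionDn"
[void] $group.Properties['member'].Add($userDn)
$group.CommitChanges()

# Read everything back so a step that silently failed is visible immediately.
$check = [ADSI] "LDAP://$AdamServer/$userDn"
$check.RefreshCache()
New-Object PSObject -Property @{
    DistinguishedName = $userDn
    UserPrincipalName = $check.Properties['userPrincipalName'].Value
    Disabled          = $check.Properties['msDS-UserAccountDisabled'].Value
    MemberOfRole      = (@($group.Properties['member']) -contains $userDn)
}
```

Run it with an account that is a member of the instance's Administrators role; the final object should show Disabled = False and MemberOfRole = True.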
Configure ADAM in SharePoint
Once you have ADAM set up, you can use it. To configure ADAM for a site, you need to modify the web.config file both for that site and for the central administration site. First, you need to add a membership section under
enableSearchMethods="true" connectionProtection="None" />
The connectionProtection value may be Secure or another value, depending on your server's configuration.
Also, in the connection strings section, add the connection string to the ADAM instance as shown below:
So you are done. But remember to add the same membership and connection string sections both to the site where you want ADAM authentication and to central administration. If you don't put the configuration in the central administration web.config file, it will not work.
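One way to keep the two web.config files identical, as an added example that is not part of the original post: a script that writes the ADAM connection string and membership provider into each file. The virtual directory paths, the host:port and the AdamConnection/AdamMembership names are assumptions; the partition DN is the one from figure 2.

```powershell
# Added example (not from the original post): add the ADAM sections to every web.config listed.
param(
    [string[]] $WebConfigPaths = @('C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
                                   'C:\Inetpub\wwwroot\wss\VirtualDirectories\ca\web.config'),
    [string]   $AdamServer     = 'adamhost:389',                          # assumed host:port
    [string]   $PartitionDn    = 'CN=MyProduct,OU=Management,DC=MyCompany',
    [string]   $Protection     = 'None'   # 'Secure' once the instance has a certificate for LDAPS
)

# With connectionProtection="None" the bind credentials and every user lookup cross the
# network in clear text, so keep ADAM and the web front ends on a trusted segment or use Secure.
# attributeMapUsername is the provider's default; it is written out because it is the reason
# each ADAM user's userPrincipalName must equal the login name.
$fragmentXml = @"
<root>
  <connectionStrings>
    <add name="AdamConnection" connectionString="LDAP://$AdamServer/$PartitionDn" />
  </connectionStrings>
  <membership defaultProvider="AdamMembership">
    <providers>
      <add name="AdamMembership" connectionStringName="AdamConnection"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionProtection="$Protection" enableSearchMethods="true"
           attributeMapUsername="userPrincipalName" />
    </providers>
  </membership>
</root>
"@
$fragment = New-Object System.Xml.XmlDocument
$fragment.LoadXml($fragmentXml)

function Add-Section([System.Xml.XmlNode] $parent, [string] $name) {
    # Never overwrite an existing section; report it so the admin can merge by hand.
    if ($parent.SelectSingleNode($name)) { Write-Warning "<$name> already present, left untouched"; return }
    $node = $parent.OwnerDocument.ImportNode($fragment.DocumentElement.SelectSingleNode($name), $true)
    [void] $parent.AppendChild($node)
}

foreach ($path in $WebConfigPaths) {
    Copy-Item -LiteralPath $path -Destination "$path.bak" -Force   # rollback copy
    $config = New-Object System.Xml.XmlDocument
    $config.Load($path)
    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) { throw "$path has no <system.web> element" }
    Add-Section $config.DocumentElement 'connectionStrings'   # directly under <configuration>
    Add-Section $systemWeb 'membership'                        # under <system.web>
    $config.Save($path)
}
```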
Now you need to check whether ADAM authentication works. Go to Central Administration => Application Management => Site Collection Administrators (under SharePoint Site Management). Select your site from the dropdown list and enter the ADAM user name in the primary or secondary site collection administrator box. If the user is found, you are done. If the user is not found, you need to find the error. Go to a folder like “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS” and open the latest log. You'll find the error description there, and from the error message you can easily figure out the reason.
- After configuring ADAM, you may find that it's not working: the user is not shown as valid in the SharePoint People Picker. In that case you can search the SharePoint log files for the root cause. The log files are in a folder like “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS”.
- It's better to create the web site first and then configure it for ADAM authentication before creating any site collection. If you convert a Windows-authenticated site to ADAM, the existing permissions for Windows users (as well as the Windows users themselves) will no longer be usable.
- By default, the ADAM provider uses userPrincipalName as the user name. So when a user enters a username (say srana) in the username box of the SharePoint site, the provider tries to find an entry in ADAM whose userPrincipalName is srana. So whenever you create a user in ADAM, set its userPrincipalName to the user name.