SharePoint: Form-Based Authentication with ADAM

21 Dec 2009, CPOL
Whereas a server can host only one Active Directory instance, several ADAM instances can run side by side on a single machine.

What is ADAM?

Active Directory Application Mode (ADAM) is a lightweight, standalone version of Active Directory. A full Active Directory deployment needs domain controllers, DNS and the infrastructure, investment and ongoing management that go with them. AD is bound to the domain controller role of the operating system, so a server hosts at most one AD instance; ADAM runs as an ordinary Windows service listening on a port of its own, so several ADAM instances can run on a single machine.

Why ADAM instead of AD?

ADAM and AD both speak LDAP and can both store user information and authenticate users. Suppose you have a custom application (say app1) that already works with AD through the LDAP provider. App1 is used internally, and AD holds the internal users of your enterprise. Now you need a second custom application (say app2) that should also work over LDAP, but for external users (say the buyers of your company's products). You still want the LDAP provider, but you certainly do not want those external identities in your corporate AD. ADAM is the natural fit: the external users (the buyers) live in ADAM rather than in AD, and the existing application (app1) can still reach them, because ADAM and AD expose the same LDAP interface.


Figure 1: How AD and ADAM can exist side by side.

As shown in figure 1, the internal system uses AD primarily but can also query ADAM. AD and ADAM can also be synchronized (ADAM ships with the ADAMSync tool for this), which leaves room for tighter integration between the two.

You may ask why not manage the external users some other way, for example with an ASP.NET membership provider backed by a database or with custom user management. The problem is that the existing application, which only knows the LDAP provider, would then have no way to reach those external users. So ADAM is the best choice when you already run AD, need an AD-like directory for another system, and do not want that system writing to AD directly.

Install and Configure ADAM

Download ADAM from here and install it. Once it is installed, click ADAM -> "Create an ADAM Instance". Click Next in the first window, then make sure "A unique instance" is selected in the Setup Options step. In the Instance Name step, enter a meaningful name. In the Ports step, keep the defaults (389 and 636 for LDAP and LDAP over SSL; if the machine already runs Active Directory or another instance on those ports, the wizard proposes 50000 and 50001 instead) and note them down, because the LDAP port goes into the SharePoint connection string later. In the Application Directory Partition step, select "Yes, create an application directory partition" and enter a partition name as shown in figure 2. Remember the partition name, as we will need it later to connect to ADAM.


Figure 2: ADAM setup.

In figure 2 the partition name is written as a distinguished name (DN). DC stands for Domain Component (not Domain Controller), typically your company's name or DNS domain; OU is an Organizational Unit, such as the department the application serves; and CN is a Common Name, here the product name. The full DN, CN=MyProduct,OU=Management,DC=MyCompany, is what you connect to later.

Click Next to reach the File Locations step, and Next again; if a security warning appears, accept it. In the ADAM Administrators step keep the default, "currently logged in user", which gives the account you are installing with full control of the instance. Click Next to reach the Import LDIF Files step and select:


Figure 3: Import LDIF file.

Import at least MS-User.LDF: it defines the user object class, and without it you cannot create user objects in the next section. Then click Next until the wizard finishes.

Create a User in ADAM

Open "ADAM ADSI Edit" from the ADAM group in the Start menu. The connection dialog shown below should appear; if it does not, choose Action -> Connect to. Enter the server name and port, and the partition's distinguished name in the DN field.


Figure 4: Connect to ADAM

Once connected, right-click the node labelled with your partition name (so CN=MyProduct,OU=Management,DC=MyCompany) and choose New -> Object. In the "Select a class" window, select user and click Next. Enter a name for the user and finish the wizard.

After creating the user you need to enable the account (it is disabled by default), set its user principal name and reset its password:

  1. In the Properties window, select the property msDS-UserAccountDisabled and set it to false. By default the account is disabled.
  2. Set the user principal name to the user name: set the property userPrincipalName of the user to the login name the user will type.
  3. Reset the password by right-clicking the user and choosing Reset Password.
  4. Sometimes authentication does not work until the user belongs to a group/role. You can add the user to one of the built-in ADAM roles (Administrators, Users, Readers) found under the CN=Roles node; Readers is enough for an account that only needs to be looked up and authenticated, so prefer it over Administrators. To add a user to a role, first copy the user's distinguished name from its Properties window (the property is distinguishedName). Then move to the CN=Roles node, open the Properties window of the role you want, find the member property and click it. You will see the window shown below; click Add ADAM account and paste the distinguished name.


Figure 5: Add an ADAM user to group/role.
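Doing the four steps above by hand in ADSI Edit does not scale past a handful of users. The following script, added here as an example and not part of the original article, generates the LDIF that ldifde can import to do the same thing: create the user, enable it, set its userPrincipalName and add it to the Readers role. The partition DN CN=MyProduct,OU=Management,DC=MyCompany comes from figure 2; the user container CN=MyProductUser beneath it and the login name srana are assumptions. The password is deliberately left to the Reset Password step in ADSI Edit, because ADAM rejects password writes over a non-SSL LDAP connection unless the instance has been explicitly configured to allow them.

```python
"""Generate LDIF for ldifde to provision an ADAM user.

Added example, not code from the article. Assumed values: the user container
CN=MyProductUser under the figure 2 partition, and the login name srana.
Import with:  ldifde -i -f user.ldf -s servername:port
"""
import base64

# RFC 4514 characters that must be escaped inside an RDN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in an RDN, so a common name such as
    'Rana, Sohel' cannot inject extra RDN components into the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; values RFC 2849 does not allow in clear
    (leading space/colon/'<', trailing space, non-ASCII, newlines) are
    emitted base64-encoded with the '::' separator."""
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or not value.isascii() or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}\n"
    return f"{attr}: {value}\n"


def user_dn(cn: str, container_dn: str) -> str:
    return f"CN={escape_rdn_value(cn)},{container_dn}"


def user_ldif(cn: str, upn: str, container_dn: str) -> str:
    """'add' record: creates the user, enables it (msDS-UserAccountDisabled
    is TRUE by default) and sets the UPN the membership provider matches
    against the login name typed into the SharePoint sign-in form."""
    return (ldif_line("dn", user_dn(cn, container_dn))
            + "changetype: add\n"
            + "objectClass: user\n"
            + ldif_line("cn", cn)
            + ldif_line("userPrincipalName", upn)
            + "msDS-UserAccountDisabled: FALSE\n")


def role_member_ldif(role_cn: str, partition_dn: str, member_dn: str) -> str:
    """'modify' record adding the user to a built-in ADAM role under
    CN=Roles of the partition (Readers is enough for lookups and logon)."""
    return (ldif_line("dn", f"CN={escape_rdn_value(role_cn)},CN=Roles,{partition_dn}")
            + "changetype: modify\n"
            + "add: member\n"
            + ldif_line("member", member_dn)
            + "-\n")


def provisioning_ldif(cn: str, upn: str, container_dn: str, partition_dn: str,
                      roles=("Readers",)) -> str:
    """Complete LDIF for one user: the add record followed by one modify
    record per role, separated by blank lines as ldifde expects."""
    dn = user_dn(cn, container_dn)
    records = [user_ldif(cn, upn, container_dn)]
    records += [role_member_ldif(role, partition_dn, dn) for role in roles]
    return "\n".join(records)


if __name__ == "__main__":
    PARTITION = "CN=MyProduct,OU=Management,DC=MyCompany"   # from figure 2
    CONTAINER = "CN=MyProductUser," + PARTITION             # assumed container
    print(provisioning_ldif("srana", "srana", CONTAINER, PARTITION))
```

Run it with an account that is a member of the instance's Administrators role, redirect the output to user.ldf and import it with ldifde against the server and port you noted during setup. The escaping helpers matter once the common names come from an external sign-up form: an unescaped comma or equals sign in a name would otherwise silently change where the object is created.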

Configure ADAM in SharePoint

Once the ADAM instance is set up, you can point SharePoint at it. To configure ADAM for a site, modify the web.config of that site and of the Central Administration site. First, add a membership section under <system.web>:

  <membership defaultProvider="ADAMProvider">
    <providers>
      <add name="ADAMProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADAMProviderConnectionString"
           connectionUsername="CN=srana,CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany"
           connectionPassword="srana"
           enableSearchMethods="true"
           connectionProtection="None" />
    </providers>
  </membership>

Here connectionProtection="None" means the provider binds with a simple bind, so the bind account's credentials, and every password a user types into the sign-in form, cross the network in clear text. Use "Secure" whenever you can; with ADAM that requires an SSL-enabled instance, reached through the SSL port chosen in the Ports step (636, or 50001 by default if 389 was taken). Two more points a reviewer will raise: the connectionUsername account only needs to look users up, so give it the Readers role rather than Administrators, and connectionPassword sits in clear text in web.config, so encrypt that section with aspnet_regiis -pe "system.web/membership" (and the connectionStrings section the same way) once the configuration works.

Then, in the connectionStrings section, add the connection string to the ADAM instance. The DN after host:port is the container in which the provider looks for users, so it should be the container you created the users in, not necessarily the partition root:

  <connectionStrings>
    <add name="ADAMProviderConnectionString"
         connectionString="LDAP://servername:port/CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany" />
  </connectionStrings>

That completes the web.config part, but remember to add the same membership and connection string sections both to the site that should use ADAM authentication and to Central Administration. Without the entries in the Central Administration web.config the people picker cannot resolve ADAM users and the setup will not work. One pitfall: Central Administration itself keeps authenticating administrators with Windows, so it only needs ADAMProvider declared in its providers list; making it the defaultProvider there can lock you out of Central Administration. Finally, switch the web application's zone to forms authentication: in Central Administration go to Application Management -> Authentication Providers, pick the web application and zone, choose Forms, and enter ADAMProvider as the membership provider name.

Now check whether ADAM authentication works. In Central Administration go to Application Management -> Site Collection Administrators (under SharePoint Site Management), select your site from the drop-down list and enter the ADAM user name as the primary or secondary site collection administrator. If the user resolves, you are done. If it is not found, look at the latest log in a folder like "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS"; the error description there usually makes the cause obvious.

Few Suggestions

  1. After configuring ADAM you may find that it does not work: the user does not show up as valid in the SharePoint People Picker. In that case search the SharePoint log files for the root cause. They live in a folder like "C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS".
  2. It is better to create the web application first and configure it for ADAM authentication before creating any site collection. If you convert an existing Windows-authenticated site to ADAM, the existing permissions for Windows users (and the Windows users themselves) are no longer usable.
  3. By default the ADAM provider uses userPrincipalName as the user name. So when a user enters a name (say srana) in the username box of the SharePoint site, the provider searches ADAM for an entry whose userPrincipalName is srana. So whenever you create a user in ADAM, set its userPrincipalName to the login name; an account without one can never be found. Keep in mind that the login name ends up in an LDAP search filter, so any lookup code you write yourself must escape it.
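Most of the failures described in this article are configuration mismatches that are easy to miss by eye: the two web.config files disagree, the connection string is not a valid LDAP URL, or the provider entry still carries the weak settings from the walkthrough. The script below, added here as an example and not code from the article, parses the membership and connectionStrings sections, reports the settings a reviewer would question, checks that the site and Central Administration copies agree, and builds the userPrincipalName lookup filter from suggestion 3 with RFC 4515 escaping. The two web.config fragments are constructed for the example; the host name adamhost and port 50000 are assumptions.

```python
"""Offline sanity check of the ADAM membership configuration in web.config.

Added example, not code from the article. The web.config fragments below are
constructed for the example; adamhost and port 50000 are assumed values.
"""
import re
import xml.etree.ElementTree as ET

PROVIDER_TYPE = "System.Web.Security.ActiveDirectoryMembershipProvider"
LDAP_URL = re.compile(r"^LDAP://(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<dn>.+)$")

SITE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADAMProviderConnectionString"
         connectionString="LDAP://adamhost:50000/CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADAMProvider">
      <providers>
        <add name="ADAMProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADAMProviderConnectionString"
             connectionUsername="CN=srana,CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany"
             connectionPassword="srana"
             enableSearchMethods="true" connectionProtection="None" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Central Administration copy with one deliberate mistake: its connection
# string points at the partition root instead of the user container.
CA_CONFIG = SITE_CONFIG.replace("LDAP://adamhost:50000/CN=MyProductUser,", "LDAP://adamhost:50000/")


def load_provider(config_xml: str) -> dict:
    """Resolve the default membership provider and the LDAP target it uses."""
    root = ET.fromstring(config_xml)
    membership = root.find("system.web/membership")
    if membership is None:
        raise ValueError("no <membership> section under <system.web>")
    providers = {p.get("name"): p.attrib for p in membership.findall("providers/add")}
    name = membership.get("defaultProvider")
    if name not in providers:
        raise ValueError(f"defaultProvider {name!r} is not declared in <providers>")
    prov = providers[name]
    conns = {c.get("name"): c.get("connectionString") for c in root.findall("connectionStrings/add")}
    cs = conns.get(prov.get("connectionStringName"))
    if cs is None:
        raise ValueError("connectionStringName has no matching <connectionStrings> entry")
    m = LDAP_URL.match(cs)
    if m is None:
        raise ValueError(f"connection string {cs!r} is not of the form LDAP://host[:port]/DN")
    return {"name": name, "provider": prov, "host": m["host"],
            "port": int(m["port"] or 389), "container": m["dn"]}


def audit(cfg: dict) -> list:
    """Findings a security reviewer would raise against this provider entry."""
    prov, findings = cfg["provider"], []
    if not prov.get("type", "").startswith(PROVIDER_TYPE):
        findings.append("provider type is not ActiveDirectoryMembershipProvider")
    if prov.get("connectionProtection", "Secure") == "None":
        findings.append("connectionProtection=None: bind credentials and user passwords cross the wire in clear text")
    if prov.get("connectionPassword"):
        findings.append("connectionPassword is stored in clear text; encrypt the section with aspnet_regiis -pe")
    if bool(prov.get("connectionUsername")) != bool(prov.get("connectionPassword")):
        findings.append("connectionUsername and connectionPassword must be given together")
    return findings


def compare(site: dict, central_admin: dict) -> list:
    """Both web.config files must name the same provider and LDAP target."""
    return [f"{key}: site={site[key]!r} central admin={central_admin[key]!r}"
            for key in ("name", "host", "port", "container")
            if site[key] != central_admin[key]]


# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def upn_filter(login_name: str) -> str:
    """Search filter for the userPrincipalName lookup from suggestion 3.
    Custom lookup code that concatenates the login name into a filter must
    escape it like this, or a name such as 'a*)(cn=*' rewrites the query."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in login_name)
    return f"(&(objectClass=user)(userPrincipalName={escaped}))"


if __name__ == "__main__":
    site, ca = load_provider(SITE_CONFIG), load_provider(CA_CONFIG)
    for line in audit(site) + compare(site, ca):
        print("FINDING:", line)
    print(upn_filter("srana"))
```

Point load_provider at the real files (open them and pass the text) for the site and for Central Administration; an empty result from both audit and compare is the state you want before enabling forms authentication on the zone.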

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Sohel_Rana
Architect ImpleVista Aps
Denmark Denmark
Sohel has more than six years of experience in professional software development, with extensive involvement in web-based, object-oriented, multi-tiered application design and development. He is familiar with Test Driven Development (TDD) and refactoring techniques and has expertise in architecting large enterprise applications. He has experience working with Content Management System and Portal Management System tools such as SharePoint, DotNetNuke and Ektron.
 
Over last few years, he’s involved in development with projects on Microsoft SharePoint and received Microsoft MVP for SharePoint Server Development in the year 2011 and 2012. Currently he's working in a software company located Copenhagen,Denmark on a project integrating SharePoint and SAP. You can read his popular blog at: http://ranaictiu-technicalblog.blogspot.com

Comments and Discussions

 
Question: Using windows credentials? (dconlon, 21-Dec-09 5:42)
Answer: Re: Using windows credentials? (Sohel_Rana, 21-Dec-09 6:03)
General: Re: Using windows credentials? (dconlon, 21-Dec-09 6:33)
Yeah. According to the MSDN/TechNet articles, they do not specify credentials in the config, so it uses the app pool account. You give this account read access to ADAM by adding it to the Reader role.
 
I've set it up according to TechNet, and can get the people-picker working fine so LDAP is being searched. But for the life of me, I cannot get FBA working. The logs show nothing obvious.
Seems I am not alone here.
General: Re: Using windows credentials? (Sohel_Rana, 21-Dec-09 17:32)

Last Updated 21 Dec 2009
Article Copyright 2009 by Sohel_Rana