SharePoint Notes

Bleeding on the cutting edge …

SharePoint Extranet Solutions with ISA Server 2006 – Part 4: LDAP authentication in SharePoint

Posted by Christian Dam on March 30, 2008


In this post we will configure our Extranet Web Application to authenticate users in the Extranet Zone using LDAP. However, not just any LDAP server can be used, since it must be supported by ISA Server 2006, so we are using an Active Directory in the DMZ.

The trick is to configure the web.config files of the Central Administration IIS site as well as of all IIS sites that are part of the Extranet Web Application. When that is done, the Authentication Provider for the extended web application must be changed to use the new provider. Finally, we add some Site Collection Administrators and users.

Still with me? Good, let’s go!

Oh, BTW, the web.config for a SharePoint Web Application is normally located at this location:

     C:\Inetpub\wwwroot\wss\VirtualDirectories\xxx

where xxx is the directory for the Web Application. If the exact location is not known, use the Internet Information Services (IIS) Manager to locate it:

  1. Start Internet Information Services (IIS) Manager (Start -> Administrative Tools -> Internet Information Services (IIS) Manager)
  2. Navigate to <Server> -> Web Sites
  3. Right-click the Web Application in question and select Properties
  4. Select the Home Directory tab
  5. The Local Path setting is the Web Application path

Step 1: Edit Web.config for Central Administration
Modifying the web.config for Central Administration is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application.

  1. Open Web.config for Central Administration
  2. Between the </configSections> and <SharePoint> tags, create an LDAP connection string:

       <connectionStrings>
         <add name="ADConnectionString"
           connectionString="LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local" />
       </connectionStrings>

  3. Between the <system.web> and <securityPolicy> tags add the following:

       <membership defaultProvider="LDAP">
         <providers>
           <add
             name="LDAP"
             connectionStringName="ADConnectionString"
             connectionUsername="DMZAD\administrator"
             connectionPassword="password"
             enableSearchMethods="true"
             attributeMapUsername="userPrincipalName"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=2.0.0.0,
               Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
         </providers>
       </membership>

  4. The connection string, the provider name, connectionUsername and connectionPassword above are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for the Extranet Web Application below.

Step 2: Edit Web.config for the Extranet Web Application
Modifying the web.config for the Extranet Web Application is needed in order to add a Site Collection administrator or to add users in a Policy for Web Application. Modifying the web.config for the extended web application (dmz.extranet.sharepointnotes.local) is necessary for authenticating external users. Modifying the web.config in the Default Zone will allow a site administrator in that zone to add users in the Extranet Zone.

  1. Open Web.config for the (Extended) Extranet Web Application
  2. Between the </configSections> and <SharePoint> tags, create an LDAP connection string:

       <connectionStrings>
         <add name="ADConnectionString"
           connectionString="LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local" />
       </connectionStrings>

  3. Between the <system.web> and <securityPolicy> tags add the following:

       <membership defaultProvider="LDAP">
         <providers>
           <add
             name="LDAP"
             connectionStringName="ADConnectionString"
             connectionUsername="DMZAD\administrator"
             connectionPassword="password"
             enableSearchMethods="true"
             attributeMapUsername="userPrincipalName"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
               System.Web, Version=2.0.0.0,
               Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
         </providers>
       </membership>

  4. Again, the connection string, the provider name, connectionUsername and connectionPassword above are provided as an example and are customizable. The settings must be changed to match the settings in your environment. Under normal circumstances these settings are the same as the ones used for Central Administration above.
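
Before switching the Extranet Zone to Forms authentication (Step 3), it is worth confirming that the settings from Step 1 and Step 2 work the way the ActiveDirectoryMembershipProvider will use them: bind with connectionUsername/connectionPassword, then look a user up by userPrincipalName inside the container named in the connection string. The script below is an added example, not part of the original post; the bind account name and the test UPN are placeholders, and the password is prompted for rather than stored.

```powershell
# Added example (not from the original post): check the LDAP settings from the web.config above.
# Binds as the provider would (connectionUsername/connectionPassword against connectionString) and
# searches the container for a user by userPrincipalName, the attribute named in attributeMapUsername.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapMembershipSettings {
    param(
        [string]$ConnectionString,                   # same value as connectionString in web.config
        [string]$BindUser,                           # same value as connectionUsername
        [System.Security.SecureString]$BindPassword, # same value as connectionPassword
        [string]$TestUpn                             # a user who should be able to log on, e.g. someone@dmzad.local
    )
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($BindPassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    $container = New-Object System.DirectoryServices.DirectoryEntry($ConnectionString, $BindUser, $plain)
    try {
        $container.RefreshCache()   # forces the bind; a wrong password or unreachable server throws here
    } catch {
        return "FAIL: bind to $ConnectionString as $BindUser failed: $($_.Exception.Message)"
    }

    # Escape LDAP filter metacharacters (RFC 4515) so the UPN is matched as a literal value.
    $escaped = $TestUpn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()

    if ($hit -eq $null) {
        # The provider only sees users under the container in the connection string (CN=Users here);
        # a user in another OU, or one without a UPN, cannot log on even though the bind succeeded.
        return "FAIL: no user with userPrincipalName $TestUpn under $ConnectionString"
    }
    return "OK: $TestUpn resolves to $($hit.Properties['distinguishedname'][0])"
}

# Placeholders: a dedicated bind account instead of DMZAD\administrator, and a test user in CN=Users.
Test-LdapMembershipSettings `
    -ConnectionString 'LDAP://dmz.dmzad.local:389/CN=Users,DC=DMZAD,DC=local' `
    -BindUser 'DMZAD\svc-sp-ldap' `
    -BindPassword (Read-Host -AsSecureString 'Bind account password') `
    -TestUpn 'someone@dmzad.local'
```

Run it on the web front end itself, so the same network path and DNS resolution are exercised as the provider will use.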

Step 3: Change the Authentication Provider for the Extranet Zone
Follow these instructions to change the authentication provider:

  1. Go to the Application Management section of Central Administration
  2. In the Application Security section click Authentication Providers
  3. Select the Extranet Web Application
  4. Click the Extranet Zone
  5. In the Authentication Type section select Forms
  6. In the Membership Provider Name enter the same provider name that was used in Step 1 and Step 2, for example LDAP
  7. Click Save
  8. Verify that the Membership Provider Name for the Extranet Zone has changed from Windows to the new name, for example LDAP

Step 4: Add Site Administrators
Follow these instructions to add an LDAP user as a Site Administrator:

  1. Go to the Application Management section of Central Administration
  2. In the SharePoint Site Management section click Site collection administrators
  3. In the Site Collection section select the Extranet Web Application
  4. In the Secondary Site Collection Administrator add a user account from the DMZ Active Directory. Remember that the format is: *@dmzad.local
  5. Click OK

Site Collection administrators can also be added through the Site Settings interface:

  1. Log on to http://extranet.sharepointnotes.local as a site administrator
  2. Navigate to Site Actions -> Site Settings
  3. In the Users and Permissions section click Site collection administrators
  4. In the Site Collection Administrators section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.

Step 5: Add Users to the Extranet Web Application
Follow these instructions to add users to the Extranet Web Application:

  1. Log on to http://extranet.sharepointnotes.local as a site administrator
  2. Navigate to Site Actions -> Site Settings
  3. In the Users and Permissions section click People and groups
  4. Select the group that suits the user or group of users you want to add
  5. Select New -> Add users
  6. In the Add Users section, add the user or group you want to add and select the Check Names-icon (or press CTRL+K). Verify that the user/group was found.
  7. In the Give Permission section check the correct permission level is granted and click OK

This completes the configuration on the SharePoint side of things. In the coming posts, we’ll install the Root CA, issue and install some certificates, create some ISA User Sets and finally publish the Extranet Web Application through ISA Server.


5 Responses to “SharePoint Extranet Solutions with ISA Server 2006 – Part 4: LDAP authentication in SharePoint”

  1. Sally said

    Do you have a suggestion as to how to avoid putting an admin user & pwd in clear text in a file? Our IT group will not allow this for obvious security reasons. There does not seem to be a way to provide an encrypted pwd.

  2. Hi Sally,

    it should be possible to encrypt the configuration section according to this article: http://msdn2.microsoft.com/en-us/library/ms998360.aspx#paght000026_step3.

    The article references these links for further information:
    How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI: http://msdn2.microsoft.com/en-us/library/ms998280.aspx
    How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA: http://msdn2.microsoft.com/en-us/library/ms998283.aspx

    I haven’t tried it yet, so let me know if it works! 🙂

    Cheers,
    Christian
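
As an added example (not from the post or the linked articles), this is what the suggestion above looks like in practice with the DPAPI provider: the two web.config sections that hold the LDAP bind credentials, connectionStrings and system.web/membership, are encrypted in place with aspnet_regiis.exe and the result is checked. The web.config directories are placeholders; SharePoint 2007 runs on .NET 2.0, so the v2.0.50727 tool is used.

```powershell
# Added example (not from the original post): encrypt the web.config sections holding the LDAP
# credentials with the DPAPI protected-configuration provider. ASP.NET decrypts them transparently
# at runtime, so no SharePoint or provider settings change. DPAPI machine keys never leave the
# server, so this must be run on every web front end that has a copy of each web.config.

$webConfigDirs = @(
    'C:\Inetpub\wwwroot\wss\VirtualDirectories\80',     # placeholder: Extranet Web Application (Default Zone)
    'C:\Inetpub\wwwroot\wss\VirtualDirectories\81',     # placeholder: extended Extranet Zone site
    'C:\Inetpub\wwwroot\wss\VirtualDirectories\12345'   # placeholder: Central Administration
)
$sections = 'connectionStrings', 'system.web/membership'
$provider = 'DataProtectionConfigurationProvider'

# 64-bit farms use Framework64; change to 'Framework' on a 32-bit server.
$aspnetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe'
if (-not (Test-Path $aspnetRegiis)) { throw "aspnet_regiis.exe not found at $aspnetRegiis" }

foreach ($dir in $webConfigDirs) {
    $config = Join-Path $dir 'web.config'
    if (-not (Test-Path $config)) { Write-Warning "Skipping $dir - no web.config"; continue }

    # Keep a copy for rollback; 'aspnet_regiis -pdf <section> <dir>' decrypts in place if needed.
    Copy-Item $config "$config.bak" -Force

    foreach ($section in $sections) {
        # -pef: protect (encrypt) one section of the web.config found in a physical directory.
        & $aspnetRegiis -pef $section $dir -prov $provider
        if ($LASTEXITCODE -ne 0) { throw "Encrypting '$section' in $dir failed (exit code $LASTEXITCODE)" }
    }

    # Verify: each section now carries configProtectionProvider, and the password is gone from the file.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($config)
    foreach ($section in $sections) {
        $node = $xml.SelectSingleNode("/configuration/$section")
        if ($node -eq $null -or $node.GetAttribute('configProtectionProvider') -ne $provider) {
            throw "Section '$section' in $config is not encrypted"
        }
    }
    if ([IO.File]::ReadAllText($config) -match 'connectionPassword=') {
        throw "Plain-text connectionPassword still present in $config"
    }
    Write-Host "Encrypted $($sections -join ', ') in $config"
}
```

With the machine-level DPAPI store, any process on that server can still decrypt the sections; what this prevents is the password being readable from a copied or backed-up web.config, so the file ACLs still matter.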

  3. Fredrik said

    Hi!

    Is it possible to use Windows authentication for both ADs instead of Forms Authentication? Forms Authentication is not a reliable solution when you want to allow customers and partners to edit documents using Word and Excel. Forms Authentication cannot authenticate Office applications.

  4. Fredrik,

    no, I don’t think so. As far as I know you can only use the Windows authentication towards the AD where the MOSS servers are members.

    However, it is not a requirement that all MOSS servers are members of the same AD, so maybe you can make the Extranet WFE a member of an Extranet AD and the internal WFE and application servers members of the internal AD and solve it that way.

    I haven’t tried it so I am curious if it works – please let me know if you try it 🙂

    Cheers,
    Christian

  5. Kalvador said

    Hi!

    Anywhere on the WWW I can’t find a solution for my trouble. How is it possible to encrypt LDAP traffic between a SharePoint server and an OpenLDAP server? If I change “useSSL=false” to “useSSL=true” it fails 😦
    Any suggestion will be appreciated!!!

    Thanks
