SharePoint 2013 FBA

I have a single-domain forest with a fresh install of SharePoint Server 2013. I want to create a web application with FBA, so that my Active Directory users can log in using a nice friendly form. I'm having trouble understanding exactly how to do this. Microsoft's documentation http://technet.microsoft.com/en-us/library/ee806890.aspx seems to suggest that I need to reference a single OU in the web.config files that will contain all of my users. My users are spread throughout multiple OUs in AD. Will the LDAP lookups be recursive if I simply point them to the root?

I've also read several articles claiming that you must create an ASP database in SQL and have the web app authenticate to it, rather than directly to AD. I would rather not do that, as it will just complicate things. Does anyone have any advice?
Asked by: marrj

Melih SARICA (Owner) commented:
In short: add the "Domain Users" AD security group to the "Site Visitors" SharePoint group.

Then you'll see that all users of your domain have read-only rights to your SharePoint site via FBA.
0
Melih SARICA (Owner) commented:
By the way, there is nothing to do with the web.config file. SharePoint configures the web.config file for standard operations.

Best practice: never change web.config files on a SharePoint server (except if you really need to change them).
0
marrj (Author) commented:
So, since you are claiming that the Microsoft-recommended method above is not the best way, do you have a link to an article for a better method? Now I'm really confused.
0

Melih SARICA (Owner) commented:
Do you want to use FBA for AD users?
0
marrj (Author) commented:
Yes.
0
Melih SARICA (Owner) commented:
OK.

So that's right, you must add config sections about form-based authentication configuration to your web.config file.

A membership provider and an AD role provider, like the default .NET providers.

You don't have to use a single OU in AD.

In web.config allow "DOMAINNAME\Domain Users" and it will work.
0
Melih SARICA (Owner) commented:
Try to use this as the distinguished name:

CN=Domain Users,CN=Users,DC=DomainName,DC=ForestName,DC=local

If you're using a single domain like testdomain.local then clear DC=ForestName.

Else, if your domain is subdomain.testdomain.local then use DC=subdomain,DC=testdomain,DC=local
0
marrj (Author) commented:
I tried this. It didn't work. Any other suggestions?

Do I use CN=Domain Users,CN=Users,DC=wbu,DC=edu for both the users and groups containers?
0
Walter Curtis (SharePoint AED) commented:
There is a lot to cover here. First, never use FBA just to provide a pretty form for your users. When switching to FBA you lose so much functionality compared to keeping Windows Integrated Authentication. You will also change the way the people picker works and lose about half of its functionality.

FBA has a role when AD will not be available, such as on an externally facing site that will be using named users. (That is when a SQL membership database comes into play, as you have read so much about.) But if all of your users are going to be AD internal users, stay away from FBA. It is not as complete a solution as WIA is.

If you still want to use FBA, and you are going to have internal AD users, you will need to add sections to the web.config file for the web app, Central Admin and the STS service. This is well documented in reliable TechNet and MSDN documentation. Use the SharePoint OOB AD membership provider.

Another option is to use the SharePoint OOB LDAP membership provider. Either one is straightforward to implement, but as I said, you lose a lot of SharePoint functionality. So don't do it, especially just to provide a pretty form for your users.

Just an FYI: the OOB LDAP membership providers are to be used in the case of a network that uses something such as an Oracle ID Management system or other LDAP-based authentication providers. Although they will work with AD (Active Directory), since it is based on LDAP, it should not be done unless there is no other option.
0
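As an added illustration (not from the thread, and not Microsoft's documentation), here is the kind of provider entry Walter refers to, using SharePoint's out-of-the-box LDAP membership and role providers, pointed at the domain root from the question (DC=wbu,DC=edu) with scope="Subtree" so users in any OU are found, which is the recursive lookup the question asks about. The domain controller name and the provider names ("membership", "roleManager") are assumptions; the same two entries go into the existing providers sections of the web application, Central Administration and SecurityTokenServiceApplication web.config files.

```xml
<!-- Added inside the existing <membership><providers> element of each web.config;
     keep SharePoint's own default providers as they are, only add this entry. -->
<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="dc01.wbu.edu"
     port="636"
     useSSL="true"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="DC=wbu,DC=edu"
     userObjectClass="person"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />

<!-- Added inside the existing <roleManager><providers> element of each web.config.
     groupContainer is also the domain root, so "Domain Users" under CN=Users and
     groups nested in any OU are both resolved. -->
<add name="roleManager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="dc01.wbu.edu"
     port="636"
     useSSL="true"
     groupContainer="DC=wbu,DC=edu"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree" />
```

The server is "dc01.wbu.edu" only as a placeholder; port 636 with useSSL="true" is chosen over 389 because the provider validates the form password by binding to the directory, and an unencrypted bind would carry that password across the network in the clear.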
marrj (Author) commented:
Thank you very much, SneekCo. I honestly thought this question would probably never be answered. I had almost given up. I guess there aren't that many SP experts on EE. I will award points shortly and will likely stay away from FBA, knowing what you have told me. I have another unanswered question in the SharePoint posts titled "Sharepoint 2013 Managed Navigation Subsite Missing". Care to take a look at it?

Thanks again.
0
Walter Curtis (SharePoint AED) commented:
Thanks for the points and the compliment. I am looking at your other question to see if I have any information to answer on it.

You're welcome!
0