Configure Sharepoint 2013 for LDAP FBA Authentication

Posted on 2014-02-05
Last Modified: 2014-07-23
Hi,

In our new SharePoint 2013 environment we are trying to configure FBA authentication with LDAP using this article: http://technet.microsoft.com/en-us/library/ee806890.aspx
I suppose only the steps in Phase 1 and Phase 2 are needed.
After making the changes, my page does not load anymore.
We also tried the FBA Configuration Manager; after applying the config to a new, clean SharePoint site, the page will not load anymore either.
Has anyone figured out how to get LDAP authentication working?

Kind Regards,
J.Romkes
Question by: jromkes
Expert Comment by: SneekCo (ID: 39835583)
Yes, FBA LDAP does work.

What do you mean by page does not load anymore? It is difficult to troubleshoot with such a general symptom.

Thanks
Expert Comment by: Justin Smith (ID: 39835844)
I'm also concerned about the "does not load anymore" statement.  Were you trying this on an existing web application?
Author Comment by: jromkes (ID: 39836005)
After adding the code to the web.config of the Central Admin page (found at http://social.technet.microsoft.com/Forums/sharepoint/en-US/331835da-893c-4bfc-ba55-7a321b6496e6/fba-using-ldap-authentication-in-sp-2013?forum=sharepointadmin ),

I see this error in the browser:
[screenshot: browser error]
Step 2: Add the entry below to the web.config of the application and Central Admin.

<system.web>
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="ECCOE-SPS2010" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=PRODUCTION,DC=SPS2010,DC=ECCOE" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="ECCOE-SPS2010" port="389" useSSL="false" groupContainer="OU=PRODUCTION,DC=SPS2010,DC=ECCOE" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
    </providers>
  </roleManager>
</system.web>

And

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="LdapMembershipProvider" value="*" />
  <add key="LdapRoleManager" value="*" />
</PeoplePickerWildcards>
Accepted Solution by: SneekCo, earned 500 total points (ID: 39836214)
Author Comment by: jromkes (ID: 39838553)
After changing the web.config files as in the article mentioned by SneekCo, it goes wrong at the next step, "Configure Forms-Based Authentication in Central Administration".
The Central Administration page will not load in the browser, giving the error posted previously.
The event log will log this at that moment:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6-2-2014 12:35:28
Event time (UTC): 6-2-2014 11:35:28
Event ID: 672ae6e9291f491ba6c197be1a8c935d
Event sequence: 19
Event occurrence: 18
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/52510270/ROOT-1-130361599046414006
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\47754\
    Machine name: SP01
 
Process information:
    Process ID: 5248
    Process name: w3wp.exe
    Account name: REHOBOTH\Administrator
 
Exception information:
    Exception type: InvalidProgramException
    Exception message: Common Language Runtime detected an invalid program.
   at System.Web.Security.Roles.Initialize()
   at System.Web.Security.RoleManagerModule.OnEnter(Object source, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL: http://sp01:31704/_layouts/15/1043/styles/corev15.css?rev=vjvCVOi+Sm2BqpxbfeUuRg==
    Request path: /_layouts/15/1043/styles/corev15.css
    User host address: 192.168.52.104
    User:  
    Is authenticated: False
    Authentication Type:  
    Thread account name: REHOBOTH\Administrator
 
Thread information:
    Thread ID: 13
    Thread account name: REHOBOTH\Administrator
    Is impersonating: True
    Stack trace:    at System.Web.Security.Roles.Initialize()
   at System.Web.Security.RoleManagerModule.OnEnter(Object source, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Author Comment by: jromkes (ID: 39838580)
How to be sure about the correct version number in: ...Microsoft.Office.Server, Version=12.0.0.0....
Expert Comment by: SneekCo (ID: 39838866)
Return to your original or last known good config files so that CA will start, and attempt the process again. Be very careful dealing with the config files. One small mistake and the site will not render. Good luck.
Author Comment by: jromkes (ID: 39838983)
I have already returned to the original config a lot of times, at least at every attempt.
Also by rolling back the snapshot of this machine.
The article SneekCo advised does not talk about configuring the SecurityTokenServiceApplication (STA) web.config, like other articles do.
Do I need to configure the STA? Can a misconfigured or unconfigured STA web.config cause the Central Administration page not to load?
Expert Comment by: SneekCo (ID: 39839050)
Yes, there should be an entry in the security token service config file.

Also, the error message above references an error in the Central Admin web.config file.

That means there are three files that need to be modified for FBA: the web.config file for the web application, the config file for Central Admin, and the config file for the STS service.
Author Comment by: jromkes (ID: 39846622)
When I paste this code into the system.web section of the Central Admin web.config, the page gives an error page; after removing this code, the page loads fine. Can anyone help me find the wrong code?

<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SP01.r******h.nu" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=FBA,DC=R******H,DC=NU" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="rolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="SP01.r******h.nu" port="389" useSSL="false" groupContainer="OU=FBA,DC=R******H,DC=NU" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  </providers>
</roleManager>

The code in bold (the two filter attributes) was changed by me; the original code is:
groupFilter="((ObjectClass=group)"
userFilter="((ObjectClass=person)"

This is the EventLog error:
Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          10-2-2014 08:46:04
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SP01.r******h.nu
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 10-2-2014 08:46:03
Event time (UTC): 10-2-2014 07:46:03
Event ID: fa1addc212c54ef8804bb41bddf69d20
Event sequence: 2
Event occurrence: 1
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1989627596/ROOT-3-130364919440149296
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\32686\
    Machine name: SP01
 
Process information:
    Process ID: 7708
    Process name: w3wp.exe
    Account name: R******H\administrator
 
Exception information:
    Exception type: InvalidProgramException
    Exception message: Common Language Runtime detected an invalid program.
   at System.Web.Security.Roles.Initialize()
   at System.Web.Security.RoleManagerModule.OnEnter(Object source, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL: http://sp01:31940/_layouts/15/1043/styles/error.css?rev=5935tKqaPgqYRcrzU55gzA==
    Request path: /_layouts/15/1043/styles/error.css
    User host address: fe80::6d54:a838:f4f0:2479
    User:  
    Is authenticated: False
    Authentication Type:  
    Thread account name: R******H\administrator
 
Thread information:
    Thread ID: 12
    Thread account name: R******H\administrator
    Is impersonating: True
    Stack trace:    at System.Web.Security.Roles.Initialize()
   at System.Web.Security.RoleManagerModule.OnEnter(Object source, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Expert Comment by: SneekCo (ID: 39847418)
Change these lines in your file:

<membership defaultProvider="AspNetSqlMembershipProvider">
 to
<membership defaultProvider="membership">
 and
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
to
<roleManager enabled="true" defaultProvider="rolemanager">
Author Comment by: jromkes (ID: 39847461)
I'm sorry, same error after changing.
Expert Comment by: SneekCo (ID: 39847505)
Are you modifying the file in Notepad? If so, I would suggest you use an XML editor that clearly highlights the XML nodes in color. A common error is that the section is not correctly inside the system.web node, and it is much easier to spot such errors in an XML editor. Just an idea!
Author Comment by: jromkes (ID: 39847545)
I use Visual Studio and Notepad++ editor.
Should I focus at:  Exception message: Common Language Runtime detected an invalid program?
Expert Comment by: SneekCo (ID: 39847594)
Logically, no. Here is what you know:

With the original files, all works fine.
When the lines are added to the config file, the error occurs. The lines are more than likely incorrectly added to the file. The error message is deceptive and is a result of having lines of code in the wrong place. And don't take this the wrong way: working with web.config files is very delicate and so sensitive that one character in the wrong place will crash the site and produce such a scary error message you will think a monster is outside about to crush the building. Just be very meticulous in adding lines to the web.config file and you will be fine.
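A mechanical check for the kind of mistake SneekCo describes, written for this thread as an added example (not code from the thread or from Microsoft). It assumes the file parses as XML and that SharePoint 2013 providers reference Version=15.0.0.0 assemblies, and flags the three defects visible in the posted snippets: a defaultProvider that names no declared provider, a 2010 (14.0.0.0) assembly version, and the unbalanced "((ObjectClass=group)" filter.

```python
# Added example, not from the thread or from Microsoft: lint a SharePoint 2013
# web.config for the FBA/LDAP mistakes discussed above.
import re
import xml.etree.ElementTree as ET

SP2013_VERSION = "15.0.0.0"  # SharePoint 2013 assemblies; 2010 samples carry 14.0.0.0

def _balanced(expr):
    # True when every "(" in an LDAP filter string has a matching ")"
    depth = 0
    for ch in expr:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def lint_web_config(xml_text):
    # Returns a list of findings; an empty list means nothing was flagged
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web> directly under <configuration>"]
    findings = []
    for tag in ("membership", "roleManager"):
        section = system_web.find(tag)
        if section is None:  # missing, or pasted into the wrong parent node
            findings.append("<%s> is not a direct child of <system.web>" % tag)
            continue
        adds = section.findall("providers/add")
        names = [a.get("name") for a in adds]
        if section.get("defaultProvider") not in names:
            findings.append("%s: defaultProvider=%r is not one of %s" % (tag, section.get("defaultProvider"), names))
        for add in adds:
            ver = re.search(r"Version=([\d.]+)", add.get("type", ""))
            if "Microsoft.Office.Server" in add.get("type", "") and ver and ver.group(1) != SP2013_VERSION:
                findings.append("%s: assembly Version=%s, expected %s" % (add.get("name"), ver.group(1), SP2013_VERSION))
            for attr in ("userFilter", "groupFilter"):
                if add.get(attr) is not None and not _balanced(add.get(attr)):
                    findings.append("%s: unbalanced parentheses in %s=%r" % (add.get("name"), attr, add.get(attr)))
    return findings

# Constructed sample with the thread's defects: undeclared defaultProvider, 2010 role assembly, stray "(" in groupFilter
SAMPLE = """<configuration><system.web><membership defaultProvider="AspNetSqlMembershipProvider"><providers>
<add name="membership" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0" userFilter="(ObjectClass=person)" />
</providers></membership><roleManager enabled="true" defaultProvider="rolemanager"><providers>
<add name="rolemanager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0" groupFilter="((ObjectClass=group)" />
</providers></roleManager></system.web></configuration>"""
```

Running `lint_web_config` on the real Central Admin, web application and STS web.config files before restarting IIS gives a concrete list to fix instead of the InvalidProgramException seen in the event log.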
Expert Comment by: SneekCo (ID: 40215262)
Many Thanks