Configuring AD LDS-Claims Based Authentication in SharePoint 2010 – Step by Step

Introduction:

SharePoint 2010 lets you configure multiple authentication providers, so that clients or other external parties such as vendors, affiliates, etc. can access your SharePoint sites without being given a Windows Active Directory account. This article walks through step-by-step instructions for achieving this with Windows Server 2008 R2 Active Directory Lightweight Directory Services (AD LDS).

Summary: Following this implementation guide sets up claims-based authentication (CBA) with AD LDS in a SharePoint 2010 extranet environment.

Overview:

  1. Adding the AD LDS server role
    a. Creating an AD LDS instance
    b. Validating that the AD LDS instance is running
    c. Uninstalling an AD LDS instance
  2. Connecting to the AD LDS server using ADSI Edit
    a. Adding a user object and setting the mandatory user properties and password
  3. Configuring CBA for the web application
  4. Modifying the web.config files of:
    a. Central Administration
    b. The web application that uses CBA
    c. The Security Token Service (STS)
  5. Granting AD LDS users access to SharePoint sites
  6. Unit testing

1. Add “Active Directory Lightweight Directory Services” Server Role

Open the Windows Server 2008 R2 Server Manager, click Roles in the navigation pane, and then click Add Roles link.

Add Roles in Windows 2008 R2

Click the “Next” button

Check the box for Active Directory Lightweight Directory Services, and then click the Next button

Add Active Directory Lightweight Directory Services Role

Click the Next button on the introduction page

Verify the Confirmation Installation Settings, and then click Install button.

Installing Active Directory Lightweight Directory Services Role

See the installation in progress.

Installing Active Directory Lightweight Directory Services Role

When the installation has completed, click Close

completed Installing Active Directory Lightweight Directory Services Role

1(a). Create a New Instance of AD LDS

Create an AD LDS instance by clicking Start > Administrative Tools > Active Directory Lightweight Directory Services Setup. The setup wizard appears. Click Next.

Create an AD LDS instance

We can create a new unique instance, or replicate an existing one. Here we go with the first option: select “A unique instance” and click Next.

Create a Unique AD LDS instance

Type the Instance Name. The instance name will help you to identify and differentiate it from other instances that you may have installed on the same server.

Name AD LDS instance

Specify the LDAP port numbers and then click Next. These port numbers must not be in use by any other application on the same server. The web.config entries later in this article use port 389, so use the same port number there as you choose here.

AD LDS Port

Click “Next”, select the option “Yes, create an application directory partition” and enter the partition name. I have used “CN=LDAP,DC=SharePoint,DC=COM”. Note: the partition name has no relation to your machine name or Active Directory domain; it can be any new name.

AD LDS Application directory partition

Select the File Locations.  Click Next.

Select the Network Service account. This should be sufficient in most cases. Click Next.

AD LDS Service Account

Select your administrator account.  Click Next.

AD LDS Administrator account
Important: make sure the application pool account has been added to the AD LDS Administrators role (in ADSI Edit, open the properties of the Administrators role under the “Roles” node, scroll to the “member” attribute and add the application pool account). Otherwise user accounts will not be resolved in SharePoint.

Select the LDIF files shown below; they are needed for the extranet users’ accounts. Click Next.

AD LDS LDIF Files Selection

Click on Next

Install AD LDS LDIF Files

Click Finish


1(b). Validate AD LDS instance is running

If everything is configured correctly, you will see the service running under Administrative Tools > Services.

Verify AD LDS instance in Services Console

1(c). Uninstall an AD LDS instance (only if you want to remove an existing instance):

Go to Control Panel > Programs and Features; the AD LDS instance is listed there.

Uninstall AD LDS Instance

Select the AD LDS Instance and click on “Uninstall” to uninstall the particular AD LDS Instance.

2. Connecting to AD LDS Server using ADSI Edit

Now that the instance is created, we need to connect to it via the ADSI Edit MMC snap-in. Click Start > Administrative Tools > ADSI Edit. Once the MMC is loaded, right-click the ADSI Edit node and select Connect to…

Connect to AD LDS Server using ADSI Edit

Enter the connection properties (the server name, the LDAP port chosen above and the partition name) and click OK

Connect to AD LDS Server using ADSI Edit - Properties

On a successful connection, the AD LDS server appears in ADSI Edit as shown below.

AD LDS Server in ADSI Edit

2(a). Creating new users in AD LDS Instance:

We now need to create a container to hold our users; this is the equivalent of an Organizational Unit in Active Directory. Right-click the partition entry (CN=LDAP,DC=SharePoint,DC=COM), select New > Object, select the class container and click Next.

How to Create user Container in AD LDS

Type Users as the value, then click Next and Finish.

You will now see the “Users” container, in which we can create our users.

users Container in AD LDS

Right-click CN=Users, select New > Object, and select the class user.

How to Create new users in AD LDS

Type in a user name and then click Next and Finish.

New user creation in AD LDS

Once the user is created, we have to:

  • Reset the password
  • Set msDS-UserAccountDisabled to False (it is True by default)
  • Important: set the cn attribute and the other attributes required by the membership provider settings (sn and givenName); users without these attributes set will not be picked up by SharePoint.

Reset Password

Right-click the user and select “Reset Password”.

Reset Password in AD LDS

msDS-UserAccountDisabled

Right-click your newly created user object and select Properties.

Scroll down and locate the msDS-UserAccountDisabled attribute and set it to False.

Enable msDS-UserAccountDisabled attribute

PowerShell script to list the users in the AD LDS instance:

$Dom = "LDAP://server.domain.com/CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
$Root = New-Object DirectoryServices.DirectoryEntry $Dom

# Create a searcher that starts from the Users container of the AD LDS partition
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $Root
# Keep only user objects: their objectCategory starts with "CN=Person".
# @() keeps $adobj an array even when a single user is returned, so .Count works.
$adobj = @($selector.FindAll() | Where-Object {
    $_.Properties.objectcategory -like "CN=Person*"
})
foreach ($person in $adobj)
{
    $prop = $person.Properties
    Write-Host "First name: $($prop.givenname) Surname: $($prop.sn) User: $($prop.cn)"
}
Write-Host "There are $($adobj.Count) users in the $($Root.Name) container"
Read-Host  # just to keep the window open
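As an added troubleshooting check (example code, not part of the original article), the following PowerShell resolves a user the same way the LdapMembershipProvider settings in the web.config changes below do (userContainer, userFilter, userNameAttribute and otherRequiredUserAttributes), and reports whether the user would be found, whether the required attributes are populated, whether the account is still disabled and, optionally, whether its password binds. It assumes the article's server name, port 389 and container DN; the user name jdoe is a placeholder.

```powershell
Add-Type -AssemblyName System.DirectoryServices
# Values copied from the article's LdapMembershipProvider settings; change them to
# match your own instance (server name and user name below are placeholders).
$Server        = "server.domain.com"
$Port          = 389
$UserContainer = "CN=Users,CN=LDAP,DC=SharePoint,DC=COM"
$UserFilter    = "(ObjectClass=person)"            # userFilter
$NameAttr      = "cn"                              # userNameAttribute
$RequiredAttrs = "sn", "givenname", "cn"           # otherRequiredUserAttributes

function Test-AdLdsUser {
    param(
        [Parameter(Mandatory=$true)][string]$UserName,
        [System.Security.SecureString]$Password    # optional: also test a bind
    )
    $root = New-Object DirectoryServices.DirectoryEntry "LDAP://${Server}:${Port}/$UserContainer"
    $searcher = New-Object DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = [DirectoryServices.SearchScope]::Subtree
    # Escape the login name (RFC 4515) so it cannot alter the filter, then build the
    # same filter the provider does: userFilter AND userNameAttribute=<login name>.
    $safe = $UserName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&$UserFilter($NameAttr=$safe))"
    foreach ($a in $RequiredAttrs + "msDS-UserAccountDisabled" + "distinguishedName") {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $result = $searcher.FindOne()
    if (-not $result) {
        return "NOT FOUND: nothing under $UserContainer matches $($searcher.Filter)"
    }
    $props = $result.Properties
    $dn    = $props["distinguishedname"][0]
    # Check 1: every attribute listed in otherRequiredUserAttributes is populated.
    $missing = $RequiredAttrs | Where-Object { $props[$_].Count -eq 0 }
    if ($missing) {
        return "INCOMPLETE: $dn lacks $($missing -join ', '); the people picker will not return it"
    }
    # Check 2: the account is enabled (ADSI Edit creates it with the flag set to True).
    $disabled = $props["msds-useraccountdisabled"]
    if ($disabled.Count -gt 0 -and [bool]$disabled[0]) {
        return "DISABLED: set msDS-UserAccountDisabled to False on $dn"
    }
    if (-not $Password) { return "OK: $dn resolves; no password given, bind not tested" }
    # Check 3: a simple bind with DN and password, which is what the STS does when
    # useSSL="false". AuthenticationTypes.None sends the password in clear text, so run
    # this on the SharePoint server itself, or use port 636 with SSL on an extranet.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
        $entry = New-Object DirectoryServices.DirectoryEntry(
            "LDAP://${Server}:${Port}/$dn", $dn, $plain,
            [DirectoryServices.AuthenticationTypes]::None)
        [void]$entry.NativeObject                 # forces the bind to happen
        return "OK: $dn resolves and the password binds"
    } catch {
        return "BIND FAILED for $dn : $($_.Exception.Message)"
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
    }
}

# Usage: check the user created in ADSI Edit above (jdoe is a placeholder).
Test-AdLdsUser -UserName "jdoe" -Password (Read-Host -AsSecureString "Password for jdoe")
```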

3. Configure CBA for the web application

For new web application:

  • Go to Central Administration > Application Management
  • Click on Manage Web Applications
  • Click New
  • Select Claims Based Authentication
  • Check the Enable Windows Authentication box
  • Check the Enable ASP.NET Membership and Role Provider checkbox
    * In the Membership provider name edit box, type LDAPMembershipProvider
    * In the Role provider name edit box, type LDAPRoleManager

LDAP Role Provider

For existing web applications:

  • Go to Central Administration > Application Management
  • Click on Manage Web Applications
  • Select the target web application and click on authentication providers in ribbon
  • Enter the above authentication settings

Once the configuration is successful, browsing to the SharePoint site should show:

Claims Sign-in Page

4. Modifying web.config files

Important: take a backup of each web.config file before making any change.

We have to change three web.config files in total:

  1. To resolve users from AD LDS in the Central Administration site, we have to change the Central Administration site’s web.config.
  2. To resolve users from AD LDS in the web application we created for CBA, we have to change that web application’s web.config.
  3. Signing in to the site with claims-based authentication goes through the Security Token Service application, so we have to change its configuration file as well.

4(a). Update Central Administration site’s web.config:

  • Open the Central Administration site’s web.config file
  • Find the <system.web> entry
  • Paste the following XML inside it (for example, just before the closing </system.web> tag). Element and attribute names are case-sensitive: roleManager, userContainer, useSSL and the rest must be spelled exactly as shown, or ASP.NET silently ignores them.

<membership>
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="cn" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  </providers>
</roleManager>

Double-check that the <membership> and <roleManager> sections exist only once; delete any duplicate entries.

Update the <PeoplePickerWildcards> entry with the code below (use straight quotes; curly quotes pasted from a browser break the XML):

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="LdapMembershipProvider" value="*" />
  <add key="LdapRoleManager" value="*" />
</PeoplePickerWildcards>

4(b). Update Web application’s web.config:

Update the web.config with the code below. The "i" and "c" entries are the SharePoint claims providers that a claims-based web application’s web.config already contains; add the LDAP provider entries beside them as siblings (not nested inside them), so that each section still exists only once.

<membership defaultProvider="i">
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</membership>
<roleManager cacheRolesInCookie="false" defaultProvider="c" enabled="true">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="cn" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</roleManager>

Update the <PeoplePickerWildcards> entry as below (straight quotes only):

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="LdapMembershipProvider" value="*" />
  <add key="LdapRoleManager" value="*" />
</PeoplePickerWildcards>

4(c). Update security token service’s web.config:

  • Open Internet Information Services (IIS) Manager
  • Expand Sites, then SharePoint Web Services, and open SecurityTokenServiceApplication to edit its web.config file

Paste the code below inside <system.web> … </system.web>, placed just before </configuration>. The STS web.config does not contain a <system.web> section by default, so add one if it is missing.

<membership>
  <providers>
    <add name="LdapMembershipProvider"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" userObjectClass="person"
         userFilter="(ObjectClass=person)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>

<roleManager enabled="true">
  <providers>
    <add name="LdapRoleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="server.domain.com" port="389" useSSL="false"
         groupContainer="CN=Users,CN=LDAP,DC=SharePoint,DC=COM" groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="cn" groupMemberAttribute="member"
         userNameAttribute="cn" dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  </providers>
</roleManager>
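The three web.config edits above invite two mistakes that the comments on this article keep running into: a lowercase <rolemanager> gives the “missing a section declaration” error, and a misspelled attribute such as usercontainer is silently ignored, so the people picker finds nobody. The PowerShell below is an added check (not from the original article) that loads one web.config and reports sections that are missing, duplicated or wrongly cased, provider attributes that are misspelled, and missing PeoplePickerWildcards entries. The attribute names are those used in the entries above; the path in the usage line is an assumed example.

```powershell
# Attribute names exactly as the SharePoint 2010 LDAP providers expect them. XML and
# ASP.NET configuration are case-sensitive, so usercontainer or <rolemanager> are ignored.
$MemberAttrs = "server", "port", "useSSL", "userDNAttribute", "userNameAttribute",
               "userContainer", "userObjectClass", "userFilter", "scope",
               "otherRequiredUserAttributes"
$RoleAttrs   = "server", "port", "useSSL", "groupContainer", "groupNameAttribute",
               "groupNameAlternateSearchAttribute", "groupMemberAttribute",
               "userNameAttribute", "dnAttribute", "groupFilter", "userFilter", "scope"

function Test-SharePointLdapConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Path,          # the web.config to check
        [string]$MembershipName = "LdapMembershipProvider", # name= of the membership <add>
        [string]$RoleName       = "LdapRoleManager"         # name= of the role <add>
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $cfg = New-Object System.Xml.XmlDocument
    try { $cfg.Load((Resolve-Path -LiteralPath $Path).ProviderPath) }
    catch { $findings.Add("not well-formed XML (curly quotes pasted from a browser?): $($_.Exception.Message)"); return $findings }

    $sw = $cfg.SelectSingleNode("/configuration/system.web")
    if (-not $sw) { $findings.Add("no <system.web> section (the STS web.config needs one added)"); return $findings }

    # Each section must appear exactly once and with exact casing (-cne is case-sensitive).
    foreach ($section in "membership", "roleManager") {
        $n = $sw.SelectNodes($section).Count
        if ($n -ne 1) { $findings.Add("<$section> appears $n times under <system.web>; expected exactly 1") }
        $wrong = @($sw.ChildNodes | Where-Object { $_.LocalName -cne $section -and $_.LocalName -ieq $section })
        foreach ($w in $wrong) { $findings.Add("<$($w.LocalName)> is not recognised; it must be spelled <$section>") }
    }

    # Each provider <add> must exist and carry every attribute with the expected casing.
    $checks = @{ "membership/providers/add[@name='$MembershipName']" = $MemberAttrs
                 "roleManager/providers/add[@name='$RoleName']"      = $RoleAttrs }
    foreach ($xpath in $checks.Keys) {
        $add = $sw.SelectSingleNode($xpath)
        if (-not $add) { $findings.Add("missing $xpath"); continue }
        $name = $add.GetAttribute("name")
        foreach ($attr in $checks[$xpath]) {
            if ($add.HasAttribute($attr)) { continue }          # HasAttribute is case-sensitive
            $actual = @($add.Attributes | Where-Object { $_.Name -ieq $attr })
            if ($actual) { $findings.Add("${name}: '$($actual[0].Name)' must be spelled '$attr'") }
            else         { $findings.Add("${name}: attribute '$attr' is missing") }
        }
        if ($add.GetAttribute("type") -match '[\r\n]') { $findings.Add("${name}: type= contains line breaks") }
        if ($add.GetAttribute("useSSL") -ieq "false") { $findings.Add("${name}: useSSL=false, LDAP binds go in clear text") }
    }

    # The people picker only searches providers listed in <PeoplePickerWildcards> (absent in the STS config).
    $ppw = $cfg.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards")
    if ($ppw) {
        foreach ($key in $MembershipName, $RoleName) {
            if (-not $ppw.SelectSingleNode("add[@key='$key']")) { $findings.Add("PeoplePickerWildcards has no <add key='$key'>") }
        }
    }
    return $findings
}

# Usage (path is an assumed example; run it against the CA, web application and STS web.config files):
$issues = Test-SharePointLdapConfig -Path "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config"
if ($issues.Count -eq 0) { "web.config looks consistent" } else { $issues }
```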

5. Add users to SharePoint site

After completing all the steps above, we have to grant the users access to the SharePoint site.

Set the web application level user policy:

  • Navigate to Central Administration > Application Management > Manage web applications
  • Select the target extranet web application and click “User Policy” in the ribbon
  • Click Add Users
  • Click Next
  • In the Add Users window, click the address book
  • Enter the user name and make sure the LDAP names are retrieved

AD LDS Users in People Picker

6. Unit Test: Verify LDAP Authentication works

Create a user in AD LDS, grant it access to a SharePoint site, then open the site and enter the LDAP user name and password.

Make sure you are successfully logged in to the SharePoint site.

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

28 thoughts on “Configuring AD LDS-Claims Based Authentication in SharePoint 2010 – Step by Step”

  • August 4, 2015 at 3:37 PM

    https://technet.microsoft.com/en-us/library/ee806882(v=office.14).aspx

    Pay attention to the capitalization and the syntax on the LDAP filters — they are different for the 3 separate configurations errors here will affect the operation of the PeoplePicker control.

  • August 4, 2015 at 2:32 PM

    If performed properly you should be able to add the LDAP users to the regular SharePoint Groups without having to resort to adding them via User Policy on the WebApplication.. Using the User Policy really limits the usefulness of ADLDS – especially if there are multiple site collections on the WebApplication.

  • August 4, 2015 at 2:35 PM

    https://technet.microsoft.com/en-us/library/ee806882(v=office.14).aspx has the complete “school” solution..

  • May 12, 2015 at 5:42 PM

    There are other blogs that give a more complete solution — when done properly you will not have to add users via the Web Application user policy. You will be able to use the people picker at any level within the site collection or site to pick users… The web configs at the CA, STS and Web Application need to be set as well as setting the role and membership provider on the web application.. — I’ll come back a post a better link…

    • July 3, 2015 at 3:48 PM

      Hi Guy,

      Can you provide the link for the more complete solution?

      Thanks and regards

  • April 29, 2014 at 5:14 AM

    Hi Sal – thanks for posting this. We have got it set up but have one issue. Users, when added to SharePoint groups, can go in fine. The issue is that when we add an AD group to our SharePoint group and add users in ADLDS to that AD group, they don’t have access.

    Cheers,
    Clarky

  • March 11, 2013 at 6:41 PM

    Hello Sal, I commend you on a nice posting and thank you for the time that you took to post this. The question (or confirmation rather) is: instead of using the above model, I can set up the LDS instance in the DMZ instead of setting it up internally, right? If I want to eliminate opening any ports on the firewall to talk to the DMZ instead?

    • March 13, 2013 at 7:52 AM

      Yes! You can place the LDAP server in DMZ and open port 389 (or any other port you configured)!!

  • January 23, 2013 at 6:16 PM

    Took me a couple hours to figure out that proper casing is a must for the membership and role provider.

    For example, usercontainer != work. userContainer == work.

  • January 23, 2013 at 5:05 PM

    Why do you uninstall the LDS instance you just created?

    • January 23, 2013 at 5:16 PM

      Anony,

      Uninstall procedure is given for reference! That doesn’t mean you have to uninstall AD LDS during setup!!

  • November 28, 2012 at 7:12 AM

    Hi,
    Thanks a lot. I did all the steps with SharePoint 2010 on Windows Server 2008, but when I try adding users under user policy I can’t find users in the search partition. I also provided values for sn and givenName and can’t solve it; the other way, I cleaned these attributes from the code, but was not successful.
    Also, one part states: PowerShell Script to List the users in AD LDS instance.
    I skipped this step, is this necessary?

    please help that is very important
    thanks

    • November 28, 2012 at 4:48 PM

      Hi there,

      PowerShell script to list users in ADLDS is optional.

      Looks like your application pool account doesn’t have access to ADLDS. Can you check it once?

      Regards,
      Sal

  • October 31, 2012 at 10:29 PM

    HI,
    Nice article. Followed all steps and made all necessary modifications in the SharePoint instance installed on my Windows 7 machine. When I try adding users under user policy I do not see my AD LDS users. I am also not able to view any other local Windows 7 users. I am able to view only the All Authenticated Users.

    Kindly Advise.

    • November 1, 2012 at 4:33 AM

      Kesari,

      You have to provide values for the cn, sn and givenName attributes of the user object.

      Regards,
      Sal

  • October 8, 2012 at 8:22 AM

    It’s really a nice post, but I can’t see the config entries.

    • October 8, 2012 at 11:25 AM

      There is a format applied on XML and other code in this blog. In case you don’t get it, just select the code sections by clicking and dragging!

  • July 7, 2012 at 11:38 PM

    To get this to work using this article:
    1. Watch case, improper case used in web.config files.
    2. Using ADSIEdit, add the web app service account to the Administrative Role (the portion highlighted in yellow, you do it way later)
    3. STS website, you need to ADD the after the (it doesn’t exist) and add the roleProvider and membership.

    • September 3, 2012 at 9:56 AM

      Thanks, This article is posted as step by step with exact configurations implemented, verified & worked of course!

  • July 7, 2012 at 2:43 PM

    I get error:

    The configuration section ‘rolemanager’ cannot be read because it is missing a section declaration.

    • September 3, 2012 at 9:54 AM

      Please Verify your changes with the above provided!

    • March 26, 2013 at 4:34 PM

      I have the same problem.. ‘rolemanager cannot be read because it is missing a section declaration’

    • August 6, 2014 at 8:17 AM

      roleManager is case sensitive, the M must be capitalized

  • May 26, 2012 at 5:58 PM

    I am new to SharePoint, and found this is a great article!

  • April 17, 2012 at 3:41 AM

    Man you are the Best. It solves my lot of issues. Thanks for explaining this Authentication step by step

  • April 13, 2012 at 7:34 PM

    How would one setup OpenID for CBA in SharePoint 2010 using, say MyOpenID.com as the provider?

  • April 7, 2012 at 11:47 AM

    Wow! You made it pretty simple. Thank you sooooooooooo much!

  • February 21, 2012 at 8:00 PM

    Awesome Man, this was super easy.
    Thanks a lot….
    GaneshKB
    http://dexter-laboratory.blogspot.com
