SharePoint 2007 SP1 LDAP Membership Provider


In case you weren't aware, SharePoint 2007 shipped with an LDAP Membership Provider. I recently had a requirement to use it, so I thought I would post the steps to implement it. The LDAP membership and role providers got some love in SP1 when Microsoft added the connectionUsername and connectionPassword attributes to support authenticated binds.

If you plan to do LDAP over SSL (port 636) you will need a certificate created for your DC; for standard LDAP (port 389) you can skip this section.

Make yourself a CERT

Use the .NET SDK and execute makecert.exe with the following options. Make sure you use an elevated command prompt under Vista/Windows 2008, or you will receive the error "WriteFile failed => 0x5 (5)". Also verify that the environment variables used below contain the values you expect.

Create a Root Certificate Authority

C:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin>makecert -pe -n CN=root.like10.local -ss root -sr LocalMachine -a sha1 -sky signature -r c:\tmp\root.cer

It should return Succeeded. (2008/07/19: I fixed a typo in the command line above; removed the double quotes around CN=)

Create a Certificate issued from the previously created Certificate Authority

C:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin>makecert -pe -n CN=server.like10.local -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in root.like10.local -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\tmp\server.cer

It should return Succeeded. (2008/06/19: I fixed a typo in the command line above)

Export the Certificates

Start Microsoft Management Console (MMC).

Add the Certificates snap-in that manages certificates on the Local Computer.

Expand Certificates (Local Computer), expand Personal, and then expand Certificates.

A new certificate should be present in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer’s fully qualified host name.

Export the certificate and save it to disk. Don't forget to also export the Root Certificate Authority, which can be found under Trusted Root Certification Authorities.

Restart the domain controller at this point.

Verify the LDAPS connection

Note: You should run this test directly on the domain controller first, then once you have imported the certificates on the front-end web server run the same test from the web server.

Start the Active Directory Administration Tool (Ldp.exe).
Note: This program is installed with the Windows Server 2003 Support Tools.

On the Connection menu, click Connect.

Type the name of the domain controller to which you want to connect.

Type 636 as the port number.

Click OK. RootDSE information should print in the right pane, indicating a successful connection.
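The Ldp.exe test above only shows that a TLS session came up and RootDSE is readable. The PowerShell script below is an added example, not part of the original post, that repeats the same check the way the provider will actually use the connection: it connects on port 636, refuses to bind unless the certificate the DC presents has the host name and Server Authentication EKU from the makecert step and chains to the exported root.cer, then does an authenticated bind as the service account and looks that account up with the same userContainer, userFilter and attribute names (sAMAccountName, sn, givenName, cn) that the web.config section further down carries. The host, file path, account and container values are the ones used in the post and are assumptions to replace with your own; the bind password is prompted for rather than stored in the script.

```powershell
# Added example, not part of the original post. Run on the domain controller first,
# then on each front-end web server after importing the certificates there.
# Assumed values (taken from the post; change them to match your domain):
#   $Server / $Port      - the provider's server and port attributes
#   $RootCaFile          - the root CA exported from the makecert step
#   $BindUser            - the provider's connectionUsername
#   $Container, $UserFilter - the provider's userContainer and userFilter
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = "dc.secure.local"
$Port       = 636
$RootCaFile = "C:\tmp\root.cer"
$BindUser   = "secure\ossldap"
$Container  = "CN=Users,DC=secure,DC=local"
$UserFilter = "(objectClass=person)"

$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaFile

# LdapConnection calls this once the TLS handshake has delivered the DC's certificate.
# Returning $false aborts the connection, so the bind password is never sent to a DC
# whose certificate is not the one the makecert step produced.
$verify = {
    param($conn, $cert)
    $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    # 1. The subject must be the host name the provider is configured with.
    $dns = $cert2.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns -ne $Server) { Write-Warning "certificate subject '$dns' is not '$Server'"; return $false }
    # 2. It must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1 from the makecert -eku option).
    $eku = $cert2.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
    if (-not $hasServerAuth) { Write-Warning "certificate lacks the Server Authentication EKU"; return $false }
    # 3. It must chain to the exported root, which is offered via ExtraStore and pinned by
    #    thumbprint. makecert certificates carry no CRL, so revocation checking is disabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($rootCa)
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    if (-not $chain.Build($cert2)) {
        Write-Warning ("chain build failed: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "))
        return $false
    }
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $rootCa.Thumbprint) { Write-Warning "chain ends at '$($anchor.Subject)', not the exported root"; return $false }
    return $true
}

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer       = $true
$conn.SessionOptions.ProtocolVersion         = 3
$conn.SessionOptions.VerifyServerCertificate = $verify
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind as the service account, inside the TLS session
$conn.Credential = (Get-Credential $BindUser).GetNetworkCredential()     # prompts; the password is not kept in the script

try {
    $conn.Bind()
    Write-Host "Bind as $BindUser over LDAPS to ${Server}:$Port succeeded"

    # The same RootDSE that Ldp.exe prints in the right pane after Connect.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest("", "(objectClass=*)",
               [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("defaultNamingContext", "supportedLDAPVersion"))
    $rootDse = $conn.SendRequest($req).Entries[0]
    Write-Host ("defaultNamingContext: " + $rootDse.Attributes["defaultNamingContext"].GetValues([string])[0])

    # Resolve the bind account with the provider's own container, filter and attribute names,
    # so a wrong userContainer or a missing attribute shows up here rather than at logon time.
    $sam    = $BindUser.Split("\")[-1]
    $filter = "(&$UserFilter(sAMAccountName=$sam))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Container, $filter,
               [System.DirectoryServices.Protocols.SearchScope]::Subtree,
               [string[]]@("distinguishedName", "sAMAccountName", "sn", "givenName", "cn"))
    $entries = $conn.SendRequest($req).Entries
    if ($entries.Count -ne 1) {
        Write-Warning "expected exactly 1 entry for $sam under $Container, got $($entries.Count)"
    } else {
        foreach ($a in "distinguishedName", "sAMAccountName", "sn", "givenName", "cn") {
            $v = $entries[0].Attributes[$a]
            if ($v) { Write-Host ("  {0,-18} {1}" -f $a, $v.GetValues([string])[0]) }
            else    { Write-Warning "  $a is not set on this account" }
        }
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # 81 = server down (no LDAPS listener, or the certificate callback rejected it); 49 = invalid credentials
    Write-Error ("LDAP error {0}: {1}" -f $_.Exception.ErrorCode, $_.Exception.Message)
}
catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    Write-Error ("directory operation failed: " + $_.Exception.Message)
}
finally { $conn.Dispose() }
```

If the callback rejects the certificate the bind fails with LDAP error 81 rather than a clear message, so read the warnings printed just before it. A wrong userContainer typically surfaces as a DirectoryOperationException (no such object), and an empty sn, givenName or cn on the account is worth fixing before it is listed in otherRequiredUserAttributes.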

SharePoint 2007 Site Configuration

Here is the section to add to the SharePoint sites’ and Central Administration web.config (inside the <system.web> element):

<membership defaultProvider="LDAPMembershipProvider">
  <providers>
    <add
      name="LDAPMembershipProvider"
      type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
      connectionUsername="secure\ossldap"
      connectionPassword="pass@word1"
      server="dc.secure.local"
      port="636"
      useSSL="true"
      userDNAttribute="distinguishedName"
      userNameAttribute="sAMAccountName"
      userContainer="CN=Users,DC=secure,DC=local"
      userObjectClass="person"
      userFilter="(ObjectClass=person)"
      scope="Subtree"
      otherRequiredUserAttributes="sn,givenname,cn"
      />
  </providers>
</membership>
<roleManager defaultProvider="LDAPRoleProvider" enabled="true" cacheRolesInCookie="false" cookieName=".PeopleDCRole">
  <providers>
    <add
      name="LDAPRoleProvider"
      type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
      connectionUsername="secure\ossldap"
      connectionPassword="pass@word1"
      server="dc.secure.local"
      port="636"
      useSSL="true"
      groupContainer="dc=secure,dc=local"
      groupNameAttribute="cn"
      groupMemberAttribute="member"
      dnAttribute="distinguishedName"
      userNameAttribute="sAMAccountName"
      groupFilter="(ObjectClass=group)"
      scope="Subtree"
      />
  </providers>
</roleManager>

Note: connectionUsername and connectionPassword are new to SP1. I have bolded all the items in the provider attributes you will more than likely change.

The membership and roleManager sections can be encrypted using DPAPI and the local machine keys, so that the credentials of the account the provider uses to connect to the DC are not stored in clear text in web.config:

aspnet_regiis.exe -pef "system.web/membership" "C:\Inetpub\wwwroot\wss\VirtualDirectories\8000" -prov "DataProtectionConfigurationProvider"
aspnet_regiis.exe -pef "system.web/roleManager" "C:\Inetpub\wwwroot\wss\VirtualDirectories\8000" -prov "DataProtectionConfigurationProvider"

Note: You must repeat the process on each front-end Web server.

The name attributes of the Membership and Role providers are bolded above. You need to make note of what these names are because you will enter them in Central Administration when you configure the authentication provider for the extended site. You also need to make changes to the web.config for the Central Administration site.

The roleManager element for the web application should look like the following:

<roleManager enabled="true" defaultProvider="LDAPRoleProvider">

The roleManager element for SharePoint Central Administration should look like the following:

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

This change is required because the Central Administration site uses Windows authentication for the role provider.
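The settings in the last few sections (useSSL and port on each LDAP provider, a connectionUsername for authenticated binds, the aspnet_regiis encryption, and the different roleManager defaultProvider on the web application versus Central Administration) are easy to get wrong on one of several front-end servers. The function below is an added example, not part of the original post, that reads a web.config and reports each of those points. The path of the 8000 virtual directory is the one from the aspnet_regiis commands above; the Central Administration path is a placeholder you must fill in yourself.

```powershell
# Added example, not part of the original post: audit the <membership> and <roleManager>
# sections of a SharePoint web.config against the settings described in the post.
function Test-LdapProviderConfig {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfig,
        [string]$ExpectedRoleProvider = "LDAPRoleProvider"   # AspNetWindowsTokenRoleProvider for Central Administration
    )
    [xml]$cfg = Get-Content -Path $WebConfig
    $sysweb   = $cfg.configuration.'system.web'
    $findings = @()

    foreach ($name in "membership", "roleManager") {
        $section = $sysweb.SelectSingleNode($name)
        if ($section -eq $null) { $findings += "FAIL ${name}: section missing from <system.web>"; continue }

        # After aspnet_regiis -pef the element carries configProtectionProvider and its body is
        # <EncryptedData>; the attributes below are then readable only by the worker process.
        if ($section.HasAttribute("configProtectionProvider")) {
            $findings += "PASS ${name}: encrypted with $($section.GetAttribute('configProtectionProvider'))"
            continue
        }
        $findings += "WARN ${name}: not encrypted; connectionPassword is readable by anyone who can read web.config"

        $default = $section.GetAttribute("defaultProvider")
        $adds    = @($section.SelectNodes("providers/add"))
        $names   = @($adds | ForEach-Object { $_.GetAttribute("name") })
        if ($names -notcontains $default) {
            $findings += "FAIL ${name}: defaultProvider '$default' is not one of the declared providers ($($names -join ', '))"
        }
        if ($name -eq "roleManager") {
            if ($section.GetAttribute("enabled") -ne "true") { $findings += "FAIL roleManager: enabled is not true" }
            if ($default -ne $ExpectedRoleProvider) {
                $findings += "FAIL roleManager: defaultProvider is '$default', expected '$ExpectedRoleProvider'"
            }
        }
        foreach ($p in $adds) {
            $pn = $p.GetAttribute("name")
            $findings += "INFO ${pn}: provider name to enter in Central Administration for the extended site"
            # Only the LDAP providers have connection settings; AspNetWindowsTokenRoleProvider is skipped.
            if ($p.GetAttribute("type") -notlike "Microsoft.Office.Server.Security.LDAP*") { continue }
            if ($p.GetAttribute("useSSL") -ne "true") {
                $findings += "FAIL ${pn}: useSSL is not true; the bind password and directory data would travel in clear text on port $($p.GetAttribute('port'))"
            } elseif ($p.GetAttribute("port") -ne "636") {
                $findings += "WARN ${pn}: useSSL is true but port is $($p.GetAttribute('port')), not 636"
            }
            if (-not $p.HasAttribute("connectionUsername")) {
                $findings += "WARN ${pn}: no connectionUsername, so the provider cannot do an authenticated bind (SP1 feature)"
            }
        }
    }
    return $findings
}

# Web application (path from the aspnet_regiis commands in the post):
Test-LdapProviderConfig -WebConfig "C:\Inetpub\wwwroot\wss\VirtualDirectories\8000\web.config"
# Central Administration: replace <central-admin-vdir> with its virtual directory, then run
#   Test-LdapProviderConfig -WebConfig "<central-admin-vdir>\web.config" -ExpectedRoleProvider "AspNetWindowsTokenRoleProvider"
```

Run it once before aspnet_regiis to catch a missing useSSL or a wrong defaultProvider while the attributes are still readable, and once after on every front-end server to confirm both sections report PASS; an unencrypted section on one server is the usual way the service account password ends up exposed.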

Constraints of Using the LDAP Membership and Role Provider

Be aware of the following constraints when you are using the LDAP membership and role providers:

  • Trusted Forests
  • Primary group membership
  • Authenticated Binds

If you are interested in reading more about Forms Authentication and the various providers in SharePoint 2007 here are links to a 3 part series of articles on MSDN:

Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction

Forms Authentication in SharePoint Products and Technologies (Part 2): Membership and Role Provider Samples

Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication

If you’ve never configured Forms Based Authentication for SharePoint 2007 you might want to read this blog posting “Configuring Multiple Authentication Providers for SharePoint 2007” by the Microsoft SharePoint Product Group.

About wesmacdonald

Wes MacDonald is a Visual Studio ALM MVP, PSD, MCT and a Principal Consultant for LIKE 10 INC., a SharePoint Server, Visual Studio and Team Foundation Server Consulting Firm providing premium support and guidance services.
