Authenticating Users
Extending Applications
In order to authenticate users using LDAP, you have to extend the existing portal
to allow LDAP authentication. To do this, go to the SharePoint Central Administration
site and click the "Operations" tab. Select "Create or Extend Web Application" and
click "Extend an existing web application". Extending the application means that
you will be sharing the same content but allowing users to log in on different port
numbers using different authentication methods.
Keep all the defaults, including NTLM authentication. Select the "Custom" zone and
choose a free port. If your default portal's port number is 80, choose port 81.
This will create an additional IIS web site and virtual directory, complete with its
own web.config. Make sure to add the LDAP membership provider to this new web.config
as you did before. Now your default portal responds to both Windows authentication
(port 80) and LDAP authentication (port 81).
The next step is to edit the authentication method for this application. Under the
"Applications" tab, click "Authentication Providers". Select the "Custom" zone you
just created to edit its settings.
Make sure you've selected the portal's web application. Choose Forms authentication
and the provider name you used in the web.config file. You can choose to enable
client integration; but be aware that many applications don't integrate well through
SharePoint if you use non-default authentication providers such as LDAP. More on
this in the last section of this article.
Assign A System Administrator
The next step is to add one of the LDAP users as the system administrator for this
web application. To do this, on the Application Management page, click
"Policy for Web Applications". Choose the application you extended, and the Custom
zone. Choose a user to be the system admin. The account name will likely be in the
form [Ldap Membership Provider Name]:[LDAP unique user ID], where the first part is
the name attribute you gave the provider in web.config. Select Full Control for the
permission level.
This user should also be the Site Collection Administrator for the site collection.
On the Applications tab of SharePoint Central Administration, click Site
collection administrators. Add the account as the primary or secondary
site collection administrator.
Test Authentication
Here comes the moment of truth. Open both the default windows authentication port
(80 in our example) and the extended LDAP authentication port (81 in our example)
in different tabs in your browser. Notice that in the Windows NTLM tab, you are
automatically authenticated into the site. In the LDAP port tab, you are presented
with this sign in page:
Log in using your LDAP Site Collection administrator account. You don't need to
include the [Ldap Membership Provider Name]: part, just the LDAP account name.
You may see the following message:
If you see this, make sure you add the following attribute to the LDAP Membership
Provider entry in the web.config file: useDNAttribute="false". Thanks to Renee
Hulsman for this fix:
http://www.sharepointblogs.com/rhulsman/archive/2006/12/12/16853.aspx.
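As an added example, not taken from the original article, here is what the membership provider entry in the extended application's web.config can look like when it uses the LdapMembershipProvider that ships with Office SharePoint Server 2007 against an eDirectory server. The provider name (LdapMembership), server name, container DN and attribute names are assumptions for a typical eDirectory tree and must be replaced with your own; the useDNAttribute="false" attribute is the fix referenced above. The value of the name attribute is both the provider name you select under "Authentication Providers" and the part before the colon in the account name you enter under "Policy for Web Applications".

```xml
<!-- Added example: membership provider entry for the extended (port 81) web.config.
     Goes inside <system.web>. Server, DN and attribute names are assumed values. -->
<membership defaultProvider="LdapMembership">
  <providers>
    <add name="LdapMembership"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="ldap.example.com"
         port="389"
         useSSL="false"
         userNameAttribute="uid"
         userContainer="ou=users,o=example"
         userObjectClass="inetOrgPerson"
         userFilter="(objectClass=inetOrgPerson)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenName,cn"
         useDNAttribute="false" />
  </providers>
</membership>
```

With useDNAttribute="false" the provider resolves the user by searching userContainer for userNameAttribute matching the typed login name, instead of expecting a separate DN attribute on the entry, which is what the eDirectory login failure described above comes down to. Use port 636 with useSSL="true" in anything beyond a test lab, since with the settings shown the user's password travels to the directory server in clear text.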
If the login works, notice that you have two different users logged in to the portal,
on different ports but viewing the same content:
You can test this by modifying the content in one tab, and then watching it update
in the other tab (after a refresh). This is further proof that you are authenticating
to the same content using different mechanisms.
You'll have to add your LDAP users to portal groups such as Portal Members
or Portal Visitors in order to let them view the portal.
At this point, you can authenticate your eDirectory users into the portal using
the extended web application you created. The next page of this article outlines
a few issues to be aware of when using any kind of Forms authentication.