


Authenticating Users

Extending Applications

In order to authenticate users using LDAP, you have to extend the existing portal to allow LDAP authentication. To do this, go to the SharePoint Central Administration site and click the "Operations" tab. Select "Create or Extend Web Application" and click "Extend an existing web application". Extending the application means that you will be sharing the same content but allowing users to log in on different port numbers using different authentication methods.

Keep all the defaults, including NTLM authentication. Select the "custom" zone and choose a free port. If your default portal's port number is 80, choose port 81. This will create an additional virtual directory complete with its own web.config. Make sure to add the LDAP membership provider to this new web.config as you did before. Now your default portal responds to both Windows authentication (port 80) and LDAP authentication (port 81).

The next step is to edit the authentication method for this application. Under the "Applications" tab, click "Authentication Providers". Select the "Custom" zone you just created to edit its settings.

 

Make sure you've selected the portal's web application. Choose Forms authentication and the provider name you used in the web.config file. You can choose to enable client integration, but be aware that many applications don't integrate well through SharePoint if you use non-default authentication providers such as LDAP. More on this in the last section of this article.

Assign A System Administrator

The next step is to add one of the LDAP users as the system administrator for this web application. To do this, on the Application Management page, click "Policy for Web Applications". Choose the application you extended, and the Custom zone. Choose a user to be the system admin. The account name will likely be in the form [Ldap Membership Provider Name]:[LDAP unique user ID]. Select Full Control for the permission level.

 

This user should also be the Site Collection Administrator for the site collection. On the Applications tab of SharePoint Central Administration, click Site collection administrators. Add the account as the primary or secondary site collection administrator.

Test Authentication

Here comes the moment of truth. Open both the default Windows authentication port (80 in our example) and the extended LDAP authentication port (81 in our example) in different tabs in your browser. Notice that in the Windows NTLM tab, you are automatically authenticated into the site. In the LDAP port tab, you are presented with this sign-in page:

 

Log in using your LDAP Site Collection administrator account. You don't need to include the [Ldap Membership Provider Name]: part, just the LDAP account name. You may see the following message:

 

If you see this, make sure you add the following to the LDAP Membership Provider code in the web.config file: useDNAttribute="false". Thanks to Renee Hulsman for this fix: http://www.sharepointblogs.com/rhulsman/archive/2006/12/12/16853.aspx.
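An added example, not part of the original article: a Python check that compares the LDAP membership provider entry in the extended zone's web.config with the copy you configured earlier and flags a missing useDNAttribute="false". The sample configs, the provider name LdapMembership and the function names are constructed for illustration, and the check assumes the zone's web.config shows authentication mode Forms once the provider has been selected in Central Administration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the article): provider name, server and container
# are placeholders, and the assembly part of the type string is shortened.
REFERENCE = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMembership" server="ldap.example.test" port="389"
         type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server"
         useDNAttribute="false" userNameAttribute="cn" userContainer="o=example" />
  </providers></membership>
</system.web></configuration>"""

# Extended zone: Forms auth is on, but the provider was copied without useDNAttribute.
EXTENDED = REFERENCE.replace('useDNAttribute="false" ', "").replace(
    "<membership>", '<authentication mode="Forms" />\n  <membership>', 1)


def find_provider(config_xml, name):
    """Return the attributes of the membership provider called `name`, or None."""
    root = ET.fromstring(config_xml)
    for membership in root.iter("membership"):
        for add in membership.iter("add"):
            if add.get("name") == name:
                return dict(add.attrib)
    return None


def check_extended_zone(reference_xml, extended_xml, name):
    """List problems in the extended zone's web.config for provider `name`."""
    ref = find_provider(reference_xml, name)
    ext = find_provider(extended_xml, name)
    if ext is None:
        return [f"provider '{name}' is missing from the extended zone"]
    findings = []
    if ext.get("useDNAttribute", "").lower() != "false":
        findings.append('useDNAttribute is not "false"')
    # useDNAttribute is reported above, so it is left out of the attribute diff.
    keys = (set(ref or {}) | set(ext)) - {"useDNAttribute"}
    for key in sorted(keys):
        if ref is not None and ref.get(key) != ext.get(key):
            findings.append(f"attribute '{key}' differs from the reference copy")
    auth = next(ET.fromstring(extended_xml).iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        findings.append("authentication mode is not Forms")
    return findings
```

Run it against the real files by reading each zone's web.config into a string and passing the provider name you entered under "Authentication Providers".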

If the login works, notice that you have two different users logged in to the portal, on different ports but viewing the same content:

 

You can test this by modifying the content in one tab, and then watching it update in the other tab (after a refresh). This is further proof that you are authenticating to the same content using different mechanisms.

You'll have to add your LDAP users to portal groups such as Portal Members or Portal Visitors in order to let them view the portal.

At this point, you can authenticate your eDirectory users into the portal using the extended web application you created. The next page of this article outlines a few issues to be aware of when using any kind of Forms authentication.

Page 1 | Page 2 | Page 3

 

