Saturday, October 31, 2009

SharePoint: Form-Based Authentication with ADAM

What is ADAM?

Active Directory Application Mode (ADAM) is a lightweight version of Active Directory. A full Active Directory deployment requires considerable infrastructure, investment and management. ADAM runs as a non-operating-system service, whereas Active Directory (AD) runs as an OS service. So while only one AD can exist per OS, several ADAM instances can run on a single OS.

Why ADAM instead of AD?

ADAM and AD both use the LDAP protocol, and both can be used to manage user information and for authentication. Suppose you have a custom-developed application (say app1) that already works with AD through the LDAP provider. App1 is used internally, and you use AD to manage the internal users of your enterprise. Now you need to develop another custom application (say app2) that will also work with LDAP, but for external users (say you need to manage the buyers of your company’s product). In that case you want to use the LDAP provider, but you surely don’t want to manage those external users’ information in your AD. The best solution is to use ADAM: the external users (the buyers) are kept in ADAM rather than in AD, and your existing system (app1) can work with ADAM as well, since ADAM and AD both speak LDAP.


Figure 1: How AD and ADAM can exist side by side.

As shown in figure 1, the internal system uses AD primarily but can also access ADAM. ADAM and AD can also be synchronized, which gives room for better integration between the two.

Now you may ask why not use another way to manage external users, such as an ASP.NET authentication provider or custom user management backed by a database. If you do so, it will be difficult for the existing application (which uses AD today) to access those external users’ information, because the current system only supports the LDAP provider. So ADAM is the best choice for those who already use AD and need an AD-like system to manage users for another system, but don’t want to use AD directly.

Install and Configure ADAM

Download ADAM from here and install it. Once ADAM is installed, click ADAM –> “Create an ADAM Instance”. Click Next in the first window. Then make sure the “A unique instance” option is selected in the Setup Options step. In the Instance Name step, enter a meaningful name. In the Ports step keep the default ports and click Next. In the Application Directory Partition step select “Yes, create an application directory partition” and enter a partition name as shown in figure 2. Remember the partition name, as we will need it later to connect to ADAM.


Figure 2: ADAM setup.

In the above image, DC means Domain Controller (which I think may be your company name), OU means Organizational Unit (which I think is the department in which the application will be used) and CN stands for Common Name (which may be your product name).

Now click Next and you’ll move to the File Locations step. Click Next again; you may be prompted with a security warning, and if so select Yes. You are now at the ADAM Administrators step; take the default option of “currently logged in user….” Click Next and you’ll be at the Import LDIF Files step. Select the LDIF files to import as shown in figure 3.


Figure 3: Import LDIF file

Now click next until you finish.

Create a User in ADAM

Open “ADAM ADSI Edit” from ADAM under the Start menu. You’ll be prompted with the following screen. If the screen doesn’t appear automatically, click Action –> Connect to. Make sure you have entered the server name and port. The partition name should be entered in the DN field.


Figure 4: Connect to ADAM

Once you have connected to ADAM, right-click the node labelled with your partition name (so, CN=MyProduct,OU=Management,DC=MyCompany) and click New –> Object. In the Select a class window, select user and click Next. In the next window enter a name for the user and finish the wizard.

After creating the user you need to enable the account (it is disabled by default) and reset the password.

1. In the properties window select the property msDS-UserAccountDisabled and set its value to false. By default the account is disabled.

2. Set the user principal name to the username: set the userPrincipalName property of the user to the user name.

3. Reset the password by right-clicking the user and clicking Reset Password.

4. Sometimes user authentication doesn’t work without adding the user to a group/role. You can add the user to the ADAM groups (Administrators, Users, Readers) available under the CN=Roles node. To add a user to a group, first get the distinguished name of the user from the properties window; the property name is distinguishedName. Now move to the CN=Roles node and select the role/group you want to add the user to. Open the properties window of the role, find the member property and click it. You’ll see a window as shown below. In this window click Add ADAM account and paste the distinguished name.


Figure 5: Add an ADAM user to group/role.
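The four steps above can also be scripted instead of clicked through in ADAM ADSI Edit. The following is an added example, not code from the original post: it writes an LDIF file that creates the user, sets userPrincipalName, enables the account (msDS-UserAccountDisabled = FALSE) and adds the user to a role under CN=Roles. The container CN=MyProductUser and the partition DN are the sample values from this post’s screenshots and web.config; the user object class assumes MS-User.LDF was imported in the Import LDIF Files step; ldifde and its -i/-f/-s/-t switches are the import tool that ships with ADAM. The password reset (step 3) is deliberately left to ADSI Edit, since writing unicodePwd needs an SSL-protected connection.

```python
"""Build an LDIF file for the ADAM user-creation steps in the post.
Added example; DNs and the user name are constructed sample values."""

import base64

PARTITION_DN = "CN=MyProduct,OU=Management,DC=MyCompany"   # from the post's figure 2
USER_CONTAINER = "CN=MyProductUser," + PARTITION_DN        # container used in the post's web.config

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an RDN value so a name such as 'Rana, S' cannot alter the DN
    structure when spliced into CN=<name>,<container>."""
    out = []
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def fold(line, width=76):
    """Fold a long LDIF line per RFC 2849: continuation lines begin with one space."""
    if len(line) <= width:
        return [line]
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return parts


def ldif_attr(name, value):
    """Format 'name: value', or 'name:: base64' when RFC 2849 says a plain value
    is unsafe (leading space, ':' or '<', or control / non-ASCII characters)."""
    unsafe = value[:1] in (" ", ":", "<") or any(ord(c) < 32 or ord(c) > 126 for c in value)
    if unsafe:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def user_dn(username, container=USER_CONTAINER):
    return "CN=%s,%s" % (escape_rdn_value(username), container)


def role_dn(role, partition=PARTITION_DN):
    return "CN=%s,CN=Roles,%s" % (escape_rdn_value(role), partition)


def build_ldif(username, role="Readers"):
    """Three LDIF records: add the user, enable it, make it a member of the role."""
    udn = user_dn(username)
    records = [
        # 1. create the user object; ADAM creates user objects disabled
        [ldif_attr("dn", udn), "changetype: add", "objectClass: user",
         ldif_attr("cn", username), ldif_attr("userPrincipalName", username)],
        # 2. enable the account (the post's step 1)
        [ldif_attr("dn", udn), "changetype: modify",
         "replace: msDS-UserAccountDisabled", "msDS-UserAccountDisabled: FALSE", "-"],
        # 3. add the user to the role (the post's step 4)
        [ldif_attr("dn", role_dn(role)), "changetype: modify",
         "add: member", ldif_attr("member", udn), "-"],
    ]
    out = []
    for rec in records:
        for line in rec:
            out.extend(fold(line))
        out.append("")  # a blank line terminates each LDIF record
    return "\n".join(out)


if __name__ == "__main__":
    # Write users.ldf, then import it with: ldifde -i -f users.ldf -s servername -t port
    with open("users.ldf", "w") as f:
        f.write(build_ldif("srana"))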

Configure ADAM in SharePoint

Once you have ADAM set up you can use it from SharePoint. To configure ADAM for a site you need to modify the web.config file both for that site and for the central administration site. First add a membership section under the <system.web> section:

  <membership defaultProvider="ADAMProvider">
    <providers>
      <add name="ADAMProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADAMProviderConnectionString"
           connectionUsername="CN=srana,CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany"
           connectionPassword="srana"
           enableSearchMethods="true"
           connectionProtection="None" />
    </providers>
  </membership>

Here the connectionProtection value may be Secure or another value, depending on your server’s configuration. Note that None, as used above, makes the provider bind to ADAM over a plain, unencrypted LDAP connection, so the connectionUsername and connectionPassword (and every user lookup) cross the network in clear text; use Secure wherever the ADAM instance has an SSL certificate.

Also, in the connection strings section, add the connection string to ADAM as shown below:

  <connectionStrings>
    <add name="ADAMProviderConnectionString" connectionString="LDAP://servername:port/CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany" />
  </connectionStrings>

That’s it. But remember to add the same membership and connection string sections both in the web.config of the site you want ADAM authentication for and in that of central administration. If you don’t put the configuration in the central administration web.config, it will not work.
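Since the two web.config sections have to agree with each other and be duplicated in central administration, a small offline check saves a round of log reading. The following is an added example, not code from the original post: it parses the <membership> provider and the <connectionStrings> entry, confirms they reference each other, flags the settings a reviewer would question (connectionProtection="None", a clear-text connectionPassword, enableSearchMethods not enabled), and compares a site web.config with the central administration one. The web.config samples inside are constructed (the first mirrors the post’s values); port 636 as the SSL port and the aspnet_regiis -pe hint are assumptions for your own environment.

```python
"""Offline checker for the ADAM membership provider wiring in web.config.
Added example; the three web.config samples below are constructed."""

import re
import xml.etree.ElementTree as ET

# LDAP://host[:port]/baseDN is the shape ActiveDirectoryMembershipProvider expects.
LDAP_URL = re.compile(r"^LDAP://(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<base>.+)$", re.I)

# Constructed sample mirroring the post: clear-text bind over plain LDAP.
WEAK_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADAMProviderConnectionString"
         connectionString="LDAP://servername:389/CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADAMProvider">
      <providers>
        <add name="ADAMProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADAMProviderConnectionString"
             connectionUsername="CN=srana,CN=MyProductUser,CN=MyProduct,OU=Management,DC=MyCompany"
             connectionPassword="srana"
             enableSearchMethods="true"
             connectionProtection="None" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Constructed: the same provider bound over SSL (636 is assumed to be the instance's SSL port).
HARDENED_CONFIG = WEAK_CONFIG.replace("servername:389", "servername:636").replace(
    'connectionProtection="None"', 'connectionProtection="Secure"')

# Constructed: the mistake the post warns about, central administration got the
# provider but not the connection string.
CENTRAL_ADMIN_CONFIG = re.sub(r"<connectionStrings>.*?</connectionStrings>\s*", "", WEAK_CONFIG, flags=re.S)


def parse_ldap_url(conn):
    """Split an LDAP connection string into host, port (389 if absent) and base DN."""
    m = LDAP_URL.match(conn.strip())
    if not m:
        return None
    return {"host": m.group("host"), "port": int(m.group("port") or 389), "base": m.group("base")}


def check_config(xml_text):
    """Return (severity, message) findings for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    membership = root.find("./system.web/membership")
    if membership is None:
        return [("error", "no <membership> section under <system.web>")]
    providers = {p.get("name"): p for p in membership.findall("./providers/add")}
    prov = providers.get(membership.get("defaultProvider"))
    if prov is None:
        return [("error", "defaultProvider %r is not defined under <providers>" % membership.get("defaultProvider"))]
    conn = {c.get("name"): c.get("connectionString") for c in root.findall("./connectionStrings/add")}
    cs_name = prov.get("connectionStringName")
    if cs_name not in conn:
        findings.append(("error", "connectionStringName %r has no <connectionStrings> entry" % cs_name))
    elif parse_ldap_url(conn[cs_name]) is None:
        findings.append(("error", "connection string is not of the form LDAP://host[:port]/baseDN"))
    # The provider's default is Secure; None means an unencrypted bind and unencrypted lookups.
    if prov.get("connectionProtection", "Secure").lower() == "none":
        findings.append(("warn", "connectionProtection=None: bind credentials and queries cross the network unencrypted"))
    if prov.get("connectionPassword"):
        findings.append(("warn", "connectionPassword is in clear text; encrypt the section with aspnet_regiis -pe"))
    if prov.get("enableSearchMethods", "false").lower() != "true":
        findings.append(("warn", "enableSearchMethods is not true, so the People Picker cannot search ADAM"))
    return findings


def compare_site_and_central_admin(site_xml, ca_xml):
    """Report provider or connection-string entries present in the site's
    web.config but missing or different in central administration's."""
    def extract(xml_text):
        root = ET.fromstring(xml_text)
        provs = {p.get("name"): dict(p.attrib) for p in root.findall("./system.web/membership/providers/add")}
        conns = {c.get("name"): c.get("connectionString") for c in root.findall("./connectionStrings/add")}
        return {"provider": provs, "connection string": conns}
    site, ca = extract(site_xml), extract(ca_xml)
    problems = []
    for kind in ("provider", "connection string"):
        for name, value in site[kind].items():
            if name not in ca[kind]:
                problems.append("%s %r missing from central administration web.config" % (kind, name))
            elif ca[kind][name] != value:
                problems.append("%s %r differs between the two web.config files" % (kind, name))
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_config(cfg))
    print(compare_site_and_central_admin(WEAK_CONFIG, CENTRAL_ADMIN_CONFIG))
```

Run it against the real files by reading them into check_config and compare_site_and_central_admin; the clear-text password finding stays until the section is encrypted, which is what the provider configuration in this post leaves exposed to anyone who can read the web.config.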

Now check whether ADAM authentication works. Go to Central Administration => Application Management => Site Collection Administrators (under SharePoint Site Management). Select your site from the drop-down list and enter the ADAM user name in the primary or secondary site collection administrator box. If the user is found, you are done. If the user is not found, you need to find the error: go to the folder “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS” and open the latest log. You’ll find the error description there, and based on the error message you can usually figure out the reason.

A few suggestions:

1. After configuring ADAM you may find that it is not working: the user does not show as valid in the SharePoint People Picker. In that case search the SharePoint log files for the root cause. The log files are in a folder like “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS”.

2. It is better to create the web site first and configure it for ADAM authentication before creating any site collection. If you convert a Windows-authenticated site to ADAM, the existing permissions for Windows users (as well as the Windows users themselves) will no longer be usable.

3. By default the ADAM provider uses userPrincipalName as the user name. So when a user enters a username (say srana) in the username box on the SharePoint site, the provider tries to find an entry in ADAM whose userPrincipalName is srana. So whenever you create a user in ADAM, set its userPrincipalName to the user name.
