Run MOSS Against Multiple Active Directories

One of the great new features that MOSS introduced was an easy way to share the same information between multiple portals/sites. By extending your web applications, you can have separate authentication providers reach the same content using Forms Based Authentication (FBA). FBA is usually associated with a custom SQL Server database or some other authentication mechanism, but you can use it to authenticate against Active Directory as well.

Since implementing FBA in MOSS is pretty well documented already, I won’t go down that route, but just tell you what needs to be changed for it to work with Active Directory (AD).  If you need an article that talks about FBA specifically, try this one:
http://www.devcow.com/blogs/jdattis/archive/2007/02/23/Office-SharePoint-Server-2007-Forms-Based-Authentication-FBA-Walkthrough-Part-1.aspx.  This article assumes you have implemented FBA already or know how to, and just need the specifics for the ADMembershipProvider.

This article also assumes that you have extended a web application to use FBA.  Though there is nothing preventing you from using this on a primary web application and not using an extended web application, I use the term ‘extended web application’ to mean the web application that you want to set up for FBA.

In the extended web application's web.config file, change the connectionStrings element to:

<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://[ldapquery]" />
</connectionStrings>

I placed this node between </configSections> and <SharePoint>.

The next change is to the membership node and should read:

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add
      name="ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="[accountName]"
      connectionPassword="[password]"
      enableSearchMethods="true"
      attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

I placed this node between <sessionState … /> and </system.web>. Make sure the type attribute is well-formed XML when you paste it, since the blog may wrap or re-quote it: put the whole type="…" value on one line, using straight double quotes.

Make sure to replace [ldapquery], [accountName], and [password] with the values specific to your AD. You can also set attributeMapUsername to a different AD attribute than sAMAccountName if that is appropriate. Your domain administrators will be able to help you with the LDAP query if you aren't familiar with the technology or the domain's structure.

You'll also need to make the same changes in the Central Administration web.config and change the authentication provider at Central Administration > Application Management > Authentication Providers (all of which you should have touched when doing a typical FBA configuration).
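As an added example that is not part of the original post, the following Python script checks the two web.config edits above before you restart the web application: straight quotes, a type attribute on one line, a connectionStringName that resolves to an LDAP:// connection string, and no [ldapquery]/[accountName]/[password] placeholders left behind. The sample configurations, the example.corp host and the service account name are constructed for illustration.

```python
# Added example (not from the original post): a checker for the FBA /
# ADMembershipProvider web.config edits. Sample configs below are constructed.
import re
import xml.etree.ElementTree as ET

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"
# the three placeholders the post tells you to replace
PLACEHOLDER = re.compile(r"\[(ldapquery|accountName|password)\]")
# a type="..." attribute whose value is wrapped across lines
BROKEN_TYPE = re.compile(r'type\s*=\s*"[^"]*[\r\n][^"]*"')


def check_fba_config(xml_text: str) -> list:
    """Return the problems found in an FBA/ADMembershipProvider web.config.
    An empty list means every check passed."""
    problems = []

    # Copy/paste damage from a web page: curly quotes and a wrapped type
    # attribute are checked on the raw text, because the XML parser would
    # either reject them with a cryptic message or normalise them away.
    if any(ch in xml_text for ch in CURLY_QUOTES):
        problems.append("curly quotes found; replace them with straight double quotes")
    if BROKEN_TYPE.search(xml_text):
        problems.append("type attribute spans several lines; put it on one line")

    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"web.config is not well-formed XML: {exc}"]

    conns = {a.get("name", ""): a.get("connectionString", "")
             for a in root.findall("./connectionStrings/add")}

    membership = root.find("./system.web/membership")
    if membership is None:
        return problems + ["no <membership> element under <system.web>"]
    default = membership.get("defaultProvider", "")
    providers = {p.get("name"): p for p in membership.findall("./providers/add")}
    if default not in providers:
        return problems + [f"defaultProvider '{default}' matches no <providers><add>"]
    prov = providers[default]

    if "ActiveDirectoryMembershipProvider" not in prov.get("type", ""):
        problems.append("default provider is not ActiveDirectoryMembershipProvider")

    cs_name = prov.get("connectionStringName", "")
    if cs_name not in conns:
        problems.append(f"connectionStringName '{cs_name}' has no <connectionStrings> entry")
    else:
        if not conns[cs_name].upper().startswith("LDAP://"):
            problems.append("connection string must start with LDAP://")
        if PLACEHOLDER.search(conns[cs_name]):
            problems.append("connection string still contains [ldapquery]")

    for attr in ("connectionUsername", "connectionPassword"):
        value = prov.get(attr, "")
        if not value or PLACEHOLDER.search(value):
            problems.append(f"{attr} is empty or still a placeholder")
    return problems


def stores_plaintext_password(xml_text: str) -> bool:
    """True when connectionPassword sits unencrypted in <membership>.
    A section protected with aspnet_regiis -pe carries a configProtectionProvider
    attribute instead of readable provider attributes."""
    root = ET.fromstring(xml_text)
    membership = root.find("./system.web/membership")
    if membership is None or membership.get("configProtectionProvider"):
        return False
    return any(p.get("connectionPassword") for p in membership.findall("./providers/add"))


# Constructed sample: placeholders not replaced and the type attribute wrapped.
BAD_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://[ldapquery]" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,
             System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="[accountName]"
             connectionPassword="[password]"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Constructed sample: the same edits done correctly (hostname and account are fictitious).
GOOD_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADConnectionString" connectionString="LDAP://dc01.example.corp/DC=example,DC=corp" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="EXAMPLE\\svc_sharepoint_ldap"
             connectionPassword="not-a-real-password"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_fba_config(cfg), "plaintext password:", stores_plaintext_password(cfg))
```

Run it against a copy of the extended web application's web.config (read the file and pass its contents to check_fba_config). Note that even the corrected configuration keeps the service account password in clear text, which is why stores_plaintext_password reports True for it; ASP.NET's protected configuration (aspnet_regiis -pe) can encrypt the membership section in place, and the account itself only needs read access to the directory.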

Infrastructure Requirements:

  • The account used above needs 'read' permission on the directory (a standard user account will usually work).
  • The appropriate firewall ports need to be open if the traffic leaves the local network (port 389 for LDAP by default).

Again, this article assumes that you know what you’re doing with MOSS and FBA and just need the specifics for the AD integration.  I had a hard time finding that information at the time, so I decided to post it here.  If you have any questions, post them into comments and I’ll get them answered ASAP.
