What I would like to achieve is a custom login page (FBA) that authenticates users against Active Directory. There are two domains with a forest trust, so users from both ADs should be able to log in. Currently I'm using the approach below:
I created a custom login page for SharePoint 2019; the code in the login page uses the lines below to authenticate the user:
// Ask the SharePoint STS to validate the credentials against the "admembers"
// membership provider (no role provider) and issue a security token.
SecurityToken token = SPSecurityContext.SecurityTokenForFormsAuthentication(
    new Uri(SPContext.Current.Web.Url),
    "admembers",                       // membership provider name
    "",                                // role provider name (none)
    _userName,
    _password,
    (SPFormsAuthenticationOption) 0);  // 0 = SPFormsAuthenticationOption.None (no persistent sign-in)
// Set the principal for the request and write the FedAuth session cookie.
SPFederationAuthenticationModule.Current.SetPrincipalAndWriteSessionToken(token);
The lines above come from https://sharepoint.stackexchange.com/questions/42541/how-to-create-a-custom-fba-login-page-that-forces-user-to-change-password-and-vi
I followed this guide to set up FBA: http://davidmsterling.blogspot.com/2013/05/setting-up-forms-based-authentication.html (the site is for SharePoint 2010, but I can't find much for SharePoint 2019).
Mainly I changed 3 web.configs:
- The site application web.config
- The central administration web.config
- The Security Token Service web.config
Security Token Service:
For the Security Token Service web.config I added the code below at the end:
<connectionStrings>
<add name="adconn"
connectionString="LDAP://Sharepoint2019.int/DC=Sharepoint2019,DC=int" />
</connectionStrings>
<system.web>
<membership defaultProvider="admembers">
<providers>
<add name="admembers"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="adconn"
enableSearchMethods="true"
attributeMapUsername="sAMAccountName" />
</providers>
</membership>
</system.web>
Central administration:
For the Central Administration web.config I added the code below after the "</SharePoint>" tag:
<connectionStrings>
<add name="adconn"
connectionString="LDAP://Sharepoint2019.int/DC=Sharepoint2019,DC=int" />
</connectionStrings>
I've also added the line below to the "PeoplePickerWildcards" node:
<add key="admembers" value="%" />
Moreover, I modified the default membership tag to the following:
<membership defaultProvider="admembers">
<providers>
<add name="admembers"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="adconn"
enableSearchMethods="true"
attributeMapUsername="sAMAccountName" />
</providers>
</membership>
Site application:
For the site application web.config, I added the code below:
<connectionStrings>
<add name="adconn" connectionString="LDAP://Sharepoint2019.int/DC=Sharepoint2019,DC=int" />
</connectionStrings>
Also, I've added the line below to the "PeoplePickerWildcards" node:
<add key="admembers" value="%" />
Moreover, I added the provider below to the membership providers:
<add name="admembers"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="adconn"
enableSearchMethods="true"
attributeMapUsername="sAMAccountName" />
Then in Central Administration, I selected the web application, enabled forms authentication, set the membership provider name to "admembers", and pointed the custom login page to "_layout\LoginPage\login.aspx".
Result:
The result was that I was able to use the farm admin account (which is a site owner) to log in to the website. However, the error message "site hasn't been shared with you" appeared.
I've tested the LDAP path with the code below:
// Requires: using System.DirectoryServices;
// Same LDAP path as the "adconn" connection string in the web.configs.
var ldapPath = "LDAP://Sharepoint2019.int/DC=Sharepoint2019,DC=int";
using (var entry = new DirectoryEntry(ldapPath))
{
    using (var searcher = new DirectorySearcher(entry))
    {
        // Look the account up the way the provider does: by sAMAccountName.
        searcher.Filter = "(&(objectClass=user)(sAMAccountName=spAdministrator*))";
        SearchResultCollection result = searcher.FindAll();
        // result.Count > 0 means the account was found under this path.
    }
}
The search was able to find that user.
Does anyone have any advice on what I did wrong, or am I using the correct approach?
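Added example (not part of the question above or of the linked guides): FBA only works when the three web.config files agree with each other, so here is a small Python script that checks the STS, Central Administration and web application fragments for the mismatches that are easy to introduce by hand: the provider missing from one file, a connectionStringName that points at no connection string, a missing PeoplePickerWildcards entry, or the three files binding to different LDAP paths. The fragments are constructed samples modelled on the post's web.config snippets; the second set plants three hypothetical faults (the "adconn2" reference, a missing wildcard entry in Central Administration, and an LDAP path for a made-up corp.example.com domain) to show what the check reports. It assumes the stock layout of SharePoint's web.config: connectionStrings, system.web/membership/providers, and a SharePoint/PeoplePickerWildcards section in the Central Administration and web application files (the STS has no people picker).

```python
import xml.etree.ElementTree as ET

# Assembly-qualified name of the provider type used in the post.
PROVIDER_TYPE = ("System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, "
                 "Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")


def make_config(provider, conn_name, ldap_path, default_provider,
                people_picker=True, conn_ref=None):
    """Build a minimal web.config (constructed sample) with only the FBA pieces the post
    adds: connectionStrings, the membership provider and, for Central Administration and
    the web application, the PeoplePickerWildcards entry. conn_ref lets a sample refer to
    a connection string name that does not exist (to simulate a typo)."""
    conn_ref = conn_ref or conn_name
    sharepoint = ""
    if people_picker:
        sharepoint = f"""
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="{provider}" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>"""
    return f"""<configuration>{sharepoint}
  <connectionStrings>
    <add name="{conn_name}" connectionString="{ldap_path}" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="{default_provider}">
      <providers>
        <add name="{provider}" type="{PROVIDER_TYPE}"
             connectionStringName="{conn_ref}" enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def check_fba_config(configs, provider):
    """configs maps a label (STS, CentralAdmin, WebApp) to web.config XML text.
    Returns a list of human-readable problems; an empty list means the files agree."""
    problems = []
    ldap_paths = {}
    for label, xml in configs.items():
        root = ET.fromstring(xml)
        conns = {a.get("name"): a.get("connectionString")
                 for cs in root.iter("connectionStrings") for a in cs.findall("add")}
        providers = {a.get("name"): a
                     for m in root.iter("membership") for a in m.iter("add")}
        prov = providers.get(provider)
        if prov is None:
            problems.append(f"{label}: membership provider '{provider}' is not defined")
            continue
        if "ActiveDirectoryMembershipProvider" not in (prov.get("type") or ""):
            problems.append(f"{label}: provider '{provider}' is not an "
                            "ActiveDirectoryMembershipProvider")
        ref = prov.get("connectionStringName")
        if ref in conns:
            ldap_paths[label] = conns[ref]
        else:
            problems.append(f"{label}: connectionStringName '{ref}' has no "
                            "<connectionStrings> entry")
        if label != "STS":  # the STS has no people picker, so no wildcard entry there
            keys = {a.get("key") for w in root.iter("PeoplePickerWildcards")
                    for a in w.findall("add")}
            if provider not in keys:
                problems.append(f"{label}: PeoplePickerWildcards has no entry for '{provider}'")
    # Every file must bind the provider to the same directory.
    if len(set(ldap_paths.values())) > 1:
        problems.append("LDAP paths differ between files: " + "; ".join(
            f"{k}={v}" for k, v in sorted(ldap_paths.items())))
    return problems


LDAP = "LDAP://Sharepoint2019.int/DC=Sharepoint2019,DC=int"

# Fragments that agree with each other, as the post intends them to.
GOOD = {
    "STS": make_config("admembers", "adconn", LDAP, "admembers", people_picker=False),
    "CentralAdmin": make_config("admembers", "adconn", LDAP, "admembers"),
    # The web application keeps SharePoint's claims provider "i" as its default.
    "WebApp": make_config("admembers", "adconn", LDAP, "i"),
}

# The same files with three deliberate faults planted (hypothetical values).
BAD = {
    "STS": make_config("admembers", "adconn", LDAP, "admembers",
                       people_picker=False, conn_ref="adconn2"),
    "CentralAdmin": make_config("admembers", "adconn", LDAP, "admembers",
                                people_picker=False),
    "WebApp": make_config("admembers", "adconn",
                          "LDAP://corp.example.com/DC=corp,DC=example,DC=com", "i"),
}

if __name__ == "__main__":
    for name, cfgs in (("good", GOOD), ("bad", BAD)):
        print(name, check_fba_config(cfgs, "admembers") or "OK")
```

To use it against a real farm, read the three files from their IIS paths into the dictionary instead of calling make_config; the check is deliberately read-only and does not touch the directory, so it can run before any credentials are tried through the login page.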