Enable Forms Based Authentication
This process can be broadly divided into 3 sections:
Extend the SharePoint Web Application
We have a SharePoint site on port 80 which uses NTLM authentication. For our purposes, we will extend the SharePoint Web Application to port 8080, on which we will configure Forms Authentication.
(Note: Make sure the port you choose for the extended application is not already in use.)
Make Entries in the Web.Config
As a first step to enable forms authentication, you need to make entries in the web.config file of the "SharePoint Central Administration Web application" and of the "SharePoint Web application" with which you wish to use Forms Authentication (it can be a new SharePoint Web Application or an Extended Web Application).
Have the information on the following points handy according to your environment:
DC is the server running Active Directory. DC will service all LDAP requests for the SSP (change this to the Domain Controller you want SharePoint to use).
The default port number used by LDAP is 389 (generally this doesn't need to be changed unless you're using a custom LDAP port).
User objects in Active Directory are located inside the OrgUsers OU in the contoso.com domain (change this to the OU where the users who need to access SharePoint through Forms Authentication are stored).
Groups in Active Directory are located inside the OrgGroups OU in the contoso.com domain (change this to the OU where your groups are stored).
Complete the following steps on the SharePoint server(s) (all Web Front End Servers).
I personally recommend copying the following excerpts into MS Word, updating the environment-specific values (server, port, OU and domain names) and pasting them into the appropriate section of the web.config file.
type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
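The excerpts above show only the provider type strings and the roleManager opening tags. As an added worked example (not the post's own excerpt), here is what the complete membership and roleManager sections look like in the <system.web> element of the Web Application's web.config, filled in for the example environment described above (server DC, LDAP port 389, users in the OrgUsers OU and groups in the OrgGroups OU of contoso.com). The attribute names are those of the MOSS 2007 LdapMembershipProvider and LdapRoleProvider, and Version=12.0.0.0 is the MOSS 2007 Microsoft.Office.Server assembly version; the provider names "LdapMembership" and "LdapRole" are the ones you later select in Central Administration. The Central Administration web.config gets the same two <add> entries, but keeps defaultProvider="AspNetWindowsTokenRoleProvider" on its roleManager so that Central Admin itself stays on Windows authentication.

```xml
<system.web>
  <!-- Membership: how SharePoint looks up and authenticates a user who types a name into the FBA form -->
  <membership defaultProvider="LdapMembership">
    <providers>
      <add name="LdapMembership"
           type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
           server="DC"
           port="389"
           useSSL="false"
           userDNAttribute="distinguishedName"
           userNameAttribute="sAMAccountName"
           userContainer="OU=OrgUsers,DC=contoso,DC=com"
           userObjectClass="person"
           userFilter="(ObjectClass=person)"
           scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>

  <!-- Roles: how SharePoint resolves AD groups for the authenticated user.
       In the Central Administration web.config keep defaultProvider="AspNetWindowsTokenRoleProvider" here;
       only the extended (port 8080) Web Application uses LdapRole as its default. -->
  <roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
    <providers>
      <add name="LdapRole"
           type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
           server="DC"
           port="389"
           useSSL="false"
           groupContainer="OU=OrgGroups,DC=contoso,DC=com"
           groupNameAttribute="cn"
           groupNameAlternateSearchAttribute="samAccountName"
           groupMemberAttribute="member"
           userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName"
           groupFilter="(ObjectClass=group)"
           scope="Subtree" />
    </providers>
  </roleManager>
</system.web>
```

Two things worth checking in this configuration. First, userNameAttribute="sAMAccountName" is the attribute users type at the login form and the value that appears after "LdapMembership:" in People Picker; if you leave it at the provider default, accounts will not resolve the way the post expects. Second, port 389 with useSSL="false" means the provider performs a simple LDAP bind, which sends the user's password to the Domain Controller unencrypted; for anything beyond a lab, use useSSL="true" with port="636" (LDAPS), which requires the DC to hold a server certificate trusted by the web front ends.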
Configure Forms-Based Authentication in Central Administration
Note: At this point SharePoint automatically enables anonymous access on the Web application for which you enabled forms authentication. However, there are still no users who can access the Forms Authentication site, because DOMAIN\SPSAdmin is NOT the same identity as LdapMembership:SPSAdmin. You therefore need to grant at least one user Full Control permissions; that user can then log in and grant permissions to other users as needed.
Thank you so much for your code. I have searched wide and far and apparently your documentation/code was clear and precise and well, it works!
You mentioned the centradmin default website also to be modified to Forms authentication I did not see any provision for that .
I changed the central admin web config also the application web config to point it to the right LDAP
But one thing I did not get is what is this spsadmin account you mentioned in the end ?
I was not able to get the login screen after I changed the central admin web config alone and the application web config change and authentication to Forms
Please advise if you can
You need to modify both Central Admin web.config and Web Application web.config in order to configure forms authentication.
Users in Windows Authentication and users in Forms Authentication are considered different and unique, so for the first time when you configure Forms Authentication, none of the users have access to login to the SharePoint site using Forms Authentication and that's why you need to add at least 1 user through Policy for Web App (or change one of the site collection Admins) and then login with that user and manage permissions for other users...
I recommend following the blog step-by-step and you should be able to get it right. Making correct changes in the web.config is the key to Forms Auth.
You can read more at -
Also, if you need to implement a different type of Forms Auth than this one, samples are available at
I have made the required changes to both the web.config files in central administration site and application site. I am able to see the forms authentication form as well but when I go to Policy for Web Application -> Add Users, I get the form to add users but I am not able to find any of the users in my domain. Not sure if you have seen this before or if I am missing out something.
Would really appreciate your help on this.
I think you're missing out on correct configuration entries in web.config files. Have you added the above entries (after making relevant changes according to your domain and OU) to both Central Admin & Web Application's web.config?
I have configured FBA properly and it works. In the 10th Step (policy for web application) of your article, instead of having one user (admin) I have a bunch of users who are administrators. I have created a security group in AD and it holds all the users. When I add that particular AD group in the 10th step that you mentioned, I am getting "access denied" error. What do you think might be the problem. Instead of AD Group, if I add AD User it works fine. Any help would be greatly appreciated. My email id is firstname.lastname@example.org
I was wondering how I can correctly configure a web configuration file so that all applications are accepted within Microsoft IIS7?
I've done all the steps without any issue but still I am not able to login in the FBA enabled site.
Any idea ?
Got this working with (attributeMapUsername="sAMAccountName" ) for both central admin & internet site. However I got the same issue as sravan has. The site lets you login, when we add individual AD users in the policy for web application. Does not work for AD groups. Should be a setting in the membership provider
I read your article and made all the changes. I have the LDAP path that looks like this..
I am also able to see the forms authentication form as well but when I go to Policy for Web Application -> Add Users, I get the form to add users but I am not able to find any of the users in my domain
I could not fit this into the sample entry provided by you. Could you please modify your text as per these entries and reply me. Please.
@Sravan: I just changed most of the steps today to make it even more clear, you should add only a user in Authentication Providers and add the other users / groups after logging in with the user which you added in Auth Providers. HTH.
@ Adrian: Not sure if I understand your question correctly but the steps are similar for IIS 7 as well although the IIS 7 interface is different, however we are not making any IIS site level changes so that shouldn't matter, if this doesn't answer your question, please re-post the question with more clarity.
@Sohaib: I just changed most of the steps today to make it even more clear. Please go through the blog again and let me know if you are able to 1) Find the Ldap user in CA 2) Login to FBA site
@Onions: Answered Sravan's query above, pls refer.
@Nutan: By the looks of string you provided, I think you're trying to configure ADMembership Provider (generally used for WSS) however this blog talks about LdapMembership Provider (which is a better option if you have MOSS as ADMembership cannot make use of LdapRole).
Nishant, Can you tell me how this can be applied to the situation where the membership provider needs to see AD built in service accounts (farm account for CA) as well as a specific security group and the AD Users object? I can't seem to get this to see all of those at the same time in order to specify the primary and secondary site collection admins. Note I did not extend an existing application as you specified. My goal is to simply eliminate the Windows security dialog for our users. -- Thanks!
@ mcpsspa: You would need to have the User accounts under a single OU which needs to use LdapMembershipProvider. Our scenario here is limited to having one OU for users and one OU for Groups. It's fine even if you don't extend the application and just want to make use of LdapMembership entirely to avoid Windows Authentication.
Nishant, great guide. I am having an issue with the FBA site. I can add a user with Full Control and as a Site Collection Admin, and they resolve as ldapmembership:username, but when I go to log in, I just keep getting the login page. I don't even get an Access Denied page. Any thoughts?