SharePoint Forms Based Authentication against Active Directory with password change

Hi,

In this post I am going to guide you through the steps necessary to set up FBA against AD with the possibility to change your password. I will not write step-by-step instructions on how to do it, but based on what I had to fight with and solve, I will post the best ways I know to do these steps:

1. The first step is to configure your existing web application (or create a new one) to support claims authentication, and then to follow the steps to configure AD support for forms authentication.

Configure forms-based authentication for a claims-based web application in SharePoint 2013:
http://technet.microsoft.com/en-us/library/ee806890.aspx

Migrate from classic-mode to claims-based authentication in SharePoint 2013:
http://technet.microsoft.com/en-us/library/gg251985.aspx

Also, for SQL Server authentication if needed:

http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

http://msdn.microsoft.com/en-us/library/gg252020(v=office.14).aspx

2. The second step is to create a custom sign-in page so that custom logic, such as changing a user's password, can be applied during the authentication phase:

A few examples of how to do it:

https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/sharepoint-custom-sign-in-and-sign-out-page-.aspx

http://blogs.technet.com/b/speschka/archive/2010/07/22/writing-a-custom-forms-login-page-for-sharepoint-2010-part-2.aspx

http://tomaszrabinski.pl/wordpress/2011/06/23/sharepoint-2010-custom-login-page/

http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx

http://www.mssharepointtips.com/tip.asp?id=1093&page=2

3. The third step is to create the custom code to change the user password:

What you need to do:

An Active Directory user with delegated privileges on the OU or CN where the authenticated users reside. This user must have the privileges to reset and change passwords.

http://www.petri.co.il/delegate-permission-reset-ad-user-account-passwords.htm

http://support.microsoft.com/kb/296999

Make use of the Secure Store Service in SP2010 to store the AD account and other information securely. Notice: when the Secure Store Service is accessed from the sign-in page, the user accessing it is the anonymous user, so you need to wrap the call in the SPSecurity.RunWithElevatedPrivileges delegate.

http://social.technet.microsoft.com/wiki/contents/articles/20110.sharepoint-retrieving-credentials-from-the-secure-store-application-using-c.aspx

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

Implement the custom .NET code that changes the password using impersonation, so that it gets access to AD (notice that the user running the code is anonymous):

http://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx

http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#1

http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

NOTICE: I had problems using another set of .NET classes and functions to perform the password change through code. Problems with authorization against AD:

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.authenticableprincipal.setpassword(v=vs.110).aspx
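As an added example (not code from the original post), the pieces of step 3 put together: the delegated account is read from the Secure Store under RunWithElevatedPrivileges, and the password is changed through DirectoryEntry rather than the AccountManagement classes. The target application ID, the LDAP path and the Secure Store field types are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

public static class AdPasswordChanger
{
    // Assumed: the Secure Store target application holding the delegated AD account, and the
    // LDAP path of the OU where the FBA users reside (both placeholders; adjust for your environment).
    private const string SecureStoreAppId = "FbaPasswordChange";
    private const string UsersLdapPath = "LDAP://dc01.example.local/OU=PortalUsers,DC=example,DC=local";

    // Reads the delegated account from the Secure Store. The sign-in page runs as the anonymous
    // user, so the lookup is wrapped in RunWithElevatedPrivileges (application pool identity).
    // Assumes the target application uses the WindowsUserName / WindowsPassword field types.
    private static void GetDelegatedAccount(SPSite site, out string user, out string password)
    {
        string u = null, p = null;
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite elevated = new SPSite(site.ID))
            {
                var provider = new SecureStoreProvider { Context = SPServiceContext.GetContext(elevated) };
                using (SecureStoreCredentialCollection creds = provider.GetCredentials(SecureStoreAppId))
                    foreach (ISecureStoreCredential c in creds)
                    {
                        if (c.CredentialType == SecureStoreCredentialType.WindowsUserName) u = ToPlain(c.Credential);
                        else if (c.CredentialType == SecureStoreCredentialType.WindowsPassword) p = ToPlain(c.Credential);
                    }
            }
        });
        user = u; password = p;
    }

    // Changes the password of samAccountName after verifying the old one: ADSI ChangePassword (unlike
    // SetPassword) needs the current password, so the delegated account alone cannot rotate user passwords.
    public static void ChangePassword(SPSite site, string samAccountName, string oldPassword, string newPassword)
    {
        string svcUser, svcPassword;
        GetDelegatedAccount(site, out svcUser, out svcPassword);
        // Bind as the delegated account (impersonation by explicit credentials); Secure = Kerberos/NTLM bind
        using (var root = new DirectoryEntry(UsersLdapPath, svcUser, svcPassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the user-supplied name before embedding it in an LDAP filter (RFC 4515)
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdap(samAccountName) + "))";
            SearchResult hit = searcher.FindOne();
            if (hit == null) throw new InvalidOperationException("Account not found.");
            // The entry returned by GetDirectoryEntry is bound with the search root's credentials
            using (DirectoryEntry userEntry = hit.GetDirectoryEntry())
                userEntry.Invoke("ChangePassword", new object[] { oldPassword, newPassword });
        }
    }

    private static string EscapeLdap(string s) =>
        s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    private static string ToPlain(SecureString s)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(s);
        try { return Marshal.PtrToStringBSTR(bstr); } finally { Marshal.ZeroFreeBSTR(bstr); }
    }
}
```

Call ChangePassword from the sign-in page after the user has supplied both the old and the new password; if the delegated account is only needed for resets, the same binding works with SetPassword but then the account's rights are all that protects every user's password.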

4. Bonus: how to get rid of the mixed-authentication selection page for internal users of the web application.

When you access a SharePoint web application that has both Forms and Windows authentication enabled, SharePoint asks users to select which authentication method to use. This is not necessarily what you want internal users to see; most probably the required behaviour is for internal users to log in as they would on an intranet website.

The code below is meant for internal users who are not accessing the site through the forms sign-in page. What you need to do is create a custom HttpModule and, in the handler code below, identify which page you are on and, based on that, redirect the user directly to the front page of the website without asking them to choose an authentication method. Sample code (not the best, but it does the trick 🙂 ):

        using System;
        using System.Configuration;
        using System.Web;
        using System.Web.UI;

        // Cookie name shared by the module's handlers (the name is used in the post; the value is assumed)
        private const string CacheKey_LoginStatus = "LoginStatus";

        // Wire this up in the module's Init: context.PreRequestHandlerExecute += context_PreRequestHandlerExecute;
        static void context_PreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpApplication httpApp = sender as HttpApplication;
            HttpContext context = httpApp.Context;
            string httpUrl = context.Request.Url.ToString().ToLower();
            var page = HttpContext.Current.CurrentHandler as Page;

            // Windows sign-in page of the web application, read from appSettings (key name is a placeholder).
            // SharePoint-specific sample value, modify for your environment:
            // http://localhost:46752/_windows/default.aspx?ReturnUrl=/_layouts/Authenticate.aspx?Source=/_windows/default.aspx&Source=/_windows/default.aspx
            string intranetURL = ConfigurationManager.AppSettings["IntranetSignInPage"];

            Uri httpUrlURI = new Uri(httpUrl);
            // Scheme and host (and port) of the current request, without path and query string
            string localhostCalculated = httpUrlURI.AbsoluteUri.Replace(httpUrlURI.PathAndQuery, string.Empty);

            try
            {
                if (context.Request != null && !string.IsNullOrEmpty(intranetURL))
                {
                    // "Sign in as a different user" or sign-out: flag the request so it is not sent straight back to Windows auth
                    if (httpUrl.Contains("/_layouts/closeconnection.aspx?loginasanotheruser=true") ||
                        httpUrl.Contains("/_layouts/signout.aspx"))
                    {
                        context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, "true"));
                    }

                    // Note: this reads the cookie added to the *response* above, not one sent by the browser;
                    // indexing Response.Cookies for a missing name creates an empty cookie, so TryParse yields false.
                    bool isSignOut = false;
                    Boolean.TryParse(context.Response.Cookies[CacheKey_LoginStatus].Value, out isSignOut);

                    if (isSignOut)
                    {
                        context.Response.Cookies.Remove(CacheKey_LoginStatus);
                        // Page to send signed-out users to; this can be any page you want (key name is a placeholder)
                        context.Response.Redirect(ConfigurationManager.AppSettings["SignOutRedirectPage"]);
                    }
                    else if (httpUrl.Contains(localhostCalculated + "/_login/default.aspx"))
                    {
                        // Mixed-mode authentication selector: skip it and go straight to Windows authentication
                        context.Response.Redirect(intranetURL);
                    }
                }
            }
            catch (Exception)
            {
                // Response.Redirect ends the request with a ThreadAbortException that is re-thrown after this block;
                // every other error is swallowed here, so add logging before using this in production.
            }

            if (page == null) return;
            page.PreInit += page_PreInit;   // page_PreInit is defined elsewhere in the module (not shown in the post)
        }

Or you could do something like the following link, where the decision is made based on the client's IP address:

http://spautomaticsignin.codeplex.com/

Possible problem areas – Good to know:

Office documents:

Authentication requests when you open Office documents:
http://support.microsoft.com/kb/2019105
How documents are opened from a Web site in Office 2003:
http://support.microsoft.com/kb/838028

For Juniper VPNs:

[SSL VPN] Known Issues and limitations when accessing Microsoft SharePoint 2003 / 2007 / 2010 resources via the Web Rewrite Access mechanism:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11501

[SSL VPN] Supported features and functionality of SharePoint 2010 when accessed via Secure Access SSL VPN’s Web/Rewrite access method:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20085


Converting SharePoint WebPart HTML tables into DIVs

Just wanted to make a quick post on this matter for those who might be fighting with this issue. There is a great link on the code that needs to be implemented here. Follow it by creating the following control adapters in your project.

Removing Web Parts tables in SharePoint 2010

What is missing from that post is where to apply the adapters and against what.

What you need to do is implement code (or do it manually) that adds the new adapters to the compat.browser file of your IIS web application.

Sample file path: C:\inetpub\wwwroot\wss\VirtualDirectories\<your app name>\App_Browsers

The control adapters need to be applied to the following control types: 

System.Web.UI.WebControls.WebParts.WebPartZone

Microsoft.SharePoint.Publishing.WebControls.RichHtmlField

Add your configs to the controlAdapters XML element, like the following:

<adapter controlType="System.Web.UI.WebControls.WebParts.WebPartZone"
         adapterType="your class reference, your assembly name, Version=1.0.0.0, Culture=neutral, PublicKeyToken=publickeytoken" />
<adapter controlType="Microsoft.SharePoint.Publishing.WebControls.RichHtmlField"
         adapterType="your class reference, your assembly name, Version=1.0.0.0, Culture=neutral, PublicKeyToken=publickeytoken" />
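An added example (not from the original post or the linked one) that performs the compat.browser edit in code: it adds the two adapter entries idempotently and creates the file if it is missing. The adapter class names, assembly name and PublicKeyToken are placeholders to replace with your own.

```csharp
using System;
using System.IO;
using System.Xml;

public static class CompatBrowserRegistrar
{
    // Placeholder adapter type: substitute your adapter classes, assembly name and PublicKeyToken
    private const string AdapterTypeFormat =
        "YourNamespace.{0}Adapter, YourAssembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=publickeytoken";

    // Control types the adapters must be applied to (from the post), paired with the adapter class suffix
    private static readonly string[][] Adapters =
    {
        new[] { "System.Web.UI.WebControls.WebParts.WebPartZone", "WebPartZone" },
        new[] { "Microsoft.SharePoint.Publishing.WebControls.RichHtmlField", "RichHtmlField" },
    };

    // Adds the adapter entries to <app root>\App_Browsers\compat.browser, creating the file if it is
    // missing and leaving existing entries alone. Returns the number of entries added.
    // For a SharePoint web application call this once per zone: each SPIisSettings.Path in
    // webApp.IisSettings.Values is an IIS root directory under ...\VirtualDirectories\.
    public static int Register(string appRootPath)
    {
        string dir = Path.Combine(appRootPath, "App_Browsers");
        string file = Path.Combine(dir, "compat.browser");
        Directory.CreateDirectory(dir);

        var doc = new XmlDocument();
        if (File.Exists(file)) doc.Load(file);
        else doc.LoadXml("<browsers><browser refID=\"Default\"><controlAdapters /></browser></browsers>");

        // Locate (or create) the Default browser element and its controlAdapters container
        XmlNode browser = doc.SelectSingleNode("/browsers/browser[@refID='Default']");
        if (browser == null)
        {
            XmlElement b = doc.CreateElement("browser");
            b.SetAttribute("refID", "Default");
            browser = doc.DocumentElement.AppendChild(b);
        }
        XmlNode adapters = browser.SelectSingleNode("controlAdapters")
                           ?? browser.AppendChild(doc.CreateElement("controlAdapters"));

        int added = 0;
        foreach (string[] a in Adapters)
        {
            // Idempotent: skip control types that already have an adapter registered
            if (adapters.SelectSingleNode("adapter[@controlType='" + a[0] + "']") != null) continue;
            XmlElement adapter = doc.CreateElement("adapter");
            adapter.SetAttribute("controlType", a[0]);
            adapter.SetAttribute("adapterType", string.Format(AdapterTypeFormat, a[1]));
            adapters.AppendChild(adapter);
            added++;
        }
        if (added > 0) doc.Save(file);
        return added;
    }
}
```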

Install-SPFeature throws argumentnull exception

Hi,

If you encounter problems when you try to install a new feature through PowerShell using the Install-SPFeature command, try one of the following:

  1. Either close and restart your PowerShell (as admin, just to be sure) and run your command again. This helped in my case.
  2. Or restart the Windows service for the SharePoint Timer Service.

This caused me some trouble. Hope it helps someone.

Good to know!? SharePoint 2013 Administrators Key Features reference – Part 1

Hi,

Here is a new post on the key topics for a SharePoint administrator or someone who needs to work with and configure SharePoint.

Design SharePoint topology: Information/logical/Physical architecture and SP Online Deployment
Capacity management and sizing overview for SharePoint Server 2013 http://technet.microsoft.com/en-us/library/ff758647.aspx
Configure Request Manager in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj712708.aspx
Define managed paths in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/cc261845.aspx
Designing large lists and maximizing list performance (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc262813
Hybrid for SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj838715.aspx
Manage the search schema in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj219667.aspx
Overview of search in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj219738.aspx
Overview of SharePoint Health Analyzer http://msdn.microsoft.com/en-us/library/ee534957%28v=office.14%29.aspx
Performance and capacity test results and recommendations (SharePoint Server 2013) http://technet.microsoft.com/en-us/library/ff608068.aspx
Plan for information management policy in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/cc262490.aspx
Plan terms and term sets in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/ee519604.aspx
SharePoint Online Service Description http://technet.microsoft.com/en-us/library/jj819267.aspx
Software boundaries and limits for SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262787
Storage and SQL Server capacity planning and configuration (SharePoint Server 2013) http://technet.microsoft.com/en-us/library/cc298801.aspx
Security: Authentication, authorization, platform security, farm-level security, search
A Guide to Claims-Based Identity and Access Control (2nd Edition) http://msdn.microsoft.com/en-us/library/ff423674.aspx
Access Control Service 2.0 http://msdn.microsoft.com/en-us/library/hh147631.aspx
Add or remove service application connections from a web application in SharePoint 2013 http://technet.microsoft.com/en-us/library/ee704550.aspx
Add-SPShellAdmin – Adds a user to the SharePoint_Shell_Access role for the specified database. http://technet.microsoft.com/en-us/library/ff607596.aspx
Azure Workflow Manager 1.0 http://msdn.microsoft.com/en-us/library/jj193528.aspx
Change the default search topology in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj862356.aspx
Configure a service application by using a Windows PowerShell script (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/gg983005.aspx
Configure an environment for apps for SharePoint (SharePoint 2013) http://technet.microsoft.com/en-us/library/fp161236.aspx
Configure email integration for a SharePoint 2013 farm http://technet.microsoft.com/en-us/library/ee956941.aspx
Configure forms-based authentication for a claims-based web application in SharePoint 2013 http://technet.microsoft.com/en-us/library/ee806890.aspx
Configure incoming email for a SharePoint 2013 farm http://technet.microsoft.com/en-us/library/cc262947.aspx
Configure People Picker in SharePoint 2013 http://technet.microsoft.com/en-us/library/gg602075.aspx
Configure SAML-based claims authentication with AD FS in SharePoint 2013 http://technet.microsoft.com/en-us/library/hh305235.aspx
Configure server-to-server authentication between SharePoint 2013 and Exchange Server 2013 http://technet.microsoft.com/en-us/library/jj655399.aspx
Configure server-to-server authentication between SharePoint 2013 and Lync Server 2013 http://technet.microsoft.com/en-us/library/jj670179.aspx
Configure server-to-server authentication between SharePoint 2013 farms http://technet.microsoft.com/en-us/library/jj655400.aspx
Configure SharePoint 2013 to use Office Web Apps http://technet.microsoft.com/en-us/library/ff431687.aspx
Configuring an On-Premises Partner Application for Microsoft Lync Server 2013 http://technet.microsoft.com/en-us/library/jj204975.aspx
Configuring Service Connection Points for SharePoint 2013 http://onpointwithsharepoint.blogspot.fi/2013/06/configuring-service-connection-points.html
Creating a Custom Indexing Connector http://msdn.microsoft.com/en-us/library/ff625806.aspx
Creating Web Parts for SharePoint http://msdn.microsoft.com/en-us/library/ee231579.aspx
Default connectors in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj219746.aspx
Deploy Office Web Apps Server http://technet.microsoft.com/en-us/library/jj219455.aspx
Estimate performance and capacity requirements for SharePoint Server 2010 Search http://technet.microsoft.com/en-us/library/gg750251%28v=office.14%29.aspx
Federated Identity for Web Applications http://msdn.microsoft.com/en-us/library/ff359110.aspx
Grant Active Directory Domain Services permissions for profile synchronization in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/hh296982.aspx
Internet sites search architectures for SharePoint Server 2013 http://www.microsoft.com/en-us/download/details.aspx%3Fid%3D30464
Language Packs for SharePoint Server 2013 http://www.microsoft.com/en-us/download/details.aspx?id=37140
Locking down Office SharePoint Server sites http://technet.microsoft.com/en-us/library/ee191479.aspx
Logical architecture components (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc263121.aspx
Manage blocked file types in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262496
Manage search components in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj862354.aspx
Plan incoming email for a SharePoint farm in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc263260.aspx
Plan profile synchronization for SharePoint Server 2013 http://technet.microsoft.com/en-us/library/ff182925.aspx
Plan security for an external anonymous access environment (Office SharePoint Server) http://technet.microsoft.com/en-us/library/cc263468.aspx
Plan security hardening for SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262849.aspx
Register-SPWorkflowService http://technet.microsoft.com/en-us/library/jj663115.aspx
Scale search for performance and availability in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj219628.aspx
Service Connection Points (SCPs) and ADAM/AD LDS http://blogs.technet.com/b/askds/archive/2008/09/18/service-connection-points-scps-and-adam-ad-lds.aspx
Services architecture planning (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc560988.aspx
SharePoint 2010 Administration Toolkit (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc508851%28v=office.14%29.aspx
SharePoint Designer for developers http://msdn.microsoft.com/en-us/sharepoint/hh850380.aspx
Track or block SharePoint Server 2010 installations http://technet.microsoft.com/en-us/library/ff730261.aspx
User permissions and permission levels in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc721640.aspx
Web applications and Site collections: Provision, configure, maintain, security, search, taxonomy
Add, edit, or delete custom properties in SharePoint Server 2013 user profiles http://technet.microsoft.com/en-us/library/cc262327.aspx
Configure an environment for apps for SharePoint (SharePoint 2013) http://technet.microsoft.com/en-us/library/fp161236.aspx
Configure authentication infrastructure in SharePoint 2013 http://technet.microsoft.com/en-us/library/jj219795.aspx
Configure refiners and faceted navigation in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj679902.aspx
Configure result sources for search in SharePoint Server 2013 http://technet.microsoft.com/library/jj683115.aspx
Configure Search Web Parts in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj679900.aspx
Configure site mailboxes in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj552524.aspx
Configuring Site Collection Quotas and Locks http://office.microsoft.com/en-us/windows-sharepoint-services-it/configuring-site-collection-quotas-and-locks-HA001160794.aspx
Create, edit, and delete quota templates in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc263223.aspx
Designing large lists and maximizing list performance (SharePoint Server 2010) http://technet.microsoft.com/en-us/library/cc262813
Grant permissions to anonymous users http://office.microsoft.com/en-us/sharepoint-foundation-help/grant-permissions-to-anonymous-users-HA101805390.aspx
Host-named site collection architecture and deployment (SharePoint 2013) http://technet.microsoft.com/en-us/library/cc424952.aspx
How to: Customize page layouts for a catalog-based site in SharePoint 2013 http://msdn.microsoft.com/en-us/library/dn144674.aspx
HTML Field Security http://community.bamboosolutions.com/blogs/sharepoint-2013/archive/2013/05/22/how-to-use-html-field-security-and-insert-iframes-into-sharepoint-2013-sites.aspx
Manage query rules in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/jj871676.aspx
Overview of site permissions in SharePoint 2013 http://technet.microsoft.com/en-us/library/jj219771.aspx
Overview of site policies in SharePoint 2013 http://technet.microsoft.com/en-us/library/jj219569.aspx
Plan navigation term sets in SharePoint Server 2013 http://technet.microsoft.com/en-us/library/dn194310.aspx
Plan self-service site creation in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc263483.aspx
Publish a content type from a content publishing hub http://office.microsoft.com/en-us/sharepoint-help/publish-a-content-type-from-a-content-publishing-hub-HA102773265.aspx
Set up and manage access requests http://office.microsoft.com/en-us/sharepoint-help/set-up-and-manage-access-requests-HA103456596.aspx
SharePoint 2013 Design Manager display templates http://msdn.microsoft.com/en-us/library/jj945138.aspx
SharePoint 2013: Break Document Library Permissions Inheritance http://social.technet.microsoft.com/wiki/contents/articles/18203.sharepoint-2013-break-document-library-permissions-inheritance.aspx
Software boundaries and limits for SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262787
User permissions and permission levels in SharePoint 2013 http://technet.microsoft.com/en-us/library/cc721640.aspx
SharePoint Maintenance: Monitoring, optimization, Troubleshooting
Configure diagnostic logging in SharePoint 2013 http://technet.microsoft.com/en-us/library/ee748656.aspx
Database maintenance for SharePoint 2010 Products http://technet.microsoft.com/en-us/library/cc262731.aspx
Monitor cache performance in SharePoint 2013 http://technet.microsoft.com/en-us/library/ff934623.aspx
Monitoring and maintaining SharePoint Server 2013 http://technet.microsoft.com/en-us/library/ff758658.aspx
Overview of monitoring in SharePoint 2013 http://technet.microsoft.com/en-us/library/ee748636.aspx
SharePoint Health Analyzer rules reference (SharePoint 2013) http://technet.microsoft.com/en-us/library/ff686816.aspx
Software boundaries and limits for SharePoint 2013 http://technet.microsoft.com/en-us/library/cc262787.aspx
SQL Server Best Practices Article http://msdn.microsoft.com/en-us/library/cc966412.aspx
Storage and SQL Server capacity planning and configuration (SharePoint Server 2013) http://technet.microsoft.com/en-us/library/cc298801.aspx
System Center 2012 Operations Manager http://technet.microsoft.com/en-us/library/hh205987.aspx
Using the Developer Dashboard http://msdn.microsoft.com/en-us/library/ff512745%28v=office.14%29.aspx
View data in the logging database in SharePoint 2013 http://technet.microsoft.com/en-us/library/jj715694.aspx
View diagnostic logs in SharePoint 2013 – ULS http://technet.microsoft.com/en-us/library/ff463595.aspx
View timer job status in SharePoint 2013 http://technet.microsoft.com/en-us/library/ee748599.aspx