SharePoint Forms Based Authentication against Active Directory with password change

Hi,

In this post I am going to guide you through the steps necessary to setup a FBA against AD with the possibility to change your password. I will not write a step by step instructions how to do it BUT based on what I had to fight and solve I will post the best possible ways to do these steps to my knowledge:

1. The first step to do is to to configure your existing web application(or create a new one) to support claims authentication and to follow the steps to configure the AD support for the forms authentication.

Configure forms-based authentication for a claims-based web application in SharePoint 2013:
http://technet.microsoft.com/en-us/library/ee806890.aspx

Migrate from classic-mode to claims-based authentication in SharePoint 2013:
http://technet.microsoft.com/en-us/library/gg251985.aspx

Also for SQL Server Authentication if needed:

http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

http://msdn.microsoft.com/en-us/library/gg252020(v=office.14).aspx

2. The second step is to create a custom sign in page to apply custom logic to the authentication phase like changing the password of a user:

A few examples how to do it:

https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/sharepoint-custom-sign-in-and-sign-out-page-.aspx

http://blogs.technet.com/b/speschka/archive/2010/07/22/writing-a-custom-forms-login-page-for-sharepoint-2010-part-2.aspx

http://tomaszrabinski.pl/wordpress/2011/06/23/sharepoint-2010-custom-login-page/

http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx

http://www.mssharepointtips.com/tip.asp?id=1093&page=2

3. The third step is to create the custom code to change the user password:

What you need to do:

An Active Directory user with delegated privileges to the OU or CN where the authenticated users reside. This user must have the privileges to reset and change passwords.

http://www.petri.co.il/delegate-permission-reset-ad-user-account-passwords.htm

http://support.microsoft.com/kb/296999

Make use of Secure Store Service in SP2010 to store the AD account and other information securely. Notice: When accessing the Secure Store Service from the sign in page the user that will be accessing the SSS is anonymous user. So what you need to do is to use SPSecurity.RunWithElevatedPrivileges delegate.

http://social.technet.microsoft.com/wiki/contents/articles/20110.sharepoint-retrieving-credentials-from-the-secure-store-application-using-c.aspx

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

Implement the custom .NET code to change the password with impersonation so get access to the AD(notice that the user which runs the code is anonymous)

http://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx

http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#1

http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

NOTICE: I had problems using another set of .NET class and function to perform the change password trough code. Problems with authorization against AD:

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.authenticableprincipal.setpassword(v=vs.110).aspx

4. Bonus: How to get rid of the Mixed authentication selection page for internal users of the web application.

When you access a SharePoint application that has both Forms and Windows Authentication enabled for the application SharePoint will ask the users to select which authentication to use. This is not necessarily what you want internal users to see. Most probably the functionality required is so that the internal users logs in normally as if it is an intranet website.

The following code below is meant to be used for internal users who are not accessing the site through the forms sign in page. What you need to is to create a custom httpmodule and in the handler code below identify under which page you are and based on that to directly redirect the user to the front page of the website without asking users to choose which authentication method to use. Sample code(not the best but does the trick 🙂 ):

static void context_PreRequestHandlerExecute(object sender, EventArgs e)

        {

            HttpApplication httpApp = sender as HttpApplication;

            HttpContext context = httpApp.Context;

            string httpUrl = context.Request.Url.ToString().ToLower();

            var page = HttpContext.Current.CurrentHandler as Page;

            string previousPageUrl = context.Cache[CacheKey_LoginStatus] as String;

            String intranetURL = System.Configuration.ConfigurationManager.AppSettings[“authentication page in sharepoint app setting value, this is sharepoint specific sample(modify for your environment): http://localhost:46752/_windows/default.aspx?ReturnUrl=/_layouts/Authenticate.aspx?Source=/_windows/default.aspx&Source=/_windows/default.aspx “%5D ?? null;

            Uri httpUrlURI = new Uri(httpUrl);

            String localhostCalculated = httpUrlURI.AbsoluteUri.Replace(httpUrlURI.PathAndQuery, String.Empty);

            try

            {

                if (context.Request != null && String.IsNullOrEmpty(intranetURL) == false)

                {

                    if (httpUrl.Contains(“/_layouts/closeconnection.aspx?loginasanotheruser=true”))

                    {

                        context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, “true”));

                    }

                    if (httpUrl.Contains(“/_layouts/signout.aspx”))

                    {

                        context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, “true”));

                    }

                    bool isSignOut = false;

                    Boolean.TryParse(context.Response.Cookies[CacheKey_LoginStatus].Value, out isSignOut);

                    if (isSignOut)

                    {

                        context.Response.Cookies.Remove(CacheKey_LoginStatus);

                        context.Response.Redirect(ConfigurationManager.AppSettings[“redirect page to somewhere else than the application app settings value this can be any page you want”]);

                    }

                    else if (httpUrl.Contains(localhostCalculated + “/_login/default.aspx”))

                    {

                        context.Response.Redirect(intranetURL);

                    }

                }

            }

            catch (Exception Ex)

            {

            }

            if (page == null) return;

            page.PreInit += page_PreInit;

        }

OR you could do something like the following link where you do a IP based functionality:

http://spautomaticsignin.codeplex.com/

Possible problem areas – Good to know:

Office documents:

Authentication requests when you open Office documents:
http://support.microsoft.com/kb/2019105
How documents are opened from a Web site in Office 2003:
http://support.microsoft.com/kb/838028

For Juniper VPNs:

[SSL VPN] Known Issues and limitations when accessing Microsoft SharePoint 2003 / 2007 / 2010 resources via the Web Rewrite Access mechanism:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11501

[SSL VPN] Supported features and functionality of SharePoint 2010 when accessed via Secure Access SSL VPN’s Web/Rewrite access method:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20085

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s