SharePoint Forms Based Authentication against Active Directory with password change

Hi,

In this post I am going to guide you through the steps necessary to setup a FBA against AD with the possibility to change your password. I will not write a step by step instructions how to do it BUT based on what I had to fight and solve I will post the best possible ways to do these steps to my knowledge:

1. The first step to do is to to configure your existing web application(or create a new one) to support claims authentication and to follow the steps to configure the AD support for the forms authentication.

Configure forms-based authentication for a claims-based web application in SharePoint 2013:
http://technet.microsoft.com/en-us/library/ee806890.aspx

Migrate from classic-mode to claims-based authentication in SharePoint 2013:
http://technet.microsoft.com/en-us/library/gg251985.aspx

Also for SQL Server Authentication if needed:

http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx

http://msdn.microsoft.com/en-us/library/gg252020(v=office.14).aspx

2. The second step is to create a custom sign in page to apply custom logic to the authentication phase like changing the password of a user:

A few examples how to do it:

https://www.nothingbutsharepoint.com/sites/devwiki/articles/pages/sharepoint-custom-sign-in-and-sign-out-page-.aspx

http://blogs.technet.com/b/speschka/archive/2010/07/22/writing-a-custom-forms-login-page-for-sharepoint-2010-part-2.aspx

http://tomaszrabinski.pl/wordpress/2011/06/23/sharepoint-2010-custom-login-page/

http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx

http://www.mssharepointtips.com/tip.asp?id=1093&page=2

3. The third step is to create the custom code to change the user password:

What you need to do:

An Active Directory user with delegated privileges to the OU or CN where the authenticated users reside. This user must have the privileges to reset and change passwords.

http://www.petri.co.il/delegate-permission-reset-ad-user-account-passwords.htm

http://support.microsoft.com/kb/296999

Make use of Secure Store Service in SP2010 to store the AD account and other information securely. Notice: When accessing the Secure Store Service from the sign in page the user that will be accessing the SSS is anonymous user. So what you need to do is to use SPSecurity.RunWithElevatedPrivileges delegate.

http://social.technet.microsoft.com/wiki/contents/articles/20110.sharepoint-retrieving-credentials-from-the-secure-store-application-using-c.aspx

http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spsecurity.runwithelevatedprivileges.aspx

Implement the custom .NET code to change the password with impersonation so get access to the AD(notice that the user which runs the code is anonymous)

http://msdn.microsoft.com/en-us/library/w070t6ka%28v=vs.110%29.aspx

http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#1

http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry(v=vs.110).aspx

NOTICE: I had problems using another set of .NET class and function to perform the change password trough code. Problems with authorization against AD:

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.authenticableprincipal.setpassword(v=vs.110).aspx

4. Bonus: How to get rid of the Mixed authentication selection page for internal users of the web application.

When you access a SharePoint application that has both Forms and Windows Authentication enabled for the application SharePoint will ask the users to select which authentication to use. This is not necessarily what you want internal users to see. Most probably the functionality required is so that the internal users logs in normally as if it is an intranet website.

The following code below is meant to be used for internal users who are not accessing the site through the forms sign in page. What you need to is to create a custom httpmodule and in the handler code below identify under which page you are and based on that to directly redirect the user to the front page of the website without asking users to choose which authentication method to use. Sample code(not the best but does the trick 🙂 ):

static void context_PreRequestHandlerExecute(object sender, EventArgs e)

        {

            HttpApplication httpApp = sender as HttpApplication;

            HttpContext context = httpApp.Context;

            string httpUrl = context.Request.Url.ToString().ToLower();

            var page = HttpContext.Current.CurrentHandler as Page;

            string previousPageUrl = context.Cache[CacheKey_LoginStatus] as String;

            String intranetURL = System.Configuration.ConfigurationManager.AppSettings[“authentication page in sharepoint app setting value, this is sharepoint specific sample(modify for your environment): http://localhost:46752/_windows/default.aspx?ReturnUrl=/_layouts/Authenticate.aspx?Source=/_windows/default.aspx&Source=/_windows/default.aspx “%5D ?? null;

            Uri httpUrlURI = new Uri(httpUrl);

            String localhostCalculated = httpUrlURI.AbsoluteUri.Replace(httpUrlURI.PathAndQuery, String.Empty);

            try

            {

                if (context.Request != null && String.IsNullOrEmpty(intranetURL) == false)

                {

                    if (httpUrl.Contains(“/_layouts/closeconnection.aspx?loginasanotheruser=true”))

                    {

                        context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, “true”));

                    }

                    if (httpUrl.Contains(“/_layouts/signout.aspx”))

                    {

                        context.Response.Cookies.Add(new HttpCookie(CacheKey_LoginStatus, “true”));

                    }

                    bool isSignOut = false;

                    Boolean.TryParse(context.Response.Cookies[CacheKey_LoginStatus].Value, out isSignOut);

                    if (isSignOut)

                    {

                        context.Response.Cookies.Remove(CacheKey_LoginStatus);

                        context.Response.Redirect(ConfigurationManager.AppSettings[“redirect page to somewhere else than the application app settings value this can be any page you want”]);

                    }

                    else if (httpUrl.Contains(localhostCalculated + “/_login/default.aspx”))

                    {

                        context.Response.Redirect(intranetURL);

                    }

                }

            }

            catch (Exception Ex)

            {

            }

            if (page == null) return;

            page.PreInit += page_PreInit;

        }

OR you could do something like the following link where you do a IP based functionality:

http://spautomaticsignin.codeplex.com/

Possible problem areas – Good to know:

Office documents:

Authentication requests when you open Office documents:
http://support.microsoft.com/kb/2019105
How documents are opened from a Web site in Office 2003:
http://support.microsoft.com/kb/838028

For Juniper VPNs:

[SSL VPN] Known Issues and limitations when accessing Microsoft SharePoint 2003 / 2007 / 2010 resources via the Web Rewrite Access mechanism:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11501

[SSL VPN] Supported features and functionality of SharePoint 2010 when accessed via Secure Access SSL VPN’s Web/Rewrite access method:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20085

Advertisements

Resources: SharePoint MySites, User Profiles, AD/Users and Alerts

Here are some links to resources that I have used in my years with SharePoint developing and fixing SP solutions. Hope this helps someone.

MySites:

Customizing MOSS 2007 My Sites within the enterprise

Customising the “My Site” Templates – Point2Share – Site Home – MSDN Blogs

Talk Sharepoint Only: MySIte Customization

Customizing MySite in MOSS 2007 – Sridhar’s blog – Site Home – MSDN Blogs

Customizing My Sites in Microsoft SharePoint 2010 – Microsoft SharePoint Social Computing Team Blog – Site Home – MSDN Blogs

SharePoint @ Big Scholar » Blog Archive » Customise and Branding MySites

SharePoint MySite Branding

Salman’s Blogs » MySite Branding for SharePoint 2010

Set up My Sites (SharePoint Server 2010)

Configuring My Site in SharePoint 2010 | SharePoint George

User Profiles:

Syncing WSS and MOSS User profile properties with Active Directory « SharePoint Notes

Updating SharePoint 2010 User Information « SharePoint Automation

Account Deletion and SharePoint 2010 User Profile Synchronization

User Profile creation and the impact of AD synchronization/import | dev.notes.share()

Get user Profile in SharePoint 2010 | Enter your blog name here

SharePoint 2007: A user’s presence information does not appear correctly in People search results intermittently

People Search: Use a custom Ranking Model to search in added Profile Properties

SharePoint Steve » Making Custom User Profile Properties Searchable in SharePoint 2010

SharePoint User Profile Custom Properties Keyword Search Problem « kgraeme

SharePoint 2007: All you ever wanted to know about User Profiles – Sahil Malik | blah.winsmarts.com

How user profile synchronization works in SharePoint 2010 – Microsoft SharePoint Social Computing Team Blog – Site Home – MSDN Blogs

User Profile Information not updated on site collection’s people and group – Sharepoint made easier – Site Home – TechNet Blogs

Missing “I like it” and Tags on SharePoint 2010 – Jojo Koshy – Site Home – MSDN Blogs

Troubleshooting User Profile Sync Issues in Office SharePoint Server 2007 – My SharePoint World! – Nishant Shah – Site Home – TechNet Blogs

Alerts:

SharePoint Blog – René Hézser – Display all my alerts

How To Create Alerts Programmatically | Sharepointology

Sending alerts to groups in Sharepoint 2007 « Gavin’s Sharepoint Blog

Sharepoint 2007 task notification alert emails not working – Mel Lota’s Weblog

Sharepoint Tips And Tricks: Email Alerts not getting sent, while other emails are

SharePoint Alerts Not Working | SharePoint Geek

How to Troubleshoot Alerts in WSS 3.0 / MOSS – THE OFFICIAL BLOG OF THE SBS “DIVA”

Robin’s Sharepoint Blog: Alerts not working *all the time*

Zeb Sadiq | SharePoint 2010 custom alert template

Customizing Alert Notifications and Alert Templates in Windows SharePoint Services 3.0 – Microsoft SharePoint Developer Documentation Team Blog – Site Home – MSDN Blogs

Creating custom list alert templates in SharePoint 2010

Customizing Alert Templates in SharePoint Foundation 2010 – Developer – NothingButSharePoint.com

How To: Customizing alert emails using IAlertNotifyHandler – Microsoft SharePoint Developer Documentation Team Blog – Site Home – MSDN Blogs

Configure alert settings for a Web application (SharePoint Foundation 2010)

Create an Alert for a List or Library

People Picker:

Getting your ‘People Picker’ to pick AD groups « SharePoint Internals – Hristo Pavlov’s Blog

All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2 – Lesson’s Learnt – Site Home – MSDN Blogs

Bharat Reddy Basani: Mysterious bug in SharePoint People Editor Control

No exact match found when adding users from different domains in SharePoint « Fast .NET

Other: