Daniel @ The Road to MCA

Hi all,

I have a requirement for a customer to only allow certain users, who are in a certain OU in AD, to use WSS, as we have a shared AD environment.

I tried installing WSS and just using local accounts; however, WSS would not pick them up at all (because it is in a domain, I suspect). So I turned my attention to the AD membership provider, which, for the most part, appears to work at the site level. However, Central Administration is another story.

I try to change the Site Collection Admin, and no users are returned by the user search tool... at all. No matter what I search for, nothing!

I then tried the LDAP provider, same deal: the team site works fine (although I can't log in, due to no users being set up, I would imagine) and Central Admin will not pick up the users at all.

Can anyone offer some suggestions on how I can get this working?

This is a matter of urgency :(

Also, for "I did it wrong" purposes, here are the sections of my web.configs:

Here is my extranetted team site web.config section: http://202.58.54.9/teamsite.txt

Here is the central administration site web.config section: http://202.58.54.9/ca.txt

Please note that username / password / LDAP path has been modified.

NOTE: I did have code blocks in here, but they edited out my element names/tags :\

I copied and pasted these lines directly from the web.configs (and not just from one).

I have also checked the dll version and it is a match.

I have also tried the LDAPProvider, with exactly the same amount of success :(

So, PLEASE, if you could take a look and maybe point out something which I'm not seeing, or if you have a solution, please post it.

Remember, I need WSS to only authenticate people in a particular OU inside AD (3-4 levels deep).

Thanks & Cheers,

Daniel Brown
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

Daniel @ The Road to MCA

Also, I have followed the guide located at http://blogs.msdn.com/echarran/archive/2006/09/11/749707.aspx; however, as you can see, not much luck at all :(

DB
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

rcangus

Daniel,

Not sure if this will help, but I had very similar issues trying to get a site to use FBA and authenticate to AD.

I created a custom membership provider and inherited from the ActiveDirectoryMembershipProvider. I merely implemented base.xxx, and then debugged.

I was running into problems when I tried to add an initial administrator through Central Administration -> Application Management -> Policy.

What I found was that the user would authenticate, but would not be granted access. What I then did was set up AzMan (Start -> Run -> mmc; Add/Remove Snap-in -> Authorization Manager), change the CN to point to the AzMan store I had created, and hey presto, it suddenly worked.

What I was observing (and I am not saying that this is the reason) was that the AD authorization and the AD Role provider were expecting to find an Authorization Manager store set up.

In the end, we reverted to using the SQL membership provider, but I am assuming that that is not an option for you.

Not sure if that helps, but maybe others can shed light on this.

Cheers

RA
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

Daniel @ The Road to MCA

Hi rcangus, and thanks for your post. I've made quite a bit of headway, but not nearly enough :(

My team site now allows me to log in.

Central Admin allowed me to add myself to access the site.

These are the steps I took:

Searched some more and found: http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx

This explains the benefits of extranetting, so I did that.

A few issues still:

1. The extranetted team site cannot resolve usernames using Forms (I ONLY get AD accounts).

2. If I add AD accounts to the extranetted site, it does jack; I log in fine, but then get access denied. I assume this has something to do with #1.

3. Central Admin can only resolve 1 user from the adprovider and not all 10 users.

I'm at a total loss with these 3 issues :( and I'm getting grumpy at SharePoint!!!!!

Would anyone be kind enough to offer some more tips?

Cheers,

DB
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

Daniel @ The Road to MCA

It is worth noting that the USERNAME/PASSWORD used in my membership provider line in both web.configs is the user which is showing up in the people picker as adprovider:username.

- DB
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

Daniel @ The Road to MCA

Alright, more headway made.


Code Block
<!-- "ADServices" must be defined in the <connectionStrings> section of the same web.config;
     the LDAP path in that connection string is what scopes the provider to the OU. -->
<membership defaultProvider="ADProvider">
  <providers>
    <!-- connectionUsername/connectionPassword is the account the provider binds to AD with;
         it is the account that has to be able to read and search the users. -->
    <add name="ADProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ADServices"
         connectionUsername="USERNAME"
         connectionPassword="PASSWORD"
         attributeMapUsername="SAMAccountName"/>
  </providers>
</membership>
OK, so I had a thought: the only user which was showing up as an adprovider user was the user in the above section (connectionUsername="USERNAME"). So I changed this, and sure enough, the single username did change.

For example,
if it is admin, the people picker will show adprovider:admin;
if it is user, the people picker will show adprovider:user.

OK, so the next course of action was to remove the line. Lo and behold... NO users came up!!!! GRRRR

Does anyone have a solution for this, please?

Cheers,

DB
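The following is an added example, not the config Daniel posted and not Microsoft's, showing the two web.config sections the provider above depends on together. The domain controller, OU path and service-account name are assumptions. The LDAP path in the connection string is what restricts the provider to a single OU (a user outside it can neither log in nor be found), and enableSearchMethods="true" is what allows ActiveDirectoryMembershipProvider to answer the search calls (FindUsersByName and friends) that the SharePoint people picker relies on; without it those methods throw NotSupportedException.

```xml
<configuration>
  <!-- Added example; server, OU and account names are placeholders, not values from the thread. -->
  <connectionStrings>
    <!-- The OU in the path is the authentication boundary. Nested OUs below it are included;
         anything outside it is invisible to the provider. -->
    <add name="ADServices"
         connectionString="LDAP://dc01.example.local/OU=Extranet Users,OU=Customers,DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="ADProvider">
      <providers>
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADServices"
             connectionUsername="EXAMPLE\svc-wss-ldap"
             connectionPassword="PLACEHOLDER"
             connectionProtection="Secure"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The same connectionStrings and membership entries have to be present in every web.config that must resolve these users, which includes the extended zone and Central Administration. connectionProtection="Secure" makes the provider sign and seal the LDAP channel (or use SSL), so the bind password is not sent in the clear; the password still sits in the file, so encrypt the sections in place with aspnet_regiis -pe (for example aspnet_regiis -pe "connectionStrings" -app "/" against the right site) rather than leaving it readable. For lookups and logins the bind account only needs read access to the OU; it needs more only if enablePasswordReset is turned on, because resetting a password requires the Reset Password right on the user objects.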
Re: SharePoint - Setup, Upgrade, Administration and Operation URGENT : WSS - Authentication Provider to a specific OU in AD

Daniel @ The Road to MCA

OK, so I have confirmed that it is indeed permissions-based. I make the user whose credentials are used to establish the LDAP connection a domain admin and, whamo, it works! However, being a domain admin is way overkill and a high security risk.

Does anyone know what permissions are required for this account in order to be able to access/iterate through the users?

Cheers,

DB

Almost there :)
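The question above is answerable without trial and error against web.config. The script below is an added diagnostic, not code from the thread or from Microsoft: it binds to the OU with the same low-privilege account you intend to put in connectionUsername, then runs the kind of LDAP search the membership provider runs and reports which user objects and attributes that account can actually read. The LDAP path and account name are assumptions to replace with your own.

```powershell
# Added diagnostic, not part of the original thread. Binds to the OU as the intended
# service account and enumerates users the way the membership provider would, so you can
# confirm read-only rights are enough before editing web.config. Path and account are assumptions.

$ldapPath = 'LDAP://dc01.example.local/OU=Extranet Users,OU=Customers,DC=example,DC=local'
$bindUser = 'EXAMPLE\svc-wss-ldap'
$bindPass = Read-Host -Prompt "Password for $bindUser"   # DirectoryEntry takes a plain string

# Sign and seal the channel, which is what connectionProtection="Secure" does in the provider.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor [System.DirectoryServices.AuthenticationTypes]::Signing -bor [System.DirectoryServices.AuthenticationTypes]::Sealing

function Get-Prop($result, $name) {
    # Keys in SearchResult.Properties are lower-case; an attribute the bind account
    # cannot read (or that is not set) comes back as an empty collection.
    $values = $result.Properties[$name.ToLower()]
    if ($values -ne $null -and $values.Count -gt 0) { return $values[0] }
    return $null
}

$root = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $bindUser, $bindPass, $authType)
try {
    $null = $root.NativeObject   # forces the bind; throws on bad credentials or a bad path
} catch {
    throw "Bind as $bindUser to $ldapPath failed: $($_.Exception.Message)"
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'   # reaches users in OUs nested below the one in the path
$searcher.PageSize    = 500         # paged results, so OUs with more than 1000 users still enumerate
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))'
foreach ($attr in 'sAMAccountName', 'mail', 'userAccountControl', 'pwdLastSet') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $searcher.FindAll()
Write-Host ("{0} user object(s) visible to {1} under the OU" -f $results.Count, $bindUser)

foreach ($r in $results) {
    # sAMAccountName, userAccountControl and pwdLastSet are always set on a user object, so a
    # blank value here means the bind account can list the object but not read that attribute.
    $unreadable = @()
    foreach ($attr in 'sAMAccountName', 'userAccountControl', 'pwdLastSet') {
        if ((Get-Prop $r $attr) -eq $null) { $unreadable += $attr }
    }
    $line = '  {0,-24} {1}' -f (Get-Prop $r 'sAMAccountName'), (Get-Prop $r 'mail')
    if ($unreadable.Count -gt 0) { $line += '   <-- cannot read: ' + ($unreadable -join ', ') }
    Write-Host $line
}

if ($results.Count -eq 0) {
    Write-Host "Bind succeeded but nothing was returned: grant $bindUser List Contents and Read All Properties on the OU (inherited to user objects) and rerun."
}
$results.Dispose()
```

Run it on a machine joined to the domain, as any domain user; the credentials that matter are the ones it prompts for. A failed bind points at the account, password or LDAP path; a successful bind that returns zero objects, or objects with unreadable attributes, points at the ACL on the OU. Listing users and reading their basic attributes needs only List Contents and Read All Properties on the OU and the user objects under it, which Authenticated Users hold in a default domain, so if an ordinary account cannot enumerate the OU, inheritance has most likely been blocked somewhere in the 3-4 levels of nesting, and the fix is a read grant on that OU for the service account rather than domain admin membership.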