Many peoples are asking why to use Active Directory as form authentication provider. Almost people are recommended to use ASPNet Form provider with SQL Server. Why? Maybe because they are considering that it is most secure to keep separate methods for authenticating external users. But you can use a separate domain deployed in Extranet to assure users authentication.
Many other peoples are complained that Active Directory procedure is not enough documented by Microsoft.
In this sample I used Microsoft Office SharePoint 2007 64b Standard Edition configured with NTLM as default authentication system.
1. Identify Central administration web folder and open web.config file.
Find first system.web section and put the following code with replace corresponding code:
<add name="LdapMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=184.108.40.206, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="NetBIOSNameOfDomainController" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="OU=External,OU=Users,DC=company,DC=org" userObjectClass="person" userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".PeopleDCRole">
<add name="LdapRole" type="Microsoft.Office.Server.Security.LDAPRoleProvider, Microsoft.Office.Server, Version=220.127.116.11, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="NetBIOSNameOfDomainController" port="389" useSSL="false" groupContainer="OU=External,OU=Users,DC=company,DC=org" groupNameAttribute="cn" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" scope="Subtree" />
2. Put this code into web.config file corresponding of your Web Application that will be configured to accept form authentication.
3. Go into SharePoint 3.0 Central Administration, Application Management
4. Access link Authentication providers from Application Security section
5. Select your web application from dedicated list and after that access zone corresponding with your form authentication section or extend your web application to create a new zone for authentication.
6. Verify if into web.config file if there apear this code:
<forms loginUrl="/_layouts/login.aspx" />
Next step it is very important
7. Access Policy for Web application from Application Security section
Ignore all configurations and press Add Users
8. Select your zone from Select the Zone (in my case Custom zone) and press Next
9 Write username by using ldap provider created in web.config file:
adm_sharepoint is your system administrator account. This account can be a simple Domain Users with read access into your Active Directory domain but must be member of Administrators group on your web application server.
10. Access your web application in browser
After logon it is recommended to create a new group for Extranet users and add Active Directory users as ldapmembership:<username> format.