SharePoint Foundation 2013, the LdapMembershipProvider and LdapRoleProvider Class

SharePoint Foundation 2013 ships with the dll that provides the Microsoft.Office.Server.Security.LdapMembershipProvider and Microsoft.Office.Server.Security.LdapRoleProvider classes.  Yay! Right?  Let’s find out…

When properly configured for LDAP (be that Active Directory, AD LDS, OpenLDAP, and so forth), we start seeing some really odd errors in the ULS log, in addition to a general error page in SharePoint, when we attempt to hit a Web Application configured for FBA using Microsoft’s provider.

In addition, there is an ASP.NET Warning in the Application Event Log with an identical error.  Why would we be getting an error of “Common Language Runtime detected an invalid program”?  Well, glad you asked!

When your LdapMembershipProvider class looks like this…

FoundationLdapProvider


…It is no wonder we get that error.  Microsoft has specifically stripped out the code within the methods that provide the logic behind the Microsoft.Office.Server.Security.LdapMembershipProvider and LdapRoleProvider!

What does this mean to you?  It means you have to build an alternate provider.  I do have a provider for SharePoint Foundation 2010 that mimics the Microsoft provider; however, the source needs to have its reference updated for SharePoint 2013 (Microsoft.SharePoint.dll) and simply be recompiled.

51 Comments

  1. Thanks for all the info, this post has been really invaluable.

    Following up on the thread on technet, I’m hoping you can give me a little more info about updating the Sharepoint 2010 provider you linked to above.

    I downloaded the source and loaded it up in VS 2012 (with Office tools installed).

    The “Setup” solution is listed as incompatible – I’m not sure if that’s something I would need.

    As expected, the ADLDS.Provider solution has Microsoft.Sharepoint in its references with a warning. Going to “Add Reference”, Sharepoint wasn’t listed at all. I downloaded the Microsoft.Sharepoint.dll file from my server running S.F. 2013 and put it in the solution directory, then added a reference to that.

    When I go to build the project, it fails with 2 errors and 65 warnings.

    Both errors are similar to:
    “Cannot import the following key file: key.snk.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key…

    I went to reinstall that .pfx file, but it asked for a password which I don’t have. I tried selecting “Exclude from Project” in the Solution Explorer, but the build still fails with the following error:
    “The type or namespace name ‘Sharepoint’ does not exist in the namespace ‘Microsoft’ (are you missing an assembly reference?)

    All 65 warnings also appear to be some variation of:
    “The primary reference “Microsoft.Sharepoint” could not be resolved because it has indirect dependency on the framework assembly xxxxxx”

    I also tried to load the ADLDS.FBA solution, but it similarly would not build – and was also missing references for Microsoft.Office.Server and Microsoft.Office.Server.UserProfiles. I’m not even sure whether I would need to update and build both of them or just one.

    Not quite sure where to go from here, any assistance would be appreciated.

  2. Thanks much, you’ve been very generous. So far, it appears to have installed fine. Still have some configuration to do before I can validate that everything is working, but from what I can tell things seem to be fine so far.

    Thanks again!

  3. Spoke too soon…

    Every time I try a search in the people picker, it has no results and generates the following error in the ULS log:

    05/02/2013 21:24:57.77 w3wp.exe (0x166C) 0x22D8 SharePoint Foundation Claims Authentication f8qd High Error resolving test@test.com from membership provider LDAPMember: System.NullReferenceException: Object reference not set to an instance of an object. at Nauplius.ADLDS.Provider.LdapMembershipManager.MembershipProviderNode() at Nauplius.ADLDS.Provider.LdapMembershipManager.get_Server() at Nauplius.ADLDS.Provider.LdapMembership.GetUser(String username, Boolean userIsOnline) at Microsoft.SharePoint.Utilities.SPMembershipProviderPrincipalResolver.ResolvePrincipal(String input, Boolean inputIsEmailOnly, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer) at Microsoft.SharePoint.Administration.Claims.SPFormsClaimProvider.Resolve(SPPrincipalResolver resolver, Boolean inputIsEmailOnly, SPPrincipalSource pricipalSource, SPPrincipalType p… ada2179c-3204-202d-ca0b-ad9409ec969b
    05/02/2013 21:24:57.77* w3wp.exe (0x166C) 0x22D8 SharePoint Foundation Claims Authentication f8qd High …ricipalType, String resolveInput, List1 resolved) at Microsoft.SharePoint.Administration.Claims.SPFormsClaimProvider.FillResolve(Uri context, Boolean allZones, String[] entityTypes, String resolveInput, List1 resolved) ada2179c-3204-202d-ca0b-ad9409ec969b

    Does this look like a simple misconfig on my end, or a problem with the provider?

    I’ve been trying for a solid week to get this working, and I’m at a loss. Here’s some additional background in case it helps:

    I was originally trying to authenticate against an openLDAP server, but couldn’t get it working, so decided to test out an AD LDS instance installed on the same machine as Sharepoint instead. Still no luck.

    I followed the “Sharepoint and AD LDS – Better Together” post as closely as possible, with the following two exceptions:
    1) I didn’t configure SSL
    2) I don’t have a separate machine for AD LDS. I tried installing it on my Domain Controller instead, but struggled to get an anonymous bind to work, so it’s on the same box as Sharepoint.

    The AD LDS instance appears to be operational – I can successfully do an anonymous bind to it from multiple locations, and I can easily see my test user object.

    On Sharepoint, I have started from scratch with a new claims-based web app and a new host-named site collection. I’ve enabled FBA in Central Admin for the webapp and edited all the web.config files, cutting and pasting the entries except for updating the “type” for 2013.

    I can log onto the site with Windows Authentication, but when I try to add a forms-based user in the people picker, the search comes back with no results. Same thing when trying to add a site collection admin from CA.

    There’s nothing I can see in the Application Event log, and I can’t see much that looks helpful in procmon or netmon.

    Any ideas for troubleshooting?

    I greatly appreciate all the help so far, and any additional guidance you can provide.

    • From the looks of it, I think it is erroring out here:

      // Looks up the <add name="..."> node for the membership provider configured on the Web Application
      membershipProvider =
      xmlDocument.SelectSingleNode(String.Format("configuration/system.web/membership/providers/add[@name='{0}']",
      settings.FormsClaimsAuthenticationProvider.MembershipProvider));

      I would check to validate that under the Authentication provider, it is indeed set in Central Administration on the particular Web Application.

  4. Under Application Management – Manage Web Applications – I select the Webapp and click “Authentication Providers” on the ribbon. There’s a check mark next to Enable Windows Authentication (and Integrated/NTLM), and a checkmark next to Enable FBA.
    Membership provider name is set to LDAPMember, Role provider name is set to LDAPRole.

    I just triple checked, and the name attribute in all three web.config files is also set to LDAPMember/LDAPRole.

    Is there somewhere else I would need to set it?

  5. Hi, I’m getting the same error with the same stack trace. Were you able to figure out the problem?

    Thanks.

  6. Thanks for getting back to me.

    I’ve worked around the issue by hardcoding the membership provider name at provider.cs:590

    // Original lookup, driven by the name configured in Central Administration:
    //membershipProvider =
    // xmlDocument.SelectSingleNode(String.Format("configuration/system.web/membership/providers/add[@name='{0}']",
    // settings.FormsClaimsAuthenticationProvider.MembershipProvider));

    // Workaround: hardcode the provider name instead
    string membershipProviderName = "FBAMembership";

    membershipProvider = xmlDocument.SelectSingleNode(String.Format("configuration/system.web/membership/providers/add[@name='{0}']",
    membershipProviderName));

    Not an ideal solution but the lookup is now working.
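The reply to comment 3 and the workaround in comment 6 both point at the same lookup: the `add[@name='…']` node under `configuration/system.web/membership/providers` is resolved by the provider name set in Central Administration, and when that name is not registered in a given web.config the lookup returns null. The script below is an added example, not code from the Nauplius provider: it runs the same XPath over constructed samples of the three web.config files the comments mention (Web Application, SecurityTokenService, Central Administration) and reports which file lacks the membership or role provider, or registers it without a usable `type`. The provider names LDAPMember/LDAPRole are taken from the comments; the `type` strings and file contents are placeholders.

```python
import xml.etree.ElementTree as ET

# Same XPath shape the provider uses, with the section (membership / roleManager)
# and the provider name substituted in.
PROVIDER_XPATH = "system.web/{section}/providers/add[@name='{name}']"

# Constructed sample web.config fragments (placeholders, not copied from any farm).
# Web Application: both providers registered with assembly-qualified types.
WEB_APP_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="LDAPMember" type="Example.Provider.LdapMembership, Example.Provider" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="LDAPRole" type="Example.Provider.LdapRole, Example.Provider" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

# SecurityTokenService: membership registered under a different name, no role provider.
STS_CONFIG = """<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="FBAMembership" type="Example.Provider.LdapMembership, Example.Provider" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers />
    </roleManager>
  </system.web>
</configuration>"""

# Central Administration: role provider registered but without a type attribute.
CA_CONFIG = """<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="LDAPMember" type="Example.Provider.LdapMembership, Example.Provider" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="LDAPRole" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

SAMPLE_CONFIGS = {
    "WebApplication": WEB_APP_CONFIG,
    "SecurityTokenService": STS_CONFIG,
    "CentralAdministration": CA_CONFIG,
}


def find_provider(config_xml, section, name):
    """Return the <add> element registering `name` under system.web/<section>/providers,
    or None when no such node exists (the case that surfaces as a null reference)."""
    if "'" in name:
        raise ValueError("provider names must not contain a single quote")
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        return None
    return root.find(PROVIDER_XPATH.format(section=section, name=name))


def check_config(label, config_xml, membership_name, role_name):
    """Return human-readable findings for one web.config (empty list means it is consistent)."""
    findings = []
    for section, name in (("membership", membership_name), ("roleManager", role_name)):
        try:
            node = find_provider(config_xml, section, name)
        except ET.ParseError as exc:
            return [f"{label}: web.config is not well-formed XML ({exc})"]
        if node is None:
            findings.append(f'{label}: no <add name="{name}"> under system.web/{section}/providers')
            continue
        type_attr = (node.get("type") or "").strip()
        if not type_attr:
            findings.append(f"{label}: provider {name} has no type attribute")
        elif "," not in type_attr:
            # Without an assembly name the runtime cannot locate a GAC-deployed provider.
            findings.append(f'{label}: provider {name} type "{type_attr}" is not assembly-qualified')
    return findings


def check_farm(configs, membership_name, role_name):
    """Run check_config over every file; `configs` maps a file label to its XML text."""
    findings = []
    for label, xml_text in configs.items():
        findings.extend(check_config(label, xml_text, membership_name, role_name))
    return findings


if __name__ == "__main__":
    for finding in check_farm(SAMPLE_CONFIGS, "LDAPMember", "LDAPRole"):
        print(finding)
```

On a real farm, replace the constructed strings with the contents of the three web.config files and pass the membership and role provider names exactly as they appear in Central Administration; the names are compared case-sensitively, which is also how the XPath in the provider behaves.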

  7. Hi Trevor and company,

    First of all thanks for your LDAP Provider and all your help and support.

    I am using your provider to authenticate to my SharePoint foundation 2013 using FBA. I’ve modified the 3 web.config files and I’ve enabled FBA authentication for the web app in central administration.
    Once I’ve done that I can enter my new site collection and choose Forms Based Authentication to log in. Then I use an Active Directory user and password and it authenticates, but SharePoint tells me that the user has no rights and the AccessDenied.aspx web page appears.

    Does anybody know why the LDAPProvider recognizes the user and the password but then SharePoint does not let me in? I even tried Greg’s Provider.cs modification, recompiled the project and used the modified dll, without any luck.

    P.S: If I use the windows authentication and log in with the same user that fails using FBA it works as expected.

    P.S.2: I cannot see any error in the Logs or in the event viewer.

    Any help or direction will be appreciated

    Thanks

    Miki

  8. Hello Trevor, I’ve the same issues as Miki. About which newer code are you talking? The latest sources (from May) don’t solve the issue.

    Thanks,
    Jerry

  9. Hi Trevor, thanks for your fast answer,

    Do you mean newer code in your Nauplius.ADLDS.Provider.2013? Because I’ve tried downloading the latest version (from April 24th) and even with the latest source code (build 72109).

    Is there any newer code? or did you mean something else?

    Thanks

  10. Hi,
    Did you find a solution for Aaron’s problem?
    I’m facing the same issue..

  11. I’ve tried again to find a solution but I’m stuck:

    When I use Setup2013.msi to install the provider, then when I go to my Site Collection within my Web Application, I get this error:
    provider must implement the class ‘system.web.security.roleprovider’

    So I tried to recompile the solution but I’ve got an error because of the certificate:
    Cannot Import key file : key.snk.pfx. File is protected by password

    Any solution?

  12. Hi all. I am running Sharepoint 2010 Enterprise on Server 2008R2 IIS7 using the built in Microsoft.Office.Server.Security.LdapMembershipProvider to talk back to my AD LDS and it’s working fine, but now I need to set up a self service password reset page and the “ChangePassword” method is apparently not included in the built in provider. I was hoping to find out if this method was included in your LDAP membership provider. If so I’ll gladly switch over.

  13. Hi Trevor,
    Thanks for your LDAP Provider. I have the same issue with Sharepoint foundation 2013 and FBA. I have installed the setup.msi file. My Membership provider name is LDAPMember and rolemanager name is LDAPRole. But nothing works after installation. Can you plz tell me what other steps I have to follow after running the setup file.

    Regards,

  14. Hello Trevor,
    I want to use FBA in my sharepoint 2013 foundation site. I have installed the ‘Setup.2013.msi’ file and also configured the web.config for the web application, Security Token and Central admin. Now I am able to log in. But after login it says ‘sorry this site hasn’t been shared with you’. I have checked, the user is the site administrator and has all rights.

  15. Hi Trevor,
    I have installed ‘setup.2013.msi’ on my sharepoint foundation 2013, configured FBA and also configured the web.config for the web application, Security Token and Central admin. Now I am able to log in. But after login, the link ‘Site Settings’ is not available in the right-hand site settings panel, meaning the site administrator can’t perform administrative tasks. I am working on a multi server farm topology. Does it matter?

  16. Hi Trevor,
    As I previously wrote, I have installed ‘setup.2013.msi’ on my sharepoint foundation 2013, configured FBA and also configured the web.config for the web application, Security Token and Central admin. But my site collection administrator is not able to view the all site contents and site settings links. He has only read permissions like other users.

  17. Hi,
    I have set up FBA in sharepoint 2013 foundation on Windows Azure. Does it create any problem?

  18. Hi,
    I am working on a multi server farm topology. I had run setup.msi on the sharepoint server. Do I also need to run it on the AD server?

  19. Hi Trevor,
    Permissions are not working in FBA. If I use an already created user then the user comes through with the right permissions. But after setting up FBA, if I create a new user then it does not take the permission. If I add the user to the site member, visitor or administrator group it doesn’t take any permission. Please help us in this matter.

    Regards,
    Shraddha

  20. Hi!

    I get this error when I try to use the provider:

    Unexpected exception in GetUser(sb) Unknown error (0x80005000)
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
    at System.DirectoryServices.DirectorySearcher.FindOne()
    at Nauplius.ADLDS.Provider.LdapMembership.GetUser(String username, Boolean userIsOnline)

    I really need to get this to work fast..so please help

    Toni

  21. Pingback: Nauplius » SharePoint Foundation 2013, the ... - Trevor Seward | ARB Security Solutions - SharePoint Security Solutions

  22. Hi Trevor, quick question: do your membership and role providers also work with an OpenLDAP solution or do they only work with Active Directory / AD LDS?

  23. Hi Trevor,

    Working on FBA for Sharepoint foundation 2013. Need “Setup.2013.msi”. Kindly suggest where i can get it to download?

  24. Thank you very much for reply.

    Installed Setup.2013.msi on the application server, configured 3 web.config files (central admin, security token and website). Done changes as directed in documentation for “Nauplius.ADLDS.Provider” for Membership provider and Role Provider. Still not able to add the FBA users as they are not available at grant permission level. I am able to access the system using Windows Authentication, which was giving an error while using the LDapmembership provider by microsoft.

    Do I need to install Setup.2013.msi on the database server also? Both database and application server are on the same domain.

  25. Can I use this in combination of a SUN Ldap? Always getting Username or password is incorrect.

  26. Hey Trevor,

    Any Idea that SharePoint Server 2013 would have these methods implemented or not? If yes then we would upgrade from SP Foundation 2013 to SharePoint Server 2013.

    Thanks

    • Yes, SharePoint Server 2013 has these classes and you can use them.

      • For the time, I updated web.config files used by Central Administration, SecurityTokenService and Web Application. Installed the executable provided by you.

        (a question however that there are three executables in the link you provided, which one has implementation for classes?)

        Now when I tried to access the web application it gave me error of “Common Language Runtime”. What could be the problem? I spent my whole day with this.

  27. I am trying to find the msi but it seems it is missing from the site. please help
