Create a Project Web Access site that uses forms-based authentication against an LDAP data store
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2008-04-11
This article provides information about creating a Project Web Access site that uses forms-based authentication against a Lightweight Directory Access Protocol (LDAP) data store. The following steps for doing such authentication are described in detail in this article:
Have an available LDAP data store
Back up your site's Web.config files
Extend the Web application to create the forms-authenticated site
Specify the authentication method for the site
Edit the Web.config file for the new site and the SharePoint Central Administration Web site
Verify communication with the LDAP directory
Add user accounts to Project Server
These procedures are done through Central Administration, Project Web Access Server Settings, and through the Internet Information Services Manager. Verify that you have the correct permissions to perform these procedures.
Having an available LDAP data store
You must have an LDAP data store that your Project Server users can be authenticated against. This might already exist through your network operating system (NOS) directory service, or you can create one through an external LDAP directory service.
An example of an external LDAP directory service is ADAM (Active Directory Application Mode). For more information, see Create your LDAP data store with the Active Directory Application Mode (ADAM) directory service.
Backing up your site's Web.config files
Enabling forms-based authentication against an LDAP data store requires that you edit several Internet Information Services (IIS) Web site configuration files. As a best practice, you should save a backup copy of each of these files.
Create backup copies of the IIS Web Configuration files
In Windows Explorer, browse to <drive>:\Inetpub\wwwroot\wss\VirtualDirectories\. This directory contains files for each Windows SharePoint Services Web application site.
By default, at this stage there should be at least three subdirectories. One subdirectory is named for the port used by the Web application for the Project Web Access default site. Another subdirectory has the name of the port used by the Web application for the Shared Services Provider. The third subdirectory is for the port used by the Web application for Central Administration.
Run Internet Information Services Manager if you need to verify which port is used by which Web application.
Open the folder used by the Web application for the Project Web Access site, copy the Web.config file, and save the copy to a different location. You might want to rename the file to a different name (for example, if this Web application uses port 80, save it as Web.config80).
Open the folder for Central Administration, copy the Web.config file, and save it to a different location. You might want to rename the file to a different name (for example, save it as Web.configCA).
If you need to restore the files from backup, copy them back to their original folders and rename them to Web.config, overwriting the copy that you want to replace.
While you are backing up your site's Web.config files, be careful not to make any configuration changes in Windows SharePoint Services. Having your Web.config files open while attempting to make configuration changes in Windows SharePoint Services could negate your changes.
Extending the Web application
The Project Web Access site that you are using for your default zone has a Web application and a configuration database.
This Web application can use any of a number of ports. To easily refer to this Web application later in this article, let's say that it is using port 80.
You must extend your Web application to create a new site for your users that will be taking advantage of forms-based authentication. This site will use the same configuration database as the default site. However, it will be accessing Project Server through a different port, and users on this site will be authenticated against the LDAP data store that you created previously.
This procedure is performed by using Central Administration.
Extend the Web application
On Central Administration, go to Application Management. In the SharePoint Web Application Management section, click Create or extend Web application.
On the Create or Extend Web Application page, click Extend an existing Web application.
On the Extend Web Application to Another IIS Web Site page, in the Web application section, go to the Web Application list and select Change Web Application. Click the Web application for the Project Web Access default site.
In the IIS Web Site section, type a unique port number in the Port box (for example, 90). The port number will be reflected in the description for the new site (for example, SharePoint - 90).
In the Load Balanced URL section, in the Zone box, select the zone for which the site is being created.
Specifying the authentication method for the site
The following procedure allows you to specify the authentication method for the new Web site.
Specify the authentication method for the site
On the SharePoint Central Administration Web site, go to Application Management. In the Application Security section, click Authentication providers.
On the Authentication Providers page, on the Web Application menu, make sure that the Web application for the Project Web Access site is selected (the one using port 80 referred to in the previous section).
Select the zone you used for the extended site you have just created (for example, Extranet).
On the Edit Authentication page, go to the Authentication Type section and select Forms. This selection changes the other configuration options that are available to you on the page.
In the Membership Provider Name section, type the name of the membership provider in the Membership provider name box.
The name that you type must exactly match the Membership Provider name entered in the site's Web.config file. This setting is specified in the "name" attribute of the <add> element. For more information about editing the Web.config file, see Example Web.config files for LDAP forms-based authentication.
Editing your site's Web.config files
After creating the site and specifying the authentication provider for the site, edit the site's Web.config file. These changes are used to specify where the LDAP data store is located and where in the directory structure the user accounts for the site will be stored.
The Web.config file needs to be edited for the following sites:
The newly created site that uses forms-based authentication against the LDAP data store
The SharePoint Central Administration Web site
Configuring the Web.config file for Central Administration is required so that the Central Administration service knows where to go to authenticate users who are added through Windows SharePoint Services.
If you have only one site for forms-based authentication, the changes to the Web.config files for this site and for Central Administration are identical. If you have more than one site for forms-based authentication, the Web.config file for Central Administration needs the provider information for every such site. For more information, see Example Web.config files for LDAP forms-based authentication.
The following procedure assumes that there is one site for forms-based authentication.
Edit the Web.config files to use the LDAP forms authentication provider
In Windows Explorer, browse to <drive>:\Inetpub\wwwroot\wss\VirtualDirectories\. Browse to the folder for the new forms-based authentication site. The folder name is the port number of the site. (For example, if the port for the site is 90, the corresponding folder is 90.)
In the folder for the site, open the Web.config file with a text editor.
Within the <system.web> element that is a direct child of <configuration>, enter the configuration information for the LDAP data store that you are authenticating against. For example, the following configuration information would use the example LDAP data store created with the ADAM utility in Create your LDAP data store with the Active Directory Application Mode (ADAM) directory service:
    <membership defaultProvider="ADAMMembership">
      <providers>
        <add name="ADAMMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"
             server="ps2007ldap"
             port="50000"
             useSSL="false"
             userDNAttribute="distinguishedName"
             userNameAttribute="cn"
             userContainer="CN=Users,OU=Support,O=fabricam,C=US"
             userObjectClass="user"
             userFilter="(ObjectClass=user)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
Insert this text just before the closing </system.web> tag of that top-level element, so that your changes do not affect any of the other XML data. Be sure you are inserting the text in the correct location, because there are other <system.web> elements deeper in the file (inside <location> elements).
Note that useSSL="false" sends each user's password to the LDAP store in cleartext on every logon. Set useSSL="true" (with a certificate installed on the ADAM instance and port set to the port on which ADAM listens for SSL) wherever the front-end server and the LDAP store do not share a trusted network.
For more information about editing the Web.config file, see Example Web.config files for LDAP forms-based authentication.
Save the changes to the file.
In Windows Explorer, open the Web.config file for Central Administration. Enter the same text information you entered in step 3 into the same location of this file.
Save the changes to the file.
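The backup and edit steps above, as an added PowerShell example that is not part of the original article. It makes a timestamped copy of each Web.config, then loads the file as XML and appends the <membership> element to the <system.web> element that is a direct child of <configuration>, so the deeper <system.web> elements inside <location> blocks are never touched. The provider attribute values default to the article's ADAM example (server ps2007ldap, port 50000, container CN=Users,OU=Support,O=fabricam,C=US); the file paths are supplied by you, the script name is hypothetical, and the -UseSsl switch assumes the ADAM instance has a certificate bound to the port you give.

```powershell
# Added example (not from the original article): back up Web.config files and insert the
# LDAP membership provider under the top-level <configuration>/<system.web> element.
# Run on the front-end server as an account that can write to the virtual directories, e.g.:
#   .\Add-LdapMembershipProvider.ps1 -WebConfigPath 'C:\Inetpub\wwwroot\wss\VirtualDirectories\90\web.config'
# (give both the forms site's and Central Administration's Web.config to do both in one run)
param(
    [Parameter(Mandatory = $true)]
    [string[]] $WebConfigPath,                      # forms site and Central Administration Web.config files
    [string]   $ProviderName  = 'ADAMMembership',   # must match the Membership provider name typed in Central Administration
    [string]   $LdapServer    = 'ps2007ldap',       # article's example ADAM host (assumption: adjust to yours)
    [int]      $LdapPort      = 50000,
    [string]   $UserContainer = 'CN=Users,OU=Support,O=fabricam,C=US',
    [switch]   $UseSsl                              # assumption: ADAM has an SSL certificate bound to $LdapPort
)

$providerType = 'Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, ' +
                'Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C'
$useSslText   = if ($UseSsl) { 'true' } else { 'false' }
$containerXml = [System.Security.SecurityElement]::Escape($UserContainer)   # DN may contain &, <, >

if (-not $UseSsl) {
    # A simple LDAP bind carries the user's password in cleartext; without SSL every logon can be
    # sniffed on the path between the front-end server and the ADAM instance.
    Write-Warning 'useSSL="false": passwords will cross the network to the LDAP store unencrypted.'
}

foreach ($path in $WebConfigPath) {
    if (-not (Test-Path -Path $path)) { throw "Web.config not found: $path" }

    # 1. Timestamped backup next to the original so it can be copied back if the site breaks.
    $backup = '{0}.{1}.bak' -f $path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $path -Destination $backup
    Write-Host "Backed up $path to $backup"

    # 2. Load as XML so the insertion point is chosen by structure, not by text search.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)

    # Only the <system.web> that is a direct child of <configuration>; the <location>-scoped ones are skipped.
    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if ($systemWeb -eq $null) { throw "No top-level <system.web> element in $path" }
    if ($systemWeb.SelectSingleNode('membership') -ne $null) {
        Write-Warning "$path already contains <membership>; leaving it unchanged"
        continue
    }

    # 3. Build the provider element from a fragment and append it as the last child of <system.web>,
    #    which places it just before the closing </system.web> tag as the article instructs.
    $fragment = $xml.CreateDocumentFragment()
    $fragment.InnerXml = @"
<membership defaultProvider="$ProviderName">
  <providers>
    <add name="$ProviderName"
         type="$providerType"
         server="$LdapServer" port="$LdapPort" useSSL="$useSslText"
         userDNAttribute="distinguishedName" userNameAttribute="cn"
         userContainer="$containerXml" userObjectClass="user"
         userFilter="(ObjectClass=user)" scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
"@
    [void] $systemWeb.AppendChild($fragment)
    $xml.Save($path)
    Write-Host "Inserted membership provider '$ProviderName' into $path"
}
```

Because the script skips any file that already has a <membership> element, it can be re-run safely; to change provider settings, restore the backup first or edit the existing element by hand.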
Verifying communications with the LDAP directory
After editing the Web.config files for both sites, you can now verify communication with your LDAP directory. This is done through Central Administration, on the Add Users page. You test whether one of your users is able to validate against the LDAP directory. If the account is not recognized and you know that it exists in the LDAP directory, then check your settings in the Web.config file.
Note that this procedure is optional. You can bypass this step and add users directly to Project Server through Project Web Access. However, we recommend as a best practice that you run this procedure to verify communication with the LDAP directory. When you are adding users in Project Web Access by using forms-based authentication, there is no way to verify communication with the LDAP directory.
Verify communication with the LDAP directory
On Central Administration, go to Application Management. In the Application Security section, click Policy for Web Application.
On the Policy for Web Application page, go to the Web Application list and verify that the correct one is selected (the Web application for Project Web Access).
Click Add Users.
On the Add Users page, in the Select the Zone section, select the correct zone, and then click Next.
In the Choose Users section of the same page, in the Users box, add a user in the form membershipprovidername:username, where the provider name is the one you entered in Web.config (for example, ADAMMembership:User1).
Click the Check Name icon to verify the user name against your LDAP directory. The user name appears underlined if it is verified by the LDAP directory that you are configured to authenticate against. If the name does not verify, check the information you entered in the Central Administration Web site's Web.config file.
You do not need to select permissions, because you are only verifying communication with the LDAP directory and not actually adding the user to Windows SharePoint Services. Click Back.
On the Add Users page, click Cancel.
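The Check Name test above runs through Central Administration, so a failure there can be a wrong Web.config value, a firewall, or a certificate problem. As an added example that is not from the original article, the following PowerShell script exercises the same Web.config settings directly from the front-end server, in the search-then-bind sequence those settings describe: it searches userContainer with userFilter and userNameAttribute for the logon name, then binds as the returned distinguished name with the user's password. Server, port and container default to the article's ADAM example; the script name and the optional -SearchCredential (for ADAM instances that refuse anonymous searches) are assumptions.

```powershell
# Added example, not from the original article: exercise the Web.config LDAP settings directly,
# in the search-then-bind sequence those settings describe. 1) search userContainer with
# userFilter and userNameAttribute for the logon name, 2) bind as the returned DN with the
# user's password. Usage: .\Test-LdapUser.ps1 -UserName User1   (prompts for the password)
param(
    [Parameter(Mandatory = $true)][string] $UserName,
    [string] $Server            = 'ps2007ldap',                         # article's example ADAM host (assumption)
    [int]    $Port              = 50000,
    [switch] $UseSsl,                                                   # match useSSL in Web.config
    [string] $UserContainer     = 'CN=Users,OU=Support,O=fabricam,C=US',
    [string] $UserFilter        = '(ObjectClass=user)',
    [string] $UserNameAttribute = 'cn',
    [string] $UserDnAttribute   = 'distinguishedName',
    [System.Management.Automation.PSCredential] $SearchCredential       # optional: account for the search if ADAM refuses anonymous reads (assumption)
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-LdapConnection {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool] $UseSsl
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as a forms logon uses
    return $conn
}

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping: a logon name such as "*" or "x)(cn=*" must not change the filter's meaning
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Step 1: find the user's entry the way the provider settings describe.
$conn = New-LdapConnection
if ($SearchCredential) { $conn.Bind($SearchCredential.GetNetworkCredential()) } else { $conn.Bind() }

$filter  = "(&$UserFilter($UserNameAttribute=$(ConvertTo-LdapFilterValue $UserName)))"
$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $UserContainer, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @($UserDnAttribute, 'sn', 'givenname', 'cn'))
$response = [System.DirectoryServices.Protocols.SearchResponse] $conn.SendRequest($request)
$conn.Dispose()

if ($response.Entries.Count -ne 1) {
    throw ("Expected one entry for '$UserName' under $UserContainer, found $($response.Entries.Count): " +
           'check userContainer, userFilter and userNameAttribute, or supply -SearchCredential')
}
$entry  = $response.Entries[0]
$userDn = $entry.DistinguishedName
if ($entry.Attributes.Contains($UserDnAttribute)) { $userDn = [string] $entry.Attributes[$UserDnAttribute][0] }
Write-Host "Found $userDn"
foreach ($attr in 'sn', 'givenname', 'cn') {    # otherRequiredUserAttributes must be present on the object
    if (-not $entry.Attributes.Contains($attr)) { Write-Warning "$userDn has no $attr attribute" }
}

# Step 2: bind as that DN with the user's password, which is what a forms logon ultimately relies on.
$cred = Get-Credential $userDn
$conn = New-LdapConnection
try {
    $conn.Bind($cred.GetNetworkCredential())
    Write-Host "Bind as $userDn succeeded: this user will validate against the LDAP store"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Host "Bind as $userDn failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

A "found 0 entries" result with a user you know exists points at userContainer, userFilter or the search bind; a successful search followed by a failed bind points at the password, or at an LDAP store that rejects simple binds unless the connection uses SSL.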
Adding user accounts to Project Server
After verifying communications to the LDAP directory, you can now add your forms-authenticated user accounts to Office Project Server 2007 through Project Web Access.
Add an LDAP form authenticated user to Project Server
Log on to your Project Web Access site in the default zone. Click Server Settings.
Click Manage Users.
On the Manage Users page, click New User.
On the New User page, type a display name for the user. Then select Forms Authentication.
Enter the user logon account (for example, ADAMMembership:User1).
Configure the user for its other security settings. Then click Save.
You should now be able to log on to the LDAP-authenticated site (the extended site on port 90 in this article's example) with that logon information.