AD-based forms authentication for MOSS 2010


    http://msdn.microsoft.com/zh-cn/xna/ee806890

I followed this MSDN article to configure LDAP-based forms authentication, but it did not work, and some of the parameter descriptions on MSDN are unclear, so I worked it out myself:

1. First, create a claims-based web application.

2. Configure three web.config files: Central Administration, the web application, and the Security Token Service application.

Central Administration: in its web.config, directly below this line

<sessionState mode="InProc" timeout="20" cookieless="UseCookies" />

add the following (server is the address of your domain controller; the post uses pc.office.com as the placeholder):

<membership defaultProvider="AspNetSqlMembershipProvider">
  <providers>
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="域控服务器地址(pc.office.com)"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="CN=Users,DC=office,DC=com"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn"
         connectionUsername="office\administrator" connectionPassword="abc@123" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="roleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="域控服务器地址(pc.office.com)"
         port="389"
         useSSL="false"
         groupContainer="DC=office,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree" connectionUsername="office\administrator" connectionPassword="abc@123" />
  </providers>
</roleManager>

Screenshot below:

Security Token Service settings: in IIS, locate the SecurityTokenServiceApplication sub-site, open its web.config, and add the following inside system.web:

<membership>
  <providers>
    <add name="membership"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="域控服务器地址(pc.office.com)"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="CN=Users,DC=office,DC=com"
         userObjectClass="person"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" connectionUsername="office\administrator" connectionPassword="abc@123" />
  </providers>
</membership>
<roleManager enabled="true">
  <providers>
    <add name="roleManager"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="域控服务器地址(pc.office.com)"
         port="389"
         useSSL="false"
         groupContainer="DC=office,DC=com"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(&amp;(ObjectClass=group))"
         userFilter="(&amp;(ObjectClass=person))"
         scope="Subtree" connectionUsername="office\administrator" connectionPassword="abc@123" />
  </providers>
</roleManager>

Screenshot below:

Edit the web.config of the corresponding web application, find <membership defaultProvider="i"> and add the following <add> element inside its <providers> section:

<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="域控服务器地址(pc.office.com)"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="CN=Users,DC=office,DC=com"
     userObjectClass="person"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn"
     connectionUsername="office\administrator" connectionPassword="abc@123" />

Then find <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> and add the following inside its <providers> section:

<add name="roleManager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="域控服务器地址(pc.office.com)"
     port="389"
     useSSL="false"
     groupContainer="DC=office,DC=com"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     connectionUsername="office\administrator" connectionPassword="abc@123" />

Screenshots below:

A note on userContainer="CN=Users,DC=office,DC=com": the CN here refers to the default Users container in AD. If the users live in an organizational unit you created yourself, use OU instead, for example userContainer="OU=InfomationCenter,DC=office,DC=com".

As for connectionUsername="office\administrator" connectionPassword="abc@123": when do you need these attributes and when not? If the account doing the search is already an administrator of the target domain, they can be left out; if the lookup crosses domains, they must be supplied.
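As an added check that is not part of the original post, the PowerShell script below binds to the domain controller with the post's placeholder values and performs the two lookups the LDAP providers make: the user by sAMAccountName under userContainer, then the groups whose member attribute holds that user's DN under groupContainer. A wrong container DN (the CN-versus-OU point above), a wrong filter or a wrong connection account then fails here, before the same values are copied into three web.config files. The server, containers and connection account are the post's placeholders; the test login "jsmith" and the function name Find-LdapEntries are assumptions of this example.

```powershell
# Added example (not from the original post): validate the LDAP values that the
# three web.config provider entries share, against the domain controller, before
# copying them into Central Administration, the STS and the web application.
# Server, containers and account are the post's placeholders; "jsmith" is an
# assumed test login.
Add-Type -AssemblyName System.DirectoryServices

$server         = "pc.office.com"              # server=""   (domain controller)
$port           = 389                           # port="389", useSSL="false"
$userContainer  = "CN=Users,DC=office,DC=com"   # userContainer="" (use OU=... for your own OU)
$groupContainer = "DC=office,DC=com"            # groupContainer=""
$sampleUser     = "jsmith"                      # assumed test account (sAMAccountName)

# connectionUsername / connectionPassword: prompt for them instead of writing them into a script.
$cred = Get-Credential "office\administrator"

function Find-LdapEntries {
    param(
        [string]$Container,    # base DN, i.e. userContainer or groupContainer
        [string]$Filter,       # LDAP filter in the same syntax as userFilter / groupFilter
        [string[]]$Attributes  # attributes to return, e.g. otherRequiredUserAttributes
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${server}:${port}/${Container}",
        $cred.UserName, $cred.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    # Reading an attribute forces the bind, so a wrong container DN or wrong
    # connection credentials fail here with a clear error instead of later.
    $null = $entry.Properties["distinguishedName"].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry, $Filter, $Attributes)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree   # scope="Subtree"
    $searcher.FindAll()
}

# 1. Resolve the user as LdapMembershipProvider does: userFilter AND-ed with
#    userNameAttribute=<login name>; userDNAttribute gives the DN used for groups.
$users = @(Find-LdapEntries -Container $userContainer `
    -Filter "(&(objectClass=person)(sAMAccountName=$sampleUser))" `
    -Attributes @("distinguishedName", "sn", "givenName", "cn"))
if ($users.Count -ne 1) {
    throw "Expected exactly one user, found $($users.Count); check userContainer and userFilter."
}
$userDn = $users[0].Properties["distinguishedname"][0]
"User DN: $userDn"

# 2. Resolve the user's groups as LdapRoleProvider does: groupFilter AND-ed with
#    groupMemberAttribute=<user DN>; groupNameAttribute (cn) becomes the role name.
#    Backslash, '*', '(' and ')' inside the DN must be escaped in the filter (RFC 4515).
$escapedDn = $userDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$groups = @(Find-LdapEntries -Container $groupContainer `
    -Filter "(&(objectClass=group)(member=$escapedDn))" `
    -Attributes @("cn", "sAMAccountName"))
if ($groups.Count -eq 0) {
    "User is in no groups under $groupContainer; the role provider will return no roles."
}
$groups | ForEach-Object { "Role: " + $_.Properties["cn"][0] }
```

Run it from a domain-joined machine that can reach the domain controller on port 389. If the first lookup throws on the bind, the container DN or the connection account is wrong; if it binds but finds no user, the filter or the container is wrong; if the user is found but no groups come back, the role provider will log the user in with an empty role set, which is what you see when groupContainer does not cover the groups.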

     

     

Then open Central Administration.

Click "Specify web application user policy".

Select the corresponding web application on the right, then click Add Users and pick the people.

Once the permissions have been added, you can log in.

     

Original post: https://www.cnblogs.com/rimtd/p/2018266.html