Enable you to configure forms-based authentication for a Microsoft SharePoint Server 2010 claims-based Web application.
Help you upgrade existing Office SharePoint Server 2007 Web applications that were configured to use forms-based authentication to work with SharePoint Server 2010.
After you upgrade to SharePoint Server 2010, your Microsoft Office SharePoint Server 2007 Web applications will be configured for legacy login. For Office SharePoint Server 2007 Web applications that were configured to use Windows authentication, no additional upgrade steps are required. However, Office SharePoint Server 2007 Web applications that were configured to use forms-based authentication or Web SSO authentication must first be converted to claims authentication before they can be used in SharePoint Server 2010. After you convert your Office SharePoint Server 2007 Web applications to claims authentication, configure your Web application zones for forms-based authentication (or Web SSO authentication, as appropriate). The final step is to migrate users and permissions to SharePoint Server 2010.
In this article:
Convert Web applications to claims authentication
Configure a forms-based Web application to use an LDAP provider by using Central Administration
Configure the LDAP Web.Config files
Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
Migrate users and permissions from SharePoint Server 2007 to SharePoint Server 2010
Convert Web applications to claims authentication
Perform the steps in the following procedure to use Windows PowerShell to convert existing Web applications to claims authentication.
To convert Web applications to claims authentication
1. Verify that you meet the following minimum requirements: You are a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
2. On the Start menu, click All Programs.
3. Click Microsoft SharePoint 2010 Products.
4. Click SharePoint 2010 Management Shell.
5. From the Windows PowerShell command prompt (that is, PS C:\>), type the following and press ENTER:
$w = Get-SPWebApplication "http://
$w.UseClaimsAuthentication = $true;
$w.Update()
Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
Configure a forms-based Web application to use an LDAP provider by using Central Administration
Perform the steps in the following procedure to use Central Administration to configure forms-based authentication for a claims-based Web application.
To configure forms-based authentication for a claims-based Web application by using Central Administration
1. Verify that the user account that is performing this procedure is a site collection administrator.
2. In Central Administration, under Application Management, select Manage Web Applications.
3. On the ribbon, select New.
4. In the Authentication section of the New Web Application dialog box, select Claims Based Authentication.
5. In the Authentication Type section, select Enable ASP.NET Membership and Role Provider.
6. Type a membership provider name and a role manager name. In the example Web.Config file depicted in this article, the name of the membership provider is membership, and the name of the role manager is rolemanager.
7. Click OK to create the Web application.
Configure the LDAP Web.Config files
After you have successfully created the Web application (described in the preceding procedure), modify the following Web.Config files:
The Central Administration Web application Web.Config file
The Security Token Service Web.Config file
The forms-based authentication claims-based Web application Web.Config file
To configure the Central Administration Web.Config file
1. Open IIS Manager by typing INETMGR at a command prompt.
2. Go to the SharePoint Central Administration site in IIS.
3. Right-click SharePoint Central Administration and select Explore.
4. Open the Web.Config file.
5. Find the
<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC= distinguishedName (of your userContainer)"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
<add name="rolemanager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     groupContainer="DC=redmond,DC=corp,DC=microsoft,DC= distinguishedName (of your groupContainer)"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree" />
Important:
After you have added the preceding entry, save and close the Web.Config file.
To configure the Security Token Service Web.Config file
1. Open IIS Manager by typing INETMGR at a command prompt.
2. Go to the SharePoint Web Services site.
3. Go to the SecurityTokenServiceApplication sub-site.
4. Right-click SharePoint Central Administration and select Explore.
5. Open the Web.Config file.
6. Find the
<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
     userObjectClass="person"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
<add name="rolemanager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree" />
Important:
After you have added the preceding entry, save and close the Web.Config file.
To configure the forms-based authentication claims-based Web application Web.Config file
1. Open IIS Manager by typing INETMGR at a command prompt.
2. Go to the Claims Forms site.
3. Right-click Claims Forms and select Explore.
4. Open the Web.Config file.
5. Find the
6. Find the
<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="OU=UserAccounts,DC=redmond,DC=corp,DC=microsoft,DC=com"
     userObjectClass="person"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />
Find the
<add name="rolemanager"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="yourserver.com"
     port="389"
     useSSL="false"
     groupContainer="DC=redmond,DC=corp,DC=microsoft,DC=com"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(&amp;(ObjectClass=group))"
     userFilter="(&amp;(ObjectClass=person))"
     scope="Subtree" />
Important:
After you have added the preceding entry, save and close the Web.Config file.
Warning:
Do not overwrite any existing entries in this Web.Config file.
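A check for the three Web.Config files edited above, as an added example that is not part of the original article: it confirms that the membership and rolemanager provider entries are present, reports any entry whose useSSL value is not true, and catches LDAP filters with unbalanced parentheses. The function name Get-LdapProviderFinding and the sample XML are constructed for illustration, and the check assumes the configuration element carries no XML namespace.

```powershell
# Added example (not from the original article). Provider names are the
# article's; the sample XML is constructed. Written for PowerShell 2.0.
function Get-LdapProviderFinding {
    param(
        [Parameter(Mandatory=$true)] [xml]    $Config,
        [Parameter(Mandatory=$true)] [string] $Label
    )
    $targets = @{
        membership  = "//membership/providers/add[@name='membership']"
        roleManager = "//roleManager/providers/add[@name='rolemanager']"
    }
    foreach ($kind in $targets.Keys) {
        $issues = @()
        $node = $Config.SelectSingleNode($targets[$kind])
        if ($null -eq $node) {
            $issues += 'provider entry missing'
        } else {
            if ($node.GetAttribute('useSSL') -ne 'true') {
                $issues += 'useSSL is not true: directory traffic is not protected by SSL'
            }
            foreach ($attr in 'userFilter', 'groupFilter') {
                $f = $node.GetAttribute($attr)   # empty string when the attribute is absent
                $open  = ($f -replace '[^(]', '').Length
                $close = ($f -replace '[^)]', '').Length
                if ($open -ne $close) { $issues += "$attr has unbalanced parentheses: $f" }
            }
        }
        foreach ($i in $issues) {
            New-Object PSObject -Property @{ File = $Label; Provider = $kind; Issue = $i }
        }
    }
}

# Constructed sample: a membership entry with a malformed filter and no role entry.
$sample = [xml]@'
<configuration><system.web>
  <membership><providers>
    <add name="membership" server="yourserver.com" port="389" useSSL="false"
         userFilter="((ObjectClass=person)" />
  </providers></membership>
</system.web></configuration>
'@

Get-LdapProviderFinding -Config $sample -Label 'sample Web.Config' |
    Format-Table File, Provider, Issue -AutoSize
# For a real file: -Config ([xml](Get-Content $path)), once per Web.Config.
```

Run it once against each of the three Web.Config files; an empty result means both entries are present, use SSL, and have balanced filters.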
Configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
Perform the steps in the following procedure to use Windows PowerShell to configure forms-based authentication for a claims-based Web application.
To configure a forms-based Web application to use an LDAP provider by using Windows PowerShell
1. Verify that you meet the following minimum requirements: You are a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
2. On the Start menu, click All Programs.
3. Click Microsoft SharePoint 2010 Products.
4. Click SharePoint 2010 Management Shell.
5. From the Windows PowerShell command prompt (that is, PS C:\>), type the following and press ENTER:
$ap = New-SPAuthenticationProvider -Name "ClaimsForms" -ASPNETMembershipProvider "membership" -ASPNETRoleProviderName "rolemanager"
$wa = New-SPWebApplication -Name "Claims Windows Web App" -ApplicationPool "Claims App Pool" -ApplicationPoolAccount "redmond\appool" `
    -Url http://servername -Port 80 -AuthenticationProvider $ap
Note:
The value of the ApplicationPoolAccount parameter must be a managed account on the farm.
6. After you have successfully created an authentication provider and a Web application, modify the following Web.Config files using the sample entries provided in the "Configure the LDAP Web.Config files" section of this article:
The Central Administration Web application Web.Config file
The Security Token Service Web.Config file
The forms-based authentication claims-based Web application Web.Config file
7. After you have modified the Web.Config files, create an SPClaimsPrincipal and a site collection, as shown in the following example:
$cp = New-SPClaimsPrincipal -Identity "membership:SiteOwner" -IdentityType FormsUser
$sp = New-SPSite http://servername:port -OwnerAlias $cp.Encode() -Template "STS#0"
Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
Migrate users and permissions from SharePoint Server 2007 to SharePoint Server 2010
Perform the steps in the following procedure to use Windows PowerShell to migrate users and permissions.
To migrate users and permissions from SharePoint Server 2007 to SharePoint Server 2010
1. Verify that you meet the following minimum requirements: You are a member of the SharePoint_Shell_Access role on the configuration database and a member of the WSS_ADMIN_WPG local group on the computer where SharePoint 2010 Products is installed.
2. On the Start menu, click All Programs.
3. Click Microsoft SharePoint 2010 Products.
4. Click SharePoint 2010 Management Shell.
5. From the Windows PowerShell command prompt (that is, PS C:\>), type the following and press ENTER:
$w = Get-SPWebApplication "http://
$w.MigrateUsers($true)
Note:
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.