Custom Membership Provider under Minimal Trust in SharePoint 2007

 

Overview

 

This document is a systematic instruction sheet for creating and installing an ASP.NET 2.0 Membership Provider into SharePoint 2007 Beta 2 installation. This document assumes the reader is familiar with ASP.NET 2.0, SharePoint 2007 Beta 2, and the existence of membership providers to facilitate custom forms authentication. The intended audiences of this document are developers.

In addition, this document discusses the use of Code Access Security. For further reading and background-knowledge read the document titled “Code Access Security – A Primer.”

 

Creating a Membership Provider

 

Follow the rudimentary instructions below to create a simple membership provider for ASP.NET 2.0:

  1. Using Visual Studio 2005, create a new class library.
  2. Add a class to the library; give it a name that reflects the membership provider you are creating.
  3. Add a reference to the System.Web.Security namespace.
  4. Make your membership class inherit from System.Web.Security.MembershipProvider.
  5. Use Visual Studio to generate stubs for the abstract members inherited from MembershipProvider.
  6. Implement the following methods; SharePoint calls them when adding users to groups and at authentication:

  1. FindUsersByName
  2. GetAllUsers
  3. GetUser (both versions)
  4. ValidateUser

  7. Optionally implement the following methods to make the provider more flexible; SharePoint does not strictly require them to administer and authenticate users, but they are useful:

    1. FindUsersByEmail
    2. GetUserNameByEmail
    3. UpdateUser

  8. For all other methods, leave the defaults or throw a NotImplementedException.
  9. Build the project.
  10. Add an ASP.NET 2.0 web site to the solution.
  11. Add a reference from the web site to the custom membership provider class library project.
  12. Edit the configuration file in the web site (web.config).
  13. Inside the system.web XML node add the following XML:

    <membership defaultProvider="MyProvider">
      <providers>
        <add name="MyProvider" type="NS.MyProviderClass"/>
      </providers>
    </membership>

  14. Replace the name and type of the provider in the above XML with the name and type of the membership provider you created in step #2.
  15. With the web site set as the current project, run the ASP.NET Configuration tool from the Website menu in Visual Studio.
  16. Configure the tool to use your new membership provider and test the provider using the Security tab.
  17. Congratulations, you have just created a functional membership provider that runs in full trust (assuming the methods you created in steps #6 and #7 actually do something useful, like call out to SQL Server or a disk file).

    Minimum Trust Considerations

    Update: It is often easier to install the membership provider DLL in the Global Assembly Cache to achieve full trust, but in cases where you're working with a hosted SharePoint site and cannot deploy to the GAC these instructions should steer you right.

    SharePoint 2007 runs in a partial trust environment. This means that the membership provider created in the previous section must also operate in a partial trust environment. Before continuing with the steps below, read, “Understand code access security issues in SharePoint 2007” for a better understanding of Code Access Security in .NET.

    1. Edit the configuration file for the web site (web.config), as mentioned in the above section.
    2. Add the following XML to the system.web XML node:

      <trust level="minimal" originUrl=""/>

    3. Run the ASP.NET configuration tool again and test the custom membership provider. If you are lucky the provider may operate without a hitch, but more likely it will throw a security exception; this is because some code in the provider assembly, or in a dependent assembly, is demanding an elevated permission.
    4. Open the AssemblyInfo file in the membership class library project and add the following attributes (assumes C# syntax; both attribute types live in the System.Security namespace):

      using System.Security;

      [assembly: AllowPartiallyTrustedCallers]
      [assembly: SecurityCritical]

    5. The above attributes allow partially trusted callers (the web site, and eventually SharePoint 2007) to use the custom membership provider, and make the assembly security transparent (with the exception of methods marked security critical).
    6. Note: if you or your organization routinely performs security audits on code, the audit team must check the membership provider before the attributes above are applied. Allowing partially trusted callers can introduce security vulnerabilities.
    7. Make a copy of the file web_minimaltrust.config from C:\WINDOWS\Microsoft.NET\Framework\<version>\CONFIG and place the copy in the main web site folder.
    8. Rename the file to web_minimaltrust.config, this file is the security policy file for the web application.
    9. Add the following XML to the system.web XML node in the web site configuration file (web.config):

      <securityPolicy>
        <trustLevel name="CustomTrust" policyFile="web_minimaltrust.config"/>
      </securityPolicy>

    10. The above defines a new security policy using a copy of the ASP.NET 2.0 minimal trust policy file in the web site folder.
    11. Change the level attribute of the trust node, defined in step #2, to CustomTrust.
    12. Open the security policy file, web_minimaltrust.config, in Visual Studio 2005.
    13. The policy file defines a series of security classes, permission sets, and code groups. The code groups define evidence criteria for code and the mapping to the permission sets. The security classes are references to the hosting assembly and fully qualified type name.
    14. Find the permission set for ASP.Net. Notice how few permissions this set grants. Do not add permissions to this set, because doing so would grant elevated permissions to everything running under ASP.Net.
    15. Create a new custom permission set node at the same level as the ASP.Net permission set. Give it a name.
    16. To start with, apply unrestricted access (Full Trust) to the permission set, as follows:

      <PermissionSet class="NamedPermissionSet" version="1" Name="MyCustomPermissionSet" Unrestricted="true" Description="My custom permission set">
      </PermissionSet>

    17. Create a strong name key pair file using the command:

      sn -k secure.snk

    18. Add the key file to the custom membership provider class library project. Under the project properties, select the “Signing” tab and set the strong name key file to the key you just added in step #17.
    19. You now have a strong-named custom membership assembly.
    20. Extract the public key token and public key blob from the assembly with the following command:

      sn -Tp customMembershipAssembly.dll

    21. Find the first code group node with class FirstMatchCodeGroup, and add a nested code group node as follows:

      <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="MyCustomPermissionSet" Description="Custom code group for my signed assembly">
        <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="Insert the blob here from step #20"/>
      </CodeGroup>

    22. What have we done? The code group above tells the CLR that any strong-named assembly signed with a public key matching the blob specified in the configuration file belongs to the MyCustomPermissionSet permission set. The custom permission set was set to unrestricted (Full Trust), so the custom membership provider should now operate under full trust.
    23. Decorate each method in the custom membership class that performs a security critical request with the SecurityCritical attribute.
    24. Surround security critical method calls with permission asserts so that demands for elevated permissions do not propagate into the minimal trust environment of ASP.Net.
    25. Test the custom membership provider in the ASP.Net configuration tool and confirm that it operates successfully.
    26. Remove the Unrestricted="true" attribute from the custom permission set.
    27. Test the custom membership provider again and make a note of each security permission exception; for example, there may be a demand for the FileIOPermission class.
    28. Add each permission class to the custom permission set, and make sure that a SecurityClass definition for that permission exists in the security classes section. Example permission:

      <PermissionSet class="NamedPermissionSet" version="1" Name="MyCustomPermissionSet" Description="My custom permission set">
        <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
      </PermissionSet>

    29. If you know the properties the permission needs (such as read-only file access for FileIOPermission), set them explicitly as attributes on the IPermission node. Setting Unrestricted grants the custom membership assembly, and only that assembly, full access to the permission. If the custom membership provider has passed a security audit, full access to this permission may be acceptable; otherwise, lock the permission down specifically.
    30. The custom membership provider should succeed under minimal trust once all the permission exceptions have been eliminated by adding the permission classes to the permission set.
    31. If your custom membership provider continues to throw security exceptions, check the following:

    1. Check for existence of all desired permission classes in the permission set.
    2. Make sure that there exists a definition of the SecurityClass node for each permission class, and the StrongNameMembershipCondition.
    3. Confirm that the code group is working for the custom membership assembly by setting the custom permission set to unrestricted=true.
    4. Make sure that the public key blob (not the public key token) is correct in the code group.
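    Steps 23, 24 and 29 in code, as an added example that is not part of the article: each privileged call is marked SecurityCritical, asserts only the permission it needs, and reverts the assert in a finally block; MembershipProvider.ValidateUser would delegate to ValidateCredentials. The class name CriticalUserStore, the Users/UserName/PasswordHash/Salt schema and the salted SHA-256 comparison are assumptions, since the article does not say how the provider stores credentials.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Text;

// Hypothetical data-access helper for a custom membership provider running under
// the article's custom minimal-trust policy (example code, not the article's own).
// The provider's ValidateUser implementation would delegate to ValidateCredentials.
public static class CriticalUserStore
{
    // Step 23: the member that performs the privileged operation is marked critical.
    // Step 24: SqlConnection.Open demands SqlClientPermission; the Assert satisfies
    // that demand here, so the stack walk never reaches the minimal-trust frames of
    // ASP.NET / SharePoint above us.
    //
    // CAS only honours the Assert if this assembly itself holds the asserted
    // permission AND SecurityPermission with the Assertion flag; both must therefore
    // be granted by the custom permission set in web_minimaltrust.config.
    [SecurityCritical]
    public static bool ValidateCredentials(string connectionString, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            return false;

        new SqlClientPermission(PermissionState.Unrestricted).Assert();
        try
        {
            using (SqlConnection connection = new SqlConnection(connectionString))
            using (SqlCommand command = connection.CreateCommand())
            {
                // Parameterised: the supplied user name never becomes part of the SQL text.
                // Table and column names (Users, UserName, PasswordHash, Salt) are assumed.
                command.CommandText =
                    "SELECT PasswordHash, Salt FROM Users WHERE UserName = @userName";
                command.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
                connection.Open();
                using (SqlDataReader reader = command.ExecuteReader(CommandBehavior.SingleRow))
                {
                    if (!reader.Read())
                        return false;
                    byte[] storedHash = (byte[])reader["PasswordHash"];
                    byte[] salt = (byte[])reader["Salt"];
                    return FixedTimeEquals(storedHash, HashPassword(password, salt));
                }
            }
        }
        finally
        {
            // Narrow the elevated window: drop the Assert before returning to callers.
            CodeAccessPermission.RevertAssert();
        }
    }

    // Step 29 applied in code: assert read access to one absolute path instead of an
    // unrestricted FileIOPermission. 'path' must already be absolute (for example,
    // taken from the provider's configuration), because resolving a relative path
    // would itself demand PathDiscovery before the Assert is in place.
    [SecurityCritical]
    public static string[] ReadAllowedUserList(string path)
    {
        FileIOPermissionAccess access = FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery;
        new FileIOPermission(access, path).Assert();
        try
        {
            return File.ReadAllLines(path);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }

    // Salted SHA-256 is an assumption standing in for whatever the real store uses;
    // the point is that ValidateUser compares hashes, never clear-text passwords.
    private static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + passwordBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(passwordBytes, 0, input, salt.Length, passwordBytes.Length);
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(input);
    }

    // Compares every byte so a mismatch takes the same time wherever it occurs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

    If the Assert itself throws a SecurityException, the custom permission set is missing either the asserted permission or SecurityPermission with the Assertion flag.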

     

     

    Installing the Custom Membership Provider in SharePoint 2007

     

    Now that we have created a custom membership provider that operates under minimal trust, it is time to add this provider to SharePoint 2007.

     

    Part 1 – The SharePoint Central Administration Website

     

    1. Find the directory where the main central administration website resides; open IIS Manager and look at the home directory of the site to find the location.
    2. Copy the custom membership (and any dependent) assemblies to the app_bin sub directory.
    3. Copy the web_minimaltrust.config policy file to the SCAW directory (step #1).
    4. Open the website configuration file (web.config) and add a new trust level, using the new policy file.
    5. Add the membership provider node (see #13 in first section).
    6. Add the custom provider fully qualified assembly name (and those of any dependent assemblies) to the assemblies node under compilation, e.g.:

      <compilation batch="false" debug="false">
        <add assembly="MyCustomProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=8e78636d3b27ebb9"/>
      </compilation>

    7. Add the name of the custom membership provider to the PeoplePickerWildcards tag (assuming your provider handles wildcards):

      <PeoplePickerWildcards>
        <clear />
        <add key="MyCustomProvider" value="%"/>
      </PeoplePickerWildcards>

     

     

    Part 2 – Custom Web Application and Site Collection

     

    1. Create your web application and site collection.
    2. Follow steps #2 through #7 in the previous section for the custom web application. The directory can be located using the IIS manager, similar to step #1 above.
    3. Turn on forms authentication and specify the custom membership provider for the custom web application (Application Management Tab, Application Security, and Authentication Providers).
    4. Add a new administrator to the site collection of your web application from the custom membership provider:

    1. Click Application Management Tab, SharePoint Site Management, and Site Collection Administrators.
    2. Change the site collection context to that of the custom web application site collection.
    3. Click the book icon to search for users within your custom membership provider. You should be able to search users from the custom provider.
    4. Assign an administrator user.

    5. Open a new browser window using the URL for the custom web application. Expect a login page using forms authentication. Authentication will use the custom authentication provider.

     

    Problems Experienced

     

    After much experimentation, the above instructions were constructed. Most of the problems experienced arose because the custom membership provider was not operating correctly under minimal trust. The quick solution would have been to raise the trust level of SharePoint to medium trust, but a solution was required that would not compromise the security of SharePoint and would install at the default minimal security level.

    Before embarking on adding a custom membership provider into SharePoint 2007, make sure that the provider works correctly in the ASP.Net Configuration tool with no security exceptions or errors. Be sure to try all the functions of the provider: validation worked correctly in the tests performed, but I overlooked one of the calls to retrieve user information from SQL Server and caused a SqlClientPermission exception. SharePoint 2007 Beta 2 will not give you much of an error message, just a failure notice.

    The log files, located at C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS, can be of some help.

    Tests would sometimes fail, with a notice about not being able to find the custom membership provider assembly. I experienced this problem after resetting IIS, and suspect that this is something to do with caching of assemblies at the ASP.Net level. Make an edit to the web configuration file and save the changes to fix the problem – this will cause IIS to reload the ASP.Net web application for the portal and reload the custom membership provider.


    62 thoughts on “Custom Membership Provider under Minimal Trust in SharePoint 2007”

    1. http://

      Excellent tutorial, thanks a lot for posting this. However there is a tiny mistake in one of your steps:

      “11. Change the level attribute of the trust node, defined in step #19, to CustomTrust. ”

      Should be “step #9” not 19 🙂

    2. robgarrett

      Thanks Nick, actually there were a number of mistakes with the references.

      Word 2007 allowed me to number lists continuously through the entire article, CS reset the list numbering to #1 in each section.

      Let me know if you see any more errors.

      Thanks again.

    3. http://

      Do you have a link for “Understand code access security issues in SharePoint 2007.” Thanks!

    4. http://

      Thanks a lot everybody !

      However I am experiencing the following issue :
      When I add my custom membership provider to the SharePoint Central Administration Website web.config, I am no longer able to click on Application Management -> Site collection administrators; I get a Windows authentication login box which no longer recognizes my Windows credentials. Is it possible to let the SharePoint Central Administration use standard Windows authentication and only use membership authentication for SharePoint websites?

    5. http://

      The membership provider we created works in .net but under sharepoint we get a message

      Could not load ype ‘MyMemberShipProvider.MembershipProvider’.

      Troubleshoot issues with Windows SharePoint Services.

      How do we get a detailed message as to what the issue is?

    6. http://

      If you are getting locked out of SCAW:
      The default provider is only necessary in the site you are administering, not the sharepoint administration site. This is what is locking you out. The default is only needed on your actual site.

      I would also set your administration default role provider to the AspNetWindowsTokenRoleProvider, assuming you are writing a custom role provider as well. If not, ignore this. (enabled=true) would also be required.

    7. http://

      If your types are not getting loaded, it might be a permission issue. SharePoint may not have access to the assembly. Also use a program such as reflector to make sure that the assembly version is matched up with what is in your web.config. Place the dll in _app_bin.

    8. http://

      I am trying to set forms based authentication against the commerce server 2007 -> UpmMembershipProvider. I have got it working on a simple standalone website. However, when i try to do the same things on Sharepoint site, it says could not load. Upon further investigation, i found that a select query is indeed executed against the Commerce Server site’s database. But the logonNameProperty, which is set to GeneralInfo.email_address, is sent as an empty string. Any idea why ?

    9. http://

      One thing to note, the names of the trust levels are case sensitive. If your securityPolicy setting has a trustLevel with a name of “Minimal”, then you need trust level=”Minimal”. I got stuck on that for a while because one was Minimal and one was minimal.

    10. http://

      I’m building a Novell Directory Membership Provider and it seems to work fine because on my sharepoint site the users get authenticated (i know because the login page display an access denied message) but when i try to give permission to users the provider doesn’t initialize. what can be wrong?

    11. http://

      I am able to add users to Site collection Administration (using custom membership provider). but still can’t login to my web application.

      any help?

    12. robgarrett

      Farrukh,
      Does your site have any permission restrictions preventing access? Permissions do not trickle down in SharePoint, so regardless of whether you're a site collection administrator or farm administrator, if a site is locked down to a different group then you'll not be able to access it.

      R.

    13. http://

      Thanks for your quick reply.

      All the permissions are available under “User permissions for Web application” for this site.

      after my first post i have tried testing authentication provider in website administration tool and it gives me following error upon selecting Security tab:

      “There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.

      The following message may help in diagnosing the problem: This feature is not supported at the configured trust level.”

      It was working fine until i used “web_minimaltrust.config” and customTrust

      Thanks

    14. http://

      Hi,

      In the articles related to implementing SQL ( forms based auth ) , we are required to create / configure our Database from this tool aspnet_regsql.exe initially .

      And then we have to add users manually, which get stored in a System generated dbo.Users Table on our DB.

      IS it not possible to implement authentication by reading Username and password from a different table other than the default Users table.

      I mean i have my own DB with a table having Users and Password fields. I can make users authenticate but cannot authorize them ..then i get message saying

      Access Denied : you are currently signed in as “username”

      I cannot add my users thru “People and Groups ” as which i do a search for them, it wont show up as my users are from my own table and not the System generated DBO.USERS tables

      I dont want to use aspnet_regsql tool. I want my Username and password to come from my own table.

      neerajshah81@gmail.com

    15. robgarrett

      Farrukh,
      This is “Code-Access-Security” problem. Unlike ASP.NET, which defaults to full trust, SP starts with minimum trust (and so it should). If your code is attempting to access SQL, filesystem, registry, or uses reflection, all of which minimal trust restricts, then you’ll get a permission error.

      Best way to debug your provider:

      Try using your provider in the standard ASP.NET configuration website (accessed through Visual Studio 2005).

      Create a test ASP.NET website that uses your provider, set custom errors to off, and set the trust level in the site to minimal. When your provider throws a security exception you can then figure out what permission it needs.

      See my post on CAS: http://robgarrett.com/cs/blogs/software/archive/2006/05/31/1994.aspx

    16. robgarrett

      Neeraj,
      Did you create your own membership provider and configure it in both the SP central admin site and your working site?

      R.

    17. http://

      Hello,

      I am trying to follow the instructions in this article for making the provider work in the partial trust environment. I have completed the first 24 steps and testing the configuration as specified in step 25. As specified in step 22, I have added [SecurityCritical] attribute before each of the method I have implemented. I am getting an error “This feature is not supported at the configured trust level.”

      If I undo the changes made for making it work in the partial trust environment, it works. Any help will be appreciated.

      Atul.

    18. http://

      Atul,
      I am having the same issue. I am creating a custom membership provider for an LDAP server. The application works when I specify full trust, but when I use the custom provider I get the “This feature is not supported at the configured trust level.”

      I have the assembly entries in, and the class file has [SecurityCritical] and [DirectoryServicesPermission(SecurityAction.Assert, Unrestricted = true)] before each method that accesses the DirectoryServices namespace.

      I am not sure if it is not correctly matching the Blob which prevents it from entering my custom permission set. I have checked the Blob several times. I even regenerated the key, blob and token to make sure they were correct (using the .Net 2.0 SDK).

      Below is the description of the error:
      Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

      Any thoughts?

    19. http://

      Hi Rob, great post.
      I have been trying to follow it and encountering all sorts of weird issues.
      My membership provider works fine and I tested it in the ASP.NET configuration tool.
      Central Admin is able to use my provider easily and I can easily specify site collection admins from there, so my provider is working alright.
      But when I try to use the provider in my site by using the same membership attribute it gives me “unable to load file or assembly” error. My trust level for that site is wss_medium. I tried putting my assembly in the GAC but then opening the site gives me 403 forbidden messages (the event log shows that it cannot load the web.config file because “access is denied”).
      Any help in this regard is highly appreciated as i have been on this for 3 days.

    20. robgarrett

      IBM,
      Have you tried testing your membership provider at medium trust in the ASP.NET configuration tool? Set your ASP.NET at medium trust and run the tool. Sounds like a permission somewhere.

      R.

    21. http://

      hi Rob,
      I solved it by crook 🙂 Elevating some permissions did the trick for me. Since we will be hosting the site ourselves so i guess we have this leve.
      Anywayz I am far from completing my solution and surely will ping u again if i get into trouble.
      Thanks again and regards

      ibm

    22. http://

      Hello,

      I am trying to add users programmatically to the Contribute group of a Sharepoint web site that is not the one that I am currently logged in, it means that I am on web site A and I am trying to add users to web site B. When I execute the code to add the users into web site B i received “Access denied”, the web sites A and B are both working with Forms Authentication, when The code that I execute to add the users is running with elevated privileges.

      Regards !

    23. http://

      This XML fragment seems to be scrambled:

      <CodeGroup class=”UnionCodeGroup” version=”1” PermissionSetName=”MyCustomPermissionSet” Description=”Custom code group for my signed assembly” <IMembershipCondition class=”StrongNameMembershipCondition” version=”1” PublicKeyBlob=”Insert the blob here from step #20”/>/>

    24. http://

      Hello Rpb,
      Thank you so much for the information u provided above.

      I have one basic question
      In step 6 (Implementing methodsFindUsersByName,GetAllUsers ,GetUser,ValidateUser) can we use our existing table with users information?

      for the sake of getting familiarised with the various steps, I did hard code suitable return types(when implementing all the methods in step 6) instead of refering to any database.

      While it worked fine in xp(uptill step 31),the same code written from scratch in windows server 2003 shows the warning below when trying to test custom membership provider using asp.net configuration:

      Could not establish a connection top the database.
      If you have not yet created the SQL Server database, exit the Web Site Administration tool, use the aspnet_regsql command-line utility to create and configure the database, and then return to this tool to set the provider.

      Jus to give a try, i created aspnetdb using aspreg_sql.exe.

      Its still giving error.
      Your help needed..

    25. robgarrett

      Carlos,
      If I understand correctly – you have access to site A but not site B and you wish to add yourself to site B programmatically?

      Unless you're the site collection administrator of site B you'll not be able to add yourself to the contributors group (unless you've been granted explicit rights to do so).

    26. robgarrett

      Faiz,
      Sounds like a database connection issue to me. In short you can provide any code you like in your membership provider, including that to connect to a DB and query users (this is how the default ASPNET SQL Membership provider works).

      The reason your code does not work on Windows 2003 but does on XP could be all number of reasons:

      1. Do you have the same configuration on both machines?
      2. Can you access the DB from the Windows 2003 machine using SQL Mgmt Studio
      3. Have you setup permissions policies on the Windows 2003 box different to that of the XP machine?

      etc….

      R.

    27. http://

      I am new to MOSS 2007,I am working implement custom membership provider.can u tell me how to map existing user roles to sharepoint defined user roles.i have my own useradatabase and user roles.

    28. robgarrett

      Rajesh,
      You need to supplant both the SharePoint role provider and membership provider with custom providers.

      As a general rule it is better to use the built in SP role provider and create an authentication provider only for user login and for SP to seek new users.

      R.

    29. http://

      Hi Rob,
      Need your help again.

      Basically, I need to send a link in a mail so that on clicking that link the user should be taken to the home page of my sharepoint site.
      But when i enable forms authentication,the user will have to enter the userid and password(either using aspnetsqlmembership provider or custom forms authentication).
      Is there any way to supply these parameters in query string so that login page is bypassed and user is taken to the home page of the site?

      Thanks in advance!!

    30. robgarrett

      Faiz,
      I am not sure why you would want to forward the user to a secure page and not have them sign in themselves. The typical approach is to provide a public view home page (anonymous access) and then allow secure access via a login link or URL.

      If you still require privileged access via a unique link embedded in an email, I would suggest you implement a custom ticketing system with the ticket embedded in the URL, which expires after a time. You'll need to account for the ticket match in your custom membership provider in the ValidateUser method.

      R.

    31. http://

      [assembly:AllowPartiallyTrustedCallers]
      [assembly:SecurityCritical]

      After adding the above two line to my AssemblyInfo.cs file I get the the following two errors. What am I missing?

      “The type or namespace name ‘SecurityCritical’ could not be found (are you missing a using directive or an assembly reference?)”

      “The type or namespace name ‘AllowPartiallyTrustedCallers’ could not be found (are you missing a using directive or an assembly reference?)”

    32. http://

      I fixed the problem I was having with the [assembly:AllowPartiallyTrustedCallers] and [assembly:SecurityCritical]. I needed to add a reference to System.Security not System.Web.Security. Not sure if this is due to the version of .NET I am using or if it was a typo in your post, but it is good to note none-the-less.

    33. http://

      Not trying to be a pest, but I was wondering if you could clarify a couple points for me.

      A) What types of permissions errors are these steps supposed to fix? I am having a bizarre problem where my Membership Provider works some of the time, but other times I get a “You are not authorized to view this page” error. There does not appear to be any rhyme or reason to when it works or does not work. It is extra strange because there is no reporting of the event in the Security Events log.

      B) What exactly is meant by “Decorate each method in the custom membership class that performs a security critical request with the SecurityCritical attribute.” and “Surround security critical method calls with permission asserts”. I only ask because when I attempt to follow your steps, I get a page that says “Server Error in ‘/’ Application.”

    34. http://

      Hi Rob, I am trying to implement my Custom membership provider. I have managed to get it set in the Central admin and i have also assigned the site administrator to a user provided by the custom provider. When i browse to the site, i am also greeted with the login page. Now my problem is when i try to login using the administrator credentials, i keep staying in the login page and i am not taken into the site. Any ideas on why this may happen. Thanks in advance.

      p.s: I have tested the ValidateUser method using a ASP.Net site and it works.

    35. http://

      Hi Rob,

      Follow up to my previous comment, I wrote log statements to figure out if the validateuser method of the custom membership provider was called by Sharepoint. It is not getting called. Why could this be. I have double checked the web.config file, the settings for the membership provider is the same as in the web.config of central admin.

    36. robgarrett

      Satish,
      If your membership provider is working then you’ll either see a “failed to login” message, or you’ll authenticate with SharePoint – if your login page refreshes it is because your provider is failing. Failure could be for any number of reasons. I would rule out security first by setting the trust level of your test ASP.NET site to minimal, then start looking at connection strings, and user permissions to your database (assuming your using a database and the moss app pool user has rights to your DB).

      R.

    37. http://

      Rob,

      I am not using a database. For testing, i have just hard coded the user details in the custom provider class. The central admin site is able to use the custom provider and i am able to assign site administrator to the site. But the forms auth site is not able to connect to the provider. I have got log statements in the validate user method and from that i can see that the ValidateUser method is not getting called. Which means the forms auth site, is not using the custom provider. I am giving below the parts of the web.config file where i have updated the details of the provider.

      Inside <Compilation> tag

      <add assembly="MyCustomMembershipProvider, Version=1.0.0.0, Culture=neutral, PublicKeyToken=920351253b7c6f46" />

      Inside <System.Web> tag

      <membership defaultProvider="MyCustomMembershipProvider">
        <providers>
          <add name="MyCustomMembershipProvider" type="NS.MyCustomMembershipProvider"/>
        </providers>
      </membership>

      Inside <SharePoint> tag

      <PeoplePickerWildcards>
        <clear />
        <add key="MyCustomMembershipProvider" value="%" />
      </PeoplePickerWildcards>

      I don't see any error in the login page. I don't see anything in the log files or the event viewer.

      Would appreciate if you could give me possible causes on why this could happen.

      Thanks

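The kind of provider the configuration above points at, as an added example that is neither the commenter's nor Rob's code: a minimal read-only class whose type name matches the `type="NS.MyCustomMembershipProvider"` entry, with one constructed test user held as a salted SHA-256 hash instead of hard-coded plaintext, and a trace line at the top of `ValidateUser` so "never called" can be told apart from "called and returned false". It assumes the trust policy lets the provider use `System.Diagnostics.Trace` and that a trace listener is configured in web.config to capture the lines.

```csharp
// Added example, not the commenter's or Rob's code: a minimal provider whose type name matches
// the web.config above ("NS.MyCustomMembershipProvider"). The test user is constructed data,
// stored as a salted SHA-256 hash rather than plaintext, and ValidateUser traces each call so
// you can tell "never called" apart from "called and returned false".
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

namespace NS
{
    public class MyCustomMembershipProvider : MembershipProvider
    {
        // username -> { salt, Base64(SHA256(salt + password)) }; constructed sample data only.
        private static readonly Dictionary<string, string[]> users = BuildUsers();

        private static Dictionary<string, string[]> BuildUsers()
        {
            Dictionary<string, string[]> d = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
            d["siteadmin"] = new string[] { "salt-1", Hash("salt-1", "P@ssw0rd!") }; // hypothetical test user
            return d;
        }

        private static string Hash(string salt, string password)
        {
            using (SHA256 sha = SHA256.Create())
                return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(salt + password)));
        }

        public override bool ValidateUser(string username, string password)
        {
            // Trace first: if this line never shows up, SharePoint is not reaching this provider at all.
            Trace.WriteLine(Name + ": ValidateUser called for '" + username + "'");
            string[] entry;
            if (username == null || password == null || !users.TryGetValue(username, out entry))
                return false;
            bool ok = FixedTimeEquals(entry[1], Hash(entry[0], password));
            Trace.WriteLine(Name + ": ValidateUser('" + username + "') = " + ok);
            return ok;
        }

        // Compare hashes without returning early on the first differing character.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        // The people picker and site-administrator assignment go through these members.
        public override MembershipUser GetUser(string username, bool userIsOnline)
        {
            return username != null && users.ContainsKey(username) ? MakeUser(username) : null;
        }
        public override MembershipUser GetUser(object key, bool online) { return GetUser(Convert.ToString(key), online); }
        public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
        {
            string needle = (usernameToMatch ?? "").TrimEnd('%'); // PeoplePickerWildcards adds the "%"
            MembershipUserCollection found = new MembershipUserCollection();
            foreach (string u in users.Keys)
                if (u.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0) found.Add(MakeUser(u));
            totalRecords = found.Count;
            return found;
        }
        public override MembershipUserCollection GetAllUsers(int pi, int ps, out int total) { return FindUsersByName("", pi, ps, out total); }
        private MembershipUser MakeUser(string username)
        {
            return new MembershipUser(Name, username, username, username + "@example.com", null, null, true, false,
                DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue, DateTime.MinValue);
        }

        // Everything below is deliberately unsupported: this is a read-only test provider.
        public override string ApplicationName { get { return "SharePoint"; } set { } }
        public override bool EnablePasswordReset { get { return false; } }
        public override bool EnablePasswordRetrieval { get { return false; } }
        public override bool RequiresQuestionAndAnswer { get { return false; } }
        public override bool RequiresUniqueEmail { get { return false; } }
        public override int MaxInvalidPasswordAttempts { get { return 5; } }
        public override int MinRequiredNonAlphanumericCharacters { get { return 1; } }
        public override int MinRequiredPasswordLength { get { return 8; } }
        public override int PasswordAttemptWindow { get { return 10; } }
        public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
        public override string PasswordStrengthRegularExpression { get { return ""; } }
        public override bool ChangePassword(string u, string o, string n) { throw new NotSupportedException(); }
        public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw new NotSupportedException(); }
        public override MembershipUser CreateUser(string u, string p, string e, string q, string a, bool approved, object key, out MembershipCreateStatus status) { throw new NotSupportedException(); }
        public override bool DeleteUser(string u, bool deleteRelated) { throw new NotSupportedException(); }
        public override MembershipUserCollection FindUsersByEmail(string e, int pi, int ps, out int total) { throw new NotSupportedException(); }
        public override int GetNumberOfUsersOnline() { return 0; }
        public override string GetPassword(string u, string a) { throw new NotSupportedException(); }
        public override string GetUserNameByEmail(string e) { throw new NotSupportedException(); }
        public override string ResetPassword(string u, string a) { throw new NotSupportedException(); }
        public override bool UnlockUser(string u) { throw new NotSupportedException(); }
        public override void UpdateUser(MembershipUser u) { throw new NotSupportedException(); }
    }
}
```

If the first trace line never appears for the forms site while it does for central admin, the problem is on the SharePoint side of the boundary (the site is not using this provider); if it appears and the result is false, the problem is inside the provider. Keeping the hash comparison fixed-time and the passwords hashed costs nothing in a test provider and avoids shipping plaintext credentials in an assembly that ends up in the GAC.
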
    38. http://

      Rob,

      Thanks for the wonderful post. I have installed the custom provider assembly in the GAC and am trying to get it working on the SharePoint server. When I click, SCAW opens up fine; however, when I click any of the links to go to Operations or Application Management, I get the login prompt. What did I do wrong? Could you please shed some light here.

      Thanks in advance.

    39. http://

      Thanks for a great walkthrough. I have one question though. My membership provider uses web service calls using Web Service Enhancements 3. Since this dll (System.Web.Services3.dll) doesn’t allow partially trusted callers, I cannot make my membership provider run under minimal trust (only Full trust !? will be sufficient).
      Is there some way to configure around this problem, or are my only options either to run the SharePoint site under FullTrust or to implement the provider using only components that allow partially trusted callers?
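
A third option for the partially-trusted-caller problem raised in the comment above, as an added example that is neither the commenter's nor Rob's code: keep the provider at minimal trust and put the web service call behind a small strong-named gateway assembly installed in the GAC (so it is fully trusted), marked `AllowPartiallyTrustedCallers` so the provider can link to it, which asserts only the `WebPermission` the call needs and reverts it afterwards. The proxy class, its namespace, SOAP action and URL are hypothetical stand-ins for the real generated proxy.

```csharp
// Added example, not the commenter's or Rob's code: a small strong-named "gateway" assembly that is
// installed in the GAC (so it runs fully trusted), opts in to partially trusted callers, and makes
// the web service call on behalf of the minimal-trust provider. The proxy below is a hypothetical
// wsdl.exe-style stand-in for the real generated proxy; the URL and SOAP action are placeholders.
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Web.Services;
using System.Web.Services.Protocols;

[assembly: AllowPartiallyTrustedCallers]   // without this the provider cannot even link to the gateway

namespace NS.Gateway
{
    // Hypothetical generated proxy shape; with WSE 3.0 the base class would be WebServicesClientProtocol.
    [WebServiceBinding(Name = "CredentialServiceSoap", Namespace = "http://example.invalid/credentials")]
    internal sealed class CredentialServiceProxy : SoapHttpClientProtocol
    {
        [SoapDocumentMethod("http://example.invalid/credentials/Validate")]
        public bool Validate(string username, string password)
        {
            object[] results = Invoke("Validate", new object[] { username, password });
            return (bool)results[0];
        }
    }

    public sealed class CredentialServiceGateway
    {
        private readonly string serviceUrl;

        public CredentialServiceGateway(string serviceUrl)
        {
            if (string.IsNullOrEmpty(serviceUrl)) throw new ArgumentNullException("serviceUrl");
            if (!serviceUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
                throw new ArgumentException("credentials must only be sent over HTTPS", "serviceUrl");
            this.serviceUrl = serviceUrl;
        }

        public bool Validate(string username, string password)
        {
            // The WebPermission demand raised by the proxy would walk the stack into the
            // minimal-trust provider and fail. Assert the narrowest grant that satisfies it:
            // outbound connect to this one URL, held only for the duration of the call.
            WebPermission connectOnly = new WebPermission(NetworkAccess.Connect, serviceUrl);
            connectOnly.Assert();
            try
            {
                CredentialServiceProxy proxy = new CredentialServiceProxy();
                proxy.Url = serviceUrl;
                proxy.Timeout = 10000;   // milliseconds; do not let a slow service hang the login page
                return proxy.Validate(username, password);
            }
            finally
            {
                CodeAccessPermission.RevertAssert();   // never leave the assert active past the call
            }
        }
    }
}
```

The provider then references the gateway and calls `new CredentialServiceGateway(url).Validate(user, password)` from `ValidateUser`; the non-APTCA library is only ever called from the fully trusted gateway, so its link demand is satisfied. Because `AllowPartiallyTrustedCallers` makes every public member of the gateway reachable from any partially trusted code on the box, keep its public surface to exactly this one method and do not expose the proxy itself.
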

    40. robgarrett

      Deepak,
      That question is pretty much down to you. The above infrastructure enables you to write your own provider, how you check user credentials is all dependent on your requirements. If there is something specific you want to achieve, drop me a line via the contact me form.

      Regards.

      Rob.

    41. http://

      Great post. This has helped me a lot to plough through numerous issues. I have been able to fix all, but one is still puzzling me.

      I am not able to add Site Administrators using the custom provider.
      So when a user logs into the site, access is denied.

      Appreciate any tip. Thanks.

    42. http://

      Rob, excellent article. Will I be able to use SharePoint web service with a custom membership provider?

    43. robgarrett

      Dimitry,
      Just so I understand your question..

      1. If you’re asking if you can access a SharePoint web service from a custom membership provider, the answer is yes, although you may need to authenticate to SharePoint in addition.

      2. If you want to access SharePoint from a process and SharePoint is using a custom membership provider then take a look at this blog post:

      http://robgarrett.com/cs/blogs/software/archive/2007/09/18/sharepoint-2007-web-services-and-forms-authentication.aspx

    44. http://

      Hi Rob,
      I am trying to add a new user to an existing SharePoint group; I have my customised membership provider. Some code fragments are as follows:

      1. SPSite site = SPContext.Current.Site;
      2. SPWeb web = site.OpenWeb();

      3. web.AllUsers.Add("customisedmembershipprovider:" + employee.Username, employee.Email, "", null);

      Is there a way to add a user without providing the membership name? The new user I added always has the membership name in front of the actual name I want, but if I remove that membership heading, the add user will not work.

      Also a minor problem on opening the site: the above opening site code (1,2) always hangs when I debug it. Did I do anything wrong, or could you provide some alternative way of opening a site?

      Thanks

    45. robgarrett

      Burney,
      Unfortunately you have to apply the prefix so SharePoint knows to use your custom provider. To avoid seeing the provider name in SharePoint pass in a display name in to the Add method.

      Not sure what’s going on with your debugging environment.

      R.

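What Rob's answer describes in code, as an added example that is neither Burney's nor Rob's: the login name keeps the mandatory `provider:username` prefix, but the third argument to `Add` carries the display name so the prefix is not what appears in the UI. The provider name is the one from the comment above; `Employee` is a hypothetical stand-in for the commenter's object.

```csharp
// Added example, not Burney's or Rob's code: add a forms-authenticated user to the current web
// with the "provider:username" login SharePoint requires, while passing a display name so the
// prefix is not what users see. The provider name is the one from the comment above; Employee
// is a hypothetical stand-in for the commenter's object.
using System;
using Microsoft.SharePoint;

public class Employee   // hypothetical shape of the commenter's employee object
{
    public string Username;
    public string Email;
    public string FullName;
}

public static class FormsUserAdder
{
    // Must match the name registered under <membership><providers> in web.config.
    private const string ProviderName = "customisedmembershipprovider";

    // SharePoint resolves forms users as "<provider>:<username>"; build that in one place
    // and reject input that could smuggle a different provider or separator.
    public static string LoginNameFor(string username)
    {
        if (string.IsNullOrEmpty(username)) throw new ArgumentException("username is required", "username");
        if (username.IndexOf(':') >= 0) throw new ArgumentException("username must not contain ':'", "username");
        return ProviderName + ":" + username;
    }

    public static SPUser AddToWeb(SPWeb web, Employee employee)
    {
        string login = LoginNameFor(employee.Username);
        // The third argument is the display name; supplying it is what keeps the prefix out of the UI.
        web.AllUsers.Add(login, employee.Email, employee.FullName, "");
        return web.AllUsers[login];
    }

    // In a page or web part, use the context's web: it is owned by SharePoint and must not be
    // disposed. Only SPWeb objects you create yourself (site.OpenWeb()) need a using block.
    public static SPUser AddToCurrentWeb(Employee employee)
    {
        return AddToWeb(SPContext.Current.Web, employee);
    }
}
```

Two practical notes: the people picker and `AllUsers.Add` both call back into the provider's `GetUser`, so the prefix must be the exact provider name from web.config; and SharePoint rejects object-model updates made during a GET request, so make this call from a postback handler rather than loosening that check with `AllowUnsafeUpdates`.
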
    46. http://

      Hi Rob.

      Great article.! Thanks.

      I’m having a problem with a custom membership provider I wrote. I tested it with ASP.NET and it passed. I added the required configuration in both .config files (working site and central administration site) and it works for a while … until an iisreset command is executed; for some reason it stops working and no error is registered in the Event log. This may sound weird but if I delete/add the dll file it works again! (I can justify this with a video). “I used to love her (SharePoint) but I’ll have to kill her.”

      I appreciate your help.

    47. http://

      I am using Novell e-Directory for forms authentication. After writing the connection strings in web.config I can successfully add an LDAP user as site collection administrator, but I cannot log in to my web application even when I enter the admin username and password.

      Please suggest me on this.

    48. http://

      I am able to add users to Site Collection Administrators (using the custom membership provider), but I still can’t log in to my web application. I have this error:
      An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
      I did not add a custom trust level. I left the default trust level. Help.

    49. http://

      Hi Rob. I was following your steps to make my provider run under partial trust. At step 25, when I test the provider using the ASP.NET website, I get this error in the Security tab:

      There is a problem with your selected data store. This can be caused by an invalid server name or credentials, or by insufficient permission. It can also be caused by the role manager feature not being enabled. Click the button below to be redirected to a page where you can choose a new data store.

      The following message may help in diagnosing the problem: This feature is not supported at the configured trust level.

      BTW, my provider class will call another web service to validate the user. My class library has a web reference to the web service and will call its method. Would I need to do anything specific for this?
      Any help would be greatly appreciated. Thanks, Ravi

    50. http://

      Hi,

      Perhaps you can help me. I’m in Full trust and I have the same problem as Satish which is that my ValidateUser() method returns true but I keep staying on the login page without any errors in log file nor event viewer.

      Any idea ?

    51. http://

      I am having some trouble trying to customize an authentication provider for MOSS 3.0 using LDAP (so that I can authenticate users with Novell E-Directory without having to use Active Directory). I was trying to follow your recommended article:

      http://www.setfocus.com/technicalarticles/nickkellett/MOSS2007-and-Novell-LDAP-Authentication_pg1.aspx

      It was written for MOSS 2007 but I figured I could tweak MOSS 3.0 to authenticate this way

      First off, in which directory would I need to modify the web.config files, there are numerous config files associated with the sharepoint central administration

      Here are the directories containing web.config files I am looking at:

      I am assuming that this is the default
      C:\Inetpub\wwwroot\wss\VirtualDirectories\80\web.config
      C:\Inetpub\wwwroot\wss\VirtualDirectories\80\wpresources\web.config

      I am assuming that this is the Central admin
      C:\Inetpub\wwwroot\wss\VirtualDirectories\25077\web.config
      C:\Inetpub\wwwroot\wss\VirtualDirectories\25077\wpresources\web.config

      These are the files for a site I have created:

      C:\Inetpub\wwwroot\wss\VirtualDirectories\47106\web.config
      C:\Inetpub\wwwroot\wss\VirtualDirectories\47106\wpresources\web.config

      Where (within the System.web element) do I need to insert the membership provider information (see article)?

      What should I fill in for the items noted in red (see the article)?
      What should be the format of the server field: is it “ldap://server_ip” or simply “server_ip” (assuming server_ip is the IP address)?

      I am using an LDAP browser that returns the following info: I right click on the server itself, look at the properties, and it tells me the following

      Host: server_ip

      Port: “389”
      Protocol Version 3
      Base: “ou=BA, o=MNS” <<< is this what I should input into my [LDAP PATH TO GET BASE CONTAINERS AND ROOT OBJECT] ??? OR should I use “ldap://server_ip/ou=BA, o=MNS” or what?
      Would I be correct in assuming that the exact location to get to root objects and base containers is simply the location where I can see all of my user profiles? From my ldap browser, this is not labeled as the base for the ldap server.

      Also, since the UI on MOSS 3.0 is different from 07, how can I get the UI to see my new membership providers?

    52. http://

      I am getting an error in the ASP.NET Configuration security tab, i.e. “This feature is not supported at the configured trust level.”, after setting the trust level to “CustomTrust”.

      Please help me out with this.

    Comments are closed.