# This script automates the setup of Forms-Based Authentication (FBA) sites.
# It modifies the web.config of the Central Administration site,
# the STS and the FBA site.
# Note: the FBA site must be created before running this script.
# Also, the authentication providers of the web application hosting the FBA site
# must reference the membership and role providers this script registers (LdapMember and LdapRole).
# This script only configures an LDAP membership provider and an LDAP role provider.
# !!! See the end of the script to set the variables for your environment !!!
# Load the SharePoint cmdlets (needed for Get-SPServer) unless the snap-in is already in this session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue))
{
  Add-PSSnapin -Name Microsoft.SharePoint.PowerShell
}
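# Writes a timestamped backup of a web.config before it is modified.
# $xmlDoc - the loaded XmlDocument; only used as a fallback when the file is not readable
# $path   - path (local or UNC) of the web.config being edited
# The backup lands beside the original, i.e. inside the IIS virtual directory.
# NOTE(review): consider moving backups outside the site root once the change is verified.
function CreateBackupFile($xmlDoc, $path)
{
  # Seconds are included so two runs within the same minute do not overwrite each other.
  $dateString = (Get-Date).ToString("yyyyMMdd_HHmmss")
  $backupPath = $path.Replace("web.config", "$dateString.web.config.bak")
  if ($backupPath -eq $path)
  {
    # No "web.config" in the name: append a suffix instead of silently "backing up" onto the original.
    $backupPath = "$path.$dateString.bak"
  }
  if (Test-Path -LiteralPath $path)
  {
    # Byte-for-byte copy of what is on disk; $xmlDoc.Save() would re-serialize the DOM instead.
    Copy-Item -LiteralPath $path -Destination $backupPath
  }
  else
  {
    $xmlDoc.Save($backupPath)
  }
}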
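# Registers PeoplePickerWildcards entries for the LdapMember and LdapRole providers so
# the people picker performs partial-match ("*") searches against them.
# $xmlDoc - loaded XmlDocument of a web.config that contains /configuration/SharePoint/PeoplePickerWildcards
# Each key is checked on its own, so re-running the script never adds duplicates and a
# config that already has LdapMember but not LdapRole still gets the missing entry.
# Throws with a clear message when the PeoplePickerWildcards element is absent
# (the previous code failed with a null-method error at that point).
function AddPeoplePickerWildcard($xmlDoc)
{
  $wildcardsNode = $xmlDoc.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards")
  if (!$wildcardsNode)
  {
    throw "PeoplePickerWildcards element not found under /configuration/SharePoint; cannot add LDAP wildcards"
  }
  foreach ($key in @("LdapMember", "LdapRole"))
  {
    if ($wildcardsNode.SelectSingleNode("add[@key='$key']")) { continue }
    $entry = $xmlDoc.CreateElement("add")
    $entry.SetAttribute("key", $key)
    $entry.SetAttribute("value", "*")
    # [void] keeps the appended node from leaking into the function's pipeline output.
    [void]$wildcardsNode.AppendChild($entry)
  }
}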
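# Registers the LdapMember membership provider under system.web/membership/providers.
# Idempotent: returns without changes when an <add name="LdapMember"> entry already exists.
# $xmlDoc        - loaded XmlDocument of the web.config
# $ldapServer    - host name of the LDAP server
# $userContainer - DN of the container searched for user objects
# $userFilter    - LDAP filter restricting which objects count as users
# $port, $useSSL - LDAP port and TLS switch; the defaults ("389"/"false") keep the original
#                  plaintext-LDAP configuration. The provider validates FBA logins by binding
#                  to the directory with the user's credentials, so over plain LDAP those
#                  credentials cross the network unencrypted; prefer "636"/"true" (LDAPS)
#                  wherever the directory supports it.
# Throws when /configuration/system.web is missing. Creates <membership> and <providers>
# on demand, including the case where <membership> exists without <providers>
# (the previous code failed with a null-method error there).
function AddMembership($xmlDoc, $ldapServer, $userContainer, $userFilter, $port = "389", $useSSL = "false")
{
  if ($xmlDoc.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='LdapMember']"))
  {
    return
  }

  $sysWeb = $xmlDoc.SelectSingleNode("/configuration/system.web")
  if (!$sysWeb)
  {
    throw "system.web element not found; cannot add the LdapMember membership provider"
  }

  $membershipNode = $sysWeb.SelectSingleNode("membership")
  if (!$membershipNode)
  {
    $membershipNode = $sysWeb.AppendChild($xmlDoc.CreateElement("membership"))
  }
  $providerNode = $membershipNode.SelectSingleNode("providers")
  if (!$providerNode)
  {
    $providerNode = $membershipNode.AppendChild($xmlDoc.CreateElement("providers"))
  }

  $add = $xmlDoc.CreateElement("add")
  $add.SetAttribute("name", "LdapMember")
  $add.SetAttribute("type", "Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
  $add.SetAttribute("server", $ldapServer)
  $add.SetAttribute("port", "$port")
  $add.SetAttribute("useSSL", "$useSSL")
  $add.SetAttribute("userDNAttribute", "distinguishedName")
  $add.SetAttribute("userNameAttribute", "sAMAccountName")
  $add.SetAttribute("userContainer", $userContainer)
  $add.SetAttribute("userObjectClass", "person")
  $add.SetAttribute("userFilter", $userFilter)
  $add.SetAttribute("scope", "Subtree")
  $add.SetAttribute("otherRequiredUserAttributes", "sn,givenname,cn")
  # [void] keeps the appended node out of the function's pipeline output.
  [void]$providerNode.AppendChild($add)
}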
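# Registers the LdapRole role provider under system.web/roleManager/providers and
# enables the role manager.
# Idempotent: returns without changes when an <add name="LdapRole"> entry already exists.
# $xmlDoc        - loaded XmlDocument of the web.config
# $ldapServer    - host name of the LDAP server
# $userContainer - DN searched for users AND (as in the original script) for groups
# $userFilter    - LDAP filter for user objects
# $groupFilter   - LDAP filter for group objects
# $port, $useSSL - LDAP port and TLS switch; defaults ("389"/"false") keep the original
#                  plaintext-LDAP setup. Prefer "636"/"true" (LDAPS) where available so
#                  role lookups are not readable on the wire.
# Throws when /configuration/system.web is missing. Creates <roleManager> and <providers>
# on demand, including <roleManager> present without <providers>.
function AddRoles($xmlDoc, $ldapServer, $userContainer, $userFilter, $groupFilter, $port = "389", $useSSL = "false")
{
  if ($xmlDoc.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='LdapRole']"))
  {
    return
  }

  $sysWeb = $xmlDoc.SelectSingleNode("/configuration/system.web")
  if (!$sysWeb)
  {
    throw "system.web element not found; cannot add the LdapRole role provider"
  }

  $rolesNode = $sysWeb.SelectSingleNode("roleManager")
  if (!$rolesNode)
  {
    $rolesNode = $sysWeb.AppendChild($xmlDoc.CreateElement("roleManager"))
  }
  # Role lookups are ignored unless the role manager is enabled.
  $rolesNode.SetAttribute("enabled", "true")

  $providerNode = $rolesNode.SelectSingleNode("providers")
  if (!$providerNode)
  {
    $providerNode = $rolesNode.AppendChild($xmlDoc.CreateElement("providers"))
  }

  $add = $xmlDoc.CreateElement("add")
  $add.SetAttribute("name", "LdapRole")
  $add.SetAttribute("type", "Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c")
  $add.SetAttribute("server", $ldapServer)
  $add.SetAttribute("port", "$port")
  $add.SetAttribute("useSSL", "$useSSL")
  $add.SetAttribute("groupContainer", $userContainer)
  $add.SetAttribute("groupNameAttribute", "cn")
  $add.SetAttribute("groupNameAlternateSearchAttribute", "samAccountName")
  $add.SetAttribute("groupMemberAttribute", "member")
  $add.SetAttribute("userNameAttribute", "sAMAccountName")
  $add.SetAttribute("dnAttribute", "distinguishedName")
  $add.SetAttribute("groupFilter", $groupFilter)
  $add.SetAttribute("userFilter", $userFilter)
  $add.SetAttribute("scope", "Subtree")
  # [void] keeps the appended node out of the function's pipeline output.
  [void]$providerNode.AppendChild($add)
}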
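# Updates the Central Administration web.config in place: backup, people picker
# wildcards, LdapRole and LdapMember providers. The role manager's defaultProvider is
# left at AspNetWindowsTokenRoleProvider (Central Administration keeps Windows roles);
# membership defaults to LdapMember.
# $path - local or UNC path of the Central Administration web.config
# Fix: the user/group filters passed to AddRoles here were "((ObjectClass=person)" and
# "((ObjectClass=group)" — unbalanced parentheses, not valid LDAP filters. They now match
# the filter already used for AddMembership in this function.
function ProcessCentralAdmin($path, $ldapServer, $userContainer)
{
  [System.Xml.XmlDocument] $xd = New-Object System.Xml.XmlDocument
  # Load reads the file itself and honours its encoding declaration; the previous
  # Get-Content + LoadXml path joined the file's lines into one space-separated string.
  $xd.Load($path)
  CreateBackupFile $xd $path
  AddPeoplePickerWildcard $xd
  AddRoles $xd $ldapServer $userContainer "(ObjectClass=person)" "(ObjectClass=group)"
  $roleNode = $xd.SelectSingleNode("/configuration/system.web/roleManager")
  $roleNode.SetAttribute("defaultProvider", "AspNetWindowsTokenRoleProvider")
  AddMembership $xd $ldapServer $userContainer "(ObjectClass=person)"
  $membershipNode = $xd.SelectSingleNode("/configuration/system.web/membership")
  $membershipNode.SetAttribute("defaultProvider", "LdapMember")
  $xd.Save($path)
}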
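# Updates the FBA web application's web.config in place: backup, people picker
# wildcards, LdapMember membership provider and LdapRole role provider. No
# defaultProvider is set here; the web application keeps its existing defaults.
# $path - local or UNC path of the web application's web.config
function ProcessWebApplication($path, $ldapServer, $userContainer)
{
  [System.Xml.XmlDocument] $xd = New-Object System.Xml.XmlDocument
  # Load reads the file itself and honours its encoding declaration; the previous
  # Get-Content + LoadXml path joined the file's lines into one space-separated string.
  $xd.Load($path)
  CreateBackupFile $xd $path
  AddPeoplePickerWildcard $xd
  AddMembership $xd $ldapServer $userContainer "(&(ObjectClass=person))"
  AddRoles $xd $ldapServer $userContainer "(&(ObjectClass=person))" "(&(ObjectClass=group))"
  $xd.Save($path)
}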
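# Updates the Security Token Service web.config in place: backup, then LdapMember and
# LdapRole providers, both set as the defaultProvider of their section. People picker
# wildcards are not needed in the STS config.
# $path - local or UNC path of the STS web.config
# The STS config may have no <system.web>; it is created when missing. The previous
# existence check used the XPath "/configuration[system.web]", which selects
# <configuration> itself — it worked as a boolean but was misleading.
function ProcessSTS($path, $ldapServer, $userContainer)
{
  [System.Xml.XmlDocument] $xd = New-Object System.Xml.XmlDocument
  # Load reads the file itself and honours its encoding declaration; the previous
  # Get-Content + LoadXml path joined the file's lines into one space-separated string.
  $xd.Load($path)
  CreateBackupFile $xd $path

  if (!$xd.SelectSingleNode("/configuration/system.web"))
  {
    $config = $xd.SelectSingleNode("/configuration")
    if (!$config)
    {
      throw "No <configuration> root element in $path"
    }
    # [void] keeps the appended node out of the function's pipeline output.
    [void]$config.AppendChild($xd.CreateElement("system.web"))
  }

  AddMembership $xd $ldapServer $userContainer "(&(ObjectClass=person))"
  $membershipNode = $xd.SelectSingleNode("/configuration/system.web/membership")
  $membershipNode.SetAttribute("defaultProvider", "LdapMember")

  AddRoles $xd $ldapServer $userContainer "(&(ObjectClass=person))" "(&(ObjectClass=group))"
  $roleNode = $xd.SelectSingleNode("/configuration/system.web/roleManager")
  $roleNode.SetAttribute("defaultProvider", "LdapRole")

  $xd.Save($path)
}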
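# Applies the FBA configuration on every farm server whose SPServer.Role is "Application".
# Local web.config paths are rewritten to each server's administrative share so one
# machine edits the remote files (this requires admin rights on those servers).
# $pathToWebApplicationConfig - local path of the FBA web application's web.config
# $pathToCentralAdminConfig   - local path of the Central Administration web.config;
#                               skipped on servers where it does not exist
# $ldapServer, $userContainer - passed through to the Process* functions
# NOTE(review): only "Application" role servers are touched — confirm that covers every
# server hosting the FBA web application and the STS in your farm.
function Main($pathToWebApplicationConfig, $pathToCentralAdminConfig, $ldapServer, $userContainer)
{
  # Turns "X:\dir\web.config" into "\\server\x$\dir\web.config" for any drive letter.
  # The previous code only replaced "c:\"; a config on another drive was silently
  # processed on the local disk once per server instead of on each remote server.
  function ToAdminSharePath($localPath, $serverName)
  {
    # '$1' is the captured drive letter, '$$' a literal '$' in the .NET replacement string.
    return ($localPath.ToLower() -replace '^([a-z]):\\', ("\\$serverName\" + '$1$$\'))
  }

  $servers = Get-SPServer | Where-Object { $_.Role -eq "Application" }
  foreach ($server in $servers)
  {
    $name = $server.Name
    $webAppConfigPath = ToAdminSharePath $pathToWebApplicationConfig $name
    $centralAdminConfigPath = ToAdminSharePath $pathToCentralAdminConfig $name
    $stsConfigPath = "\\$name\c$\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"

    ProcessWebApplication $webAppConfigPath $ldapServer $userContainer
    # Central Administration is hosted on only some of the servers.
    if (Test-Path -Path $centralAdminConfigPath)
    {
      ProcessCentralAdmin $centralAdminConfigPath $ldapServer $userContainer
    }
    ProcessSTS $stsConfigPath $ldapServer $userContainer
  }
}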
# ---- Environment-specific settings: edit these before running ----
# Local path of the Central Administration web.config on the farm servers
$pathToCentralAdminConfig = "C:\inetpub\wwwroot\wss\VirtualDirectories\8317\web.config"
# Local path of the FBA web application's web.config on the farm servers
$pathToWebApplicationConfig = "C:\inetpub\wwwroot\wss\VirtualDirectories\8083\web.config"
# Host name of the LDAP server
$ldapServer = "PBNET-DC.pbnet.pbnet.local"
# DN of the container searched for users (the same container is used for groups)
$userContainer = "CN=Users,DC=pbnet,DC=pbnet,DC=local"

Main -pathToWebApplicationConfig $pathToWebApplicationConfig `
     -pathToCentralAdminConfig $pathToCentralAdminConfig `
     -ldapServer $ldapServer `
     -userContainer $userContainer