No trusted providers were found while creating new User Profile Sync Connection

In my last post, Sync FBA user profiles, I discussed how to synchronize forms-based authentication (FBA) users with SharePoint.

One of the steps is to create a new synchronization connection for FBA. Since then I have received a couple of comments from readers who, while creating the new connection, got errors such as "Value is not valid" or "drpClaimId is not a valid value".

If you look closely you will see that one of the drop-downs shows "No trusted providers found", as in the screenshot below.

[screenshot: new synchronization connection form with "No trusted providers found" in the provider drop-down]

The Authentication Provider Type should be Forms Based Authentication. If it is, and you still see "No trusted providers were found", SharePoint cannot find the provider that the web application's FBA settings point to, and the connection cannot be created until that is fixed.

Let's take a step back and look at how a web application is configured for FBA (assuming you already have a membership provider that performs the actual authentication).

There are 2 main steps to do this.

1. Configure the membership provider and role provider in the web.config files.

2. Change the authentication provider settings in Central Administration for that web application.

Step 1 – Changing web config.

The web.config files of three sites need to be changed: the web application, Central Administration and the Security Token Service (STS). All three must carry the same provider names.

The web application's web.config should have the changes below. Add the key under <appSettings> (the value must be a quoted string):

<appSettings>
  <add key="LDAPPath" value="LDAP://CN=Users,DC=Talespin,DC=local" />
</appSettings>

Add the providers under <membership><providers> and <roleManager><providers>. The LdapMember and LdapRole entries are the custom additions; the providers named i and c are SharePoint's own claims providers, are already present in a claims web application and must remain the defaults. One caveat on the sample values: port="389" with useSSL="false" makes the provider talk to the domain controller over unencrypted LDAP, so binds and directory queries cross the network in the clear. Outside a lab, use LDAPS (port 636 with useSSL="true").

<membership defaultProvider="i">
  <providers>
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="sk-dc.sickkids.local"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=Talespin,DC=LOCAL"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="sk-dc.sickkids.local"
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=Talespin,DC=LOCAL"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  </providers>
</roleManager>

The Central Administration web.config should have the additions below (the existing defaultProvider values stay as they are).

<membership>
  <providers>
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="sk-dc.sickkids.local"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="OU=SPUsers,DC=SICKKIDS,DC=LOCAL"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="sk-dc.sickkids.local"
         port="389"
         useSSL="false"
         groupContainer="OU=SPUsers,DC=SICKKIDS,DC=LOCAL"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>

The STS web.config needs the additions below, inside <system.web>.

<system.web>
  <membership>
    <providers>
      <add name="LdapMember"
           type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="sk-dc.sickkids.local"
           port="389"
           useSSL="false"
           userDNAttribute="distinguishedName"
           userNameAttribute="sAMAccountName"
           userContainer="OU=SPUsers,DC=SICKKIDS,DC=LOCAL"
           userObjectClass="person"
           userFilter="(ObjectClass=person)"
           scope="Subtree"
           otherRequiredUserAttributes="sn,givenname,cn" />
    </providers>
  </membership>
  <roleManager enabled="true">
    <providers>
      <add name="LdapRole"
           type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
           server="sk-dc.sickkids.local"
           port="389"
           useSSL="false"
           groupContainer="OU=SPUsers,DC=SICKKIDS,DC=LOCAL"
           groupNameAttribute="cn"
           groupNameAlternateSearchAttribute="samAccountName"
           groupMemberAttribute="member"
           userNameAttribute="sAMAccountName"
           dnAttribute="distinguishedName"
           groupFilter="(ObjectClass=group)"
           userFilter="(ObjectClass=person)"
           scope="Subtree" />
    </providers>
  </roleManager>
</system.web>

Step 2 – Changing the authentication provider settings.

The second step is to change the web application's configuration. In Central Administration go to Application Management, select the web application and click Authentication Providers.

[screenshot: Authentication Providers page for the selected web application]

Click Default, or whichever zone you are configuring. Enable forms-based authentication by checking the Enable Forms Based Authentication check box.

Next, provide the membership provider name (and the role manager name). These are the name attributes you added in web.config above, LdapMember and LdapRole in this example, and they must match the strings in web.config exactly.

[screenshots: Edit Authentication page with Enable Forms Based Authentication checked and the provider names filled in]

Note that the match is case sensitive. If the name or its case does not match, or the entry is missing from one of the three web.config files, the drop-down shows "No trusted providers found" when you try to add the connection.
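The following Python script is an added example and not part of the original post: it performs the check described above before you open Central Administration. It parses the <membership>/<providers> and <roleManager>/<providers> sections of each web.config, compares the provider names case-sensitively against the names entered in the web application's FBA settings, and reports exact matches, case-only mismatches and missing entries separately, so the cause of "No trusted providers found" is visible. It also lists providers still configured with useSSL="false". The make_config helper, the host dc.example.local and the three constructed config fragments are assumptions for the example; the provider names LdapMember and LdapRole are the ones used in this post.

```python
"""Check the FBA provider names in SharePoint web.config files.

SharePoint looks up the membership and role providers entered in Central
Administration by their exact, case-sensitive name attribute. This script
parses the <membership>/<providers> and <roleManager>/<providers> sections
of each web.config and reports exact matches, case-only mismatches and
missing entries, which is the check to run when the User Profile Sync
connection page shows "No trusted providers found".
"""
import xml.etree.ElementTree as ET


def make_config(membership_name, role_name=None, use_ssl="false"):
    """Build a constructed, minimal web.config fragment for this example.

    It carries SharePoint's own claims providers ("i" and "c") plus the custom
    LDAP entries; the role entry is omitted when role_name is None. The host
    dc.example.local is a placeholder, not a real server.
    """
    role_add = "" if role_name is None else (
        f'<add name="{role_name}" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server" '
        f'server="dc.example.local" port="389" useSSL="{use_ssl}" />')
    return f"""<configuration><system.web>
  <membership defaultProvider="i"><providers>
    <add name="{membership_name}" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server"
         server="dc.example.local" port="389" useSSL="{use_ssl}" />
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
  </providers></membership>
  <roleManager defaultProvider="c" enabled="true"><providers>
    {role_add}
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
  </providers></roleManager>
</system.web></configuration>"""


# Constructed scenario: the web application is correct, the STS has the role
# provider name in the wrong case, and Central Administration lacks it.
CONFIGS = {
    "web application": make_config("LdapMember", "LdapRole"),
    "central admin": make_config("LdapMember", None),
    "sts": make_config("LdapMember", "ldapRole"),
}


def provider_names(config_xml, section):
    """Return the name attributes under <section><providers> ('membership' or
    'roleManager'); an empty list if the section or its providers are absent."""
    root = ET.fromstring(config_xml)
    return [add.get("name", "") for add in root.findall(f".//{section}/providers/add")]


def check_name(expected, names):
    """Classify how the name entered in Central Administration matches the
    configured providers: 'ok' (exact), 'case-mismatch:<actual>' or 'missing'."""
    if expected in names:  # exact, case-sensitive match is what SharePoint needs
        return "ok"
    for name in names:
        if name.lower() == expected.lower():
            return f"case-mismatch:{name}"
    return "missing"


def audit(configs, membership_name, role_name):
    """Run the check over {label: web.config text}. Returns
    {label: {'membership': status, 'roleManager': status}}."""
    return {
        label: {
            "membership": check_name(membership_name, provider_names(xml, "membership")),
            "roleManager": check_name(role_name, provider_names(xml, "roleManager")),
        }
        for label, xml in configs.items()
    }


def problems(findings):
    """Flatten audit() output to a list of (label, section, status) that are not ok."""
    return [(label, section, status)
            for label, sections in findings.items()
            for section, status in sections.items()
            if status != "ok"]


def cleartext_ldap(config_xml):
    """Names of providers configured with useSSL="false": a hardening caveat,
    not a naming error. Unencrypted LDAP exposes binds and queries on the wire."""
    root = ET.fromstring(config_xml)
    return [add.get("name") for add in root.findall(".//providers/add")
            if add.get("useSSL", "").lower() == "false"]


if __name__ == "__main__":
    # Names as typed into the Authentication Providers page for the web application.
    findings = audit(CONFIGS, "LdapMember", "LdapRole")
    for label, section, status in problems(findings):
        print(f"{label}: {section} provider {status}")
    for label, xml in CONFIGS.items():
        for name in cleartext_ldap(xml):
            print(f"{label}: provider {name} uses unencrypted LDAP (useSSL=false)")
```

On a real farm, replace the constructed CONFIGS with the text of the three web.config files read from disk (the web application's IIS root, the Central Administration site and the SecurityTokenServiceApplication folder under the SharePoint web services root), and pass the names exactly as they were typed into the Authentication Providers page. A case-mismatch result is the situation this post describes; a missing result in only one file means one of the three web.config edits was skipped.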