Wednesday, 30 November 2011

Configuration of Forms Based Authentication for SharePoint 2010

I have much researched about configuring Forms Based Authentication by viewing different blogs. After i succeed, i have decided to write the detailed stepts with related troubleshooting in this blog.

In this blog, you will create a SQL Server database to hold users and roles, create a SharePoint Web Application that uses FBA, configure IIS and the web.config files for the Web App, Central Admin and the Security Token Service, create a test user in the database and test your setup.

SharePoint 2010 supports FBA, Like WSS 3.0 or MOSS 2007. It's a feature of ASP .Net which we use with SharePoint. SharePoint 2010 you can create web applications using Classic Based Authentication or Claims based Authentication. 
However, FBA can only be configured with web applications created using Claims Based Authentication.

Differences between Classic Mode Authentication and Claims based Authentication ?

Classic Mode Authentication: It refers to the integrated windows authentication. You cannot configure the Forms based authentication 
If your web application is using Classic Mode Authentication. You can convert a web application from Classic Mode Authentication to Claims Based Authentication. However, that can only be done using Power Shell commands and its an irreversible process. I have detailed steps to convert the web application from Classic Mode authentication to Claims Based Authentication.

Claims Based Authentication: SharePoint 2010 is built on Windows Identity Foundation. It enables authentication from windows as well as non-windows based systems. This also provides the capability to have multiple authentication in a single URL.

Configuration of FBA with SharePoint 2010 involves 5 major steps. The steps to configure the FBA with SQL membership Provider are 


1. Configure SQL for membership store
  • Create database
  • Create SQL User
  • Add SQL user to database

2. Configure Central Admin to use SQL membership store -  Modify web config file

3. Configure Secure Store Web Service to use SQL membership store - Modify web config file

4. Create new Web Application for extranet site

5. Configure Extranet site to use SQL membership store - Modify web config file

1. Configure SQL for membership store :

The membership store is still created using the ASP.NET SQL Server Setup Wizard.  This is launched from the .NET 2.0 Framework folder 

on the server at:


This wizard will take you thorough the steps and will build out the SQL database for you.

Once you select to Configure SQL Server for application services, you will be prompted for the SQL Server name and database name. You can choose an existing database to add the membership elements to, or you can type in a new name and the database will be created for you.

Once the database is created, we’re going to create and add a SQL user, rather than use integrated authentication.
 If your SQL instance is not already running in mixed-mode, you can change it through Server properties in SQL Server Management Studio.  Right-click on Server in Object Explorer and select Properties, then navigate to the Security page.

Create SQL User :
In this case, we’ll be using SQL Server authentication. So create a new Login on the SQL Server. From SQL Server Management Studio, use the Object Explorer to navigate to the Security → Logins folder. Right click on the Logins folder to open the context menu and choose the menu item New Login…
This will open the Login – New dialog. Here, you specify a Login name, i.e. FBAService and a SQL Server authentication password, i.e. pwd. You can set your membership provider database as the Default database. Click OK to add the user. It will now show up in the list of logins.

To give the login access to the database, locate the database in the Object Explorer, under the Databases folder and expand the folder Security. Open the context menu from the Users folder and choose the option New User…

This opens the Database User – New dialog.

In this dialog, specify a name for the user and insert the login name that you created earlier (i.e. FBAService) in the Login name text field.

Assign the following Database roles to the user:

give the role as “db_owner”.
Click the OK button to add the user to the database.

To recap:

We created a database called aspnetdb.
We created a SQL user called FBAUser
We added FBAUser to aspnetdb database and gave them the db_owner role.
We’re done with SQL.

2. Configure Central Admin Web Site to use SQL Membership Provider

SharePoint web sites out of the box are configured to use Active Directory.  So you may be wondering why we’re configuring Central Admin to use FBA when we don’t really want to login in as an FBA user.  Well, we actually don’t want to configure it to login as a forms user, but we do need to be able to add users from out membership database when configuring site collection admins, and the like.

So all we want to do is tell the Central Admin web application to use our SQL membership provider as well as AD, so when you use the people picker to select users, it will provide results from our membership database.

Open IIS Manager on the WFE server (if more than one, then this needs to be done on every FWE that has Central Admin.  The same goes for the proceeding steps for the other web applications).

Select the SharePoint Central Administration v4 site.  On the Home Page, you’ll see many options for ASP.NET and IIS.  The ones we’re concerned with are

Open the Connection Strings Page.  Under Actions menu on the right, select Add… to create a new connection string.  Provide the details for the membership database for the new connection string.
In the web.config, you’ll see sections for the connection string. You should also see a <connectionStrings> section close to the bottom of the web.config file. like as below

Add Role Provider:

Go back to the Web Application page and open up Providers page.  Here we will create a provider for Roles and Users. In top most left Set feature to .NET Roles and click Add… in the Actions pane to add a new role provider.  I called it FBARoleProvider and selected the right type and connection string.

Ensure you provide an ApplicationName so the provider knows what uses to authenticate.  For a good explanation on why you need this, see Scott Guthrie’s blog.

Add Membership Provider:

Now set feature to .NET Users and click Add… from the actions pane to add a membership provider.

Select the correct type and connection string, and whatever behaviors you choose.
That’s it for the providers for Central Admin.
To verify that all looks ok, we can check the web.config of the web application.  To get to the right web.config, right-click on the web application(Central Administration) under sites, and select Explore.

In the web.config, you’ll see sections for the connection string. You should see a <roleManager> and <membership> section of the web.config file. like as below

3. Configure Secure Store Web Service to use SQL Membership Provider

Everything we did for Central Admin site, we are going to do for the SecurityTokenServiceAppliaation which is in the SharePoint Web Services application.

do Same as what we did for Central administration site

Create the connection string
Add the .NET role provider
Add the .NET users provider
Verify connection by editing config.xml.

In the web.config, you’ll see sections for the connection string and the providers.  The <connectionStrings> <roleManager> and <membership> sections should look like:

4. Create Extranet Web Application

Finally we are ready to create our web application (called SharePoint – FBA) that will use FBA authentication.

In Central Admin, Select the Application Management page, and select Manage web applications.  Select New from the ribbon to create a new web application.
Select Claims Based Mode Authentication as Authentication Type.  Select values for all the other options until you get to the “Enable Forms Based Authentication”.

Add the values we created earlier in the section “Enable Forms Based Authentication” for role - FBARoleProvider and membership provider - FBAMembershipProvider.

Once the application is created, we should create a site collection.

Create Site Collection

Go to the Create Site Collection page from the Manage Applications section in Central Admin.  Select the team (or blank, or whichever you choose) template then select the site collection administrator. 

Configure Membership Providers for Web App through IIS

In IIS Manager, browse to the new site SharePoint – FBA. For our new FBA site we need to do the following:
Again same what we did before

  • Add connection string
  • Add Providers for members and roles
  • Configure .NET Roles
  • Configure .NET Users
  • Set Authentication to Forms and Integrated
  • Add User as Site Collection Admin

1. 1. Add Connection String     -   Same as we have done before.

2. Add role and user providers -   Again, same as what we did before.  Open Providers page and add an entry for our role and user providers.

3. Configure .NET Roles
This and the next steps are not required for the other two web applications we configured (Central Admin and SSS).
Open the .NET Roles page for our web application.  You will receive a warning that the default role provider is not trusted.

This and the next steps are not required for the other two web applications we configured (Central Admin and SSS).

Open the .NET Roles page for our web application. You will receive a warning that the default role provider is not trusted. WE just need to set our default role provider from 'C' to 'FBARoleProvider'

We do not have any roles in our database at this point, so let’s create two (StandardUser, SuperUser) by clicking Add… in the actions pane.

4. Configure .NET Users
Assuming you don’t let’s add some. Click Add… from the Actions pane to add users, and assign them roles.

Now we need to do the same for .NET Users. Open the .NET Users page. You will get a similar warning saying the default is not

trusted. Set the default provider to FBAMembershipProvider. If you had members in the database, you would now see them listed.

Assuming you don’t let’s add some. Click Add… from the Actions pane to add users, and assign them roles.

5. Set Authentication

SharePoint should have done this when you created the web application, but let’s confirm. From the web application home page in IIS Manager, select Authentication under the IIS section. Confirm that the web application has both Integrated and Forms enabled.

6. Add User as Site Collection Admin

Now that we have everything hopefully configured correctly, we can go back to SharePoint Central Admin and add our new FBA user as the Site Collection Administrator.  From Central Admin Application Management page, click Change site collection administrators.  Select SharePoint – FBA root site collection, and add our new user.

In order for you to use IIS Manager to manage your SQL users, you need to set the default provider to our Forms provider, i.e. FBAMembershipProvider.  In order for it to work we need to set it to the SharePoint claims provider.  Go back to .NET Users and reset the default provider from ' FBAMembershipProvider ' to ' i ' ,  and Reset the default provider from 'FBARoleProvider' to ' c '.

No comments:

Post a Comment