There is a lot of information available on the net about configuring Forms Based Authentication (FBA).
I followed many of those links to set up FBA and finally succeeded. My client also needs FBA together with Windows Authentication, so that users can sign in with either Windows Authentication or FBA.
After a successful implementation, I am blogging the steps for others who have difficulty setting up FBA or who cannot resolve FBA users in the PeoplePicker.
1-
Create the Membership Database
Forms Based Authentication requires a SQL database to store the user logon information.
Details:
1. Launch the ASP.NET SQL Server Setup Wizard via the following command line:
C:\Windows\Microsoft.NET\Framework\V2.0.50727\aspnet_regsql.exe
2. Follow the wizard steps to install and configure the membership database.
3. IMPORTANT: Note the name of the database being created. The database name is listed on the Confirm Your Settings wizard screen.
2-
Configure IIS to access the FBA database
The Forms Authentication data is stored in the SQL Server database created in step 1. IIS needs to be configured to know where to look for that database.
Details:
1. Launch Internet Information Services (IIS) Manager.
2. Select the top level (machine) entry (usually named after the server).
Why here? Creating the connection string at the top level allows the connection to be "inherited" by all websites.
3. On the home page (located in the middle of IIS Manager), double click the Connection Strings icon.
4. Add a new connection that points to the SQL Server and database the membership store is kept in.
a. IMPORTANT: Note the name of the connection. We use FBAMembershipStore.
b. The database name must match the membership store database name from step 1.
c. Be sure to check Use Windows Integrated Security.
3-
Activate FBA on the SharePoint Web Services website
The SharePoint Web Services site also needs to authenticate users. If you do not give the web services site access to the FBA membership store, FBA will not work.
Details:
1. Select Providers for the SharePoint Web Services site.
2. Select .NET Roles from the feature selector and right click in the screen. Click Add on the right click menu.
3. Create a new role provider:
a. Set type to SqlRoleProvider.
b. Name the provider. We use FBARoleProvider.
c. Select the connection string you created in step 2.
d. Set the ApplicationName to /
4. Select .NET Users from the feature selector and right click in the screen. Click Add on the right click menu.
5. Create a new user provider:
a. Set type to SqlMembershipProvider.
b. Name the provider. We use FBAUserProvider.
c. Select the connection string you created in step 2.
d. Set the ApplicationName to /
e. Enable StorePasswordInSecureFormat.
6. Determine the Application Pool credentials the SharePoint Web Services application is running under:
a. Right click on the SharePoint Web Services site.
b. Click Manage Web Site -> Advanced Settings from the right click menu.
c. Note the Application Pool name.
d. Open the Application Pool's Advanced Settings and note the Identity it is running under.
7. Launch SQL Server Management Studio.
8. Under Security -> Logins, verify that the application pool identity (user) exists as a valid SQL Server login. If not, create the login.
9. Grant the user the following roles on the aspnetdb database:
a. aspnet_Membership_FullAccess
b. aspnet_Roles_FullAccess
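Steps 7 to 9 can be scripted so that the application pool identity gets exactly the two roles it needs and nothing more. The script below is an added example, not part of the original post; it assumes Invoke-Sqlcmd (from the SQLPS or SqlServer PowerShell module) is available and that the caller is allowed to create logins. The server name, database name and app pool identity are placeholders that must be replaced with the values noted in steps 1 and 6.

```powershell
# Added example, not from the original post: grant the SharePoint Web Services
# application pool identity exactly the two roles from step 9 on the membership
# database. Assumes Invoke-Sqlcmd (SQLPS / SqlServer module) is available and the
# caller can create logins. Server, database and identity names are placeholders.
param(
    [string]$SqlServer   = "SQL",                          # placeholder instance name
    [string]$Database    = "aspnetdb",                     # database name noted in step 1
    [string]$AppPoolUser = "CONTOSO\SPWebServicesAppPool"  # placeholder identity from step 6.d
)

# Single-quoted here-string: PowerShell leaves $(...) alone, so the names are
# substituted by sqlcmd scripting variables instead of string concatenation.
$query = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(AppPoolUser)')
    CREATE LOGIN [$(AppPoolUser)] FROM WINDOWS;
GO
USE [$(Database)];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(AppPoolUser)')
    CREATE USER [$(AppPoolUser)] FOR LOGIN [$(AppPoolUser)];
-- Least privilege: only the two membership roles, not db_owner.
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$(AppPoolUser)';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess',      N'$(AppPoolUser)';
GO
-- Report what the identity actually holds so the result can be checked.
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$(AppPoolUser)';
'@

Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query $query `
    -Variable @("AppPoolUser=$AppPoolUser", "Database=$Database")
```

The final SELECT lists the roles the identity ends up with, so a run that prints anything other than the two aspnet_* roles is immediately visible. The script is safe to run twice: the IF NOT EXISTS guards skip the login and user creation on a second pass.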
4-
Create the New Web Application
FBA works only with Claims Based Authentication. Claims authentication accepts users from Windows as well as non-Windows based systems, and it also allows multiple authentication types on a single URL.
If you have already created a web application in classic mode and want to use it for FBA, you first need to convert it from Classic Mode Authentication to Claims Based Authentication using the PowerShell cmdlets below. Note that this conversion is one-way.
Steps to execute the PowerShell cmdlets for the above conversion are as follows:
A. On the Start menu, click All Programs.
B. Click Microsoft SharePoint 2010 Products.
C. Click SharePoint 2010 Management Shell.
D. From the Windows PowerShell command prompt, type the following to switch the web application to claims authentication:
$WebAppName = "http://yourWebAppUrl"
$wa = Get-SPWebApplication $WebAppName
$wa.UseClaimsAuthentication = $true
$wa.Update()
E. Open Application Management -> Manage Web Applications.
F. Select the web application you used in the PowerShell cmdlets (http://yourWebAppUrl).
G. Click Authentication Providers on the ribbon and then click the Default authentication provider.
H. Set the Claims Authentication Type to FBA. Because I am setting up Windows as well as FBA, I have selected both, as shown below. Also provide the ASP.NET Membership provider name and the ASP.NET Role provider name.
You can create Membership provider and
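Steps D to H can also be done entirely from the SharePoint 2010 Management Shell. The script below is an added example and not the post's own; it goes beyond the four lines above by also migrating existing Windows users to their claims identities and by attaching both a Windows and an FBA provider to the Default zone. The URL is a placeholder, and the two provider names are assumptions that must match the name attributes you give the SqlMembershipProvider and SqlRoleProvider entries in web.config (section 5).

```powershell
# Added example (not the post's own script): convert an existing classic-mode web
# application to claims and enable Windows + FBA on its Default zone, from the
# SharePoint 2010 Management Shell. URL and provider names are placeholders/assumptions
# and must match the web.config entries in section 5.
$WebAppName = "http://yourWebAppUrl"   # placeholder
$wa = Get-SPWebApplication $WebAppName

if (-not $wa.UseClaimsAuthentication) {
    # One-way switch from classic to claims; it cannot be reverted.
    $wa.UseClaimsAuthentication = $true
    $wa.Update()
    # Rewrite existing Windows user identities into their claims form so
    # existing permissions keep working after the switch.
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()
}

# Two providers on one zone = Windows or FBA login at the same URL (step H).
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "ClaimMembershipProvider" `
                                    -ASPNETRoleProviderName "ClaimSqlRoleProvider"
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $win, $fba

# Check: list the providers now active on the Default zone.
$settings = $wa.GetIisSettingsWithFallback("Default")
$settings.ClaimsAuthenticationProviders | Select-Object DisplayName, ClaimProviderName
```

The final two lines are the check: after the script runs, both a Windows provider and a Forms provider should be listed for the zone. If only one appears, the provider names passed to New-SPAuthenticationProvider do not match the web.config entries.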
5-
Modify the web.config file for Membership Provider and Role Manager
We need to modify three different web.config files for FBA to work: the web.config of the FBA web application, the web.config of the Central Administration site, and the web.config of the STS (SecurityTokenServiceApplication).
1. Modify web.config of the FBA web application.
a. Add the connection string:
<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=MyWebAppUser" />
</connectionStrings>
This is the connection string you created in step 2. It has to be added after </SharePoint> and before <system.web>.
b. Add the membership provider and role manager:
<membership defaultProvider="i">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="ClaimMembershipProvider" description="Stores and retrieves membership data from SQL Server" connectionStringName="SQLConnectionString" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" passwordAttemptWindow="5" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<roleManager cacheRolesInCookie="false" defaultProvider="c" enabled="true">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="ClaimSqlRoleProvider" description="Stores and retrieves roles from SQL Server" connectionStringName="SQLConnectionString" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
c. Search for "<PeoplePickerWildcards>" and add keys so that the PeoplePicker works in Central Admin and in this site against your .NET membership database. You need to add a reference to the provider as follows:
<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="ClaimMembershipProvider" value="%" />
  <add key="ClaimSqlRoleProvider" value="%" />
</PeoplePickerWildcards>
Note: The SharePoint providers named "i" and "c" (the text highlighted in yellow) already exist in web.config; you only need to add the SqlMembershipProvider and SqlRoleProvider entries. In web.config just search for "roleManager" and you will find both tags at the same place.
2. Modify web.config of the Central Administration web application.
a. Add the connection string:
<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=MyWebAppUser" />
</connectionStrings>
This is the connection string you created in step 2. It has to be added after </SharePoint> and before <system.web>.
b. Add the membership provider and role manager:
<!--Membership-->
<membership defaultProvider="ClaimMembershipProvider">
  <providers>
    <add name="ClaimMembershipProvider" description="Stores and retrieves membership data from SQL Server" connectionStringName="SQLConnectionString" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" passwordAttemptWindow="5" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<!--Role Manager-->
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="ClaimSqlRoleProvider" description="Stores and retrieves roles from SQL Server" connectionStringName="SQLConnectionString" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
Note: AspNetWindowsTokenRoleProvider (the text highlighted in yellow) must always remain the defaultProvider of roleManager in Central Administration. In web.config just search for "roleManager" and you will find both tags at the same place.
c. Search for "<PeoplePickerWildcards>" and add keys so that the PeoplePicker works in Central Admin and in this site against your .NET membership database. You need to add a reference to the provider as follows:
<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <add key="ClaimMembershipProvider" value="%" />
  <add key="ClaimSqlRoleProvider" value="%" />
</PeoplePickerWildcards>
3. Modify web.config of the STS. You can locate the STS web.config under %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken.
a. Add the connection string, followed by the providers, just before the </configuration> element:
<connectionStrings>
  <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=MyWebAppUser" />
</connectionStrings>
This is the connection string you created in step 2.
<system.web>
  <!--Role Manager-->
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="ClaimSqlRoleProvider" description="Stores and retrieves roles from SQL Server" connectionStringName="SQLConnectionString" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <!--Membership-->
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="ClaimMembershipProvider" description="Stores and retrieves membership data from SQL Server" connectionStringName="SQLConnectionString" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" passwordAttemptWindow="5" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </membership>
</system.web>
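Hand-editing three web.config files is where most FBA setups go wrong, and the symptoms (a login page that rejects every user, a PeoplePicker that finds nobody) give no hint which file is at fault. The script below is an added example, not from the original post: it parses a web.config and reports the three mistakes that silently break FBA, namely a provider whose connectionStringName has no exactly matching <connectionStrings> entry (stray spaces included), a SqlMembershipProvider that does not store passwords hashed, and a SQL provider missing from <PeoplePickerWildcards>. The web.config it runs against is a constructed sample, not a real SharePoint file, and it deliberately contains two of those mistakes.

```powershell
# Added example, not from the original post: sanity-check a web.config after the
# FBA edits. Works on PowerShell 2.0 (the SharePoint 2010 Management Shell).
function Test-FbaWebConfig {
    param([Parameter(Mandatory=$true)][string]$Path)
    [xml]$cfg = [System.IO.File]::ReadAllText($Path)
    $problems = New-Object System.Collections.Generic.List[string]

    # Names that actually exist; matching is exact, so " SQLConnectionString" != "SQLConnectionString".
    $connNames = @($cfg.SelectNodes("//connectionStrings/add") | ForEach-Object { $_.GetAttribute("name") })
    $wildcards = @($cfg.SelectNodes("//PeoplePickerWildcards/add") | ForEach-Object { $_.GetAttribute("key") })

    # Only the SQL-backed providers are ours; the SharePoint "i"/"c" providers are left alone.
    $sqlProviders = $cfg.SelectNodes("//membership/providers/add | //roleManager/providers/add") |
        Where-Object { $_.GetAttribute("type") -like "System.Web.Security.Sql*" }

    foreach ($p in $sqlProviders) {
        $name = $p.GetAttribute("name")
        $csn  = $p.GetAttribute("connectionStringName")
        if ($connNames -notcontains $csn) {
            $problems.Add("Provider '$name': connectionStringName '$csn' has no <connectionStrings> entry (check for stray spaces).")
        }
        if ($p.GetAttribute("type") -like "*SqlMembershipProvider*" -and $p.GetAttribute("passwordFormat") -ne "Hashed") {
            $problems.Add("Provider '$name': passwordFormat is '$($p.GetAttribute('passwordFormat'))', expected 'Hashed'.")
        }
        if ($wildcards -notcontains $name) {
            $problems.Add("Provider '$name' is missing from <PeoplePickerWildcards>; PeoplePicker will not resolve its users.")
        }
    }
    return $problems
}

# Constructed sample web.config (not a real SharePoint file). It has a leading space in
# one connectionStringName and omits the role provider from PeoplePickerWildcards.
$sample = @'
<configuration>
  <connectionStrings>
    <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=MyWebAppUser" />
  </connectionStrings>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="ClaimMembershipProvider" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
        <add name="ClaimMembershipProvider" connectionStringName=" SQLConnectionString" applicationName="/" passwordFormat="Hashed"
             type="System.Web.Security.SqlMembershipProvider, System.Web" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
        <add name="ClaimSqlRoleProvider" connectionStringName="SQLConnectionString" applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
'@
$tmp = Join-Path $env:TEMP "fba-sample-web.config"
[System.IO.File]::WriteAllText($tmp, $sample)
Test-FbaWebConfig -Path $tmp
```

Run against the constructed sample it reports the stray space in the membership provider's connectionStringName and the role provider missing from PeoplePickerWildcards. Point it at the three real files (FBA web application, Central Administration, STS) once the edits are in place; an empty result means the names line up across all of them.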
6-
Add a new .NET User
Now we need to add a user that we will use to log in to the FBA site. To do this, carry out the following steps:
· Open up IIS (Start > Run > type inetmgr).
· Select the SharePoint Central Administration v4 site from the list of sites.
· Double click on .NET Users on the right hand side (as in the screenshot below).
· From the actions menu on the right, click on 'Set Default Provider' and select 'ClaimMembershipProvider' from the drop-down list (or whatever name you gave the ClaimMembershipProvider).
· From the actions menu click on 'Add' and fill out the form (screenshot below).
· After adding the user, reset the Default Provider to what it was originally.
7-
Give permissions to the users from the SQL membership database.
· Open Central Administration and click on Manage web applications under Application Management.
· Select the web application and click on User Policy on the ribbon.
· Click on Add Users.
· Select the Default zone and click Next.
· Choose the user, select the permissions to grant, and click Finish.
And we are done.
I got the above setup from the below links:
http://blog.armgasys.com/wp-content/uploads/2012/06/HowTo-Setup-Forms-Based-Authentication-Under-SharePoint-2010.pdf
http://blog.summitcloud.com/2009/11/forms-based-authentication-sharepoint-2010-fb/
http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx
http://jasear.wordpress.com/2012/03/16/sharepoint-2010-setting-up-form-based-authentication-fba-using-asp-net-sql-membership-provider/