SharePoint24x7 It's all about SharePoint.

10 Oct 2011

Article – Configuring Forms-based Authentication in SharePoint 2010

Posted by Joy

Configuring forms-based authentication has always been challenging in SharePoint products and technologies since the early releases. With SharePoint 2010 it became simpler, but it is still a little confusing to most developers and administrators. I’m going to quickly go through how to configure forms-based authentication in SharePoint 2010 using a SQL Server based user store.

Note: Authentication in SharePoint can be configured only at the web application level; the web application is the boundary for authentication configuration. Even before creating a new web application in Central Administration (CA), you need to decide what type of authentication you plan to use within it. Changing the authentication mode later can be more difficult and error prone than expected.

Note: To configure forms-based authentication, the web application must use the new claims-based authentication mode. In SharePoint 2010, forms-based authentication is implemented on top of claims-based authentication; using classic mode authentication to implement forms-based authentication is not supported by Microsoft.

Configuring form-based authentication has several phases:

  1. Provisioning and configuring a custom user store
  2. Populating the user store with users and roles
  3. Creating a new Web Application
  4. Configuring STS, CA & FBA Web Application
  5. Test to see whether FBA works

Phase 1: Provisioning and configuring a user store

Task 1: Provisioning and configuring a custom user store

I’m going to use a very simple script provided by the Microsoft Visual Studio SDK to create a very simple user store that holds all the user and role information.

  1. Fire up the Visual Studio Command Prompt (2010) by navigating to Start -> All Programs -> Microsoft Visual Studio 2010 -> Visual Studio Tools -> Visual Studio Command Prompt (2010).
  2. Enter aspnet_regsql and wait until it starts the ASP.NET SQL Server Setup Wizard.
  3. Click Next in the Welcome to the ASP.NET SQL Server Setup Wizard page.
  4. Select the Configure SQL Server for application services option in the Select a Setup Option page.
  5. In the Select the Server and Database page, enter the name of the SQL Server in the Server: field. Select the appropriate authentication mode for the database server (in my case Windows authentication). If you want to specify a database name, replace <default> in the Database: field with the name of your choice; leaving the Database: field at <default> will always create a database named aspnetdb. Click Next after you enter all the details.
  6. Click Next in the Confirm Your Settings page to start the configuration.
  7. After a few seconds, you will get the “The database has been created or modified.” page. Click Finish to quit the wizard.
  8. Exit the Visual Studio Command Prompt (2010).

Task 2: Verify the existence of custom user store

  1. Fire up Microsoft SQL Server Management Studio by navigating to Start -> All Programs -> Microsoft SQL Server 2008 R2 -> SQL Server Management Studio.
  2. Connect to the correct SQL Server using Connect to Server dialog box.
  3. Expand the Databases folder and verify that the aspnetdb database exists.

Task 3: Configuring database access to CA and AppPool user accounts

In order for CA and the web applications to be able to communicate with the custom user store (the aspnetdb database), we need to grant access to the SharePoint farm account and the application pool account. In my environment, I have two accounts named SP_Farm and SP_AppPool, which I configured to run the SharePoint farm and the application pools respectively. You need to find out the names of the farm service account and the application pool service account you configured while setting up SharePoint. Once you identify them, perform the following steps to grant the right permissions on the database:

  1. Expand the Databases folder in SQL Server Management Studio.
  2. Expand the aspnetdb database.
  3. Expand the Security folder and then the Users folder.
  4. Right-click the Users folder and select New User…
  5. In the Database User – New dialog box, enter the name of the farm user in the User name: field and the name of its login in the Login name: field.
  6. From the Database role membership: list, select the following database roles:
     • aspnet_Membership_FullAccess
     • aspnet_Personalization_FullAccess
     • aspnet_Profile_FullAccess
     • aspnet_Roles_FullAccess
     • aspnet_WebEvent_FullAccess
  7. Click OK to add the user to the database.
  8. Repeat steps 4 through 7 to grant the SharePoint AppPool service account the same access.
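The same grants as a repeatable script, added here as an example and not part of the original article. It assumes SQL Server is (local), the database is aspnetdb, the two Windows accounts already have SQL logins (the dialog above assumes that as well) and you run it as a SQL administrator.

```powershell
# Added example (not from the original article): grants the five aspnetdb roles
# listed in Task 3 to the farm and application pool service accounts with T-SQL
# instead of the SSMS dialog. Assumptions: server (local), database aspnetdb,
# SQL logins already exist for both accounts, caller is a SQL administrator.
$server   = '(local)'
$database = 'aspnetdb'
$accounts = @('CONTOSO\SP_Farm', 'CONTOSO\SP_AppPool')   # replace with your service accounts
$roles    = @('aspnet_Membership_FullAccess',
              'aspnet_Personalization_FullAccess',
              'aspnet_Profile_FullAccess',
              'aspnet_Roles_FullAccess',
              'aspnet_WebEvent_FullAccess')

# Idempotent batch: create the database user only if it is missing, then add it
# to the role only if it is not already a member. The account and role names
# travel as parameters and are wrapped with QUOTENAME, so they are never
# spliced into the statement text as raw strings.
$grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
BEGIN
    DECLARE @sql nvarchar(400) = N'CREATE USER ' + QUOTENAME(@acct) + N' FOR LOGIN ' + QUOTENAME(@acct);
    EXEC (@sql);
END;
IF NOT EXISTS (SELECT 1
               FROM sys.database_role_members rm
               JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
               WHERE r.name = @role AND m.name = @acct)
    EXEC sp_addrolemember @rolename = @role, @membername = @acct;
"@

$connString = "Data Source=$server;Initial Catalog=$database;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
$conn.Open()
try {
    foreach ($acct in $accounts) {
        foreach ($role in $roles) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = $grantSql
            [void]$cmd.Parameters.AddWithValue('@acct', $acct)
            [void]$cmd.Parameters.AddWithValue('@role', $role)
            [void]$cmd.ExecuteNonQuery()
            Write-Host "$acct is a member of $role"
        }
    }
}
finally {
    $conn.Close()
}
```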

Phase 2: Populating the user store with users and roles

Next we need to get some sample users into the new user store we created, by using a role provider. The easiest way to do this is with a Visual Studio ASP.NET Web Site.

Task 1: Creating Users and Roles in custom user store

  1. Fire up Microsoft Visual Studio 2010 by navigating to Start -> All Programs -> Microsoft Visual Studio 2010 -> Microsoft Visual Studio 2010.
  2. Select File -> New -> Web Site…
  3. Select the language of your choice. Select the ASP.NET Web Site project template. Provide a project name and click OK.
  4. Double-click web.config from the Solution Explorer and replace <connectionStrings /> with the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  5. Make sure to change the connection string as per your environment so that it points to the new user store.
  6. Save web.config file.
  7. Select the ASP.NET Configuration option from the Solution Explorer to open the ASP.NET Web Site Administration Tool.
  8. Go to the Provider tab and click the “Select a single provider for all site management data” link. Click the “Test” link next to “AspNetSqlProvider” and make sure you receive the success message “Successfully established a connection to the database.”
  9. Navigate to the Security tab. Click the “Select authentication type” link in the Users section. Change the selection to “From the internet” and click Done.
  10. Select the “Enable roles” link in the Roles section to enable role management.
  11. Select the “Create user” link in the Users section to create the required number of users in the user store.
  12. Select the “Create or Manage roles” link in the Roles section to create roles. Enter Admins in the New role name: field and click Add Role. Add another role named Users following the same steps.
  13. Select Manage for the Admins role, search for the Admin user and make sure he is a member of the Admins role. Repeat the same steps to make the Sam and Joy users members of the Users role.

Use steps 11 through 13 to set up the required users and groups in your user store, depending on your requirements.

Phase 3: Creating a new Web Application

After we have set up our custom user store with the required users and groups, we can start wiring it to the web application.

Task 1: Creating a Web Application to support FBA

  1. Fire up the SharePoint 2010 Central Administration site.
  2. Select Manage web applications from Application Management section.
  3. Click New from the Contribute group of the ribbon to create a new web application.
  4. In the Create New Web Application dialog, select Claims Based Authentication as the Authentication option. Provide a meaningful name in the Name field and a valid port in the Port field of the IIS Web Site section.
  5. Move down to the Claims Authentication Types section, select Enable Forms Based Authentication (FBA) and provide the following for the membership and role providers (this information can be obtained from the machine.config file):
     • ASP.NET Membership provider name: AspNetSqlMembershipProvider
     • ASP.NET Role manager name: AspNetSqlRoleProvider
  6. Go down to the Sign In Page URL section; if you wish, you can configure a custom sign-in page instead of using the built-in one. I will use the built-in sign-in page for this demo.
  7. Leave the rest of the fields as they are and click OK to create the new web application.
  8. After a few seconds or minutes, you will get the Application Created dialog box confirming the web application creation. Click the “Create Site Collection” link to create a new site collection in this web application.
  9. Give a Title and Description in the Title and Description section.
  10. Select the Team Site template from the Template Selection section.
  11. Specify the farm administrator account in the Primary Site Collection Administrator field so that you can log in using Windows authentication. I provided my farm administrator account CONTOSO\Administrator.
  12. Click OK to create the site collection.
  13. Click OK to navigate away from the Top-Level Site Successfully Created dialog box.

Task 2: Verify that the new Site Collection can be accessed using Windows Authentication

Before we proceed, let’s make sure that we can login and access the new site collection using Windows Authentication since we selected both the options while we were creating the Web Application.

  1. Enter the URL of the new Site Collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign in page.
  3. Select Windows Authentication from the drop down and make sure you get access to the new site collection we just created.

Phase 4: Configuring Security Token Service, CA & FBA Web Application

We need to configure the membership provider for the Security Token Service in order for FBA to work properly with claims-based authentication in SharePoint 2010.

Task 1: Configuring STS

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Expand SharePoint Web Services Web Site.
  4. Right-click SecurityTokenServiceApplication web site and select Explore.
  5. Open the web.config file.
  6. Go to the end of the file and locate the </system.net> element. Just after it, paste the following configuration elements:
    <system.web>
        <membership>
            <providers>
                <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
            </providers>
        </membership>
        <roleManager>
            <providers>
                <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
            </providers>
        </roleManager>
    </system.web>
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  7. Save the changes to web.config file.

Task 2: Configuring FBA Web Application

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Right-click the FBA-enabled web application you created earlier in Phase 3 and select Explore. In my example, FBA Web Site – 8080.
  4. Open the web.config file.
  5. Locate the <membership defaultProvider="i"> element and, within its <providers> </providers> element, add the following just below the existing content:
    <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
  6. Just underneath the membership provider, locate the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> element and, within its <providers> </providers> element, add the following just below the existing content:
    <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  7. Finally, locate the </system.web> element and just underneath it add the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  8. Save the changes to the web.config file.

Task 3: Configure CA – Optional

  1. Fire up the IIS Manager by navigating to Start -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. Expand the IIS Server and expand the Sites folder.
  3. Right-click SharePoint Central Administration v4 site and select Explore.
  4. Open the web.config file.
  5. Search for the <roleManager></roleManager> and <membership></membership> elements; you will typically see a pair of empty elements. Replace those empty elements with the following:
    <membership>
        <providers>
            <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
        </providers>
    </membership>
    <roleManager>
        <providers>
            <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </providers>
    </roleManager>
  6. Just underneath the </system.web> element, add the following:
    <connectionStrings>
        <clear/>
        <add name="LocalSqlServer" connectionString="Data Source=(local);Initial Catalog=aspnetdb;Integrated Security=True"/>
    </connectionStrings>
  7. Save the changes to web.config file.
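A check for the web.config edits in Task 1 through Task 3, added here as an example and not part of the original article: it reads each file and reports whether the provider names entered in the FBA web application settings are present and whether the connection string they reference exists. The file paths are assumptions for a default installation; the CA port and the FBA port (8080 in this walkthrough) differ per farm.

```powershell
# Added example (not from the original article): verifies the three web.config
# files edited in Phase 4. Assumptions: default install paths below, provider
# names as entered in Phase 3 Task 1, '<CA port>' replaced with your CA port.
$membershipName = 'AspNetSqlMembershipProvider'
$roleName       = 'AspNetSqlRoleProvider'
$configs = @{
    'STS'                    = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
    'FBA web app (8080)'     = 'C:\inetpub\wwwroot\wss\VirtualDirectories\8080\web.config'
    'Central Administration' = 'C:\inetpub\wwwroot\wss\VirtualDirectories\<CA port>\web.config'
}

function Test-FbaProviderConfig([string]$label, [string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$label : $path not found"; return }
    [xml]$cfg = Get-Content -LiteralPath $path
    $problems = @()

    $m = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$membershipName']")
    $r = $cfg.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$roleName']")
    if (-not $m) { $problems += "membership provider '$membershipName' missing" }
    if (-not $r) { $problems += "role provider '$roleName' missing" }

    # A provider whose connectionStringName does not resolve only fails at the
    # first sign-in attempt, so resolve it here instead of in front of users.
    foreach ($p in @($m, $r)) {
        if (-not $p) { continue }
        $csName = $p.GetAttribute('connectionStringName')
        if (-not $cfg.SelectSingleNode("/configuration/connectionStrings/add[@name='$csName']")) {
            $problems += "provider '$($p.GetAttribute('name'))' references missing connection string '$csName'"
        }
    }

    # The walkthrough stores passwords hashed; a reversible format would turn
    # aspnetdb into a plaintext credential store, so flag anything else.
    if ($m) {
        $fmt = $m.GetAttribute('passwordFormat')
        if ($fmt -and $fmt -ne 'Hashed') { $problems += "passwordFormat is '$fmt', expected Hashed" }
    }

    if ($problems.Count -eq 0) { Write-Host "$label : OK" }
    else { $problems | ForEach-Object { Write-Warning "$label : $_" } }
}

foreach ($entry in $configs.GetEnumerator()) {
    Test-FbaProviderConfig -label $entry.Key -path $entry.Value
}
```

Run it on every web front end, since web.config edits made through IIS Manager are not propagated between the servers of a farm.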

Phase 5: Test to see whether FBA works

Before we test whether FBA works, we need to make sure Windows authentication still works as before and grant one of the forms-based user accounts access to the site.

Task 1: Verify that the new Site Collection can be accessed using Windows Authentication

  1. Enter the URL of the new Site Collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign in page.
  3. Select Windows Authentication from the drop down and make sure you get access to the new site collection we just created.

Task 2: Grant access to Forms based users

  1. While you are logged in as Administrator using Windows authentication, select Site Actions -> Site Permissions.
  2. Select Grant Permissions from the Grant group in the ribbon.
  3. In the Grant Permissions dialog box, select the Browse button.
  4. In the Select People and Groups – Webpage Dialog, enter the forms-based user name in the Find field and click the Search button. I’m searching for the Joy user which I created earlier in Phase 2.
  5. You will see the Joy user listed under the User: Forms Auth category. Select the user, click the Add -> button and click OK.
  6. Select the Contribute group from the Grant Permissions dialog box and click OK.

Task 3: Test to see whether we can login using FBA

  1. Open a new browser window and enter the URL of the new site collection. In my case, http://teamserver:8080
  2. You will be taken to the default sign-in page.
  3. Select Forms Authentication from the drop-down and it will take you to a sign-in page where you can enter a user name and password.
  4. Enter the user name and password of the forms user and click the Sign In button.
  5. Wow, you are now logged in as Joy, who is a forms-based user.

Closing Note: It’s going to be a bit difficult when you configure forms-based authentication for the first time, but once you have done it a few times you will not face any issues.