Saturday, August 8, 2009

Configuring Forms Based Authentication (FBA) in SharePoint


To configure Forms Based Authentication (FBA) in SharePoint, follow these steps:

Configuration Steps:
1) Setup the membership data store.
2) Create an ASP.Net Web Site to manage Roles and Users.
3) Open ASP.Net Web Site’s Web Administration Tool.
4) Create a new Web Application from SharePoint Central Administration site.
5) Extend Web Application
6) Change Authentication Provider for Forms based site.
7) Change configuration files settings.
8) Change policy for Web Application
9) Add users/roles as site administrator (Primary and Secondary).
10) Check Forms Based Authentication



Now I will explain each step in some detail:



1) Setup the membership data store.

To create the database, Microsoft provides a utility called aspnet_regsql.exe that creates it for us.
This utility can be found in the
%windir%\Microsoft.Net\Framework\vx.x.xxxxx folder.

Double-click or run aspnet_regsql.exe;
it opens a wizard window, as shown in the following images:




[Figure - 1]



[Figure - 2]



[Figure - 3]
Note: Enter your Server Name and Database name in the fields.




[Figure - 4]



[Figure - 5]



[Figure - 6]


Note: Check whether your custom MembershipDB is accessible by NT AUTHORITY\NETWORK SERVICE or not. (This is the identity the IIS application pool runs under by default; if your application pool runs as a different account, check that account's login instead.)

Steps:
a) Open MS SQL Server Management Studio.
b) Select the SERVER node (in the tree at the left side).
c) Select Security.
d) Select Logins.
e) Select NT AUTHORITY\NETWORK SERVICE.
f) Right-click on it and select Properties.
g) This opens the Login Properties window.
Select User Mapping (in the tree at the left side).
h) Check your database name in the top-right pane and
its corresponding access in the bottom-right pane.
i) Click OK.
j) Then, to check the effective permissions on your custom MembershipDB,
select the DB from the left-side tree view:
Server – Databases – custom MembershipDB
k) Right-click on custom MembershipDB and select Properties.
l) In the Database Properties window, select Permissions
(in the left pane).
m) Select NT AUTHORITY\NETWORK SERVICE (in the right pane) and
click the Effective Permissions button.
n) Check whether it has the required permissions or not.
If not, assign the required permissions.




2) Create a new ASP.Net Web Site to manage Roles and Users.

Make the following changes in the temporary ASP.Net web site's configuration file:

Web site’s configuration file (web.config) ---



<configuration>
  <!--Remaining settings-->

  <connectionStrings>
    <add name="CustomMembershipDBCNX"
         connectionString="SERVER=Server-Name; DATABASE=CustomMembershipDB; TRUSTED_CONNECTION=true;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!--Remaining settings-->

    <!-- Copy both keys from the SharePoint web application's web.config so the two sites share them
         (a passwordFormat of Encrypted, for example, would depend on the decryptionKey) -->
    <machineKey validationKey="Copy-it-from-sharepoint-site-config-file"
                decryptionKey="Copy-it-from-sharepoint-site-config-file"
                validation="SHA1" />

    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>

    <!-- SqlMembershipProvider against the database created in step 1; passwords are stored
         hashed and cannot be retrieved. applicationName must be identical in every
         web.config that uses this database, or users end up in separate scopes. -->
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <add name="CustomMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CustomMembershipDBCNX"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="CustomRoleProvider">
      <providers>
        <add name="CustomRoleProvider"
             connectionStringName="CustomMembershipDBCNX"
             applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>




Settings changed in the above snippet (quick review):
a) connectionStrings
b) machineKey
c) authentication
d) membership
e) roleManager



3) Open ASP.Net Web Site’s Web Administration Tool

Go To ---
Menu -> Website -> ASP.Net Configuration




[Figure - 7]


a) Security tab: to manage/create Roles and Users.
b) Provider tab: to test both the custom membership and role providers
(click the "Select a different provider for each feature (advanced)" link).



4) Create a new Web Application from SharePoint Central Administration site

Step:

Central Administration > Application Management >
Create or Extend Web Application > Create New Web Application

After creating the Web Application, create a Site Collection (the link is displayed after completing the above step).



5) Extend Web Application

Note: Select the proper site (from the top-right dropdown) that you want to extend.
Step:

Central Administration > Application Management > Create or Extend Web Application > Extend Web Application to Another IIS Web Site

On the above page, select the Zone as Extranet or Internet as per your requirement.



6) Change Authentication Provider for Forms based site

Note: Select the proper site and zone (from the top-right dropdown) whose Authentication Provider you want to change to Forms Based.

Step:

Central Administration > Application Management > Authentication Providers > Edit Authentication

a) Select Authentication Type as Forms.
b) Disable Anonymous access
c) Enter custom Membership provider name
d) Enter custom Role manager name

Save the changes.



7) Change configuration files settings

Changes are required in the SharePoint Central Administration configuration file (web.config).

IMPORTANT: Take a backup of the web.config file first.





<configuration>
  <SharePoint>
    <!--Remaining settings-->

    <!-- Lets the People Picker search the custom provider with a wildcard -->
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="CustomMembershipProvider" value="%" />
    </PeoplePickerWildcards>

  </SharePoint>
  <!--Remaining settings-->

  <connectionStrings>
    <add name="CustomMembershipDBCNX"
         connectionString="SERVER=Server-Name; DATABASE=CustomMembershipDB; TRUSTED_CONNECTION=true;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!--Remaining settings-->

    <!-- No defaultProvider here: Central Administration keeps Windows authentication
         and only needs to be able to resolve the custom provider -->
    <membership>
      <providers>
        <add name="CustomMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CustomMembershipDBCNX"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

    <!-- The default stays AspNetWindowsTokenRoleProvider; the custom role provider is only registered -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="CustomRoleProvider"
             connectionStringName="CustomMembershipDBCNX"
             applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>






The following 4 settings were changed in the above snippet (quick review):
a) PeoplePickerWildcards – so SharePoint can detect your custom provider
b) connectionStrings
c) membership – don't specify a default provider
d) roleManager – change the default provider to AspNetWindowsTokenRoleProvider

Note: Don't change the machineKey.



Now make the following changes in the SharePoint Web Application's configuration file (web.config) (created in step 4; the default one with Windows authentication):





<configuration>
  <SharePoint>
    <!--Remaining settings-->

    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="CustomMembershipProvider" value="%" />
    </PeoplePickerWildcards>

  </SharePoint>
  <!--Remaining settings-->

  <connectionStrings>
    <add name="CustomMembershipDBCNX"
         connectionString="SERVER=Server-Name; DATABASE=CustomMembershipDB; TRUSTED_CONNECTION=true;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!--Remaining settings-->

    <!-- Unlike Central Administration, the web application makes the custom providers the defaults -->
    <membership defaultProvider="CustomMembershipProvider">
      <providers>
        <add name="CustomMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="CustomMembershipDBCNX"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="CustomRoleProvider">
      <providers>
        <add name="CustomRoleProvider"
             connectionStringName="CustomMembershipDBCNX"
             applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>







The following 4 settings were changed in the above snippet (quick review):
a) PeoplePickerWildcards – so SharePoint can detect your custom provider
b) connectionStrings
c) membership
d) roleManager

Note: Don't change the machineKey.



Repeat the above configuration changes for the Forms Based Web Application's configuration file (web.config) (created in step 5; the port number will be different).

The only difference in the Forms Based Web Application's config file will be:




<configuration>
  <system.web>
    <!--Remaining settings-->

    <!-- Set by step 6: the forms ticket is always carried in a cookie, expires after
         120 minutes, and slidingExpiration renews it while the user stays active -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             timeout="120"
             cookieless="UseCookies"
             slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>





The following 5 settings were changed in the Forms based site's config (quick review):
a) PeoplePickerWildcards – so SharePoint can detect your custom provider
b) connectionStrings
c) membership
d) roleManager
e) authentication – set automatically by step 6.


So in total, we have to change 3 configuration files:
a) SharePoint’s Central Administration
b) Web Application with Default zone (Windows) [created in step 4]
c) Web Application with Internet/Extranet zone (Forms) [created in step 5]
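As an added example (not code from the original post), here is a Python script that encodes the step 7 rules and runs them over constructed minimal web.config fragments for the Central Administration and Forms zone files. The zone labels, the check_config function and the deliberately misspelled connection string in the Forms fragment are assumptions made for the demonstration.

```python
# Added example, not from the original post: apply the step 7 rules to constructed minimal web.config fragments.
import xml.etree.ElementTree as ET

TEMPLATE = """<configuration><SharePoint><PeoplePickerWildcards><clear/>
<add key="CustomMembershipProvider" value="%"/></PeoplePickerWildcards></SharePoint>
<connectionStrings><add name="{cnx}" connectionString="..."/></connectionStrings>
<system.web><authentication mode="{auth}"/>
<membership {mem_default}><providers><add name="CustomMembershipProvider"
connectionStringName="CustomMembershipDBCNX" passwordFormat="Hashed"
enablePasswordRetrieval="false"/></providers></membership>
<roleManager enabled="true" defaultProvider="{role_default}"><providers>
<add name="CustomRoleProvider" connectionStringName="CustomMembershipDBCNX"/>
</providers></roleManager></system.web></configuration>"""

CA_CONFIG = TEMPLATE.format(cnx="CustomMembershipDBCNX", auth="Windows", mem_default="",
                            role_default="AspNetWindowsTokenRoleProvider")
# Forms zone with one constructed mistake: the connection string name is misspelled.
FBA_CONFIG = TEMPLATE.format(cnx="CustomMembershipCNX", auth="Forms",
                             mem_default='defaultProvider="CustomMembershipProvider"',
                             role_default="CustomRoleProvider")

def check_config(xml_text, zone):  # zone: "central_admin", "windows" or "forms"
    root = ET.fromstring(xml_text)
    cnx_names = {e.get("name") for e in root.findall("./connectionStrings/add")}
    wildcards = {e.get("key") for e in root.findall("./SharePoint/PeoplePickerWildcards/add")}
    mem, roles = root.find("./system.web/membership"), root.find("./system.web/roleManager")
    mem_add = mem.find("./providers/add") if mem is not None else None
    role_add = roles.find("./providers/add") if roles is not None else None
    if mem_add is None or role_add is None:
        return ["custom membership or role provider entry is missing"]
    problems = []
    for label, add in (("membership", mem_add), ("role", role_add)):
        if add.get("connectionStringName") not in cnx_names:
            problems.append(f"{label} provider names a connection string that is not defined")
    if mem_add.get("name") not in wildcards:  # People Picker cannot resolve the provider otherwise
        problems.append("PeoplePickerWildcards lacks an entry for the membership provider")
    if mem_add.get("passwordFormat") != "Hashed" or mem_add.get("enablePasswordRetrieval") != "false":
        problems.append("membership provider must store hashed passwords and disable retrieval")
    if zone == "central_admin":  # CA only lists the custom providers; its defaults stay Windows
        if mem.get("defaultProvider") is not None:
            problems.append("Central Admin membership must not set defaultProvider")
        if roles.get("defaultProvider") != "AspNetWindowsTokenRoleProvider":
            problems.append("Central Admin roleManager default must stay AspNetWindowsTokenRoleProvider")
    elif mem.get("defaultProvider") != mem_add.get("name") or roles.get("defaultProvider") != role_add.get("name"):
        problems.append("web application defaults must name the custom membership and role providers")
    if zone == "forms":
        auth = root.find("./system.web/authentication")
        if auth is None or auth.get("mode") != "Forms":
            problems.append('Forms zone must set authentication mode="Forms"')
    return problems
```

Running check_config over the real three files, each with its zone, reports the mismatches behind the "user not found in Policy for Web Application" symptom before you touch Central Administration.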



8) Change policy for Web Application

Note: Select the proper site (from the top-right dropdown).

Step:

Central Administration > Application Management > Policy for Web Application

Click Add Users (top-left) to add new users/roles. Assign permissions as per requirement. Note that a web application policy applies to every site collection in that web application, so grant Full Control only to the accounts that administer the whole application.

Common Error: Access Denied

Steps to solve the above error:

a) Go to: SharePoint Central Administration > Application Management > Policy for Web Application
b) Select the proper Web Application (from the top-right)
c) Click "Add User" (top-left)
d) Add the required User or Role.
e) Grant it "Full Control" (as per requirement) out of the following options:
• Full Control - Has full control.
• Full Read - Has full read-only access.
• Deny Write - Has no write access.
• Deny All - Has no access.



9) Add users/roles as site administrator (Primary and Secondary)

Note: Select the proper site (from the top-right dropdown).

Step:

Central Administration > Application Management > Site Collection Owners



10) Open the Forms-based URL in a browser; it will redirect you to the login page

This means the site is properly configured for Forms Based Authentication (FBA).

Enter the <Username> and <Password> (refer to step 3) in the login page; if you are able to log in, the database is properly configured.
Otherwise check the username, password and roles in the DB, and also the effective permissions of NT AUTHORITY\NETWORK SERVICE.




14 comments:

Unknown said...

Thank you Avinash. A very helpful tutorial indeed.
But additionally I want to use the same membership provider specified in the web.config of Central Admin to write to and read from the database, where the code to write to the database is in an assembly file deployed in the GAC. Until now SharePoint central admin throws an unknown error. I am wondering if it is at all possible.
I would really appreciate it if you could kindly advise me on this problem. Thank you.

Avinash said...

Hi Prem,

1) By default, SharePoint central admin doesn't contain a custom membership provider (FBA).

2) If you want to use the same custom membership provider in any site (including SP CA), then I don't think it will be a problem. You just have to check that the database contains proper permissions for network service.

3) If the GAC contains a DLL/code to write to the database, then you have to check that the DLL is registered as a safe control in the appropriate application/site's web.config file.

Theoretically it should be possible, but I don't have much trust in SharePoint behavior :)

Please correct me, if I am in wrong direction or elaborate your scenario in detail.

~ Avi

Pratik Vyas said...

Hey Avinash,
Your blog is very nice, but I want to say that we can't get the images.
The reason is you might have uploaded them from your local machine, so the easiest way to avoid this is to upload your blog images to some online image hosting server, like Picasa or Windows Live Photo uploader.

Anonymous said...

Hi, your blog is very helpful. But I am not able to see the user in the policy settings for the web site that I created using the ASP.net web application administration. I am not sure how my SharePoint site will collaborate with the dummy .net application created to enter user names.

Please help.

MB

Avinash said...

Hi MB,

Basically we are using same config settings in both ASP.Net web application and SharePoint site.

Please cross check following entries in web.config file-
1) Connection String (DB name)
2) Membership Provider
3) Role Provider

As web config entries are same, so both ASP.Net and SharePoint are referring to same DB in SQL Server.

Please let me know if this solves your queries.

Regards,
Avinash

Anonymous said...

Hi, thanks for the reply. I am able to work on that. My new issue is that I am not able to send mails to users entered in the ASPNET DB. E.g. I have a user with ID abc@xyz.com. SharePoint is not sending mail to this FBA user abc@xyz.com.

Any clue on this.

Thanks in advance.

MB

Avinash said...

Hi MB,

You can refer this msdn forum link (not exact solution, but will help) -
http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/98d1c323-5ffd-4883-9fc5-f62a6409700e/

Anonymous said...

Hi, I have checked this and it is working fine. Still, I am not able to send mails.

Regards,
MB

Anonymous said...

Hi When I enter the IDs of FBA users in SharePoint site and option "send welcome email to new users" is selected, I get this error message:

"The user or users have been added successfully, but there was an error in sending the e-mail message. The server may not be set up correctly to send e-mail. To verify that e-mail is configured correctly, contact your server administrator. "

Can you help in this?

Thanks in advance.
With Regards

Anonymous said...

Avinash,

It's very useful to me.
But I am facing an issue. I am not able to find the user when I make the settings for "Policy for Web Application".
I checked the connection string and all settings made in the web.config file.

Can you please help me with the same.
Thanks in advance

Avinash said...

Regarding "Policy for Web Application" ---
Cross check settings in following 3 web.config files:
1. Central Admin web.config file
2. Windows Authenticated web app web.config file
3. FBA Authenticated web app web.config file

Before that check users in DB, if there is no user in DB then add a user through ASP.Net Web Site Administration tool.

Unknown said...

I added the connection string, the providers for membership and role, and the entry for peoplepicker in the below mentioned config files.

web.config files:
1. Central Admin web.config file
2. Windows Authenticated web app web.config file
3. FBA Authenticated web app web.config file


Also added users in the database. But not able to find that user.

Please advise.

Anonymous said...

Thank you Avinash. It is very useful to me.

The login page is not working in IE. But the login page is working fine in Firefox.

Please help me.

Scorpion said...

Hi avinash

I need to do FBA in WSS 3.0. I followed your steps up to step 7; after that

Central Administration > Application Management > Policy for Web Application > Add Users

here I got this: "No results were found to match your search item. Please enter a new term or less specific term". How should I sort out this problem?

Also I need to configure FBA in WSS 3.0 with a custom DB.
