
Forms Based Authentication – SharePoint

August 1, 2013

Part 1

Note: In 2013 you have the option to extend the existing web application for external users, or you can use the same web application configured with both authentication methods (NTLM and Forms Based). The difference is that if you do not extend the web app, you and the external users will use the same URL to access the site.

After you create the web application, confirm by selecting the web app and clicking Authentication Providers. By default all web apps created in 2013 use Claims Based Authentication.

If the web app uses Windows authentication, change it to claims based authentication as shown below:

    $cba = Get-SPWebApplication "http://EnterYourSiteURL"
    $cba.UseClaimsAuthentication = $true
    $cba.Update()

Now when you click on Default it takes you to the screen where you can enable FBA for your partners or external users.

Remember the Membership provider name and Role manager name entered here; they are used later on in the providers in web.config.

After you hit Save, the web.config file for this web app is updated with an entry confirming that forms based authentication is enabled. You can check by browsing the site; you should see a sign in page at this stage, as shown below.

Part 2

Let's create a database to store the external users' information and passwords for authentication. There are many ways to do that; I will use this one.

Open a command prompt as administrator, start the ASP.NET SQL Server Setup Wizard (aspnet_regsql.exe) as shown below and click Next.

At the next screen enter the name of the server where SQL is running and where you want to create the database.

Enter the name of the database. This will be the repository for all external users, as shown below.

Click Next to confirm the server name and database name, then finish the wizard as shown below.

At this point you can log in to SQL and see that your database has been created there.

Since you are in SQL, let's set up some permissions for this database.

We need to set permissions for two accounts on this database:

  1. App pool account for the SecurityTokenServiceApplication
  2. App pool account for the content web application

I am sure you know how to find the application pool account for both apps, but just in case here is a screen shot from IIS.

Once you have confirmed the app pool account for both, let's add them to the newly created database, i.e. Partners (in this case).

Click the + sign next to the Partners database. Expand Security, right click Users and click New User. In the new user wizard fill in the app pool account identified above, as shown in the screen shot below.

Click Membership and check all roles whose names start with aspnet_ and end with FullAccess, as shown below.

Once done, click OK.

In my case I am working on a dev machine and using the same account as the machine admin; this account is also dbo on the databases, so it gives me this message. If you get the same message it means the account already has the permissions. Repeat the above steps for both accounts and let's move to the next step.

Part 3

This is the step I wanted to write this blog for. I found some information on how to configure FBA in 2013, but this part was very confusing and not covered in detail in many posts. I will try to go into the details in as organized a way as I can; if you think anything can make it easier to understand, feel free to comment.

In order to configure forms based authentication with a SQL database or ADAM / LDAP we need these 3 things (this blog covers SQL only):

  1. Connection String
  2. ASP.NET Membership Provider
  3. ASP.NET Role manager

Connection String:

Defines the connection properties and path used to connect to the database created above (Partners), for example the database server name and database name. You can use this connection string and change the server name (ServerName) and database name (Partners) to match your environment.

In the add tag, the name attribute gives this connection string a name; in this case I am using SqlConn. You can have more than one connection string in one environment, so names are used to identify them.

    <connectionStrings>
      <add name="SqlConn"
           connectionString="server=ServerName;database=Partners;Integrated Security=true" />
    </connectionStrings>

Membership Provider:

The membership provider and role provider define how the web app connects to the ASP.NET membership database. A connection string is defined to connect to the database, and users are authenticated and authorized for that web app based on their membership and roles.

The membership provider also defines policies and properties for passwords. For example, the provider below declares minRequiredNonalphanumericCharacters="1", which means a password must contain at least one non alphanumeric character, i.e. !, @, # etc. If you don't want this password policy, remove this line from the code.

For a full list of properties click here. The membership provider is always declared within the <membership><providers> tags.

You can use the membership provider below. Make sure the names (LDAPMembership and SqlConn) match the names in your environment.

    <membership>
      <providers>
        <add name="LDAPMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="SqlConn"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="/"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>

Role Provider:

You can use the role provider below. Just make sure the names (LDAPRole and SqlConn) match your environment.

    <roleManager>
      <providers>
        <add name="LDAPRole"
             connectionStringName="SqlConn"
             applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>


Now that you have all the pieces you need, let's put them in the machine.config file. Why? In older versions we used to edit the web.config for Central Administration, the SSP and the content web app, but that means editing each web.config on each WFE.

If you edit one file on each WFE, i.e. machine.config, it covers all the web.config files mentioned above.

One more thing you will have to do is edit the web.config for the Security Token Service Application and put this information there as well. I will go into the details of this too.

Let’s do it one by one.

For the machine.config file:

On the WFE go to C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config

Take a backup of this file before you edit it. Open machine.config. You need to enter 3 things here:

  1. Connection strings
  2. Membership provider
  3. Role manager

Below are screen shots of the 2 sections from my machine.config file before any changes:

  1. [screen shot: section 1 before changes]
  2. [screen shot: section 2 before changes]

The easy way to do this is to open machine.config, search for the connection strings and the membership provider one by one, and add your connection string and provider details as described earlier. After the changes your machine.config file will look as shown below:

  1. [screen shot: section 1 after changes]
  2. [screen shot: section 2 after changes]

Once done, save machine.config.

For the SecurityTokenServiceApplication:

Open the web.config for the Security Token Service Application. The location of the web.config can be found from IIS.

In IIS expand Sites, expand SharePoint Web Services, right click Security Token Service Application and click Explore. This takes you to the folder where the web.config file is. Take a backup of this file before you make any changes to it.

You need to enter 2 things here:

  1. Membership provider
  2. Role Manager Provider

Below is a screen shot of the web.config before making any changes. Notice I scrolled all the way down to get this screen shot.

If you don't have a system.web tag in this file you will have to create it after </system.net>, as shown in the screen shot after modification below.

Once done save the file.

Configuration is complete now.
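As an added example (not from the original post), here is a PowerShell script that applies the three entries above to a config file after taking a backup, skipping any entry that already exists. It assumes the names used in this post (SqlConn, LDAPMembership, LDAPRole, the Partners database) and a placeholder SQL host name.

```powershell
# Added example (not from the original post). Inserts the connection string,
# membership provider and role provider described above into a .NET config file
# (machine.config on each WFE, or the STS web.config) after taking a backup.
# Assumed names: SqlConn, LDAPMembership, LDAPRole, database Partners on ServerName.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,
    [string] $SqlServer = 'ServerName',   # assumption: replace with your SQL host
    [string] $Database  = 'Partners'
)
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup
[xml] $cfg = Get-Content -LiteralPath $ConfigPath -Raw

# Return the named child element of $parent, creating it if it does not exist
function Get-OrAddElement([System.Xml.XmlElement] $parent, [string] $name) {
    $child = $parent.SelectSingleNode($name)
    if (-not $child) { $child = $parent.AppendChild($cfg.CreateElement($name)) }
    return $child
}
# Append an <add .../> with the given attributes unless one with that name exists
function Add-ProviderEntry([System.Xml.XmlElement] $parent, [hashtable] $attrs) {
    if ($parent.SelectSingleNode("add[@name='$($attrs.name)']")) { return $false }
    $add = $parent.AppendChild($cfg.CreateElement('add'))
    foreach ($k in $attrs.Keys) { $add.SetAttribute($k, $attrs[$k]) }
    return $true
}

$root = $cfg.configuration
# 1. Connection string. Integrated Security means the STS and content web app
#    app pool accounts authenticate to SQL, hence the grants made in Part 2.
$cs = Get-OrAddElement $root 'connectionStrings'
Add-ProviderEntry $cs @{ name = 'SqlConn'
    connectionString = "server=$SqlServer;database=$Database;Integrated Security=true" } | Out-Null
$sw = Get-OrAddElement $root 'system.web'
# 2. Membership provider: hashed passwords, no retrieval, lockout after 5 bad
#    attempts in 10 minutes. The non alphanumeric rule defaults to 1 in
#    SqlMembershipProvider, so set it to '0' if you want to drop the rule.
Add-ProviderEntry (Get-OrAddElement (Get-OrAddElement $sw 'membership') 'providers') @{
    name = 'LDAPMembership'; connectionStringName = 'SqlConn'; applicationName = '/'
    type = 'System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
    enablePasswordRetrieval = 'false'; enablePasswordReset = 'true'; requiresQuestionAndAnswer = 'false'
    requiresUniqueEmail = 'true'; passwordFormat = 'Hashed'; maxInvalidPasswordAttempts = '5'
    minRequiredPasswordLength = '7'; minRequiredNonalphanumericCharacters = '1'
    passwordAttemptWindow = '10' } | Out-Null
# 3. Role provider
Add-ProviderEntry (Get-OrAddElement (Get-OrAddElement $sw 'roleManager') 'providers') @{
    name = 'LDAPRole'; connectionStringName = 'SqlConn'; applicationName = '/'
    type = 'System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' } | Out-Null

$cfg.Save($ConfigPath)
Write-Host "Updated $ConfigPath (backup: $backup)"
```

Run it once per WFE against machine.config and once against the STS web.config, then diff the result against the backup before recycling the app pools.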

We have FBA set up, but there are no users in the database to test that it works. Again there are many ways to do this, e.g. using Visual Studio, but I will use the SharePoint 2013 FBA Pack available on CodePlex. Download the package from there and add and deploy the solution to your SharePoint farm. Once done you can find all the options on the Site Settings page, and step by step directions are also available there.

Let me know how it goes.

5 Comments
  1. I think what you posted made a great deal of sense.
    However, think about this, suppose you composed a catchier post title?
    I ain't suggesting your information is not solid,
    however suppose you added a headline to maybe grab people’s attention? I mean Configure Forms Based Authentication for SharePoint 2013 | SharePoint 2013 is
    a little plain. You could peek at Yahoo’s front page and watch how they write
    post titles to grab viewers interested. You might add a related video or a pic or two to get people interested about what you’ve
    written. Just my opinion, it could bring your posts a little livelier.

  2. This post helped me a lot, thank you 🙂

Trackbacks & Pingbacks

  1. Setting up Forms Based Authentication in SharePoint 2013 | SharePoint Interests
