i:0#.w|Ali.Mazaheri

Azure, Open Source, SharePoint and ...

Configuring FBA in SharePoint Server 2010

In SharePoint Server 2010 deployments, to allow access to sites using Forms Based Authentication (FBA), the web application hosting the site collection(s) must be provisioned in Claims mode rather than the classic Windows authentication mode. In this post I provide a step-by-step guide on configuring FBA against SQL Server and AD using the UI (the same can be done with the SP 2010 PowerShell cmdlets):

Note: This post is based on Beta 2 and is subject to change in future releases.

Steps

Provisioning a Claims based web application using UI

1. From CA, go to ‘Application Management’

2. Click on ‘Manage Web Applications’ link

3. From the Ribbon, select New

4. Make sure to select ‘Claims Based Authentication’

5. In the Authentication Type section select Enable Windows Authentication and choose NTLM or Kerberos

6. Click on “OK” button to create the web application

7. If required, extend the web application and configure the desired authentication (in 2010 you can select more than one authentication provider per zone)

8. In the Authentication Type section select Enable ASP.NET Membership and Role Provider and enter the membership provider and role manager names

9. Modify all Web.config files (Central Admin, Security Token Service, Forms Web Applications)
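Steps 4 to 8 above done with the SP 2010 cmdlets the post mentions, as an added example that is not part of the original post. The web application name, URLs, application pool and managed account are placeholders; the two provider names are the ones declared in the web.config sections below.

```powershell
# Added example, not from the original post: steps 4-8 with the SharePoint 2010
# cmdlets instead of Central Admin. Names, URLs and the managed account are
# placeholders; adjust them for the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$intranetUrl = "http://intranet.contoso.com"      # Default zone (Windows auth)
$extranetUrl = "https://extranet.contoso.com"     # Extranet zone (Windows + FBA)
$poolAccount = Get-SPManagedAccount "CONTOSO\sp_webapp"

# Steps 4-6: passing -AuthenticationProvider creates a claims-based web
# application; the Default zone here accepts Windows (NTLM) only.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$webApp  = New-SPWebApplication -Name "Contoso Intranet" `
    -ApplicationPool "Contoso Intranet Pool" -ApplicationPoolAccount $poolAccount `
    -Url $intranetUrl -Port 80 -AuthenticationProvider $windows

# Steps 7-8: extend to the Extranet zone with both Windows auth and ASP.NET FBA.
# The two provider names must equal the name="" attributes declared in the
# <membership> and <roleManager> sections of the web.config files.
$forms = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "AspNetSqlMembershipProvider" `
    -ASPNETRoleProviderName   "AspNetSqlRoleProvider"
New-SPWebApplicationExtension -Identity $webApp -Name "Contoso Extranet" `
    -Zone Extranet -Url $extranetUrl -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $windows, $forms

# Confirm which claims providers each zone now accepts
$webApp = Get-SPWebApplication $intranetUrl
foreach ($zoneName in "Default", "Extranet") {
    $zone  = [Microsoft.SharePoint.Administration.SPUrlZone]$zoneName
    $names = ($webApp.IisSettings[$zone].ClaimsAuthenticationProviders |
              ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-9} {1}" -f $zoneName, $names
}
```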

Modifying Web.config files for the Central Administration, FBA web applications and Security Token Service

1. Modify all Web.config files (Central Admin, Security Token Service, Forms Web App) and add the following sections:

“connectionStrings” setting (SQL FBA)

<configuration>
  <configSections>…
  </configSections>
  <connectionStrings>
    <clear />
    <!-- FBA Claims Auth: this name is what the SQL providers reference in connectionStringName -->
    <add name="AspNetSqlMembershipProvider"
         connectionString="data source=[Server Name];Integrated Security=SSPI;Initial Catalog=aspnetdb"
         providerName="System.Data.SqlClient" />
    <!-- FBA Claims Auth -->
  </connectionStrings>
</configuration>

People Picker Wildcards setting for Central Admin and Extended web application (SQL and LDAP FBA)

<configuration>
  <SharePoint>
    <!-- PeoplePickerWildcards sits under the <SharePoint> element of a SharePoint web.config;
         each key is a provider name from the membership/roleManager sections -->
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="LdapMembershipProvider" value="*" />
      <add key="LdapRoleManager" value="*" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>

“roleManager” and “membership” sections for Central Administration web.config (SQL and LDAP FBA)

<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES"
                 cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true"
                 cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider"
                 createPersistentCookie="false" maxCachedResults="25">
      <providers>
        <clear />
        <!-- connectionStringName must match the connectionStrings entry exactly -->
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/"
             name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15"
                hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="true"
             passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false"
             passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Extended web application web.config (SQL FBA)

<configuration>
  <system.web>
    <!-- "c" and "i" are SharePoint's own claims role and membership providers; they stay the defaults
         and the ASP.NET SQL providers are registered alongside them -->
    <roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" defaultProvider="c" createPersistentCookie="false" maxCachedResults="25">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
    <membership defaultProvider="i" userIsOnlineTimeWindow="15" hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Extended web application web.config (LDAP FBA)

<configuration>
  <system.web>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <!-- port 389 with useSSL="false" means the LDAP traffic, including the bind, is not encrypted;
             use 636 with useSSL="true" where the directory supports it -->
        <add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
      </providers>
    </roleManager>
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Security Token Service web.config (SQL and LDAP FBA)

Note: Security Token Service web.config can be found under "[14hive]\WebServices\SecurityToken" folder

<configuration>
  <system.web>
    <!-- the STS web.config already contains these sections; the providers are added to them -->
    <membership>
      <providers>
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
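A consistency check over the three edited web.config files, as an added example that is not part of the original post: it flags a defaultProvider that is not declared, a connectionStringName that does not match a connectionStrings entry exactly (the usual cause of the "connection name not found" provider error), and LDAP providers configured without SSL. The file paths are placeholders for this server.

```powershell
# Added example, not from the original post: cross-checks the Central Admin,
# Security Token Service and extended FBA web.config files after the edits above.
# The paths are placeholders; the STS path is the [14hive]\WebServices\SecurityToken
# location the post mentions.
$configs = @{
    "CentralAdmin" = "C:\inetpub\wwwroot\wss\VirtualDirectories\<CA port>\web.config"
    "STS"          = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
    "Extranet"     = "C:\inetpub\wwwroot\wss\VirtualDirectories\extranet.contoso.com443\web.config"
}

function Test-FbaWebConfig([string]$label, [string]$path) {
    $xml = [xml](Get-Content -Path $path)
    $findings = @()
    # names declared under <connectionStrings>; compare exactly (including case)
    # rather than relying on a case-insensitive match
    $connNames = @($xml.SelectNodes("/configuration/connectionStrings/add") |
                   ForEach-Object { $_.GetAttribute("name") })
    foreach ($section in "membership", "roleManager") {
        $node = $xml.SelectSingleNode("/configuration/system.web/$section")
        if ($node -eq $null) { $findings += "${label}: missing <$section> section"; continue }
        $providers = @($node.SelectNodes("providers/add"))
        $names     = @($providers | ForEach-Object { $_.GetAttribute("name") })
        $default   = $node.GetAttribute("defaultProvider")
        if ($default -and ($names -cnotcontains $default)) {
            $findings += "${label}: <$section> defaultProvider '$default' is not declared under <providers>"
        }
        foreach ($p in $providers) {
            $pname = $p.GetAttribute("name")
            $cs    = $p.GetAttribute("connectionStringName")
            if ($cs -and ($connNames -cnotcontains $cs)) {
                $findings += "${label}: provider '$pname' references connection string '$cs', which is not declared (check spelling and case)"
            }
            # an LDAP provider bound without SSL sends the bind and its queries unencrypted
            if ($p.GetAttribute("server") -and ($p.GetAttribute("useSSL") -eq "false")) {
                $findings += "${label}: provider '$pname' uses LDAP on port $($p.GetAttribute('port')) with useSSL=false"
            }
        }
    }
    return $findings
}

$all = @()
foreach ($entry in $configs.GetEnumerator()) {
    $all += Test-FbaWebConfig $entry.Key $entry.Value
}
if ($all.Count -eq 0) { "No findings" } else { $all }
```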

Post-setup configuration

1. Browse to Central Admin web site.

2. Under ‘Application Management’, click on ‘Policy for Web Application’ link and add the first admin user.

3. Select the Zone (e.g. Extranet)

4. Add the selected user

5. Make sure to grant the required permission policy
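The same web application policy steps done with the SP 2010 cmdlets and object model, as an added example that is not part of the original post; the web application URL and the FBA user name are placeholders.

```powershell
# Added example, not from the original post: the 'Policy for Web Application'
# step for the Extranet zone, granting Full Control to the first FBA user.
# The web application URL and the user name are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication "http://intranet.contoso.com"
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet

# Forms users are addressed by their encoded claim, i:0#.f|<membership provider>|<user>
# (Windows users use the i:0#.w|domain\user form); SharePoint lower-cases the provider name.
$claim = New-SPClaimsPrincipal -Identity "i:0#.f|aspnetsqlmembershipprovider|fbaadmin" `
                               -IdentityType EncodedClaim

# Policies are per zone; add the user to the Extranet zone policy with Full Control
$policy = $webApp.ZonePolicies($zone).Add($claim.ToEncodedString(), "FBA administrator")
$role   = $webApp.PolicyRoles.GetSpecialRole(
              [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($role)
$webApp.Update()

# Verify: list every Extranet zone policy with the roles bound to it
foreach ($p in $webApp.ZonePolicies($zone)) {
    $roles = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0}  ->  {1}" -f $p.UserName, $roles
}
```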

Accessing the site

1. Browse to the Extranet site; if both Windows and FBA authentication are selected for the zone, the user is redirected to a landing login page to select the type of authentication

2. Select Forms Authentication and provide the credentials

3. Make sure users have access to all content, and add additional FBA users with the required permission levels as needed