Configure Forms Based Authentication (FBA) using the ASP.NET SqlMembershipProvider for claims-based web applications in SharePoint 2010


This article walks through configuring FBA with the ASP.NET SQL membership provider on a claims-based web application. Two things are needed on the SQL side before SharePoint is touched: a membership database, and SQL access for the accounts that will read it.

  • Create SQL database
  • Create SQL User in the SQL database

To create the SQL database for the SqlMembershipProvider (Visual Studio method)

1. Install and open Visual Studio 2008.

2. Create a new web site: choose the ASP.NET Web Site template and C# as the language.

[Screenshot: VisualStudio]

3. Once the web site is created, open the Website menu and select ASP.NET Configuration.

[Screenshot: ASPNETconfig]

4. This opens the ASP.NET Web Site Administration Tool at a URL of the form http://localhost:53663/asp.netwebadminfiles/default.aspx?applicationPhysicalPath=C:\<website_location>\&applicationUrl=/websitename (the port is assigned by the development web server).

[Screenshot: ASPNETconfig1]

 
5. Click Provider Configuration, then click "Select a different provider for each feature (advanced)".

[Screenshot: MemberShip]

6. Test both the Membership Provider and the Role Provider and make sure each test succeeds.

[Screenshot: ConnectSuccess]

 

 

7. Now click the Security tab and, under Users, select the authentication type.
8. Select the option "From the internet" and click Done.
9. Click Create User, fill in all required fields, and click "Create User".
10. Once the user is created, right-click the web site in VS 2008 and click Refresh Folder; you will now see the database ASPNETDB.MDF under App_Data.
11. Close the web site in VS 2008 and browse to the location where you created it, e.g. C:\<website_location>\App_Data.
12. Copy the MDF and LDF files (rename them if required) into the directory that holds your SQL Server databases.
13. Attach the database to the SQL Server instance using SQL Server Management Studio, with whatever name you wish.

OR

Alternatively, create the ASP.NET membership database with the aspnet_regsql.exe wizard:

1. On the SQL server, open Windows Explorer.
2. Navigate to %SystemDrive%\Windows\Microsoft.NET\Framework\v2.0.50727 (or Framework64 on a 64-bit server).
3. Double-click aspnet_regsql.exe to start the ASP.NET SQL Server Setup Wizard.
4. Click Next to start the wizard, then complete it as follows:

[Screenshot: ASP.NET SQL _1]

5. Click Configure SQL Server for application services, and then click Next.

[Screenshot: ASP.NET SQL_2]

6. In the Server box, type the name of the SQL Server instance; in the Database box, type aspnetdb for the database name (leaving <default> also creates a database named aspnetdb). Click Next.

[Screenshot: ASP.NET SQL_3]

7. Confirm that the data you typed is correct, and then click Next

[Screenshot: ASP.NET SQL_4]

8. The database is created and the final status information is displayed. Click Finish to complete the wizard.

[Screenshot: ASP.NET SQL_5]
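The same result from a PowerShell prompt on the SQL server, as an added example that is not part of the original post: it runs the wizard steps above non-interactively, then grants the SharePoint application pool identities the SQL access that the Integrated Security=SSPI connection strings used later in this article depend on, and finally lists the users the provider will be able to see. The server name, database name and the two service accounts are assumptions; sqlcmd.exe is assumed to be on the path (it ships with SQL Server). The closing query is worth keeping: the membership provider only returns users whose aspnet_Applications row matches the applicationName ("/" in the web.config entries below), so users created under a different application name exist in the database yet never show up in SharePoint.

```powershell
# Added example, not part of the original post: the aspnet_regsql wizard steps
# run non-interactively, followed by the SQL grants the Integrated
# Security=SSPI connection strings in the web.config sections depend on.
# Assumptions: server name, database name and the two service accounts.
$SqlServer = "SQL01"                      # assumption: SQL Server instance
$Database  = "aspnetdb"                   # same name the wizard uses
$AppPoolAccounts = @(
    "CONTOSO\svc_sp_farm",                # assumption: farm account; runs Central Admin and the STS app pool
    "CONTOSO\svc_sp_fbaapp"               # assumption: app pool identity of the FBA web application
)

# 1. Create the membership schema. -A mr limits it to membership (m) and role
#    manager (r); -E uses the current Windows account for the setup session.
$regsql = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
if (-not (Test-Path $regsql)) {
    $regsql = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe"
}
& $regsql -S $SqlServer -E -d $Database -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# 2. Give each application pool identity a login, a database user and the
#    provider roles aspnet_regsql created. FullAccess is the broadest of those
#    roles; the BasicAccess/ReportingAccess variants exist if you want to
#    narrow this after confirming that logon and the people picker work.
foreach ($account in $AppPoolAccounts) {
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
GO
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$account';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$account';
GO
"@
    $script = Join-Path $env:TEMP ("fba-grant-" + ($account -replace '[\\/]', '_') + ".sql")
    Set-Content -Path $script -Value $tsql -Encoding ASCII
    sqlcmd.exe -S $SqlServer -E -b -i $script      # -b: non-zero exit on any T-SQL error
    if ($LASTEXITCODE -ne 0) { throw "Granting access to $account failed" }
    Remove-Item $script
}

# 3. Sanity check: the provider only sees users whose application row matches
#    applicationName="/" in the web.config provider entry. PasswordFormat 1 is
#    Hashed, which is what the provider entries in this article require.
$query = @"
SELECT a.ApplicationName, u.UserName, m.IsApproved, m.IsLockedOut, m.PasswordFormat
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
JOIN dbo.aspnet_Membership   m ON m.UserId = u.UserId
ORDER BY a.ApplicationName, u.UserName;
"@
sqlcmd.exe -S $SqlServer -E -d $Database -W -Q ($query -replace '\s+', ' ')
```

Run it as an account that is sysadmin on the instance (the grants need it); the application pool accounts themselves never need more than the membership roles.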

To perform the tasks such as creating users and groups and managing passwords, you can use the tool named MembershipSeeder. The tool and source code are available on CodePlex from the MemberShipSeeder page. You can use the MembershipSeeder tool as is for simple user and role management, or you can use the source code as a base on which to create your own tool; however, Microsoft does not provide support for this tool.

Before you create users with the MembershipSeeder tool:
  1. Start the MembershipSeeder tool. Click Configure.

  2. In the dialog box that opens, type the name of the computer running SQL Server that hosts your SQL membership database.

  3. Save your changes, and then restart MembershipSeeder so that it will use the new server name.

[Screenshot: Membership1]

To create users for testing purposes
  1. In the User Prefix field, type a value.

  2. In the Password field, type the password you want each user to have.

  3. In the # of Users field, select the number of users to create.

  4. Click Create to create users where the user name is the value of the User Prefix field with an incrementing number added to the end.

[Screenshot: Membership2]

See also: http://msdn.microsoft.com/en-us/library/bb975136(office.12).aspx

Now that the users exist, let's create the web application, selecting Claims Based Authentication as the authentication mode:

[Screenshot: ClaimsWebApp]

Select the Claims Authentication Type as shown below. For Windows Authentication you can use either "NTLM" or "Negotiate (Kerberos or NTLM)"; I have selected NTLM in this example. Also tick "Enable Forms Based Authentication (FBA)" and enter the ASP.NET membership provider name (SQLMembershipProvider) and role manager name (SQLRoleManager); these must match exactly the name="..." values of the provider entries you add to the web.config files later, because SharePoint stores only the names here.

[Screenshot: ClaimsAuthentication]
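The same web application created from the SharePoint 2010 Management Shell, as an added example that is not part of the original post. It registers a Windows claims provider forced to NTLM (matching the choice above) and a forms provider carrying the two provider names, then reads back what SharePoint recorded so you can confirm the names before editing any web.config. The URL, port, database name and application pool account are assumptions; the account must already be a managed account.

```powershell
# Added example, not part of the original post: create the claims-based web
# application with Windows (NTLM) plus forms authentication, then verify it.
# Assumptions: URL, port, content database name and managed account.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Url            = "http://fba.contoso.com"    # assumption
$Port           = 80
$AppPoolAccount = "CONTOSO\svc_sp_fbaapp"     # assumption: existing managed account
$MembershipName = "SQLMembershipProvider"     # must equal name="..." in the web.config membership entry
$RoleName       = "SQLRoleManager"            # must equal name="..." in the web.config roleManager entry

# Windows claims provider; -DisableKerberos selects NTLM, as in the screenshot above.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# Forms claims provider. Only the provider *names* are stored on the web
# application; the providers themselves come from the three web.config files.
$forms = New-SPAuthenticationProvider -ASPNETMembershipProvider $MembershipName `
                                      -ASPNETRoleProviderName $RoleName

$wa = New-SPWebApplication -Name "FBA Portal" -Url $Url -Port $Port `
        -ApplicationPool "FBAPortalAppPool" `
        -ApplicationPoolAccount (Get-SPManagedAccount $AppPoolAccount) `
        -DatabaseName "WSS_Content_FBAPortal" `
        -AuthenticationProvider $windows, $forms

# Verify: claims mode is on and both providers sit on the Default zone. The
# forms provider's MembershipProvider/RoleProvider values are the names that
# the web.config entries (and the people picker) have to match.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$iis  = $wa.IisSettings[$zone]
"UseClaimsAuthentication : $($wa.UseClaimsAuthentication)"
"web.config of this zone : $(Join-Path $iis.Path.FullName 'web.config')"
$iis.ClaimsAuthenticationProviders | ForEach-Object { "provider: $($_.GetType().Name) ($($_.DisplayName))" }
$fba = $iis.FormsClaimsAuthenticationProvider
"forms membership provider: $($fba.MembershipProvider)  role provider: $($fba.RoleProvider)"
```

The printed web.config path is the file to edit in the "Web application web.config changes" section; an extended zone has a different IisSettings entry and its own web.config.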

Once the web application is created, three web.config files need the FBA provider entries:

1. The web.config of the Central Administration site (so that the User Policy page and its people picker can resolve forms users).
2. The web.config of the web application (each zone of an extended web application has its own web.config; edit the one for the zone that uses FBA).
3. The web.config of the SecurityTokenService (STS) application. This one is easy to overlook but essential: in claims mode it is the STS, not the web application, that validates the forms credentials against the membership provider and issues the claims token the web application accepts, so if the STS cannot load the provider, logins fail even when the other two files are correct.

Central Administration web.config changes:

Place the below snippet between </SharePoint> & <system.web> in the web.config

<!-- Connection String for FBA Start -->

<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=<SQLServerName>;Integrated Security=SSPI;Initial Catalog=<SQL_DB_NAME>" />
</connectionStrings>

<!-- Connection String for FBA End -->

Place this between <machineKey validationKey… /> & </system.web>

<!-- Role Manager & Membership Provider for FBA-->

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>

<membership defaultProvider="SQLMembershipProvider">
<providers>
<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<!-- Role Manager & Membership Provider for FBA -->

Web application web.config changes:

Place this between </SharePoint> & <system.web> in the web.config

<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=<SQLServerName>;Integrated Security=SSPI;Initial Catalog=<SQL_DB_NAME>" />
</connectionStrings>

Place this between <machineKey validationKey…. /> & </system.web>

<!-- Add membership Provider and Role Manager:  -->

                <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
                <providers>
                <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
                </providers>
                </roleManager>

                <membership defaultProvider="i">
                <providers>
                <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
                </providers>
                </membership>
<!-- Add membership Provider and Role Manager ends  -->

STS web.config changes: open the web.config in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken

Place the code below between </system.net> and </configuration>:

<!-- FBA configuration -->
<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=<SQLServerName>;Integrated Security=SSPI;Initial Catalog=<SQL_DB_NAME>" />
</connectionStrings>

<system.web>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>

<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

</system.web>

<!-- FBA CONFIG ENDS -->

NOTE: take a backup of each web.config file before making changes. The connection strings above use Integrated Security=SSPI, so no SQL password is stored in web.config; the trade-off is that the identities running the three application pools (Central Administration, the FBA web application, and the SecurityTokenServiceApplicationPool, which by default runs as the farm account) each need a login on the SQL Server and membership in the aspnet_Membership_* and aspnet_Roles_* database roles that aspnet_regsql creates. If you must use a SQL login instead, encrypt the connectionStrings section with aspnet_regiis -pe rather than leaving the password in clear text in three files.
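A read-only check of the three files, as an added example that is not part of the original post. Several readers in the comments below ended up with an empty "Forms Auth (0)" group or no database users in User Policy; the usual causes are a provider entry missing from one of the three files, a provider pointing at a connection string name that does not exist, or, as one commenter found, no PeoplePickerWildcards entry for the provider in the web application's web.config, without which the picker never issues the wildcard search. The script locates the Central Administration and web application web.configs through the SharePoint object model, takes the STS path from this article, and reports what is missing. The web application URL is an assumption.

```powershell
# Added example, not part of the original post: verify that all three
# web.config files carry the FBA entries described above. Nothing is edited.
# Assumptions: provider and connection-string names as used in this article,
# and the URL of the FBA web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-FbaWebConfig {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Label,
        [string]$ConnectionStringName = "SQLConnectionString",
        [string]$MembershipProvider   = "SQLMembershipProvider",
        [string]$RoleProvider         = "SQLRoleManager",
        [switch]$CheckPeoplePicker     # only web.configs with a <SharePoint> section
    )
    [xml]$cfg = Get-Content -LiteralPath $Path
    $cs  = $cfg.SelectSingleNode("/configuration/connectionStrings/add[@name='$ConnectionStringName']")
    $mem = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$MembershipProvider']")
    $rol = $cfg.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$RoleProvider']")

    $findings = @()
    if (-not $cs) {
        $findings += "connection string '$ConnectionStringName' missing"
    } elseif ($cs.connectionString -notmatch 'Integrated Security\s*=\s*(SSPI|true)') {
        # A SQL login here means a clear-text password in web.config.
        $findings += "connection string does not use Integrated Security"
    }
    if (-not $mem) {
        $findings += "membership provider '$MembershipProvider' missing"
    } else {
        if ($mem.connectionStringName -ne $ConnectionStringName) {
            $findings += "membership provider uses connection string '$($mem.connectionStringName)'"
        }
        if ($mem.passwordFormat -ne 'Hashed') {
            $findings += "passwordFormat is '$($mem.passwordFormat)', expected Hashed"
        }
    }
    if (-not $rol) { $findings += "role provider '$RoleProvider' missing" }
    if ($CheckPeoplePicker) {
        # Without this key the picker shows 'Forms Auth (0)' even though users exist.
        $wc = $cfg.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards/add[@key='$MembershipProvider']")
        if (-not $wc) { $findings += "PeoplePickerWildcards has no entry for '$MembershipProvider'" }
    }
    New-Object PSObject -Property @{
        Config   = $Label
        Path     = $Path
        Findings = $(if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' })
    }
}

$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$ca   = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$wa   = Get-SPWebApplication "http://fba.contoso.com"       # assumption: URL of the FBA web application
$sts  = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"

@(
    Test-FbaWebConfig -Label "Central Administration" -CheckPeoplePicker `
        -Path (Join-Path $ca.IisSettings[$zone].Path.FullName "web.config")
    Test-FbaWebConfig -Label "Web application" -CheckPeoplePicker `
        -Path (Join-Path $wa.IisSettings[$zone].Path.FullName "web.config")
    Test-FbaWebConfig -Label "SecurityTokenService" -Path $sts
) | Select-Object Config, Findings, Path | Format-Table -AutoSize -Wrap
```

Run it on a SharePoint server as a farm administrator. If the web application is extended to another zone, pass that zone's web.config path as well; the check for the STS file is the one that explains logins that fail even though the people picker works.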

Now add a user: select the web application on the Web Applications Management page and click User Policy in the ribbon. Click Add Users in the Policy for Web Application dialog and use the Browse button of the Choose Users people picker. You will now see sections such as Active Directory, All Users, Forms Auth and Organizations, and when you search for users the picker tells you whether each match came from AD or from Forms Auth, as seen below.

[Screenshot: UsersAdd]

Add the user to the site and browse to it. You should be able to log in to the site successfully.

Hope this helps!!!

Comments (15)
  1. Lars says:

    Hi, thanks for a good article; however, I have one "small" problem after I have done the things you describe. I can't see any of the users I have created in the SQL DB in the people picker. Do you have any suggestions?

    br.

    Lars

  2. DhirajM says:

    Hi Lars,

    I suspect you might have missed the connection string; please check it, and also check whether you are able to add the users from Central Admin -> User Policy. Do you see the users when you directly query the SQL DB? If not, then there could be some other issue. Try taking a backup and restoring it again, and then check.

  3. Lars says:

    Hi, thanks for your reply

    I can see the users when I open SQL Management Studio. Is there any way I can check from SharePoint that my connection is valid, or see some kind of error message?

    Lars

  4. DhirajM says:

    Check whether you are able to add a user from the Central Admin site under User Policy for the FBA web application. If yes, then the connection is correctly configured. If not, the web.config file is not correctly configured.

  5. Lars says:

    When I try to add users from Central Admin, the people picker find only gets 3 groups: 1) All Users (SqlMembershipProvider), 2) All Authenticated Users, 3) All Users (Windows),

    but Forms Auth (0) doesn't include any users?

  6. DhirajM says:

    What happens when you try to add the user? Are you able to pull the user from SQL? If not, check the permissions on the SQL DB. Does the app pool identity have the necessary permissions?

  7. Lars says:

    Hi, I found a solution 🙂

    In the PeoplePickerWildcards the following was missing:

    <add key="SQLMembershipProvider" value="%" />

    Thank you again for you input

    Br

    Lars

  8. v.ash says:

    Thanks DhirajM,

    I'm a very beginner in SharePoint.

    My English is bad, excuse me.

    With this Claims-Based ability, can internet users enter and register a new username & password?

    When you set the configuration, when and where do users register? How do you sign in?

    Thank you so much.

  9. Christian Gram says:

    Hi DhirajM

    We are using claims-based authentication for a dual-zone SharePoint site.

    Windows in the edit zone and forms in the public zone.

    But we have trouble accessing forms users in the Windows zone. Providers and connection strings are added to the web.config, but we are unable to select forms users in the Windows zone.

    We got the forms users working in Central Administration; I think this is because it is not using claims-based authentication.

    Do you have an idea what we are doing wrong?

    Best regards

    Christian

  10. DhirajM says:

    @v.ash: You can have internet users register with a new username and password, but this can be done only with a custom page that writes to the database and creates users. Following this blog, you will not be able to create users; you will have to create users in the database, and then users from the database will be able to access the FBA site.

  11. DhirajM says:

    @Christian: I am not quite sure I understand: Windows in the edit zone and forms in the public zone?

    Does it mean that you have 2 zones, Windows and Forms, and both use claims?

    I believe that you are able to add users using the Forms site; for adding users in Windows, you typically need something like ldapmembership:username.

    Hope that helps.

  12. SumanRC says:

    I've created a web application with claims authentication in SharePoint 2010 as detailed in your blog...

    Trying to open the site in IE, I get JavaScript errors (pasted below).

    One thing to note: on the same server I could successfully publish a web application with Classic Mode Authentication, and the site opened up well and proper. Kindly help!

    Webpage error details
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)
    Timestamp: Thu, 9 Dec 2010 09:40:54 UTC

    Message: 'Sys' is undefined   Line: 63    Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 176   Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 177   Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 178   Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 179   Char: 1   Code: 0   URI: http://localhost:28293/
    Message: 'Sys' is undefined   Line: 183   Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 78    Char: 1   Code: 0   URI: http://localhost:28293/
    Message: Object expected      Line: 78    Char: 1   Code: 0   URI: http://localhost:28293/

    and this is how the site looks...

    Error

    An unexpected error has occurred.

    Troubleshoot issues with Microsoft SharePoint Foundation.

    Correlation ID: 2184da9e-b1d9-4c7a-87f5-f8d34afb6ee2

    Date and Time: 12/9/2010 1:44:47 AM

    Go back to site

    ——————————————————————————–

    Suman RC

  13. Vikram Daruru says:

    Hi Dhiraj,

    Thank you very much for a nice article. You have mentioned each and every step clearly. It was of great help and very easy to configure.

    Regards,

    Vikram

  14. XYZ says:

    I have done all the settings as you mentioned in the blog, but still I am not getting the DB users in the User Policy of the web application in Central Admin. Please suggest.

  15. Dhiraj Moghe says:

    Hello Xyz,

    If you are not able to pull the users in the Policy for Web Application in the Central Admin site, then you might want to look at:

    1. The correct web.config for the web site; check if it's an extended site.

    2. The settings you entered in the web.config as mentioned in the blog above.

       There are 2 places where you need to add the snippet provided:

    Place the below snippet between </SharePoint> & <system.web> in the web.config

    Place this between <machineKey validationKey… /> & </system.web>

    3. Also, I'm not sure if you are configuring this for SPS 2010 or SPS 2013.

    Hope this helps!
