Configuring FBA in SharePoint Server 2010
In SharePoint Server 2010, a web application must be provisioned in claims-based authentication mode (rather than classic Windows authentication mode) before its site collections can be accessed through Forms Based Authentication (FBA). This post is a step-by-step guide to configuring FBA against SQL Server and against Active Directory (LDAP) using the Central Administration UI; the same can be done with the SharePoint 2010 PowerShell cmdlets.
Note: This post is based on Beta 2 and is subject to change in future releases.
Steps
Provisioning a Claims based web application using UI
1. From Central Administration (CA), go to 'Application Management'.
2. Click the 'Manage Web Applications' link.
3. On the ribbon, select New.
4. Make sure 'Claims Based Authentication' is selected.
5. In the Authentication Type section, select Enable Windows Authentication and choose NTLM or Kerberos.
6. Click 'OK' to create the web application.
7. If required, extend the web application to a new zone and configure the desired authentication (in 2010 you can select more than one authentication provider per zone).
8. In the Authentication Type section of the extended zone, select Enable ASP.NET Membership and Role Provider and enter the membership provider name and the role manager name. These names must match the provider names you add to the web.config files in the next section.
9. Modify all web.config files (Central Admin, Security Token Service, forms web applications) as described below.
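The same provisioning steps done with the SharePoint 2010 PowerShell cmdlets. This is an added example and not code from the original post; the URLs, the application pool name, the managed account, the database server and the choice of the Extranet zone are assumptions.

```powershell
# Added example (not from the original post): provision a claims-based web
# application with Windows (NTLM) authentication on the Default zone, then
# extend it to an Extranet zone that offers both Windows and forms (FBA)
# authentication. Names, URLs and the managed account below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPoolAccount = Get-SPManagedAccount "CONTOSO\sp_webapp"   # assumed managed account
$dbServer       = "SQL01"                                   # assumed database server

# Windows authentication provider (NTLM; drop -DisableKerberos to use Kerberos).
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# Forms provider: these names must match the <membership>/<roleManager>
# provider entries added to web.config in the next section.
$fbaAuth = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "AspNetSqlMembershipProvider" `
    -ASPNETRoleProviderName   "AspNetSqlRoleProvider"

# Steps 3-6: new web application. Passing -AuthenticationProvider is what makes
# the web application claims-based; without it the cmdlet creates classic mode.
$webApp = New-SPWebApplication -Name "Contoso Intranet" `
    -ApplicationPool "ContosoIntranetAppPool" `
    -ApplicationPoolAccount $appPoolAccount `
    -Url "http://intranet.contoso.com" -Port 80 `
    -DatabaseServer $dbServer -DatabaseName "WSS_Content_Intranet" `
    -AuthenticationProvider $winAuth

# Steps 7-8: extend to an Extranet zone offering both Windows and FBA, over SSL
# so that forms credentials are not sent in clear text.
New-SPWebApplicationExtension -Identity $webApp -Name "Contoso Extranet" `
    -Zone Extranet -Url "https://extranet.contoso.com" -Port 443 `
    -HostHeader "extranet.contoso.com" -SecureSocketsLayer `
    -AuthenticationProvider $winAuth, $fbaAuth

# Check: list each zone with the authentication providers enabled on it.
$webApp = Get-SPWebApplication "http://intranet.contoso.com"
foreach ($zone in $webApp.IisSettings.Keys) {
    $settings  = $webApp.IisSettings[$zone]
    $providers = $settings.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }
    "$zone : " + ($providers -join ", ")
}
```

The two calls to New-SPAuthenticationProvider are separate because the Windows and ASP.NET provider options are different parameter sets; the resulting objects are then passed together to the zone that should offer both.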
Modifying web.config files for Central Administration, the FBA web applications and the Security Token Service
1. Modify all web.config files (Central Admin, Security Token Service, forms web applications) and add the following sections. Back up each file before editing it; a malformed web.config takes the application offline.
“connectionStrings” setting (SQL FBA)
Note: the connection string uses Integrated Security, so the application pool identities of Central Administration, the forms web application and the Security Token Service must each be granted access to the aspnetdb database (for example through the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles that aspnet_regsql creates). Prefer this over a SQL login and password in the connection string, since web.config is stored in clear text.
<configuration>
<configSections>…
</configSections>
<connectionStrings>
<clear />
<!-- FBA Claims Auth-->
<add name="AspNetSqlMembershipProvider" connectionString="data source=[Server Name];Integrated Security=SSPI;Initial Catalog=aspnetdb"
providerName="System.Data.SqlClient" />
<!-- FBA Claims Auth-->
</connectionStrings>
…
</configuration>
People Picker Wildcards setting for Central Admin and Extended web application (SQL and LDAP FBA)
<configuration>
…
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="LdapMembershipProvider" value="*"/>
<add key="LdapRoleManager" value="*"/>
</PeoplePickerWildcards>
…
</configuration>
“roleManager” and “membership” sections for Central Administration web.config (SQL and LDAP FBA)
<configuration>
…
<system.web>
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES"
cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true"
cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear />
<add connectionStringName="AspNetSqlMembershipProvider" applicationName="/"
name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15"
hashAlgorithmType="">
<providers>
<clear />
<add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true"
passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false"
passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
…
</configuration>
“roleManager” and “membership” sections for Extended web application web.config (SQL FBA)
Note: a claims-mode web application's web.config already contains SharePoint's own claims providers, named "c" (roleManager) and "i" (membership), as shown in the LDAP example further down. In the released product those must stay in place as the defaultProvider values and must not be removed by a <clear />; the SQL providers are added alongside them. The Beta 2 configuration used in this post is:
<configuration>
…
<system.web>
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES"
cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true"
cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear />
<add connectionStringName="AspNetSqlMembershipProvider" applicationName="/"
name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15"
hashAlgorithmType="">
<providers>
<clear />
<add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true"
passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false"
passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
…
</configuration>
“roleManager” and “membership” sections for Extended web application web.config (LDAP FBA)
Note: the ‘&’ inside the LDAP filter attributes must be written as ‘&amp;’ in web.config, otherwise the file is not well-formed XML and the web application fails to start. The example uses port 389 with useSSL="false", so traffic between the web front end and the domain controller is not protected by TLS; in production set useSSL="true" and port="636" (LDAPS) on both providers.
<configuration>
…
<system.web>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
</system.web>
…
</configuration>
“roleManager” and “membership” sections for Security Token Service web.config (SQL and LDAP FBA)
Note: Security Token Service web.config can be found under "[14hive]\WebServices\SecurityToken" folder
<configuration>
…
<system.web>
<membership defaultProvider="i">
<providers>
<clear />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn"/>
</providers>
</membership>
<roleManager enabled="true" defaultProvider="c">
<providers>
<clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree"/>
</providers>
</roleManager>
</system.web>
…
</configuration>
Note: the Security Token Service web.config needs the connectionStrings entry from above as well when the SQL provider is used, and the ‘&’ in the LDAP filters must be escaped as ‘&amp;’ here too. As with the extended web application, leave "i" and "c" as the default providers.
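A check worth running after editing the three files, as an added example rather than anything from the original post: it loads each web.config as XML (which catches the unescaped-ampersand mistake), confirms the expected providers and connection string are present, and flags LDAP providers that still run without SSL. The provider names are the post's; the forms web application URL and the Extranet zone are assumptions.

```powershell
# Added example (not from the original post): verify that the three web.config
# files carry the entries this section adds. The provider names are the ones
# used in the post; the forms web application URL and its zone are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$membershipName = "AspNetSqlMembershipProvider"
$roleName       = "AspNetSqlRoleProvider"
$defaultZone    = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$fbaZone        = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet   # assumed zone

# Physical folders holding the three web.config files.
$ca  = Get-SPWebApplication -IncludeCentralAdministration |
       Where-Object { $_.IsAdministrationWebApplication }
$fba = Get-SPWebApplication "http://intranet.contoso.com"                     # assumed URL
$targets = @{
    "Central Administration" = $ca.IisSettings[$defaultZone].Path.FullName
    "Forms web application"  = $fba.IisSettings[$fbaZone].Path.FullName
    "Security Token Service" = [Microsoft.SharePoint.Utilities.SPUtility]::GetGenericSetupPath("WebServices\SecurityToken")
}

function Test-FbaWebConfig {
    param([string]$Label, [string]$Directory)
    $path = Join-Path $Directory "web.config"
    # The [xml] cast fails on malformed XML, e.g. an unescaped '&' in an LDAP filter.
    [xml]$cfg = Get-Content -Path $path -ErrorAction Stop

    $sysWeb     = $cfg.configuration.'system.web'
    $memberAdds = @($sysWeb.membership.providers.add)
    $roleAdds   = @($sysWeb.roleManager.providers.add)
    $connNames  = @($cfg.configuration.connectionStrings.add | ForEach-Object { $_.name })
    $membership = $memberAdds | Where-Object { $_.name -eq $membershipName }
    $role       = $roleAdds   | Where-Object { $_.name -eq $roleName }

    $problems = @()
    if (-not $membership) {
        $problems += "membership provider '$membershipName' is missing"
    } else {
        if ($membership.passwordFormat -ne "Hashed") {
            $problems += "passwordFormat is '$($membership.passwordFormat)'; expected Hashed"
        }
        if ($connNames -notcontains $membership.connectionStringName) {
            $problems += "connectionStringName '$($membership.connectionStringName)' has no <connectionStrings> entry"
        }
    }
    if (-not $role) { $problems += "role provider '$roleName' is missing" }

    # Any LDAP provider still using cleartext LDAP (useSSL not "true") is flagged.
    ($memberAdds + $roleAdds) |
        Where-Object { $_.type -like "Microsoft.Office.Server.Security.Ldap*" -and $_.useSSL -ne "true" } |
        ForEach-Object { $problems += "LDAP provider '$($_.name)' has useSSL=$($_.useSSL) on port $($_.port)" }

    if ($problems.Count -eq 0) { "$Label ($path): OK" }
    else { "$Label ($path):`n  - " + ($problems -join "`n  - ") }
}

foreach ($t in $targets.GetEnumerator()) { Test-FbaWebConfig -Label $t.Key -Directory $t.Value }
```

Run it from the SharePoint 2010 Management Shell on a web front end; for the LDAP variant, change $membershipName and $roleName to LdapMembershipProvider and LdapRoleManager.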
Post-setup configuration
1. Browse to the Central Administration web site.
2. Under 'Application Management', click the 'Policy for Web Application' link and add the first administrative user.
3. Select the zone (e.g. Extranet).
4. Add the selected user (the People Picker resolves forms users through the membership provider, which is why the PeoplePickerWildcards entries above are needed in the Central Administration web.config).
5. Make sure to grant the required permission policy (e.g. Full Control for the first FBA administrator).
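The same policy added through the object model, as an added example that is not part of the original post. It shows the claims-encoded form of a forms user that the 'Policy for Web Application' page produces behind the scenes; the web application URL, provider name and user name are assumptions.

```powershell
# Added example (not from the original post): grant the first FBA user Full
# Control on the Extranet zone through a web application policy. The URL,
# the provider name and the user name below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp   = Get-SPWebApplication "http://intranet.contoso.com"   # assumed URL
$provider = "AspNetSqlMembershipProvider"   # membership provider name from web.config
$userName = "fbaadmin"                      # assumed forms user that exists in aspnetdb

# Claims-encoded identity of a forms user: i:0#.f|<provider>|<user>
# (i = identity claim, # = user logon name, f = forms; provider is lower-cased).
$encoded   = "i:0#.f|" + $provider.ToLower() + "|" + $userName
$principal = New-SPClaimsPrincipal -EncodedClaim $encoded

# Policies are per zone; this is what the zone drop-down in CA selects.
$zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Extranet
$policies = $webApp.ZonePolicies($zone)
$policy   = $policies.Add($principal.ToEncodedString(), $userName)

# Bind the built-in Full Control policy role and save.
$fullControl = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($fullControl)
$webApp.Update()

# Check: list the policies now in force on that zone.
$webApp.ZonePolicies($zone) |
    Select-Object UserName, DisplayName,
        @{ n = "Roles"; e = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", " } }
```

A policy granted here applies to every site collection in the web application on that zone, so keep it to the one bootstrap administrator and give further FBA users permission levels inside the sites instead.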
Accessing the site
1. Browse to the Extranet site. If both Windows and forms authentication are enabled for the zone, the user is redirected to a sign-in landing page to choose the authentication type.
2. Select Forms Authentication and provide the credentials.
3. Make sure the user has access to all content, and add further FBA users with the required permission levels as needed.
