Ali Mazaheri

SharePoint, SharePoint and SharePoint!

Configuring FBA in SharePoint Server 2010



In SharePoint Server 2010 deployments, a web application that must allow access to its site collection(s) through Forms Based Authentication (FBA) has to be provisioned in Claims mode rather than the classic Windows authentication mode. In this post I give a step-by-step guide to configuring FBA against SQL Server and AD through the UI (the same can be done with the SP 2010 PowerShell cmdlets):

Note: This post is based on Beta 2 and is subject to change in future releases.

Steps

Provisioning a Claims based web application using UI

1. From Central Administration (CA), go to 'Application Management'

2. Click on 'Manage Web Applications' link

3. From the Ribbon, select New

4. Make sure 'Claims Based Authentication' is selected

5. In the Authentication Type section, select Enable Windows Authentication and choose NTLM or Kerberos

6. Click on “OK” button to create the web application

7. If required, extend the web application and configure the desired authentication (in 2010 you can select more than one authentication provider per zone)

8. In the Authentication Type section, select Enable ASP.NET Membership and Role Provider and enter the names of the Membership provider and Role manager

9. Modify all Web.config files (Central Admin, Security Token Service, Forms Web Applications)

Modifying Web.Config files for the Central Administration, FBA web applications and Secure Token Service

1. Modify all Web.config files (Central Admin, Security Token Service, Forms Web App) and add the following sections:

“connectionStrings” setting (SQL FBA)

<configuration>
  <configSections>…
  </configSections>
  <connectionStrings>
    <clear />
    <!-- FBA Claims Auth -->
    <add name="AspNetSqlMembershipProvider"
         connectionString="data source=[Server Name];Integrated Security=SSPI;Initial Catalog=aspnetdb"
         providerName="System.Data.SqlClient" />
    <!-- FBA Claims Auth -->
  </connectionStrings>
</configuration>

People Picker Wildcards setting for Central Admin and Extended web application (SQL and LDAP FBA)

<configuration>
  <PeoplePickerWildcards>
    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="LdapMembershipProvider" value="*" />
    <add key="LdapRoleManager" value="*" />
  </PeoplePickerWildcards>
</configuration>

“roleManager” and “membership” sections for Central Administration web.config (SQL and LDAP FBA)

<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES"
                 cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true"
                 cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider"
                 createPersistentCookie="false" maxCachedResults="25">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/"
             name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15"
                hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="true"
             passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false"
             passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Extended web application web.config (SQL FBA)

<configuration>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" defaultProvider="c" createPersistentCookie="false" maxCachedResults="25">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
    <membership defaultProvider="i" userIsOnlineTimeWindow="15" hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Extended web application web.config (LDAP FBA)

<configuration>
  <system.web>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
      </providers>
    </roleManager>
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
  </system.web>
</configuration>

“roleManager” and “membership” sections for Security Token Service web.config (SQL and LDAP FBA)

Note: Security Token Service web.config can be found under "[14hive]\WebServices\SecurityToken" folder

<configuration>
  <system.web>
    <membership>
      <providers>
        <add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="LdapMembershipProvider" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="DC=Contosocorp,DC=com" userObjectClass="person" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="servername.contosocorp.com" port="389" useSSL="false" groupContainer="DC=Contosocorp,DC=com" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(&amp;(ObjectClass=group))" userFilter="(&amp;(ObjectClass=person))" scope="Subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
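Since the three files above are edited by hand (and the comment thread below shows what drift between them looks like), the following Python lint is an added example, not code from the original post: it checks constructed, trimmed copies of an extended web application and STS web.config for providers that Central Admin references but the file lacks, connectionStringName values that do not exactly match a <connectionStrings> entry, SQL membership settings that leave passwords recoverable, and LDAP providers with useSSL="false", which the samples above use and which sends bind credentials to the directory in clear. The server names, file labels and trimmed provider attributes in it are assumptions.

```python
"""Lint the FBA web.config edits: the membership and role providers chosen for
the web application must exist, with a resolvable connection string, in every
edited file (added example, not code from the original post)."""
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to what the checks read. WEBAPP mirrors the
# page's provider names, but its SQL membership connectionStringName differs
# from the <connectionStrings> entry in case only, and its LDAP provider skips SSL.
WEBAPP = """<configuration>
  <connectionStrings><add name="AspNetSqlMembershipProvider" connectionString="data source=SQL01;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" /></connectionStrings>
  <system.web>
    <membership defaultProvider="i"><providers>
      <add name="AspNetSqlMembershipProvider" connectionStringName="AspNetSqlMemberShipProvider" passwordFormat="Hashed" enablePasswordRetrieval="false" type="System.Web.Security.SqlMembershipProvider, System.Web" />
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
    </providers></membership>
    <roleManager enabled="true" defaultProvider="c"><providers>
      <add name="AspNetSqlRoleProvider" connectionStringName="AspNetSqlMembershipProvider" type="System.Web.Security.SqlRoleProvider, System.Web" />
      <add name="LdapRoleManager" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server" server="dc01.contoso.local" port="389" useSSL="false" />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
    </providers></roleManager>
  </system.web>
</configuration>"""
# Constructed STS sample in which the SQL role provider was never added.
STS = """<configuration>
  <connectionStrings><add name="AspNetSqlMembershipProvider" connectionString="data source=SQL01;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" /></connectionStrings>
  <system.web>
    <membership><providers>
      <add name="AspNetSqlMembershipProvider" connectionStringName="AspNetSqlMembershipProvider" passwordFormat="Hashed" enablePasswordRetrieval="false" type="System.Web.Security.SqlMembershipProvider, System.Web" />
    </providers></membership>
    <roleManager enabled="true"><providers /></roleManager>
  </system.web>
</configuration>"""

def check_config(label, xml_text, fba_membership, fba_role):
    """Return a list of findings for one web.config; an empty list means clean."""
    root = ET.fromstring(xml_text)
    conn = {a.get("name") for a in root.findall("connectionStrings/add")}
    out = []
    for section, wanted in (("membership", fba_membership), ("roleManager", fba_role)):
        node = root.find(f"system.web/{section}")
        if node is None:
            out.append(f"{label}: <{section}> is missing under <system.web>")
            continue
        provs = {a.get("name"): a.attrib for a in node.findall("providers/add")}
        if wanted not in provs:
            out.append(f"{label}: {section} provider '{wanted}' selected in Central Admin is not defined")
        for name, attrs in provs.items():
            cs = attrs.get("connectionStringName")
            if cs is not None and cs not in conn:  # exact-name comparison, so case slips surface
                hint = "differs only in case" if cs.lower() in {c.lower() for c in conn} else "is undefined"
                out.append(f"{label}: {section} provider '{name}' connectionStringName '{cs}' {hint}")
            if attrs.get("useSSL", "").lower() == "false":
                out.append(f"{label}: {section} provider '{name}' talks to LDAP without SSL (bind credentials in clear)")
            if "SqlMembershipProvider" in attrs.get("type", "") and (attrs.get("passwordFormat") != "Hashed"
                    or attrs.get("enablePasswordRetrieval", "false").lower() != "false"):
                out.append(f"{label}: {section} provider '{name}' keeps passwords recoverable")
    return out

def check_farm(configs, fba_membership, fba_role):
    """Run check_config over {label: xml} for Central Admin, the STS and the FBA web application."""
    return [f for label, xml in configs.items() for f in check_config(label, xml, fba_membership, fba_role)]
```

To run it against a farm, read each real web.config with open() and pass its text in place of the constructed samples, with the provider names entered in step 8 as the last two arguments.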

Post-setup configuration

1. Browse to Central Admin web site.

2. Under ‘Application Management’, click on ‘Policy for Web Application’ link and add the first admin user.

3. Select the Zone (e.g. Extranet)

4. Add the selected user

5. Make sure to grant the required permission policy

Accessing the site

1. Browse to the Extranet site; if both Windows and FBA authentication are selected for the zone, the user is redirected to a landing sign-in page to select the type of authentication

2. Select Forms Authentication and provide the credentials

3. Make sure users have access to all content, and add additional FBA users with the required permission level as needed

  • hello...

    I'm very new to SharePoint...

    I followed your instructions plus an additional step to configure the ASP.NET DB.

    In step 3, I can't find the user that I created in the DB...

    It only shows the Windows users....

    So, how can I find the user that I created in the DB?

  • Ali,

    Do you know of any third party tool to configure FBA in SP 2010?

    If we configure it once in Central Admin, is it good for any number of sites, extended or new, in SP 2010?

    Let me know

    Neel

  • I have SharePoint Server 2010, the latest Enterprise edition.

    I've configured Claims based authentication for my site. I'm able to validate the user in Central Admin while creating the site collection for my application.

    My issue is that I'm not able to log in using the FBA users. I get the following error.

    Method is only supported if the user name parameter matches the user name in the current Windows Identity.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.FaultException`1[[System.ServiceModel.ExceptionDetail, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]: Method is only supported if the user name parameter matches the user name in the current Windows Identity.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [FaultException`1: Method is only supported if the user name parameter matches the user name in the current Windows Identity.]

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) +1148437

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +73

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26073377

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +26067948

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123

    System.Web.UI.WebControls.Login.AttemptLogin() +152

    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124

    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70

    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29

    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981

  • Many thanks, with the aid of this guide, I successfully configured MOSS2010 on Server 2008 x64 for the first attempt. Richard

  • I am trying to do the same with FBA against a SQL DB.

    I am getting this error; can someone give me some clues?

    Server Error in ‘/’ Application.

    ——————————————————————————–

    Server Error in ‘/’ Application.

    The remote server returned an error: (404) Not Found.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [WebException: The remote server returned an error: (404) Not Found.]

    System.Net.HttpWebRequest.GetResponse() +1126

    System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81

    [EndpointNotFoundException: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]

    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154

    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539

    Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123

    System.Web.UI.WebControls.Login.AttemptLogin() +152

    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124

    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70

    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29

    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981

    ——————————————————————————–

    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

  • Looking at the error, it looks like the STS endpoint is not working properly; you need to check in IIS and see if it is running properly.

  • Ali,

    I followed every step of yours, still getting the same issue.

    I have also installed the WCF hotfix, IIS is running fine, refreshed the pools.

    I am out of thoughts, help me out.

    Thanks

    Neel

  • Ali, this is good stuff! I was able to get my SharePoint Foundation FBA site up and running with this guide.

    However, can I use an existing aspnetdb for users?   I already have a custom web application running that uses one.  I want to point my Sharepoint Foundation to it and allow its users into Sharepoint.

    It almost works.  The problem seems to stem from the "ApplicationName" parameter in the membership provider element in the web.config files.

    If I use "/" and create users by using IIS 7, it works but does not allow the existing user accounts in. If I set "ApplicationName" to "TheNameOfTheExistingApp" and try to log in to SharePoint as the Site Collection Administrator I get an 'Access Denied' message.

    In the Central Administration site I can set an existing user as the site collection administrator.  

    Thanks,

    John

  • Excellent article bro, it made my day :)

  • Thanks for the very nice article.

    I have one doubt. If I want to get the application name in my default provider, how can I get it?

    I need the application name for validating the user.

  • Excellent article..!

    I followed your article and unfortunately I'm stuck with an error! I think it may be that the Secure Token Service web service is not working.

    I got an error

    No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    I am able to view the users created in the database through Central Administration!

  • I also got the same error as before: (Why)

    I followed your article and unfortunately I'm stuck with an error! I think it may be that the Secure Token Service web service is not working.

    I got an error

    No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    I am able to view the users created in the database through Central Administration!

  • Had this issue a couple of times with Beta builds but not in RTM; re-installing SP 2010 resolved the issue. Assuming you are trying this with the RTM build, have you noticed anything extra in the ULS log?

  • After following all these steps I'm getting the following error when I click the sign in button on the page.

    Please let me know what I have done incorrectly, as I am new to SharePoint 2010.

    Error

    The resource object with key 'MyAccount' was not found.

    Troubleshoot issues with Microsoft SharePoint Foundation.

    Correlation ID: eadaae5d-e455-41af-a033-b76b4e11a0ef

    Date and Time: 12/23/2010 11:29:32 AM

  • All,

    I am new to SharePoint 2010 and I have done the step-by-step procedure to create an extranet. But the only issue is that when I try to log in with the password, it shows an error in the web.config file

    <!-- Web.Config Configuration File -->

    <configuration>

       <system.web>

           <customErrors mode="RemoteOnly"/>

       </system.web>

    </configuration>

    Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

    <!-- Web.Config Configuration File -->

    <configuration>

       <system.web>

           <customErrors mode="On" defaultRedirect="mycustompage.htm"/>

       </system.web>

    </configuration>

    This is the error I am getting for a long time.. Need help.. Any suggestions are always welcome.
