tabs

Wednesday, March 16, 2011

Forms Based Authentication in SharePoint 2010 using Sql Memebership Providers

Basically Forms Based Authentication is a part of ASP.NET. So, it supports in all versions of SharePoint which are released after ASP.NET 2.0. In SharePoint 2010 it is the same process as what we did in earlier versions like WSS 3.0 and MOSS 2007 except one thing. In SharePoint 2010 while creating a web application we have an option to choose the application authentication mode Claims Based and Classic Mode. Know more about these authentication modes here.

Creating a web application which uses Claims Based Authentication:

This is pretty much straight forward,

  • Open Central Administration
  • From Application Management - > Manage Web Applications
  • From the top ribbon bar, select New
  • From the create web application page, chose the authentication mode to “Claims Based Authentication”
  • Give the name of web application, chose port number, path of web application.
  • Chose security configuration
  • From Claims Authentication Types, enable both WA and FBA.
  • In FBA section we have to give ASP.NET Membership provider name. In my case I have used “SQLMembershipProvider” and I am not using any roles so I left it blank.
  • Enter Sign in page url [default one], public url and other information and click OK.
  • Once web application is created, then create a site collection.
  • Now go to Manage Web application and from the list of web applications chose the option “Authentication Providers” from the ribbon.
  • From the dialog box you will see the Default zone set to the Claims authentication mode. Click the Default zone link where you can see the settings.

clip_image002

  • OK, application is ready and browse the application, you will see the below screen which gives you the option to choose either Windows Authentication or Forms authentication.

clip_image003

  • The remaining part is linking our application and the Sql Server database.
Create ASPNETDB to configure membership and Role providers

This process should be done on the database server. The result of the process is a database where we can save all the user and role information.

  • Login to the server where SQL Server is installed.
  • Open command prompt and navigate to location “%Sysroot%\Microsoft.NET\Framework\v2.0.50727”.
  • Run the “aspnet_regsql.exe“. Which will open the ASP.NET SQL Server setup wizard?
  • Click “Next” and chose the option “Configure Sql server for application services”

clip_image005

  • Click “Next” and give the SQL Server name and authentication information and in database by default it shows <default> means the name will be ASPNETDB, but you can change the name here if you want.

clip_image007

  • Click “Next” and Finish the wizard. It will create a database for you with the entire schema required to save users and roles.
  • Now, we have to enter some data to the database. For this we have some tools available from Codeplex.
  • Go to this site and download “Membershipseeder.zip
  • Extract it and run it and create n number of users and roles [if you want]. Note that if you have given some name to the database other than the default name aspnetdb then in membershipseeder config file please change connection string.
  • Now, we are ready with database with all some test data in it.

 

Give specific permissions to the service accounts:

We have created the database successfully. Before we proceed,

  • The service account or application pool user account of our FBA application,
  • Application pool account [service account] of central administration and
  • Security token service application pool user accounts

should have access to the database to go and get information of the users and roles. Almost in all environments the system administrators creates the service accounts we have to use in our applications. If you are not following those base rules in using service accounts then you may use different service accounts for all the three applications. In that case you have to go through all the three application we have mentioned above and give them access to database. If you are following the riles of using service accounts then may be only one service account used for all the three applications and give the service account access to database.

Modify web.config files of applications to communicate with database using providers

1. To get the users from sql server database to central administration site we have to change web.config of Central Administration site.

2. To get the users from Sql server database to web application which we created to work FBA, we have to change its web.config.

3. To login to the site using claims based authentication, it uses security token service application. So, we have to change its configuration file.

So, the site we created for FBA to work using forms authentication we have to change 3 web.config files totally.

Note: Before you are making any changes to the web.config file of any application please take the backup of it.

The main changes include connection string and providers.

i. Modify web.config of web application we created:
Adding ConnectionString

Add Connectionstring just above <System.Web> starts or just below </Sharepoint> ends.

<connectionStrings>

<add name="SQLConnectionString" connectionString="data source=SP2010-DB-02;Integrated Security=SSPI;Initial Catalog=aspnetdb" />

</connectionStrings>

Adding providers for membership and role [if needed]

Before you add any providers find are there any membership or rolemanager tags in the web.config file. And add the providers [<rolemanager> and <membership>] to the <System.Web> tag. Make sure that you are not doing any changes to the existing providers. By default there are providers with name “C” and “I”. So, do not touch them and add only the providers which we are adding like “SQLRoleManager” and “SqlMembershipProvider”. Finally the <rolemanager> section and <membership> section as shown below. Highlighted in red tags are I added to web.config.

<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">

<providers>

<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

<membership defaultProvider="i">

<providers>

<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

Save all your changes and we are done with configuration changes for FBA site.

ii. Modify web.config of Central Administration site
Add Connectionstring

Add Connectionstring just above <System.Web> starts or just below </Sharepoint> ends.

<connectionStrings>

<add name="SQLConnectionString" connectionString="data source=SP2010-DB-02;Integrated Security=SSPI;Initial Catalog=aspnetdb" />

</connectionStrings>

Adding providers for membership and role [if needed]

Before you add any providers find are there any membership or rolemanager tags in the web.config file. And add the providers [<rolemanager> and <membership>] to the <System.Web> tag. Make sure that you are not doing any changes to the existing providers. Finally the <rolemanager> section and <membership> section as shown below. Highlighted in red tags are I added to web.config.

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">

<providers>

<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

<membership defaultProvider="SQLMembershipProvider">

<providers>

<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

Save the web.config file and we are done with configuration changes for CA.

iii. Modify web.config of Security Token Service Application

Open inetmgr from run command and open IIS. From the list of sites available expand “SharePoint Web Services” and find SecurityTokenServiceApplication.

clip_image009

Right click on the application and explore, which will opens the file system file location of the application. By default it will be in “%programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken”. Find the web.config of the application and modify it.

Add connectionstring

Just above <System.Web> starts add the connection strings tag.

<connectionStrings>

<add name="SQLConnectionString" connectionString="data source=SP2010-DB-02;Integrated Security=SSPI;Initial Catalog=aspnetdb" />

</connectionStrings>

Adding providers for membership and role [if needed]

Before you add any providers find are there any membership or rolemanager tags in the web.config file. And add the providers [<rolemanager> and <membership>] to the <System.Web> tag. Make sure that you are not doing any changes to the existing providers. By default there are providers with name “C” and “I”. So, do not touch them and add only the providers which we are adding like “SQLRoleManager” and “SqlMembershipProvider”. Finally the <rolemanager> section and <membership> section as shown below. Highlighted in red tags are I added to web.config.

<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">

<providers>

<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

<add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

<membership defaultProvider="i">

<providers>

<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

If everything goes well, then in central administration site and your FBA application people picker able to find the users in the sql server aspnetdb database. And you will successfully logged-in to the site without any issues.

7 comments:

  1. I am foolowing the steps, but when i am going to configurate the web config of the security token service app, it doesnt have a tag

    ReplyDelete
  2. Rudy,
    Please give me specific explanation of where you are facing issue in web.config? Which site and which tag?

    ReplyDelete
  3. hi
    Thank you for your doc but I have the same problem. on the web config of the security token service app I don't see the the section and section.

    thank you for your help

    ReplyDelete
  4. Could you please tell me which section or which tag???

    ReplyDelete
  5. hi

    I was trying to add providers for membership and role on the SecurityToken file
    You said that normly we should have
    By default there are providers with name “C” and “I”.
    i found them on the others web.config but not for the securitytoken web.config
    i don't see the section and section

    did I miss something ?

    Sorry for my english and thanks again

    ReplyDelete
  6. If there are no sections with C and T then directly add the tags in the web.config.

    -Praveen.

    ReplyDelete
  7. how many providers can you have in one site?

    can you have AD and SQL?

    ReplyDelete