Monday, December 6, 2010

Forms Based Authentication in SharePoint 2010 - Part 1

In SharePoint 2010 a web application is created with either Classic Mode Authentication or Claims Based Authentication. Classic mode means integrated Windows authentication only (NTLM or Kerberos). Claims Based Authentication is built on Windows Identity Foundation (WIF); in this mode you can enable Windows authentication, forms based authentication, or both on the same zone. Forms based authentication can only be configured on web applications created with Claims Based Authentication; you cannot configure FBA on a classic mode web application. An existing classic mode web application can be converted to claims based with a PowerShell script, but the conversion is one-way: there is no supported way to switch a claims based web application back to classic mode.
In this article we will see how to configure FBA against a SQL Server membership database on a SharePoint 2010 site. The process involves the following configuration steps:

  1. Create the SQL Server user membership database

  2. Create a SharePoint web application based on Claims Authentication, or convert an existing classic mode web application to claims based

  3. Modify the web.config files of the following virtual directories:

    1. Central Administration virtual directory

    2. Security Token Service (STS) virtual directory

    3. New web application virtual directory


  4. Create a custom login form




Setup SQL Server user database

  1. Run aspnet_regsql.exe, located in C:\Windows\Microsoft.NET\Framework\v2.0.50727 or C:\Windows\Microsoft.NET\Framework64\v2.0.50727 (either copy creates the same schema)

  2. The ASP.NET SQL Server Setup Wizard appears; select "Configure SQL Server for application services" and click Next

  3. Enter the SQL Server and the FBA database name; e.g. Server = FBADBServer; Database = FBADB

  4. Complete the wizard and close it

  5. Make sure every application pool account that will read this database has access to it: the account of your web application, the Central Administration application pool, and the Security Token Service application pool (the farm account), because in SharePoint 2010 it is the STS that validates forms credentials. Grant them the aspnet_Membership_* and aspnet_Roles_* database roles that aspnet_regsql created rather than db_owner.

  6. Create some test users in this database; you can use the MembershipSeeder tool from CodePlex - http://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7450
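The same setup as a script, as an added example that is not code from the original post. It runs aspnet_regsql in command-line mode (the wizard above does the same thing) and then grants each SharePoint service account only the aspnet_* database roles the providers use, instead of db_owner. The server name, database name and the two account names are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): create the membership/roles schema
# and grant the SharePoint service accounts least-privilege access to it.
function Initialize-FbaDatabase {
    param(
        [string]$Server   = "FBADBServer",   # assumed SQL Server name
        [string]$Database = "FBADB",         # assumed database name
        # Accounts that must reach the database: the FBA web application pool,
        # the Central Administration pool and the STS pool (farm account). Assumed names.
        [string[]]$ServiceAccounts = @("CONTOSO\sp_webapp", "CONTOSO\sp_farm")
    )
    $regsql = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
    # -E = connect with the current Windows credentials, -A mr = add membership + roles only
    & $regsql -S $Server -E -A mr -d $Database
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql failed with exit code $LASTEXITCODE" }

    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    try {
        foreach ($account in $ServiceAccounts) {
            # Principal names cannot be parameterised in DDL, so quote them as [..] / N'..'
            # with the closing bracket and the quote escaped.
            $id  = "[" + $account.Replace("]", "]]") + "]"
            $lit = "N'" + $account.Replace("'", "''") + "'"
            $cmd = $conn.CreateCommand()
            $cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = $lit)
    CREATE LOGIN $id FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = $lit)
    CREATE USER $id FOR LOGIN $id;
-- roles created by aspnet_regsql: execute rights on the provider stored procedures only
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', $lit;
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', $lit;
"@
            [void]$cmd.ExecuteNonQuery()
        }
    } finally {
        $conn.Close()
    }
}

Initialize-FbaDatabase
```

Run it once, as a user who is sysadmin on the SQL Server. The aspnet_Membership_* and aspnet_Roles_* roles are what aspnet_regsql creates for exactly this purpose; the FullAccess variants cover login validation and the people picker queries without giving the service accounts rights to any other table.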


Create a new web application

  1. Go to Central Administration -> Application Management -> Manage Web Applications -> click New

  2. Select Claims Based Authentication

  3. In the Claims Authentication Types section:

    • Check the Enable Windows Authentication check box

    • Check the Enable Forms Based Authentication (FBA) check box

      • In the ASP.NET Membership provider name text box, type AspNetSqlMembershipProvider

      • In the ASP.NET Role manager name text box, type AspNetSqlRoleProvider

    At this point these two names are only labels; they must match the name attributes of the providers you add to the web.config files later, otherwise SharePoint looks up a provider that is not registered.

  4. Create a new site collection on this newly created web application.
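The scripted equivalent of the four Central Administration steps above, run from the SharePoint 2010 Management Shell, as an added example that is not code from the original post. The URL, port, application pool name, managed account and site owner are assumptions; the two provider names are the ones the post uses.

```powershell
# Added example (not from the original post): create a claims web application with
# Windows + forms authentication on the Default zone, then a root site collection.
function New-FbaWebApplication {
    param(
        [string]$Url            = "http://fba.contoso.com",   # assumed
        [int]$Port              = 80,
        [string]$AppPoolName    = "FBAWebAppPool",            # assumed
        [string]$AppPoolAccount = "CONTOSO\sp_webapp",        # assumed; must already be a managed account
        [string]$SiteOwner      = "CONTOSO\sp_admin"          # assumed
    )
    # Windows authentication as a claims provider (NTLM; drop -DisableKerberos if Kerberos is set up)
    $windows = New-SPAuthenticationProvider -DisableKerberos
    # Forms authentication: the names must match the <membership>/<roleManager> providers in web.config
    $forms = New-SPAuthenticationProvider -ASPNETMembershipProvider "AspNetSqlMembershipProvider" -ASPNETRoleProviderName "AspNetSqlRoleProvider"

    $params = @{
        Name                   = "FBA Web Application"
        Url                    = $Url
        Port                   = $Port
        ApplicationPool        = $AppPoolName
        ApplicationPoolAccount = (Get-SPManagedAccount $AppPoolAccount)
        AuthenticationProvider = @($windows, $forms)   # passing providers makes it a claims web app
    }
    $wa = New-SPWebApplication @params

    # On a claims web application the owner is given in claims-encoded form (i:0#.w|domain\user)
    $owner = (New-SPClaimsPrincipal -Identity $SiteOwner -IdentityType WindowsSamAccountName).ToEncodedString()
    New-SPSite -Url $Url -OwnerAlias $owner -Template "STS#0" -Name "FBA Test Site" | Out-Null

    return $wa
}

$webApp = New-FbaWebApplication
$webApp.IisSettings["Default"].ClaimsAuthenticationProviders | Select-Object DisplayName
```

The last line lists the providers registered on the Default zone; both the Windows provider and the forms provider should appear, which is the same information Central Administration shows under Authentication Providers.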



Convert Web application from Classic Mode to Claims based Authentication

  • On the Start menu, click All Programs -> Microsoft SharePoint 2010 Products -> SharePoint 2010 Management Shell

  • From the Windows PowerShell command prompt, type the following (replace URL with the web application's URL):

    $webApp = Get-SPWebApplication "URL"
    $webApp.UseClaimsAuthentication = $true
    $webApp.Update()
    $webApp.ProvisionGlobally()

  • This converts the classic mode web application to claims based. The change is one-way; there is no supported way back to classic mode, so try it on a non-production copy first. Existing users, site collection administrators and web application policies are still stored as classic Windows identities after the switch: Microsoft's migration guidance first adds a Full Control web application policy for the migrating account in claims form and then calls the web application's MigrateUsers method before ProvisionGlobally, so that existing permissions keep working.

  • Go to the web application's Authentication Providers settings -> click Default Zone -> check Enable Forms Based Authentication (FBA) and enter the membership and role provider names, as in step 3 of "Create a new web application".
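The conversion with the extra steps from Microsoft's classic-to-claims migration guidance, as an added example that is not code from the original post: a guard against running it twice, a Full Control policy for the migrating account in claims form, and MigrateUsers before ProvisionGlobally. The URL and the administrator account are assumptions.

```powershell
# Added example (not from the original post): one-way classic -> claims conversion
# that also migrates existing user entries, run from the SharePoint 2010 Management Shell.
function Convert-WebAppToClaims {
    param(
        [string]$Url          = "http://intranet.contoso.com",   # assumed
        [string]$AdminAccount = "CONTOSO\sp_admin"               # assumed; the account running this script
    )
    $wa = Get-SPWebApplication $Url
    if ($wa.UseClaimsAuthentication) {
        Write-Warning "$Url already uses claims authentication; nothing to do."
        return $wa
    }

    # The switch itself. There is no supported way back to classic mode.
    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    # Policies created in classic mode refer to plain Windows identities; add the
    # administrator again as a claim (i:0#.w|domain\user) so the migration runs with Full Control.
    $claim  = (New-SPClaimsPrincipal -Identity $AdminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
    $policy = $wa.ZonePolicies("Default").Add($claim, "Claims migration policy")
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    $wa.Update()

    # Rewrite existing user entries from classic to claims identities, then reprovision IIS.
    $wa.MigrateUsers($true)
    $wa.ProvisionGlobally()
    return $wa
}

$converted = Convert-WebAppToClaims
$converted.UseClaimsAuthentication   # expected: True
```

After it finishes, open Authentication Providers for the web application: the Default zone now shows Claims Based Authentication, and forms authentication can be enabled on it as described above.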





Modify Central Administration site’s web.config File

  • "ConnectionStrings" Entry


    <configSections>…</configSections>
    <connectionStrings>
    <clear />
    <add name="AspNetSqlMembershipProvider" connectionString="data source=FBADBSERVER;Integrated Security=SSPI;Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
    </connectionStrings>

    Integrated Security=SSPI makes the connection run as the application pool identity, so no SQL password is stored in web.config; this is why the application pool accounts were granted access to FBADB in step 5 of the database setup.



  • "PeoplePickerWildcards" Entry


    <SafeControls>…</SafeControls>
    <PeoplePickerWildcards>
    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="AspNetWindowsTokenRoleProvider" value="%"/>
    </PeoplePickerWildcards>




  • "RoleManager & Membership" Entries


    <system.web>
    <roleManager enabled="true"
    cacheRolesInCookie="false"
    cookieName=".ASPXROLES"
    cookieTimeout="30"
    cookiePath="/"
    cookieRequireSSL="false"
    cookieSlidingExpiration="true"
    cookieProtection="All"
    defaultProvider="AspNetWindowsTokenRoleProvider"
    createPersistentCookie="false"
    maxCachedResults="25">
    <providers>
    <clear />
    <add connectionStringName="AspNetSqlMembershipProvider"
    applicationName="/"
    name="AspNetSqlRoleProvider"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add applicationName="/"
    name="AspNetWindowsTokenRoleProvider"
    type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </roleManager>

    <membership defaultProvider="AspNetSqlMembershipProvider"
    userIsOnlineTimeWindow="15" hashAlgorithmType="">
    <providers>
    <clear />
    <add connectionStringName="AspNetSqlMembershipProvider"
    enablePasswordRetrieval="false"
    enablePasswordReset="true"
    requiresQuestionAndAnswer="true"
    passwordAttemptWindow="10"
    applicationName="/"
    requiresUniqueEmail="false"
    passwordFormat="Hashed"
    name="AspNetSqlMembershipProvider"
    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </membership>


    </system.web>

    Use one spelling of the provider name (AspNetSqlMembershipProvider, exactly as entered in Central Administration) for the name attribute, the defaultProvider attribute and the connectionStringName in every web.config; a name that differs from what Central Administration was given makes SharePoint look up a provider that is not registered. passwordFormat="Hashed" with enablePasswordRetrieval="false" stores passwords as salted hashes that can be reset but never read back; requiresQuestionAndAnswer="true" means a reset needs the user's security answer, which a custom login form has to collect.





Modify Security Token Service (STS) Site’s web.config
(Located at - %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken\web.config)

  • Add the following connectionStrings, roleManager and membership entries. They go after the existing <system.net> section, just before the closing </configuration> tag:

    <configuration>

    <system.net>

    </system.net>
    <connectionStrings>
    <clear />
    <add name="AspNetSqlMembershipProvider" connectionString="data source=FBADBSERVER;Integrated Security=SSPI;Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
    </connectionStrings>
    <system.web>
    <membership>
    <providers>
    <add connectionStringName="AspNetSqlMembershipProvider"
    enablePasswordRetrieval="false"
    enablePasswordReset="true"
    requiresQuestionAndAnswer="true"
    passwordAttemptWindow="10"
    applicationName="/"
    requiresUniqueEmail="false"
    passwordFormat="Hashed"
    name="AspNetSqlMembershipProvider"
    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </membership>

    <roleManager enabled="true">
    <providers>
    <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/"
    name="AspNetSqlRoleProvider"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </roleManager>
    </system.web>

    </configuration>

    The STS is the component that actually calls ValidateUser against the membership database when someone signs in with forms credentials, which is why its web.config needs the provider and its application pool account (the farm account) needs access to FBADB. It does not need the PeoplePickerWildcards entry.




Modify claims based web application’s web.config file

  • "ConnectionStrings" Entry

    <configSections>…</configSections>
    <connectionStrings>
    <clear />
    <add name="AspNetSqlMembershipProvider" connectionString="data source=FBADBSERVER;Integrated Security=SSPI;Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
    </connectionStrings>


  • "PeoplePickerWildcards" Entry

    <SafeControls>…</SafeControls>
    <PeoplePickerWildcards>
    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="AspNetWindowsTokenRoleProvider" value="%"/>
    </PeoplePickerWildcards>



  • "RoleManager & Membership" Entries


    <system.web>
    <membership defaultProvider="i" userIsOnlineTimeWindow="15" hashAlgorithmType="">
    <providers>
    <clear />
    <add connectionStringName="AspNetSqlMembershipProvider"
    enablePasswordRetrieval="false"
    enablePasswordReset="true"
    requiresQuestionAndAnswer="true"
    passwordAttemptWindow="10"
    applicationName="/"
    requiresUniqueEmail="false"
    passwordFormat="Hashed"
    name="AspNetSqlMembershipProvider"
    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add name="i"
    type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </providers>
    </membership>
    <roleManager enabled="true"
    cacheRolesInCookie="false"
    cookieName=".ASPXROLES"
    cookieTimeout="30"
    cookiePath="/"
    cookieRequireSSL="false"
    cookieSlidingExpiration="true"
    cookieProtection="All"
    defaultProvider="c"
    createPersistentCookie="false"
    maxCachedResults="25">
    <providers>
    <clear />
    <add connectionStringName="AspNetSqlMembershipProvider"
    applicationName="/"
    name="AspNetSqlRoleProvider"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add applicationName="/"
    name="AspNetWindowsTokenRoleProvider"
    type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </providers>
    </roleManager>

    </system.web>

    On the claims web application the "i" and "c" providers already exist in web.config and must stay the defaults: they are SharePoint's claims wrappers, and the SQL providers are only added next to them. Setting defaultProvider to the SQL provider here breaks claims authentication for the whole web application.





Save all three web.config files and run IISRESET.
Now open the web application in a new browser session. Because both Windows and forms authentication are enabled on the zone, SharePoint shows its mixed-mode sign-in page, which lets you choose the authentication type (Windows Authentication or Forms Authentication) before logging in; a forms user created in step 6 of the database setup should be able to sign in with the Forms Authentication option.
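A check to run before the IISRESET, as an added example that is not code from the original post: it reads each edited web.config and reports the mistakes that most often break this setup (a provider whose connectionStringName points at no connection string, a provider name that differs from the one given to Central Administration, retrievable or unhashed passwords, and a claims web application whose defaults are no longer "i" and "c"). The name comparison is deliberately case-sensitive so that spelling variants are caught. The file paths in the usage lines are assumptions.

```powershell
# Added example (not from the original post): sanity-check a web.config after the FBA edits.
function Test-FbaWebConfig {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [string]$MembershipProvider = "AspNetSqlMembershipProvider",   # as typed in Central Administration
        [string]$RoleProvider       = "AspNetSqlRoleProvider",
        [switch]$IsClaimsWebApp                                        # the FBA web app must keep "i"/"c" as defaults
    )
    [xml]$cfg = Get-Content -Path $WebConfigPath
    $problems = @()

    $member = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$MembershipProvider']")
    $role   = $cfg.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$RoleProvider']")
    if (-not $member) { $problems += "membership provider '$MembershipProvider' not found (check spelling and case)" }
    if (-not $role)   { $problems += "role provider '$RoleProvider' not found (check spelling and case)" }

    # Each provider's connectionStringName must resolve to a <connectionStrings><add name=...>
    foreach ($p in @($member, $role)) {
        if ($p) {
            $csName = $p.GetAttribute("connectionStringName")
            $cs = $cfg.SelectSingleNode("/configuration/connectionStrings/add[@name='$csName']")
            if (-not $cs) { $problems += "provider '$($p.GetAttribute('name'))' references missing connection string '$csName'" }
        }
    }

    # Passwords must be stored hashed and must never be retrievable in clear text
    if ($member -and $member.GetAttribute("passwordFormat") -ne "Hashed") { $problems += "passwordFormat should be Hashed" }
    if ($member -and $member.GetAttribute("enablePasswordRetrieval") -eq "true") { $problems += "enablePasswordRetrieval must be false" }

    if ($IsClaimsWebApp) {
        $m = $cfg.SelectSingleNode("/configuration/system.web/membership")
        $r = $cfg.SelectSingleNode("/configuration/system.web/roleManager")
        if (-not $m -or $m.GetAttribute("defaultProvider") -ne "i") { $problems += "membership defaultProvider must stay 'i' on a claims web application" }
        if (-not $r -or $r.GetAttribute("defaultProvider") -ne "c") { $problems += "roleManager defaultProvider must stay 'c' on a claims web application" }
    }

    if ($problems.Count -eq 0) { return "OK: $WebConfigPath" }
    return $problems | ForEach-Object { "PROBLEM ($WebConfigPath): $_" }
}

# Usage; the IIS paths are assumptions (port 80 web application, Central Administration on port 2010)
$hive = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\14"
Test-FbaWebConfig -WebConfigPath (Join-Path $hive "WebServices\SecurityToken\web.config")
Test-FbaWebConfig -WebConfigPath "C:\inetpub\wwwroot\wss\VirtualDirectories\2010\web.config"
Test-FbaWebConfig -WebConfigPath "C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config" -IsClaimsWebApp
```

The check only proves the files are internally consistent; whether the application pool identities can actually open FBADB is verified by the sign-in test that follows the IISRESET.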



Custom Login Form

Forms Based Authentication in SharePoint 2010 - Part 2 >>
