1. Create a new web application
2. Configure support for FBA in central admin, our new web app, and a new thing in SharePoint 2010 called the STS web service
3. Add a User Policy to our web app that will grant an FBA user rights to the site
4. Login to the site and start using it!
Step 1 – Create a New Web Application
· Authentication: Claims Based Authentication
· Identity Providers
o Check the Enable Windows Authentication box or you won’t be able to crawl the site (the search crawler authenticates with Windows credentials)
o Check the Enable ASP.NET Membership and Role Provider checkbox
§ In the Membership provider name edit box, type LdapMember
§ In the Role provider name edit box, type LdapRole
· I won’t cover all of the other sections in the new web app dialog because they aren’t specific to using FBA, so just fill them in with whatever values are appropriate for your implementation
Step 2 – Configure FBA Support
1. Add an opening <system.web> tag and press Enter.
2. Copy and paste in the chunk of Xml shown above.
3. Add a </system.web> closing tag directly below the Xml you pasted in.
4. Find the <roleManager> element in the Xml you pasted in and delete its defaultProvider attribute. That leaves your roleManager element looking like this: <roleManager enabled="true">
Okay, good – now you’ve finished step 2. The hardest part is done.
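The same provider Xml has to land in three web.config files (Central Admin, the new web app and the SecurityTokenServiceApplication), and a typo in any one of them is the usual cause of a people picker or sign-in that silently fails. The following is an added example, not code from the original post: a small Python check that parses each file, confirms the LdapMember and LdapRole entries exist, reports any attribute that differs between files, and verifies that the STS roleManager element has no defaultProvider attribute (Step 2, item 4). The web.config fragments embedded in it are constructed and abbreviated; the provider type strings are placeholders rather than the real assembly-qualified names, and the labels centraladmin, webapp and sts are an assumption of the demo.

```python
"""Consistency check for the LdapMember / LdapRole provider entries across the
three web.config files edited in Step 2. Added example, not code from the
original post; the fragments below are constructed and abbreviated, and the
provider 'type' strings are placeholders, not the real assembly-qualified names.
"""
import xml.etree.ElementTree as ET

MEMBERSHIP_PROVIDER = "LdapMember"   # provider names entered in Step 1
ROLE_PROVIDER = "LdapRole"

CENTRAL_ADMIN = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMember" type="LdapMembershipProvider" server="ldap.contoso.com" port="389" useSSL="false" />
  </providers></membership>
  <roleManager enabled="true"><providers>
    <add name="LdapRole" type="LdapRoleProvider" server="ldap.contoso.com" port="389" useSSL="false" />
  </providers></roleManager>
</system.web></configuration>"""

WEB_APP = CENTRAL_ADMIN   # the post pastes the same Xml into each file

# Deliberately broken STS config: a port typo, and the defaultProvider attribute
# that Step 2, item 4 says to delete.
STS_BROKEN = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMember" type="LdapMembershipProvider" server="ldap.contoso.com" port="398" useSSL="false" />
  </providers></membership>
  <roleManager enabled="true" defaultProvider="c"><providers>
    <add name="LdapRole" type="LdapRoleProvider" server="ldap.contoso.com" port="389" useSSL="false" />
  </providers></roleManager>
</system.web></configuration>"""


def find_provider(config_xml, section, name):
    """Return the attributes of <system.web>/<section>/<providers>/<add name=...>, or None."""
    root = ET.fromstring(config_xml)
    for add in root.iterfind(f"./system.web/{section}/providers/add"):
        if add.get("name") == name:
            return dict(add.attrib)
    return None


def check_configs(configs):
    """configs maps a label ('centraladmin', 'webapp', 'sts') to web.config text.
    Returns a list of human-readable problems; an empty list means the files agree."""
    problems = []
    reference = {}   # provider name -> (label, attrs) from the first file that carries it
    for label, xml_text in configs.items():
        for section, name in (("membership", MEMBERSHIP_PROVIDER), ("roleManager", ROLE_PROVIDER)):
            attrs = find_provider(xml_text, section, name)
            if attrs is None:
                problems.append(f'{label}: no <add name="{name}"> under <{section}>')
                continue
            ref_label, ref_attrs = reference.setdefault(name, (label, attrs))
            for key in sorted(set(ref_attrs) | set(attrs)):
                if ref_attrs.get(key) != attrs.get(key):
                    problems.append(
                        f"{label}: {name} {key}={attrs.get(key)!r} differs from "
                        f"{ref_label} ({ref_attrs.get(key)!r})")
    sts = configs.get("sts")
    if sts is not None:
        role_manager = ET.fromstring(sts).find("./system.web/roleManager")
        if role_manager is None:
            problems.append("sts: no <roleManager> element")
        else:
            if role_manager.get("enabled") != "true":
                problems.append('sts: <roleManager> must have enabled="true"')
            if role_manager.get("defaultProvider") is not None:
                problems.append("sts: delete the defaultProvider attribute from <roleManager> (Step 2, item 4)")
    return problems


if __name__ == "__main__":
    for problem in check_configs({"centraladmin": CENTRAL_ADMIN, "webapp": WEB_APP, "sts": STS_BROKEN}):
        print(problem)
```

Point the three constants at the real files (or read them from disk) and an empty list back from check_configs means the provider entries agree; the first file seen is used as the reference, so list Central Admin first.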
Step 3 – Add A User Policy
1. Click on the Add Users link.
2. In the Zones drop down, select the Default zone and click the Next button.
3. Click the Address Book icon. This brings up the people picker and will tell you very quickly whether everything is configured correctly. The first thing you should notice is that you see a new interface. I think it’s going to be called the Principal Picker or some other equally nerdy name, but you get the point: it lets you search in one dialog and shows matches from all of the directories you have configured. It’s pretty slick. Go ahead and type in the NT login name or account name (use whatever nomenclature you prefer here) and click the search button. If it’s working correctly you should see at least two entries for the account: one for the user’s Active Directory account, and one for that same account as found through the LDAP provider. SharePoint treats them as separate principals, so a policy granted to one does not apply to the other.
4. Select the account in the User section and click the Add button.
5. Click the OK button.
6. Check the Full Control checkbox, then click the Finish button.
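The reason the people picker in Step 3 shows the same person twice is that a User Policy is stored against a claims-encoded identity string, and the Windows identity and the LdapMember (forms) identity encode differently. The following is an added example, not code from the original post, that encodes and decodes those strings and checks whether a policy covers a given sign-in. The claim-type and authentication-mode characters it handles are the ones SharePoint 2010 uses, but only a subset of its table is covered, and treating a policy match as a case-insensitive string comparison is a simplification made for the demo; the account names are constructed.

```python
"""Encode and decode SharePoint 2010 claims-encoded identities.

Added example, not code from the original post. The claim-type and
authentication-mode characters below are the ones SharePoint 2010 uses, but
only a subset of its table is covered, and treating a User Policy match as a
case-insensitive string comparison is a simplification made for the demo.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Fourth character of the encoded string: which claim type the value is.
CLAIM_TYPE_CHARS = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "+": "http://schemas.microsoft.com/sharepoint/2009/08/claims/groupsid",
}
# Sixth character: how the principal authenticated.
AUTH_MODE_CHARS = {"w": "windows", "f": "forms", "t": "trusted"}


@dataclass(frozen=True)
class Principal:
    is_identity: bool       # 'i' = identity claim (a user), 'c' = any other claim (role, group)
    claim_type: str
    auth_mode: str
    issuer: Optional[str]   # provider name for forms/trusted claims; None for Windows
    value: str


def encode_windows_user(logon_name: str) -> str:
    # "i:0#.w|contoso\\steve": Windows identities carry no issuer segment
    return f"i:0#.w|{logon_name}"


def encode_forms_user(provider: str, user_name: str) -> str:
    # "i:0#.f|ldapmember|steve": the membership provider name is the issuer, lower-cased
    return f"i:0#.f|{provider.lower()}|{user_name}"


def encode_forms_role(provider: str, role_name: str) -> str:
    # "c:0-.f|ldaprole|Site Admins": a role claim issued by the role provider
    return f"c:0-.f|{provider.lower()}|{role_name}"


def encode_windows_group(sid: str) -> str:
    # "c:0+.w|s-1-5-21-...": an AD group is carried as its SID
    return f"c:0+.w|{sid}"


def decode(encoded: str) -> Principal:
    """Split 'i:0#.f|ldapmember|steve' into its parts; only string-typed ('.') claims are handled."""
    head, sep, rest = encoded.partition("|")
    if sep != "|" or len(head) != 6 or head[1] != ":" or head[2] != "0" or head[4] != ".":
        raise ValueError(f"not a claims-encoded identity: {encoded!r}")
    kind, type_char, mode_char = head[0], head[3], head[5]
    if kind not in ("i", "c") or type_char not in CLAIM_TYPE_CHARS or mode_char not in AUTH_MODE_CHARS:
        raise ValueError(f"unsupported claim encoding: {encoded!r}")
    issuer = None
    if mode_char in ("f", "t"):
        issuer, sep, rest = rest.partition("|")
        if sep != "|":
            raise ValueError(f"missing issuer segment: {encoded!r}")
    return Principal(kind == "i", CLAIM_TYPE_CHARS[type_char], AUTH_MODE_CHARS[mode_char], issuer, rest)


def policy_covers(policy_members: Sequence[str], encoded_login: str) -> bool:
    """Does a User Policy granted to these encoded principals apply to this sign-in?"""
    wanted = encoded_login.lower()
    return any(member.lower() == wanted for member in policy_members)


if __name__ == "__main__":
    # A Step 3 policy granted to the Active Directory entry only.
    policy = [encode_windows_user("contoso\\steve")]
    print(decode(policy[0]))
    print(policy_covers(policy, "i:0#.w|contoso\\steve"))                    # IWA sign-in: covered
    print(policy_covers(policy, encode_forms_user("LdapMember", "steve")))  # FBA sign-in: not covered
```

Run as written, the Windows entry covers an IWA sign-in but not an LdapMember sign-in by the same person, which is why the entry you select in Step 3 has to be the one found through the LDAP provider if the user will come in through the form, and why a user who uses both paths ends up being authorized twice.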
Step 4 – Login
Very nicely written article. A few questions:
1. We now have options for multiple auth methods in the same zone. Could you describe some scenarios where this will be applicable?
2. Why do we need to configure providers in the STS service app web.config?
3. Do we have any detailed documentation on this new architecture for claims and multiple auth methods in the same zone?
Hi Tajeshwar, I will try and answer your questions here:
1. For all scenarios where you need multiple authentication providers but don't need or want different URLs. This is definitely a smaller case than the typical use of FBA in SharePoint 2007, where you would create a different zone and auth for external users. I've already seen one case in one of the SharePoint 2010 pre-release programs where this is exactly what the customer wanted. This is really just a value add; it doesn't preclude you from creating additional zones as you did in SharePoint 2007.
2. You need to configure providers in the STS web.config because all FBA auth in 2010 uses the claims infrastructure, and the SharePoint STS is like our "claims processing engine" in SharePoint 2010.
3. I'm not aware of any detailed documentation on this yet.
Good stuff. I just tried this with an ADLDS directory (single machine - SP2010, Ad, SQL).
I cannot get it to work for me.
I configured the web.configs as described above for all 3 web apps.
When I do a peoplepicker in central admin, it cannot find my ADLDS users.
Hi Donal; I do know there are some issues (at least in the beta) with running SharePoint on a domain controller. I don't know if this specific case is one or not. Unfortunately having it all on one box also makes it tougher to troubleshoot. If they were on different boxes for example, we could look at a netmon sniff between the SharePoint and AD server to see what's going back and forth between them. In the absence of that, my best advice is not great, which is just to really double check all of the custom settings you created for all three web.config files. It can be tedious business and anytime I have had a problem some typo or bad info on my part was usually the culprit. Sorry I don't have much more to help you with here.
Thanks Steve. I managed to get the PeoplePicker working OK. FBA flat out refuses to work though, with no insight in the logs. My next move is to use the credentials of an LDAP account, and not use the SharePoint app pool account.
In case someone comes here looking for a similar guide on how to set up an ASP.NET SQL provider:
Also - and it may not be helpful in all cases - but in my case I wanted the custom provider available to ALL sites...
So, following this tip: http://blog.sharepointengine.com/2009/01/iis-70-cannot-get-membership-provider.html, I just set up the providers using IIS 7 (connection string, role, and members).
This process is working for me but I have recently run into a problem with Visual Studio 2010 in that I am unable to add a new Content Type item or Event Receiver to a project that utilizes a site that has been configured for claims-based authentication. It works if I use classic authentication but I would prefer the approach taken here. By any chance, do you receive the error "Attempted to perform an unauthorized operation" if you create an empty project for an existing SharePoint site using claims-based authentication and attempt to add a new Content Type item to the empty project?
I've had pretty good luck configuring this so far, but some problems:
When I search on my name in the address book, I come up twice, both listed under AD. Could this be because I have pointed the LDAP provider settings in all the XML above to the same server that is our Active Directory server? My goal here is to be able to have users sign in with an SSL-secured form using their AD credentials when they are accessing from the outside, and just use IWA when they are on the LAN. IWA is working fine.
I was hoping that I would not have to authorize people twice to the site, but it looks like that might be the case.
I have implemented forms authentication in SharePoint. The users are coming in nicely and authenticating too, but the problem is that after authenticating, the user is not redirected to the home page of the site; instead it redirects to the sign-in page. Please provide a solution to redirect to the home page. I am using the default login page.
I'm having the exact same issue as kamleshpndy. I'm using an extended site and the out-of-the-box AspNetSqlMembershipProvider and RoleProvider with SharePoint Foundation 2010 Beta 2. I was able to add the SQL user I created to the site collection administrators, but when I go to log in, the login acts like it's working but just redirects back to the login page. If you enter a wrong username or password it lets you know right away. It appears the user is being authenticated, but it seems like the cookie SharePoint needs isn't being created (just a guess).
Does anyone know if this is a limitation of the Beta software or some configuration shortcoming on our part?
This is a really great article.
Can you please let me know which default claims are available on user authentication using forms-based authentication to SharePoint 2010?
Can custom claims about the authenticated user be retrieved? How is that achieved?
Did you do this with IIS 6 or IIS 7?
I have a custom membership / role provider and have followed everything correctly. The authentication fails with the error "failed to validate user name and password". I can see, using Profiler, that my custom provider is not being hit.
It is a provider I have been using in 2007 without any problem.
Now, I can see these providers in IIS 7, but when I try to set the default it says it's not trusted. The config sections are locked for me, maybe a permissions issue, but I can try it later.
Do you think this would be the problem, i.e. not having it as a trusted provider in IIS 7.0 although it's listed? I think if I just switch to classic mode in IIS it will isolate it to just SharePoint and ASP.NET.
Great article, thank you! We are purchasing the external connector and I was wondering if I could use FBA. For example, I am Lynne Internet-User and I want this user to read my blog, but register to add content. How do I get Lynne Internet-User as a user in SharePoint?
I hope you can help, I am having FBA issues.
I followed the steps in setting up FBA: created the db, role and providers in Central Admin as well as the security token, added users, added roles, authentication. Then I created a web application with claims and did the same setup for the new site collection.
Now when I try to open the page, it comes up with the default sign-in. I have already added forms users; I tried to select forms and entered the user ID and password, and I get the error below. Can you give me some clues on what went wrong in my setup?
Server Error in ‘/’ Application.
The remote server returned an error: (404) Not Found.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[WebException: The remote server returned an error: (404) Not Found.]
System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81
[EndpointNotFoundException: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]
System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154
System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172
Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981
Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927
If you want to use ready-made solutions for the management of FBA users, you should take a look here: