Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occasional musings, observations, and Ouija board readings about the phabulously

Configuring Forms Based Authentication in SharePoint 2010

Hopefully folks are starting to get some use out of the multitude of SharePoint 2010 postings I’ve been tossing up here.  This is a new one that I was a little hesitant to put together…given my history in SharePoint 2007 I don’t want to become typecast but…in this post I’ll give a quick walkthrough on creating a forms based authentication site in SharePoint 2010.

For those of you who’ve read my various blogs (http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx being the most popular) and three-part series on FBA for SharePoint 2010 (part 1 starts here: http://msdn.microsoft.com/en-us/library/bb975136.aspx), most of this should look pretty familiar.  We’re going to follow a very similar process to what we did in SharePoint 2007, with a couple of twists.  At a high level, we’re going to:

1. Create a new web application
2. Configure support for FBA in central admin, our new web app, and a new thing in SharePoint 2010 called the STS web service
3. Add a User Policy to our web app that will grant an FBA user rights to the site
4. Log in to the site and start using it!

For our example we’ll use the LDAP provider that ships in SharePoint 2010 for our directory.  Let’s look at each of these steps in more detail now.

Step 1 – Create a New Web Application

Start by going to the Central Administration web site.  Click on Manage Web Applications, then click on the New button in the ribbon to create a new web application.  In the new web application dialog we’re going to select the following settings:

• Authentication: Claims Based Authentication
• Identity Providers
    • Check the Enable Windows Authentication box or you won’t be able to crawl the site
    • Check the Enable ASP.NET Membership and Role Provider checkbox
        • In the Membership provider name edit box, type LdapMember
        • In the Role provider name edit box, type LdapRole
• I won’t cover all of the other sections in the new web app dialog because they aren’t specific to using FBA, so just fill them in with whatever values are appropriate for your implementation

When you’re all done click the OK button to create the new web application.  Now that the web app is created, I Highly Recommend That You Create A New Site Collection In It Now!  I’ll move forward assuming you have done as I’ve suggested.  Now…okay – step 1 is done, let’s keep moving.

Step 2 – Configure FBA Support

This step is where we go through that same process as 2007, where we need to add some entries to the web.config file for our web application, and we need to do it on each web front end in the farm.  The basic chunk of Xml we’re going to work with for the LDAP provider looks like this; the parts you will want to change for your implementation are the ones that refer to my environment, namely the server name (stevedc.steve.local) and the user and group containers (CN=Users,DC=steve,DC=local):

<membership>
  <providers>
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="stevedc.steve.local"
         port="389"
         useSSL="false"
         userDNAttribute="distinguishedName"
         userNameAttribute="sAMAccountName"
         userContainer="CN=Users,DC=steve,DC=local"
         userObjectClass="person"
         userFilter="(ObjectClass=person)"
         scope="Subtree"
         otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         server="stevedc.steve.local"
         port="389"
         useSSL="false"
         groupContainer="CN=Users,DC=steve,DC=local"
         groupNameAttribute="cn"
         groupNameAlternateSearchAttribute="samAccountName"
         groupMemberAttribute="member"
         userNameAttribute="sAMAccountName"
         dnAttribute="distinguishedName"
         groupFilter="(ObjectClass=group)"
         userFilter="(ObjectClass=person)"
         scope="Subtree" />
  </providers>
</roleManager>

Copy this chunk of Xml into something like notepad and change the environment-specific parts (server name and containers) to values that will work in your environment.  Now you can copy from there into each of the config files we need to change.  Unfortunately we’ll need to use a slightly different version of this in each web.config file.  Let’s start with the easy one first – central admin.  Find the web.config file for central admin and open it up in your favorite editor, like notepad.  Scroll down to the <system.web> entry, and paste the entire chunk of Xml directly below it.  Save your changes and the first one’s done.

The next one we’re gonna hit is the web.config for the Security Token Service (STS) virtual directory.  Explaining what the STS does, what claims based auth is, etc. is all way beyond the scope of this posting, but we’ll get to those things in time.  For now, we need to find the directory where its web.config file is, and the easiest way to do that is to open the IIS Manager.  Expand the plus sign next to the server name.  Expand the plus sign next to the Sites object.  Expand the plus sign next to the SharePoint Web Services virtual directory.  Beneath it, find the SecurityTokenServiceApplication virtual directory.  Click on it, then click on the Content View button in the bottom of the middle part of the screen.  That will cause the Explore link to appear in the Actions pane on the right hand side of the screen (it’s the third link down from the top).  Click the Explore link and Windows Explorer will open up and you will see the web.config file you need to work with.  Open up the web.config file in a text editor and scroll all the way down to the bottom.  Directly under the </system.net> entry, do the following:

1. Add a <system.web> entry and press enter.
2. Copy and paste in the chunk of Xml shown above.
3. Add a </system.web> closing tag directly below the stuff you pasted in.
4. Find the <roleManager> element in the chunk of Xml you pasted in, and delete the defaultProvider attribute.  That leaves your roleManager element looking like this: <roleManager enabled="true">

Save your changes and the second one’s done.  Now, go find the web.config file for the new FBA web application you created and open it up in notepad.  When you configured the web application to support claims based authentication, it automatically added in some Membership and Role provider information that points to a custom set of providers SharePoint 2010 adds out of the box.  So all we need to do is add our provider into the correct section in the web.config.  IMPORTANT:  For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing.  The Role provider is listed first, and the Membership provider is listed second.  Scroll down the web.config file until you find the roleManager element (it’s a ways down there).  Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> section.  So you will paste in just this part (with your site specific info replacing my server name and group container):

<add name="LdapRole"
     type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="stevedc.steve.local"
     port="389"
     useSSL="false"
     groupContainer="CN=Users,DC=steve,DC=local"
     groupNameAttribute="cn"
     groupNameAlternateSearchAttribute="samAccountName"
     groupMemberAttribute="member"
     userNameAttribute="sAMAccountName"
     dnAttribute="distinguishedName"
     groupFilter="(ObjectClass=group)"
     userFilter="(ObjectClass=person)"
     scope="Subtree" />

Now scroll down a little more and do the same thing to add in your Membership provider.  Find the <membership><providers> element and right below it paste in the membership provider definition from the chunk of Xml above (with your site specific info replacing my server name and user container):

<add name="LdapMember"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
     server="stevedc.steve.local"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="CN=Users,DC=steve,DC=local"
     userObjectClass="person"
     userFilter="(ObjectClass=person)"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn" />

Okay, good – now you’ve finished step 2.  The hardest part is done.
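As an added check, not part of the original post: a PowerShell script that reads the three web.config files edited in step 2 and reports the slips that most often break FBA, namely XML that no longer parses after hand-editing, provider names that do not match what was typed in the new web app dialog, a defaultProvider attribute left on the STS roleManager, and provider settings that differ between the three files; it also flags useSSL="false", since that sends the LDAP bind across the wire in the clear. The three file paths are yours to supply (the STS one is the file you located through IIS Manager); the provider names default to the LdapMember and LdapRole used in this post.

```powershell
# Added example for this page, not code from the original post. Run it on a
# web front end after step 2, passing the three web.config paths:
#   .\Check-FbaConfig.ps1 -CentralAdminConfig <path> -StsConfig <path> -WebAppConfig <path>
param(
    [Parameter(Mandatory = $true)][string]$CentralAdminConfig,
    [Parameter(Mandatory = $true)][string]$StsConfig,
    [Parameter(Mandatory = $true)][string]$WebAppConfig,
    [string]$MembershipName = 'LdapMember',   # must equal the name typed in the new web app dialog
    [string]$RoleName       = 'LdapRole'
)

function Get-Provider {
    # Returns the <add name="..."> element under <membership> or <roleManager>, or $null.
    param([xml]$Config, [string]$Section, [string]$Name)
    $Config.SelectSingleNode("//$Section/providers/add[@name='$Name']")
}

$findings = @()
$seen = @{}   # provider name -> attribute snapshot from the file checked before it

$files = @(
    @{ Label = 'CentralAdmin'; Path = $CentralAdminConfig },
    @{ Label = 'STS';          Path = $StsConfig },
    @{ Label = 'WebApp';       Path = $WebAppConfig }
)

foreach ($entry in $files) {
    $label = $entry.Label
    try {
        # Casting to [xml] is the cheapest typo detector: a stray quote or an
        # unclosed tag left behind by hand-editing fails right here.
        $xml = [xml](Get-Content -LiteralPath $entry.Path -ErrorAction Stop)
    } catch {
        $findings += "[$label] web.config could not be read or parsed as XML: $($_.Exception.Message)"
        continue
    }

    $member = Get-Provider $xml 'membership'  $MembershipName
    $role   = Get-Provider $xml 'roleManager' $RoleName
    if (-not $member) { $findings += "[$label] no <membership> provider named '$MembershipName'" }
    if (-not $role)   { $findings += "[$label] no <roleManager> provider named '$RoleName'" }

    # Step 2 removes defaultProvider from the STS copy of <roleManager>.
    $rm = $xml.SelectSingleNode('//roleManager')
    if ($label -eq 'STS' -and $rm -and $rm.HasAttribute('defaultProvider')) {
        $findings += "[STS] <roleManager> still has defaultProvider='$($rm.GetAttribute('defaultProvider'))'; delete it"
    }

    foreach ($p in @($member, $role) | Where-Object { $_ }) {
        $pname = $p.GetAttribute('name')
        # With useSSL="false" the LDAP traffic, including the bind, is unencrypted.
        if ($p.GetAttribute('useSSL') -eq 'false') {
            $findings += "[$label] provider '$pname' has useSSL=false on port $($p.GetAttribute('port')); LDAP traffic is unencrypted"
        }
        # The three files must describe the same directory: compare every attribute.
        $snapshot = ($p.Attributes | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
        if ($seen.ContainsKey($pname) -and $seen[$pname] -ne $snapshot) {
            $findings += "[$label] provider '$pname' differs from the copy in the file checked before it"
        }
        $seen[$pname] = $snapshot
    }
}

if ($findings.Count -eq 0) { 'All three web.config files are consistent.' } else { $findings }
```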

Step 3 – Add A User Policy

This part is basically exactly the same as you did in SharePoint 2007, with a couple of very minor differences.  Go to the central admin site and click on Manage web applications.  Click on your new FBA web application, then click on the User Policy button in the ribbon; this brings up the User Policy dialog.  Now do the following steps:

1. Click on the Add Users link.
2. In the Zones drop down, select the Default zone and click the Next button.
3. Click the Address Book icon.  This will bring up the people picker and will let you know real quickly whether everything is configured correctly or not.  The first thing you should notice is that you see a new interface.  I think it’s going to be called the Principal Picker or some other equally nerdy name, but you get the point – it allows you to search in one dialog and show matches from all of the directories you have configured.  It’s pretty slick.  So go ahead and type in the NT login name or account name (use whatever nomenclature you prefer here) and click the search button.  If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider.
4. Select the account in the User section and click the Add button.
5. Click the OK button.
6. Check the Full Control checkbox, then click the Finish button.

That’s it – everything should be all configured now for you to log into your new FBA site.

Step 4 – Login

Go ahead now and navigate to the site in your FBA web application.  You should get an initial prompt where it asks you what kind of authentication you want to use to access the site – Windows Authentication or Forms Authentication.  Select Forms Authentication from the drop down and the page posts back with a standard forms login page.  Enter the credentials of the user to which you granted the Full Control user policy and you should log into the site.  Now you can start adding other FBA members and roles into SharePoint groups so they can access the site too.

All Done!

Well, that’s all there is to it.  If you’ve never done it before it probably seems kind of complicated, just like the first time folks did it in SharePoint 2007.  If you have set it up before in SharePoint 2007 though, the process probably seems pretty straightforward.  Hopefully this post will get everyone moving in the right direction and able to start using FBA with their new SharePoint 2010 sites.  Good luck!

Comments
  • Steve,

    Very nicely written article. Few questions

    1. We now have options for multiple auth methods in the same zone. Could you describe some scenarios where this will be applicable?

    2. Why do we need to configure providers in the STS service app web.config?

    3. Do we have some detailed documentation on this new architecture for claims and multiple auth methods in the same zone?

    Thanks

    Taj

  • Hi Tajeshwar, I will try and answer your questions here:

    1. For all scenarios where you need multiple authentication providers but don't need or want different Urls.  This is definitely a smaller case than the typical use of FBA in SharePoint 2007, where you would create a different zone and auth for external users.  I've already seen one case in one of the SharePoint 2010 pre-release programs where this is exactly what the customer wanted.  This is really just a value add; it doesn't preclude you from creating additional zones as you did in SharePoint 2007.

    2. You need to configure providers in the STS web.config because all FBA auth in 2010 uses the claims infrastructure, and the SharePoint STS is like our "claims processing engine" in SharePoint 2010.

    3. I'm not aware of any detailed documentation on this yet.

    Steve

  • Good stuff.  I just tried this with an ADLDS directory (single machine - SP2010, AD, SQL).

    I cannot get it to work for me.

    I configured the web.configs as described above for all 3 web apps.

    When I do a peoplepicker in central admin, it cannot find my ADLDS users.

    Any thoughts?

  • Hi Donal; I do know there are some issues (at least in the beta) with running SharePoint on a domain controller.  I don't know if this specific case is one or not.  Unfortunately having it all on one box also makes it tougher to troubleshoot.  If they were on different boxes for example, we could look at a netmon sniff between the SharePoint and AD server to see what's going back and forth between them.  In the absence of that, my best advice is not great, which is just to really double check all of the custom settings you created for all three web.config files.  It can be tedious business and anytime I have had a problem some typo or bad info on my part was usually the culprit.  Sorry I don't have much more to help you with here.

    Steve

  • Thanks Steve.  I managed to get the PeoplePicker working ok.  FBA flat out refuses to work though, with no insight in the logs.  My next move is to use the credentials of an LDAP account, and not use the SharePoint app pool account.

  • In case someone comes here and is looking for similar guide on how to setup an ASPNET SQL provider:

    http://blogs.msdn.com/sridhara/archive/2010/01/15/setup-claims-using-aspnetsqlmembershipprovider.aspx

    Also - and it may not be helpful in all cases - but in my case I wanted the custom provider available to ALL sites...

    So, following this tip:  http://blog.sharepointengine.com/2009/01/iis-70-cannot-get-membership-provider.html, I just setup the providers using IIS 7 (connection string, role, and members)

    Cheers,

    Rich

  • This process is working for me but I have recently run into a problem with Visual Studio 2010 in that I am unable to add a new Content Type item or Event Receiver to a project that utilizes a site that has been configured for claims-based authentication.  It works if I use classic authentication but I would prefer the approach taken here.  By any chance, do you receive the error "Attempted to perform and unauthorized operation" if you create an empty project for an existing SharePoint site using claims based authentication and attempt to add a new Content Type item to the empty project?

    Thanks,

    Leo

  • I've had pretty good luck configuring this so far, but some problems:

    When I search on my name in the address book, I come up twice, both listed under AD. Could this be because I have pointed the LDAP provider settings in all the XML above to the same server that is our Active Directory server? My goal here is to be able to have users sign in with an SSL-secured form using their AD credentials when they are accessing from the outside, and just use IWA when they are on the LAN. IWA is working fine.

    I was hoping that I would not have to authorize people twice to the site, but it looks like that might be the case.

  • Hi,

    I have implemented forms authentication in SharePoint. The users are coming in nicely and authenticating too, but the problem is that after authenticating, the user is not redirected to the home page of the site; instead it redirects to the sign-in page. Please provide any solution to redirect to the home page. I am using the default login page.

    kamlesh

  • I'm having the same exact issue as kamleshpndy.  I'm using an extended site and out-of-the-box AspNetSqlMembershipProvider and RoleProvider with Sharepoint Foundation 2010 Beta2.  I was able to add the sql user I created to site collection administrators but when I go to log in the login acts like it's working but just redirects back to the login page.  If you enter a wrong username or password it lets you know right away.  It appears like the user is being authenticated, but it seems like the cookie sharepoint needs isn't being created (just a guess).

    Does anyone know if this is a limitation of the Beta software or some configuration shortcoming on our part?

  • Hi Steve,

    This is a really great article.

    Please can you let me know which default claims are available on user authentication using Forms based authentication to SharePoint 2010.

    Can custom claims about the authenticated user be retrieved? How is it achieved?

    Thanks.

  • Hi Steve

    Did you do this with IIS 6 or IIS 7?

    I have a custom membership / role provider and have followed everything correctly. The authentication fails with the error "failed to validate user name and password". I can see that my custom provider is not being hit using profiler.

    It is a provider I have been using in 2007 without any problem.

    Now, I can see these providers in IIS 7 but when I try to set the default it says it's not trusted. The config sections are locked for me, maybe a permissions issue, but I can try it later.

    Do you think this would be the problem, i.e. not having it as a trusted provider in IIS 7.0 although it's listed? I think if I just switch to classic mode in IIS it will isolate it to just SharePoint and ASP.NET.

    Any thoughts?

    Regards

    Yogesh Pawar

  • Hi Steve,

    Great article, thank you!  We are purchasing the external connector and I was wondering if I could use FBA. For example, I am Lynne Internet-User and I want this user to read my blog, but register to add content. How do I get Lynne Internet-User as a user in SharePoint?

    Thanks, Lynne

  • Great Article

    I hope you can help, I am having FBA issues

    I followed the steps in setting up FBA: created the db, role, and providers in central admin as well as the security token service, added users, added roles, and authentication. Then I created a web application with claims and did the same setup for the new site collection.

    Now when I try to open the page, it comes up with the default sign in. I have already added forms users; I tried to select forms, entered user ID and pwd, and I get the below error. Can you provide me some clues on what went wrong in my setup?

    Neel

    Server Error in '/' Application.

    The remote server returned an error: (404) Not Found.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.

    Source Error:
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:
    [WebException: The remote server returned an error: (404) Not Found.]
       System.Net.HttpWebRequest.GetResponse() +1126
       System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81

    [EndpointNotFoundException: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]
       System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154
       System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
       Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
       Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61
       Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
       Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081
       Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172
       Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
       Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
       System.Web.UI.WebControls.Login.AttemptLogin() +152
       System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
       System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
       System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981

    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

  • If you want to use ready-made solutions for the management of FBA users, you should take a look here:

    www.devit.eu/.../121-fba-manager-sp2010-forms-based-authentication.aspx
