Sunday, April 22, 2012

Configure Forms Based Authentication (FBA) with SharePoint 2010

SharePoint 2010 FBA is configured differently from WSS 3.0 or MOSS 2007: the web application must be created with Claims Based Authentication.
Classic Mode Authentication: supports only Integrated Windows authentication.
Claims Based Authentication: is built on Windows Identity Foundation. It supports any type of authentication and also lets several authentication methods be used on a single URL.

You can convert a web application from Classic Mode Authentication to Claims Based Authentication. However, that can only be done using PowerShell commands:
http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx

    # Run in the SharePoint 2010 Management Shell; replace URL with the web application's URL
    $app = Get-SPWebApplication "URL"
    # UseClaimsAuthentication is a boolean property, so assign $true rather than a string
    $app.UseClaimsAuthentication = $true
    $app.Update()

Here are the steps for configuring FBA. I assume here that you have already created a membership provider and role manager:
  1. Create the web application using Central Administration
    • Open the Central Administration console.
    • Click on Manage Web Applications under Application Management.
    • Click on New on the ribbon.
    • Choose Claims Based Authentication at the top of the page.
    • Choose the port number for the web application.
    • Click on Enable Forms Based Authentication (FBA) under Claims Authentication Types. Windows Authentication is enabled by default; if you don't need Windows authentication, uncheck the box.
    • Add the Membership Provider and Role Manager names. I am using "SQL-MembershipProvider" as the Membership Provider and "SQL-RoleManager" as the Role Manager. These names are case sensitive.
  2. Modify the web.config files for the Membership Provider and Role Manager:
    Three different web.config files need to be modified for FBA to work: the web.config of the FBA web application, the web.config of the Central Administration site and the web.config of the STS.
    • Modify web.config of the FBA web application:
      Add the connection string (directly under <configuration>):
      <connectionStrings>
      <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=SQL-Auth" />
      </connectionStrings>

      Add the membership provider and role manager inside <system.web>:
      <system.web>
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </roleManager>
      <membership defaultProvider="i">
      <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </membership>
      </system.web>

    • Modify web.config of the STS. You can locate the STS web.config under %programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken:
      Add the connection string:
      <connectionStrings>
      <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=SQL-Auth" />
      </connectionStrings>
      Add the membership provider and role manager inside <system.web>:
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </roleManager>
      <membership defaultProvider="i">
      <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </membership>
    • Modify web.config of the Central Administration web application:
      This modification is optional. You need it only if you want Forms users to be able to authenticate through Central Administration.
      Add the connection string:
      <connectionStrings>
      <add name="SQLConnectionString" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=SQL-Auth" />
      </connectionStrings>
      Add the membership provider and role manager inside <system.web>:
      <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
      <providers>
      <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQL-RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </roleManager>
      <membership defaultProvider="SQL-MembershipProvider">
      <providers>
      <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQL-MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
      </membership>
    Notes:
    • You should set the default providers:
      • The default providers are SPClaimsAuthRoleProvider and SPClaimsAuthMembershipProvider for the FBA site and the STS.
      • The default providers are AspNetWindowsTokenRoleProvider and SQL-MembershipProvider for Central Administration.
    • If you cannot log in after configuration, check that the machineKey in your web site and in the STS site are the same; otherwise check the database connection string.
    • If you want to search for FBA users using wildcards, add the Membership and Role providers to the PeoplePickerWildcards section of the web.config:

      <configuration>
          …
          <SharePoint>
              …
              <PeoplePickerWildcards>
                <clear />
                <add key="SQL-RoleManager" value="%" />
                <add key="SQL-MembershipProvider" value="%" />
              </PeoplePickerWildcards>
              …
          </SharePoint>
          …
      </configuration>
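Because the same provider block has to be pasted into three files with different defaultProvider values and exactly matching, case-sensitive names, an offline consistency check saves a round of failed logins. The following Python script is an added example written for this page (it is neither SharePoint code nor from the original post): it builds constructed web.config fragments mirroring the edits above, then verifies each file's defaultProvider against the Notes, the presence of the SQL-RoleManager and SQL-MembershipProvider entries, that every connectionStringName refers to a defined connection string, and that the web application and the STS carry the same machineKey. The sample_config builder, its key values and the helper names are all constructed for the example; to check a real farm, replace the samples with the contents of the three files.

```python
"""Consistency checks for the web.config edits described in step 2.
Added example for this page, not SharePoint's or the post's own code.
All config fragments are constructed in sample_config()."""
import xml.etree.ElementTree as ET

CLAIMS_ROLE = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider"
CLAIMS_MEMBER = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider"

# Expected defaultProvider name per section and, when it must be declared
# locally, the class its type attribute must start with.  Per the post's notes:
# the FBA site and STS use the SPClaims* providers; Central Administration uses
# AspNetWindowsTokenRoleProvider (inherited from machine.config, so there is no
# local <add> and no type check) plus the SQL membership provider.
FBA_STS_DEFAULTS = {"roleManager": ("c", CLAIMS_ROLE), "membership": ("i", CLAIMS_MEMBER)}
CA_DEFAULTS = {"roleManager": ("AspNetWindowsTokenRoleProvider", None),
               "membership": ("SQL-MembershipProvider", "System.Web.Security.SqlMembershipProvider")}
REQUIRED_SQL = {"roleManager": "SQL-RoleManager", "membership": "SQL-MembershipProvider"}


def sample_config(role_default, member_default, validation_key,
                  claims_providers=True, conn_name="SQLConnectionString"):
    """Build a constructed, minimal web.config holding only the elements the post edits."""
    claims_role = f'<add name="c" type="{CLAIMS_ROLE}, Microsoft.SharePoint" />' if claims_providers else ""
    claims_member = f'<add name="i" type="{CLAIMS_MEMBER}, Microsoft.SharePoint" />' if claims_providers else ""
    return f"""<configuration>
  <connectionStrings>
    <add name="{conn_name}" connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=SQL-Auth" />
  </connectionStrings>
  <system.web>
    <machineKey validationKey="{validation_key}" decryptionKey="CONSTRUCTED-DECRYPTION-KEY" validation="SHA1" />
    <roleManager defaultProvider="{role_default}" enabled="true" cacheRolesInCookie="false">
      <providers>
        {claims_role}
        <add name="SQL-RoleManager" connectionStringName="SQLConnectionString"
             type="System.Web.Security.SqlRoleProvider, System.Web" />
      </providers>
    </roleManager>
    <membership defaultProvider="{member_default}">
      <providers>
        {claims_member}
        <add name="SQL-MembershipProvider" connectionStringName="SQLConnectionString" passwordFormat="Hashed"
             type="System.Web.Security.SqlMembershipProvider, System.Web" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def check_providers(xml_text, expected_defaults):
    """Return a list of problems; empty when the file matches the post's layout."""
    root = ET.fromstring(xml_text)
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    problems = []
    for section, (default_name, default_type) in expected_defaults.items():
        node = root.find(f"./system.web/{section}")
        if node is None:
            problems.append(f"{section}: section missing")
            continue
        # Dict keys are compared exactly: a provider named "sql-rolemanager"
        # does NOT satisfy "SQL-RoleManager" (the names are case sensitive).
        providers = {a.get("name"): a for a in node.findall("./providers/add")}
        if node.get("defaultProvider") != default_name:
            problems.append(f"{section}: defaultProvider is {node.get('defaultProvider')!r}, expected {default_name!r}")
        if default_type and not providers.get(default_name, ET.Element("x")).get("type", "").startswith(default_type):
            problems.append(f"{section}: provider {default_name!r} must be declared locally as {default_type}")
        if REQUIRED_SQL[section] not in providers:
            problems.append(f"{section}: provider {REQUIRED_SQL[section]!r} is missing")
        for name, add in providers.items():
            cs = add.get("connectionStringName")
            if cs is not None and cs not in conn_names:
                problems.append(f"{section}: provider {name!r} uses undefined connection string {cs!r}")
    return problems


def machine_key(xml_text):
    """Return (validationKey, decryptionKey) from <system.web><machineKey>, or None if absent."""
    node = ET.fromstring(xml_text).find("./system.web/machineKey")
    return None if node is None else (node.get("validationKey"), node.get("decryptionKey"))


def machine_keys_match(web_xml, sts_xml):
    """The post's first troubleshooting note: the FBA web app and the STS must carry the same machineKey."""
    return machine_key(web_xml) is not None and machine_key(web_xml) == machine_key(sts_xml)


if __name__ == "__main__":
    fba = sample_config("c", "i", "CONSTRUCTED-KEY-1")
    sts = sample_config("c", "i", "CONSTRUCTED-KEY-2")  # deliberately wrong: key differs from the web app
    ca = sample_config("AspNetWindowsTokenRoleProvider", "SQL-MembershipProvider",
                       "CONSTRUCTED-KEY-1", claims_providers=False)
    broken = sample_config("c", "i", "CONSTRUCTED-KEY-1", conn_name="SQLConnString")  # dangling reference
    for label, cfg, expected in (("FBA", fba, FBA_STS_DEFAULTS), ("STS", sts, FBA_STS_DEFAULTS),
                                 ("CA", ca, CA_DEFAULTS), ("broken", broken, FBA_STS_DEFAULTS)):
        print(label, check_providers(cfg, expected) or "OK")
    print("machineKey FBA/STS match:", machine_keys_match(fba, sts))
```

The Central Administration snippet on this page names AspNetWindowsTokenRoleProvider as the default role provider without declaring it, because that provider is inherited from the machine-level configuration; the checker therefore compares it by name only, while the SPClaims* providers must be declared in the file itself and are checked by type as well.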
  3. Give permissions to the users from the SQL membership database:
    • Open the Central Administration console and click on Manage Web Applications under Application Management.
    • Select the web application and click on User Policy on the ribbon.
    • Click on Add Users and select the Default zone.
    • Type the user name and add the user to the web application with the appropriate permissions.
