The following explains how to create an extended web application in your SharePoint 2010 environment and how to set up Forms Based Authentication (FBA) on it, backed by its own ASP.NET membership database.

We first create the ASP.NET membership database, then configure the membership and role providers for Central Administration and for the Security Token Service, then extend the web application, and finally configure the extended web application and the default web site.

(Note that Forms Based Authentication can only be added to web applications that have claims-based authentication enabled. If your web application still uses classic-mode authentication you can convert it with the PowerShell commands in section 5 of this walkthrough.)
1. Create the database for the ASP.NET Membership and Role Providers

   a. Using Microsoft SQL Server Management Studio, create a new empty database called aspnetdb_claim on the SQL Server that hosts your SharePoint databases.
   b. Open a Command Prompt and change to the following directory:
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727
   c. Run the following command (replace <SPSSERVER> with the SQL Server instance from step a):
      aspnet_regsql -S <SPSSERVER> -E -A mr -d aspnetdb_claim
      -S     specifies the SQL Server instance.
      -E     specifies that Windows authentication should be used to connect to SQL Server.
      -A mr  specifies that the membership (m) and role (r) features should be added.
      -d     specifies the database name.
   d. Give the application pool accounts that will use the providers access to the database. Three IIS sites end up hosting these providers (Central Administration, the Security Token Service and the extended web application), so every application pool identity among them needs access. aspnet_regsql creates the database roles aspnet_Membership_FullAccess and aspnet_Roles_FullAccess for exactly this purpose; adding the accounts to those two roles is all the providers need and is preferable to making them db_owner.
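Steps a to d above, scripted end to end. This is an added example and not part of the original walkthrough: it creates the database with sqlcmd instead of Management Studio, runs aspnet_regsql with the same switches as step c, and grants the application pool accounts the two aspnet_* database roles rather than db_owner. The instance name SPSSERVER and the CONTOSO\sp_webapp and CONTOSO\sp_farm accounts are placeholders to replace with your own; it assumes sqlcmd.exe is on the path and that you run it as a SQL sysadmin.

```powershell
# Added example (not from the original walkthrough): provisions the ASP.NET
# membership/role database for SharePoint 2010 FBA with least-privilege grants.
# Assumptions: $SqlServer and the accounts below are placeholders; sqlcmd.exe is
# available; the 64-bit .NET 2.0 framework directory exists on this server.
param(
    [string]$SqlServer = "SPSSERVER",                                   # assumed SQL instance
    [string]$Database  = "aspnetdb_claim",
    [string[]]$AppPoolAccounts = @("CONTOSO\sp_webapp", "CONTOSO\sp_farm")  # assumed app pool identities
)

$regsql = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
if (-not (Test-Path $regsql)) { throw "aspnet_regsql.exe not found at $regsql" }

# Step a: create the empty database (skipped if it already exists).
& sqlcmd -S $SqlServer -E -b -Q "IF DB_ID(N'$Database') IS NULL CREATE DATABASE [$Database];"
if ($LASTEXITCODE -ne 0) { throw "CREATE DATABASE failed" }

# Steps b and c: install the membership (m) and role (r) schema using Windows authentication (-E).
& $regsql -S $SqlServer -E -A mr -d $Database
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql failed" }

# Step d: aspnet_regsql created the aspnet_*_FullAccess roles; membership in those two roles
# is everything SqlMembershipProvider and SqlRoleProvider need, so db_owner is not granted.
foreach ($acct in $AppPoolAccounts) {
    $sql = @"
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$acct';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$acct';
"@
    # Write the batch to a temp file so sqlcmd sees it verbatim, then run it with -b (abort on error).
    $tmp = [IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $sql
    & sqlcmd -S $SqlServer -E -b -i $tmp
    $rc = $LASTEXITCODE
    Remove-Item $tmp
    if ($rc -ne 0) { throw "Granting access to $acct failed" }
    Write-Host "Granted membership/role access to $acct"
}
```

Run it once from an elevated 64-bit PowerShell on a machine with the SQL client tools; re-running is safe because every statement checks for the object before creating it.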
2. Create the FBAMembershipProvider and FBARoleProvider providers in IIS for Central Administration

   a. On your application server, open IIS Manager and select the SharePoint Central Administration v4 website.
   b. Open Connection Strings and click Add in the right-hand pane. Add a connection string to the database created in section 1 and name it FBADB. Choose "Use Windows Integrated Security" rather than specifying SQL credentials: the connection string is written to the site's web.config in clear text, and with integrated security the application pool account you granted access to in step 1d is what connects, so no password is stored.
   c. Select the Central Administration site again, open Providers, select .NET Roles from the Feature drop-down at the top and click Add in the right-hand pane, then:
      i.   Set the Type to SqlRoleProvider
      ii.  Name the provider FBARoleProvider
      iii. Set the ConnectionStringName property to FBADB
      iv.  Set the ApplicationName property to /
   d. Select the Central Administration site again, open Providers, select .NET Users from the Feature drop-down at the top and click Add in the right-hand pane, then:
      i.   Set the Type to SqlMembershipProvider
      ii.  Name the provider FBAMembershipProvider
      iii. Set the EnablePasswordReset property to True
      iv.  Set the ConnectionStringName property to FBADB
      v.   Set the ApplicationName property to /

   The ApplicationName value must be identical (here /) for both providers and on every site that shares the database; the membership tables partition users and roles by application name, so a mismatch makes a user created on one site invisible on another.
3. Configure the Security Token Service and the default website

   The default website is your web application running on port 80 by default, e.g. SharePoint - 80. The Security Token Service is the component SharePoint's claims-based authentication uses to validate FBA logins, so it must be able to reach the same providers; in IIS it is found by expanding the SharePoint Web Services site and selecting SecurityTokenServiceApplication.

   a. Repeat section 2, steps a to d, to create the membership and role providers on both of these websites.
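What IIS Manager does in sections 2 and 3 is write a connection string and two provider entries into the selected site's web.config. The script below makes the same change directly, so that it can be repeated verbatim on Central Administration, on SecurityTokenServiceApplication and, in section 6, on the extended web application on every web front end. It is an added example, not part of the original walkthrough; the web.config path, SQL instance name and database name are parameters you supply, and the provider names default to the ones used in this walkthrough.

```powershell
# Added example (not from the original walkthrough): adds the FBADB connection string and the
# FBAMembershipProvider / FBARoleProvider entries to one SharePoint web.config, idempotently.
# Assumptions: paths and the SQL instance name are placeholders; the file is a SharePoint 2010
# web.config whose <configuration> root may or may not already contain the sections touched.
param(
    [Parameter(Mandatory=$true)][string]$WebConfig,   # e.g. C:\inetpub\wwwroot\wss\VirtualDirectories\81\web.config
    [string]$SqlServer  = "SPSSERVER",                 # assumed SQL instance
    [string]$Database   = "aspnetdb_claim",
    [string]$ConnName   = "FBADB",
    [string]$MemberName = "FBAMembershipProvider",
    [string]$RoleName   = "FBARoleProvider"
)

# The ASP.NET 2.0 System.Web assembly that ships SqlMembershipProvider and SqlRoleProvider.
$sysWebAsm = "System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

# Returns the child element $name under $parent, creating it when absent (the STS web.config,
# for instance, has no <system.web> section until you add one).
function Get-OrAddChild([System.Xml.XmlElement]$parent, [string]$name) {
    $child = $parent.SelectSingleNode($name)
    if (-not $child) { $child = $parent.AppendChild($parent.OwnerDocument.CreateElement($name)) }
    return $child
}

# Appends <add name="..." .../> under $parent unless an entry with that name already exists.
function Add-Entry([System.Xml.XmlElement]$parent, [hashtable]$attrs) {
    if ($parent.SelectSingleNode("add[@name='$($attrs.name)']")) { return }
    $add = $parent.OwnerDocument.CreateElement("add")
    foreach ($k in $attrs.Keys) { $add.SetAttribute($k, [string]$attrs[$k]) }
    [void]$parent.AppendChild($add)
}

# Keep a rollback copy before touching a file SharePoint depends on.
Copy-Item $WebConfig "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$cfg = Get-Content $WebConfig
$root = $cfg.configuration

# Section 2b: connection string. Integrated security keeps SQL passwords out of web.config;
# the site's application pool identity (granted access in step 1d) is what connects.
$cs = Get-OrAddChild $root "connectionStrings"
Add-Entry $cs @{
    name             = $ConnName
    connectionString = "Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=True"
    providerName     = "System.Data.SqlClient" }

$systemWeb = Get-OrAddChild $root "system.web"

# Section 2c: role provider. Only the entry is added; SharePoint's own claims role provider
# ("c") stays the site's default, which is what section 8 relies on.
$roleMgr = Get-OrAddChild $systemWeb "roleManager"
Add-Entry (Get-OrAddChild $roleMgr "providers") @{
    name                 = $RoleName
    type                 = "System.Web.Security.SqlRoleProvider, $sysWebAsm"
    connectionStringName = $ConnName
    applicationName      = "/" }

# Section 2d: membership provider. applicationName must match on every site sharing the
# database, otherwise each site sees a different set of users.
$membership = Get-OrAddChild $systemWeb "membership"
Add-Entry (Get-OrAddChild $membership "providers") @{
    name                 = $MemberName
    type                 = "System.Web.Security.SqlMembershipProvider, $sysWebAsm"
    connectionStringName = $ConnName
    applicationName      = "/"
    enablePasswordReset  = "true" }

$cfg.Save($WebConfig)
Write-Host "Updated $WebConfig (backup written alongside it)"
```

Typical web.config locations on a SharePoint 2010 server are C:\inetpub\wwwroot\wss\VirtualDirectories\<port>\web.config for Central Administration and each web application zone, and C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config for the Security Token Service. Saving web.config recycles the application pool, so run this in a maintenance window.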
4. Extend the Web Application

   a. Open Central Administration and select Application Management from the left-hand pane.
   b. Select Manage Web Applications and click on the default SharePoint web application (SharePoint - 80) so that it is highlighted.
   c. Click Extend in the ribbon.
   d. Give the new extended application a name (e.g. SharePoint - 81).
   e. Set the port number (e.g. 81).
   f. Uncheck Enable Windows Authentication and check Enable Forms Based Authentication (FBA). If the FBA option is not available, the web application is still in classic mode; see section 5.
   g. Set the ASP.NET Membership provider name to the membership provider created previously (i.e. FBAMembershipProvider).
   h. Set the ASP.NET Role manager name to the role provider created previously (i.e. FBARoleProvider).
   i. Click OK.

   The provider names entered in steps g and h must match the name attributes of the providers exactly (they are case-sensitive); SharePoint looks them up by name in the web.config of the new zone, which is why section 6 adds the same providers there.
5. Activate claims authentication if Forms Based Authentication is not available

   NOTE: This only has to be done if the Forms Based Authentication (FBA) option is not available when extending the web application. That means the web application still uses classic-mode (Windows) authentication, and FBA in SharePoint 2010 is only offered for claims-based web applications. Converting a web application to claims is a one-way change that cannot be reverted, and if the web application already has users, their existing permission entries must be migrated to claims identities afterwards ($webapp.MigrateUsers($true)) or they will no longer resolve.

   Open the SharePoint 2010 Management Shell (or a PowerShell session with the Microsoft.SharePoint.PowerShell snap-in loaded) on the application server and run the following commands:

      # Replace <spsserver> with the URL of the web application to convert
      $webapp = Get-SPWebApplication http://<spsserver>/
      $webapp.UseClaimsAuthentication = $true
      $webapp.Update()
6. Configure the Extended Web Application

   Note: Steps a and b have to be done on every application and web front end server. The connection string and providers live in the extended zone's web.config, which SharePoint creates on each server but does not replicate afterwards. Steps c to i write the role and user into the shared database and therefore only need to be done once, on one server.

   a. On your application server, open IIS Manager and select the extended website (e.g. SharePoint - 81).
   b. Repeat section 2, steps a to d, to create the membership and role providers.
   c. Select the extended website again and open the .NET Roles section.
      You will probably get an error at this point. IIS Manager checks the site's default provider against a separate configuration file (its administration.config) that lists the provider types it trusts, and SharePoint's claims providers are not on that list, so IIS Manager cannot manage the default provider. This does not break anything and can be ignored.
   d. Click Set Default Provider, select FBARoleProvider and click OK. IIS Manager only manages the site's default provider, so this temporary change is what allows you to add a role for your administrator user.
   e. In the right-hand pane click Add, type administrator as the name and click OK. Your new role should appear on screen.
   f. Select the extended website again and open the .NET Users section.
      You will get the same error as before and can ignore it again.
   g. Click Set Default Provider, select FBAMembershipProvider and click OK. This will allow you to add a new administrator user for your FBA site.
   h. In the right-hand pane click Add. Type in the username, e-mail address and password and click Next.
   i. Now tick the administrator role created in step e and click Finish.
7. Set up site collection administrators

   a. From Central Administration, click Application Management and select Change site collection administrators.
   b. For the secondary site collection administrator, add the user created in section 6 through .NET Users in IIS for the extended web application. Central Administration can resolve this FBA user in the people picker only because its own web.config received the same providers in section 2; if the picker cannot find the user, check that section 2 was completed on the server running Central Administration.
   c. Click OK.
8. Reset the default providers

   The default providers have to be set back to SharePoint's claims authentication providers before the site will work. They were only changed temporarily in section 6 so that IIS Manager could create the administrator role and user. In a claims-based web application the SharePoint providers are simply named i (membership) and c (roles), which is why the values below are single letters; they are the defaultProvider attributes of the <membership> and <roleManager> elements in the extended zone's web.config.

   a. Open IIS Manager and select the extended web application on the left (i.e. SharePoint - 81).
   b. Open .NET Users and set the default provider to i.
   c. Open .NET Roles and set the default provider to c.

   Do this on every server where you changed the defaults in section 6; while FBAMembershipProvider or FBARoleProvider is the default, claims logins to that zone fail on that server.