Friday, January 13, 2012

SharePoint 2010 Forms Based Authentication on an Extended Web Application



The following will explain how to create an extended web application in your SharePoint 2010 environment and how to set up Forms Based Authentication with its own database on it.

We first create our ASP.Net membership database, then configure our providers for Central Admin and the Secure Store Web Service, then extend the web application, then finally we configure our extended web application and the default web site.

(Note that Forms Based Authentication can only be added onto web applications that have Claims Authentication enabled. You can activate this using a PowerShell command in section 5 of this walkthrough.)
1. Create the database for the ASP.Net Membership and Role Providers:

   a. Using Microsoft SQL Server Management Studio, create a new empty database on your server called aspnetdb_claim.
   b. Open Command Prompt and browse to the following location:
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727
   c. Run the following command:
      aspnet_regsql -S <SPSSERVER> -E -A mr -d aspnetdb_claim
      -S     Specifies the server.
      -E     Specifies that Windows authentication should be used to connect to SQL Server.
      -A mr  Specifies that the membership and role features should be added.
      -d     Specifies the database name.
   d. Give your web application AppPool account full permissions on the database.
2. Create FBAMembershipProvider and FBARoleProvider providers in IIS for Central Admin

   a. On your application server, select the Central Administration v4 website in IIS.
   b. Open Connection Strings and click Add in the right hand pane. Then add a connection string to your previously created database and call it FBADB.
   c. Select the Central Admin site again, open Providers, select .NET Roles from the Feature dropdown at the top and click Add in the right hand pane.
      - Set the Type as SqlRoleProvider
      - Name the provider FBARoleProvider
      - Set the ConnectionStringName property to FBADB
      - Set the ApplicationName property to /
   d. Select the Central Admin site again, open Providers, select .NET Users from the Feature dropdown at the top and click Add in the right hand pane.
      - Set the Type as SqlMembershipProvider
      - Name the provider FBAMembershipProvider
      - Set the EnablePasswordReset property to True
      - Set the ConnectionStringName property to FBADB
      - Set the ApplicationName property to /

3. Configure Secure Store Web Service and Default Website

   The default website is your site running on port 80 by default (e.g. SharePoint – 80). The Secure Store web site can be found by expanding the SharePoint Web Services site and selecting the SecurityTokenServiceApplication.

   a. Repeat Section 2, steps a to d, to create the Membership and Role Providers for both of these websites.
4. Extend the Web Application

   a. Open Central Administration and select Application Management from the left hand pane.
   b. Select Manage Web Applications and click on the default SharePoint application (SharePoint – 80) so that it is highlighted.
   c. Click on Extend in the Ribbon controls.
   d. Give the new extended application a name (e.g. SharePoint – 81).
   e. Set the port number (e.g. 81).
   f. Uncheck the Enable Windows Authentication box and check Enable Forms Based Authentication (FBA). (If this option is not available, see the next section.)
   g. Set the ASP.NET Membership provider name property to the Membership provider name created previously (i.e. FBAMembershipProvider).
   h. Set the ASP.NET Role manager name to the Role Provider name created previously (i.e. FBARoleProvider).
   i. Click OK.


5. Activate Claims authentication if Forms Based Authentication is not available

   NOTE: This only has to be done if the Forms Based Authentication (FBA) option is not available when extending the web application.
   Open PowerShell on the application server and run the following commands:

      $webapp = Get-SPWebApplication http://<spsserver>/
      $webapp.UseClaimsAuthentication = $true
      $webapp.Update()
6. Configure Extended Web Application

   Note: This has to be done on all application and web front end servers.

   a. On your application server, select the Extended website in IIS (e.g. SharePoint – 81).
   b. Repeat Section 2, steps a to d, to create the Membership and Role Providers.
   c. Select the Extended website again and open the .Net Roles section.
      You will probably get the following error:

      There is another configuration file that contains a list of all the trusted providers and for some reason the default claims providers are not in there. This does not break anything, however, and can be ignored.
   d. Click on Set Default Provider, then select the FBARoleProvider and click OK. This will allow you to add a new administrator role for your administrator user.
   e. On the right hand pane, click on Add, type in administrator as the name and click OK. Your new Role should appear on screen.
   f. Select the Extended website again and open the .Net Roles section.
      You will get the same error as before and can just ignore it again.
   g. Click on Set Default Provider, then select the FBAMembershipProvider and click OK. This will allow you to add a new administrator user for your FBA site.
   h. On the right hand pane, click on Add. Type in your Username, email and password and click Next.
   i. Now you can tick the user group called administrator that was created in the previous step and click Finish.

7. Set up site collection administrators

   a. From Central Administration, click on Application Management and select Change site collection administrators.
   b. For the secondary site collection administrator, add the user created previously in the .NET Users in IIS for the extended web application.
   c. Click OK.

8. Reset the default providers

   The default providers have to be set back to the claims authentication providers before the site can work. The providers are only changed temporarily in the set up to allow for adding the admin users.

   a. Open IIS and select the extended web application on the left (i.e. SharePoint – 81).
   b. Open the .NET Users and set the default provider to i (the name SharePoint 2010 gives its claims membership provider).
   c. Open the .NET Roles and set the default provider to c (the name SharePoint 2010 gives its claims role provider).
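What the IIS steps in sections 2, 6 and 8 leave behind in the extended web application's web.config, shown here as an added example that is not from the original post. The server name SPSSERVER and the exact connection string are assumptions; the i and c entries are the claims providers SharePoint 2010 registers itself and are shown for context.

```xml
<!-- Added example, not from the original post: the web.config of the extended
     web application (e.g. SharePoint - 81) after sections 2, 6 and 8.
     Server name SPSSERVER and the connection string text are assumptions. -->
<configuration>
  <connectionStrings>
    <!-- Connection string named FBADB (section 2b). Integrated Security means
         the AppPool account granted permissions in step 1d is the login used. -->
    <add name="FBADB"
         connectionString="Data Source=SPSSERVER;Initial Catalog=aspnetdb_claim;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- defaultProvider must end up as "i" (section 8b). During section 6 it is
         temporarily FBAMembershipProvider so IIS can create the admin user. -->
    <membership defaultProvider="i">
      <providers>
        <!-- "i": the claims membership provider SharePoint 2010 registers itself. -->
        <add name="i"
             type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <!-- FBAMembershipProvider as created in section 2d. -->
        <add name="FBAMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB"
             enablePasswordReset="true"
             applicationName="/" />
      </providers>
    </membership>
    <!-- defaultProvider must end up as "c" (section 8c). It is temporarily
         FBARoleProvider in step 6d so the administrator role can be created. -->
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <!-- "c": the claims role provider SharePoint 2010 registers itself. -->
        <add name="c"
             type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <!-- FBARoleProvider as created in section 2c. -->
        <add name="FBARoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

If the site still fails to load after section 8, the first thing to check is that defaultProvider on both elements reads i and c on every web front end, since section 6 is repeated per server.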

4 comments:

  1. Nice article. A very minor correction though. Step 6 f should be adding the user to .NET Users instead of .NET Roles.

    I found this very helpful.

  2. Also, if when adding the .NET User, you get an invalid password error, you can set password policies for the Membership provider in the extended web site's web.config file, found in the root of the virtual directory for the site.

    See http://msdn.microsoft.com/en-us/library/system.web.security.membership.minrequiredpasswordlength.aspx for the syntax.

    1. Thanks for the feedback Simon. I have been able to install the solution as is on certain environments while also having had to make adjustments on other client environments. I think it depends on where it's installed.

  3. A very very nice article but step 6 f to be corrected to .net users instead of .net roles
