Easy-Bake Forms Based Authentication
In a hosted environment I often see situations where a customer wants to quickly and easily add Forms Based Authentication to their SharePoint Web Application. Unfortunately, it is neither quick nor easy to add this functionality, and often requires development tools outside of SharePoint and SQL to accomplish (such as Visual Web Developer Studio Express).
Since I do this about once a week, I came up with an easier and less time-consuming method that does not require any tools outside of SQL, SharePoint and the CKS-FBAManagement Solution from the CodePlex community.
This configuration can be broken down into the following tasks:
- Create the FBA database to store user account information, and assign appropriate permissions
- Configure the Web.config files for your SharePoint Web Application
- Deploy FBA Management Utilities from CodePlex to your Web Application
- Jump through a few hoops to get your initial user inserted into your FBA database
- Finish configuring the FBA site and add your first user as a Site collection Administrator
Create the aspnetdb database to store the FBA Users
*Note* – The following instructions assume that you already have a Web Application provisioned in SharePoint and it is configured to use Windows Integrated Authentication
On the web server run:
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql
Follow the wizard as shown below:
In SQL Management Studio add the Application Pool Accounts for the Central Administration website and your Web Application to the Site_ASPNetDB Database with db_owner permissions.
If you haven’t already, extend your web app to a new URL which will be your FBA site.
Add the following to the Windows Auth Site, FBA Site *AND* the Central Admin Site web.config files in IIS
Add the following between </SharePoint> & <system.web>
<connectionStrings>
<add name="AspNetSqlProvider" connectionString="server=YourSQLServer; database=site_FBA; Trusted_Connection=True" />
</connectionStrings>
Add the following after <system.web>
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add connectionStringName="AspNetSqlProvider" passwordAttemptWindow="10" enablePasswordRetrieval="false" enablePasswordReset="true" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" description="Stores and retrieves membership data from the Microsoft SQL Server database" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<remove name="AspNetSqlRoleProvider" />
<add connectionStringName="AspNetSqlProvider" applicationName="/" description="Stores and retrieves roles data from the local Microsoft SQL Server database" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Install and Deploy FBA User Management Tools
FBA Management
http://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=17901
CMD: deploy site_url
You will see the following error during deployment which you can *IGNORE*
Dependency feature with id 01aa8d8b-000a-4c35-8f4f-5d1280377650 for feature ‘FBAManagementSelf’ (id: 23c44729-fb03-4882-a0bf-c6fb3ddd81fd) is not installed.
Once this completes you should have the “Forms Based Authentication Admin Management Feature” Activated in your Site Collection
Create the first user in the FBA database
At this point you still cannot log in to your FBA website because you do not yet have any users in your FBA database. Next we are going to add Site_Admin as a new FBA user. (*Note* – These steps must be performed in the order below or you will get errors.)
In the Windows Auth site go to Site Actions -> Site Settings -> Users and Permissions -> FBA User Management
If you get the following error –> “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application” – Verify your web.config changes in the Windows Auth site in IIS, and also double check your App Pool Permissions on the SQL FBA Database.
Click New User
Enter All of the user’s information, but *DO NOT* click ‘OK’
Open the *Extranet FBA site’s web.config file only* and change the following line:
From:
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
To:
<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
Go to Central Admin in a separate window/tab:
Application Settings -> Authentication Providers
Select your Web Application and then click the Zone you wish to configure for your Application (Extranet in my case):
Modify the settings for the Zone and click Save:
Switch back to the ‘New Forms Based Authentication User’ page in the Windows Auth Site
Now click OK to finish creating the Site_Admin FBA User. You should be returned to the Manage Forms Based Authentication Users page, where you will see your new user:
Make the Site_Admin users Site Collection Administrators
Now you should be able to browse to your FBA site and login with your new Site Collection Admin:
All Done! Since we added the FBA information to the Web.config files for the Windows Auth site as well as Central Admin you will be able to manipulate permissions for your FBA users through either of those Sites as well as through the FBA site.
-CB
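Added example (not from the original post or the CKS project): a small Python check for the web.config edits described above, covering the connection string, the membership and roleManager sections, and the roleManager defaultProvider switch made on the FBA site. The TEMPLATE sample is constructed and trimmed to the attributes the check reads; check_fba_config and INHERITED are names made up for this example, and it assumes the stock machine.config still supplies AspNetWindowsTokenRoleProvider.

```python
import xml.etree.ElementTree as ET

# Role provider inherited from the stock .NET 2.0 machine.config (assumed unmodified).
INHERITED = {"AspNetWindowsTokenRoleProvider"}

def check_fba_config(xml_text):
    """Return a list of problems in the FBA sections of one web.config."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. curly quotes pasted from a web page
        return ["not well-formed XML: %s" % exc]
    problems = []
    conns = {c.get("name") for c in root.findall("connectionStrings/add")}
    for section in ("membership", "roleManager"):
        node = root.find("system.web/" + section)
        if node is None:
            problems.append("<%s> missing" % section)
            continue
        providers = {p.get("name"): p for p in node.findall("providers/add")}
        default = node.get("defaultProvider", "")
        if default != default.strip():
            problems.append("%s: defaultProvider %r has stray whitespace" % (section, default))
        elif default not in providers and default not in INHERITED:
            problems.append("%s: defaultProvider %r is not defined" % (section, default))
        for name, p in providers.items():
            if p.get("connectionStringName") not in conns:
                problems.append("%s: %s uses an undefined connection string" % (section, name))
            if section == "membership" and p.get("passwordFormat", "Hashed") != "Hashed":
                problems.append("membership: %s does not store hashed passwords" % name)
            if section == "membership" and p.get("enablePasswordRetrieval", "false") == "true":
                problems.append("membership: %s allows password retrieval" % name)
    return problems

# Constructed sample: the post's sections, trimmed; %s is the roleManager default under test.
TEMPLATE = """<configuration><connectionStrings>
<add name="AspNetSqlProvider" connectionString="server=YourSQLServer; database=site_FBA; Trusted_Connection=True" />
</connectionStrings><system.web>
<membership defaultProvider="AspNetSqlMembershipProvider"><providers>
<add name="AspNetSqlMembershipProvider" connectionStringName="AspNetSqlProvider" passwordFormat="Hashed" enablePasswordRetrieval="false" />
</providers></membership>
<roleManager enabled="true" defaultProvider=%s><providers>
<add name="AspNetSqlRoleProvider" connectionStringName="AspNetSqlProvider" />
</providers></roleManager></system.web></configuration>"""

if __name__ == "__main__":
    for value in ('"AspNetSqlRoleProvider"', '" AspNetSqlRoleProvider"', "\u201dAspNetSqlRoleProvider\u201d"):
        print(value, "->", check_fba_config(TEMPLATE % value) or "OK")
```

Feed it the text of each of the three web.config files; an empty list means the FBA sections parse and reference each other consistently.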
Comments
8 Responses to “Easy-Bake Forms Based Authentication”
Great post! I have a question: the command CMD: deploy site_url, which site do I have to use for deployment? The collection-root? Or directly the site where I would like to use the webparts?
You would use the URL configured in the default zone for your Web Application -> http://site.domain.com
-Corey
I receive the error that you described and everything seemed to work fine, except I am not receiving the temp passwords, nor do I see a way to activate a new user. I’ve gone to the Site Settings Member Registration screen and the user is not listed. However, the new user is listed in the list of members but I can’t log in as them without the password. Help would be appreciated.
The password should be provided by you during user creation. If you reset the password it will generate an e-mail to the user’s e-mail address with the new temp password. Make sure your SMTP server and your SharePoint outgoing e-mail is configured properly. Also, make sure you specify a valid e-mail address for the Forms Based authentication user that you created.
User Creation – I didn’t provide enough info. I am attempting to use the CKS Forms Based Authentication Solution from CodePlex that you recommend above. I am able to create Users but they don’t appear in the Member List pending approval and they don’t receive emails. However, to respond to your second item – the SharePoint environment is sending alert emails and welcome emails based on adding users to Groups. Any ideas for configuring the CKS FBA to get this working correctly and completely?
[...] empty SQL database. An excellent one by my co-worker Corey Burke at Rackspace is SharePoint Voodoo: Easy-Bake Forms Based Authentication. There are any that outline the process of using a new FBA with an existing DotNetNuke [...]
How can I put a link on the Log in Page for reset password and register new user? That's what I want to do, since that's what the CKS FBA Self Management Tool is for. Can anyone help?
Thanks
[...] Forms based authentication in this version of SharePoint is much better than the last, in that there is the option to do it. It could use some improvement, but it is a good start. There are plenty of blog posts out there that go over this as well as a few tools on CodePlex, so I won't go into the details. One of the best posts I found on the subject is: http://blog.sharepoint-voodoo.net/?p=6 [...]