Wednesday, November 27, 2013

Forms Based Authentication (FBA) in SharePoint 2013

Setting up Forms Based Authentication (FBA) in SharePoint 2013 is almost the same as in SharePoint 2010 [ http://gj80blogtech.blogspot.in/2010/12/forms-based-authentication-in.html ]. The differences are the .NET Framework version (4.0), the web.config entries, the fact that IIS does not directly support configuring a .NET 4.0 membership provider, and the removal of classic mode authentication.

In this article, we will see how to configure SQL Server based authentication on a SharePoint 2013 site. The process involves the following configuration steps:

  1.     Create SQL Server user membership database
  2.     Create or extend SharePoint web application
  3.     Modify web.config files for the following web applications
  4.     Create custom login form

Step 1: Create SQL Server user membership database

  • Run aspnet_regsql.exe, located in the "C:\Windows\Microsoft.NET\Framework64\v4.0.30319" directory
  • The ASP.NET SQL Server Setup Wizard will appear. On the welcome screen, click Next
  • Select "Configure SQL Server for application services", and then click Next
  • Enter the SQL Server, the authentication information and the FBA database name; e.g. Server = SP2013; Windows Authentication; Database = FBADB
  • Complete the wizard and close it
  • Make sure the application pool accounts (your web application, Security Token Service site, Central Administration web site) have access [db_owner role] to the FBA database.
  • Create some test users in this database. You can use a membership tool for this, e.g. http://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7450 , or alternatively do it from any ASP.NET website in IIS. Create a dummy ASP.NET website only for managing users:
    • Open IIS Manager (inetmgr). Right-click Sites and select "Add Web Site…"
    • Enter the field values, e.g. site name = TestASPFBAUser, physical path = C:\TestASPFBAUserVirtualDirectory, port = 12345, and click OK.
    • Open "Application Pools". Check the .NET Framework version of the new application pool "TestASPFBAUser"; it should be "2.0". Note: IIS does not support management of users and roles for .NET 4.0.
    • Set the identity of the application pool "TestASPFBAUser" to the account that has read/write permissions on the membership database [FBADB]: right-click the application pool -> click Advanced Settings -> click Identity.
    • Add Connection String :
      • Select your new site "TestASPFBAUser" and open the "Connection Strings" page.
      • On the Connection Strings page, click "Add…"
      • In the Add Connection String dialog, enter the field values, e.g. name = FBADBConnection, server = SP2013, database = FBADB, Credentials = "Use Windows Integrated Security", and click OK.
    • Add Provider :
      • Select your new site "TestASPFBAUser" and open the "Providers" page.
      • On the Providers page, select Feature = ".NET Users". Click "Add…"
      • In the Add dialog, choose Type = "SqlMembershipProvider". Enter a name, e.g. FBAASPMembershipProvider.
      • Set the profile properties. Note: the options selected here must match the provider settings in the SharePoint web.config. E.g. I chose [EnablePasswordReset = True, RequiresUniqueEmail = True, StorePasswordInSecureFormat = True] and left the others at their default of False.
      • Set ConnectionStringName = FBADBConnection (which we just created) and ApplicationName = /
      • Click OK to close the dialog
    • Add User:
      • Select your new site "TestASPFBAUser" and open the ".NET Users" page.
      • Set the default membership provider: click "Set Default Provider…" in the right-hand panel, choose the membership provider "FBAASPMembershipProvider" (which we just created) and click OK.
      • Click "Add…" in the right-hand panel to add a user.
      • In the "Add .NET User" dialog, give the user a name, email and password, e.g. user = FBAAdmin, password = admin@1234, email = abc@test.com; leave the Question and Answer fields blank. Click OK to create the user and close the dialog.
  • Now we have one test user in FBADB; we will use this user as the admin for FBA. You can use this page to add and edit other users.

Step 2: Create or Extend SharePoint Web Application

You can create a new site for testing and use both Windows authentication and FBA on the same site, or you can extend an existing site and use FBA for the extended site and Windows authentication for the existing one. E.g. in my case I extended the port 80 site (http://server/) to port 90 (http://server:90).
  • Create a new web application
    • Open SharePoint Central Administration -> Application Management -> Manage Web Applications -> click New
    • Select "Create a new IIS web site" and enter the other fields: Name, Port, Path etc.
    • Check the "Enable Forms Based Authentication (FBA)" checkbox
    • Enter the ASP.NET Membership Provider Name and ASP.NET Role Provider Name that you are planning to configure in the web.config, e.g. FBAMembershipProvider and FBARoleProvider
    • Leave "Enable Windows Authentication" checked to use dual authentication, then click OK.
    • An "Application Created" dialog will appear. Click the "Create Site Collection" link to create the first site collection for this web application.
    • In the Create Site Collection dialog, enter the name, URL, template and Primary Site Collection Administrator [domain account]; leave Secondary Site Collection Administrator blank for now.
    • Click OK.
  • Extend existing web application
    • Open SharePoint Central Administration -> Application Management -> Manage Web Applications -> select the existing web application
    • Click Extend in the ribbon
    • Select "Create a new IIS web site" and enter the other fields: Name, Port, Path etc.
    • Uncheck "Enable Windows Authentication"
    • Check the "Enable Forms Based Authentication (FBA)" checkbox
    • Enter the ASP.NET Membership Provider Name and ASP.NET Role Provider Name that you are planning to configure in the web.config, e.g. FBAMembershipProvider and FBARoleProvider
    • Select Zone = Intranet, click OK

Step 3: Edit Web.Config Files

Modify the web.config files of the following web applications:
  1. Central Administration
  2. Security Token Service (STS)
  3. Web application

Modify the Central Administration site's web.config file

•  "connectionStrings" entry
<configSections>…</configSections>
<connectionStrings>
<clear />
<add name="FBADBConnection" connectionString="data source=SP2013; Integrated Security=SSPI; Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
</connectionStrings>

•  "PeoplePickerWildcards" entry
<PeoplePickerWildcards>
<clear />
<add key="FBAMembershipProvider" value="%" />
<add key="AspNetWindowsTokenRoleProvider" value="%"/> 
</PeoplePickerWildcards>

•  "roleManager" and "membership" entries
<system.web>
  .......
  <roleManager enabled="true"
               cacheRolesInCookie="false"
               cookieName=".ASPXROLES"
               cookieTimeout="30"
               cookiePath="/"
               cookieRequireSSL="false"
               cookieSlidingExpiration="true"
               cookieProtection="All"
               defaultProvider="AspNetWindowsTokenRoleProvider"
               createPersistentCookie="false"
               maxCachedResults="25">
    <providers>
      <!-- FBA -->
      <clear />
      <add connectionStringName="FBADBConnection" applicationName="/" name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <!-- FBA end -->
    </providers>
  </roleManager>
  <membership defaultProvider="FBAMembershipProvider" userIsOnlineTimeWindow="15" hashAlgorithmType="">
    <providers>
      <!-- FBA -->
      <clear />
      <add connectionStringName="FBADBConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <!-- FBA end -->
    </providers>
  </membership>
  .......
</system.web>

Security Token Service web.config

<configuration>
….
<!-- FBA -->
  <connectionStrings>
    <clear />
    <add name="FBADBConnection" connectionString="data source=SP2013; Integrated Security=SSPI; Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add connectionStringName="FBADBConnection"
        enablePasswordRetrieval="false"
        enablePasswordReset="true"
        requiresQuestionAndAnswer="false"
        passwordAttemptWindow="10"
        applicationName="/"
        requiresUniqueEmail="true"
        passwordFormat="Hashed"
        name="FBAMembershipProvider"
        type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <roleManager enabled="true">
      <providers>
        <add connectionStringName="FBADBConnection" applicationName="/"
        name="FBARoleProvider"
        type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
  <!-- FBA end -->
</configuration>

Web Application web.config file

•  "connectionStrings" entry
<!-- FBA -->
<connectionStrings>
  <clear />
  <add name="FBADBConnection" connectionString="data source=SP2013; Integrated Security=SSPI; Initial Catalog=FBADB" providerName="System.Data.SqlClient" />
</connectionStrings>
<!-- FBA end -->

•  "PeoplePickerWildcards" entry
<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembershipProvider" value="%" />
  <!-- FBA -->
  <add key="FBAMembershipProvider" value="%" />
  <!-- FBA end -->
</PeoplePickerWildcards>

•  "membership" and "roleManager" entries (the "i" and "c" providers are SharePoint's own claims providers and must stay in place)
<system.web>
  .......
  <membership defaultProvider="i">
    <providers>
      <!-- FBA -->
      <clear />
      <add connectionStringName="FBADBConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <!-- FBA end -->
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <!-- FBA -->
      <clear />
      <add connectionStringName="FBADBConnection" applicationName="/" name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <!-- FBA end -->
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </providers>
  </roleManager>
  .......
</system.web>
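The note in Step 1 that the provider options must match the web.config settings applies across all three web.config files above as well: Central Administration, the STS and the web application each read their own copy of the FBA membership provider, and a mismatch, or a stray character pasted into the type string, usually surfaces only as a failed login or an empty people picker. The following Python script is an added example, not part of the original post; it parses the three files and reports where the membership provider attributes, the connection string and the PeoplePickerWildcards entries disagree, and insists on hashed password storage with retrieval disabled. The file labels, the sample XML (built from the fragments above) and the deliberately broken variant are constructed for the demonstration; in practice you would read the real web.config files into the same mapping.

```python
"""Consistency check for the FBA entries in the three SharePoint web.config files.
Added example: the labels, sample XML and broken variant are constructed here."""
import xml.etree.ElementTree as ET

# Membership provider attributes that must agree across CA, STS and web app.
MEMBERSHIP_ATTRS = (
    "connectionStringName", "applicationName", "enablePasswordRetrieval",
    "enablePasswordReset", "requiresQuestionAndAnswer", "requiresUniqueEmail",
    "passwordFormat", "passwordAttemptWindow",
)
# Values to insist on in every file: hashed storage, no password retrieval.
REQUIRED_VALUES = {"passwordFormat": "Hashed", "enablePasswordRetrieval": "false"}


def _provider(root, section, name):
    """Attributes of <section>/<providers>/<add name=...>, or None if absent."""
    node = root.find(f".//{section}/providers/add[@name='{name}']")
    return None if node is None else dict(node.attrib)


def _connection_string(root, name):
    node = root.find(f".//connectionStrings/add[@name='{name}']")
    return None if node is None else node.get("connectionString")


def _people_picker_has(root, key):
    return root.find(f".//PeoplePickerWildcards/add[@key='{key}']") is not None


def check_fba_configs(configs, membership="FBAMembershipProvider",
                      role="FBARoleProvider", conn="FBADBConnection",
                      picker_in=("CentralAdmin", "WebApp")):
    """configs maps a label to web.config XML text. Returns a list of problems;
    an empty list means the files agree. The first file is the baseline."""
    problems, baseline, conn_values = [], None, {}
    for label, text in configs.items():
        root = ET.fromstring(text)
        cs = _connection_string(root, conn)
        if cs is None:
            problems.append(f"{label}: connection string '{conn}' missing")
        else:
            conn_values[label] = cs.replace(" ", "").lower()
        mp = _provider(root, "membership", membership)
        if mp is None:
            problems.append(f"{label}: membership provider '{membership}' missing")
        else:
            for attr, wanted in REQUIRED_VALUES.items():
                if mp.get(attr) != wanted:
                    problems.append(f"{label}: {attr}={mp.get(attr)!r}, expected {wanted!r}")
            if baseline is None:
                baseline = (label, mp)
            else:
                for attr in MEMBERSHIP_ATTRS:
                    if mp.get(attr) != baseline[1].get(attr):
                        problems.append(f"{label}: {attr}={mp.get(attr)!r} differs from "
                                        f"{baseline[0]} ({baseline[1].get(attr)!r})")
        rp = _provider(root, "roleManager", role)
        if rp is None:
            problems.append(f"{label}: role provider '{role}' missing")
        # Stray spaces inside the type string are easy to paste in and hard to spot.
        for name, p in ((membership, mp), (role, rp)):
            if p is not None and p.get("type", "") != p.get("type", "").strip():
                problems.append(f"{label}: {name} type attribute has leading/trailing whitespace")
        if label in picker_in and not _people_picker_has(root, membership):
            problems.append(f"{label}: PeoplePickerWildcards has no entry for '{membership}'")
    if len(set(conn_values.values())) > 1:
        problems.append(f"connection string '{conn}' differs between files")
    return problems


# Constructed sample files mirroring the fragments in the post (hypothetical server SP2013).
_CONN = "data source=SP2013; Integrated Security=SSPI; Initial Catalog=FBADB"
_ROLE_TYPE = ("System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, "
              "Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
_PICKER = ('<SharePoint><PeoplePickerWildcards><clear />'
           '<add key="FBAMembershipProvider" value="%" /></PeoplePickerWildcards></SharePoint>')
_TEMPLATE = """<configuration>
  <connectionStrings><clear />
    <add name="FBADBConnection" connectionString="{conn}" providerName="System.Data.SqlClient" />
  </connectionStrings>
  {picker}
  <system.web>
    <membership defaultProvider="FBAMembershipProvider"><providers><clear />
      <add name="FBAMembershipProvider" connectionStringName="FBADBConnection" applicationName="/"
           enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
           passwordAttemptWindow="10" requiresUniqueEmail="{unique}" passwordFormat="{fmt}"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers></membership>
    <roleManager enabled="true"><providers><clear />
      <add name="FBARoleProvider" connectionStringName="FBADBConnection" applicationName="/" type="{role_type}" />
    </providers></roleManager>
  </system.web>
</configuration>"""


def sample(picker=True, unique="true", fmt="Hashed", role_type=_ROLE_TYPE):
    return _TEMPLATE.format(conn=_CONN, picker=_PICKER if picker else "",
                            unique=unique, fmt=fmt, role_type=role_type)


GOOD = {"CentralAdmin": sample(), "STS": sample(picker=False), "WebApp": sample()}
# Deliberate defects: STS stores passwords in clear text, the web app disagrees on
# requiresUniqueEmail and carries stray spaces around the role provider type.
BAD = {"CentralAdmin": sample(),
       "STS": sample(picker=False, fmt="Clear"),
       "WebApp": sample(unique="false", role_type=" " + _ROLE_TYPE + " ")}

if __name__ == "__main__":
    for label, cfgs in (("good", GOOD), ("bad", BAD)):
        print(label, check_fba_configs(cfgs) or "OK")
```

To run it against a farm, read the three real files (the Central Administration and web application web.config under the IIS site directories, and the STS web.config under the SharePoint root's WebServices\SecurityToken folder) into a dict with the same labels and call check_fba_configs on it; the STS file is intentionally exempt from the PeoplePickerWildcards check because that section only exists in the CA and web application files. The first file in the mapping serves as the baseline, so put Central Administration first.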


Save all the web.config files and do an IISRESET.


Add admin user for FBA site
  • Open the SharePoint Central Administration site
  • Open the Application Management page: Central Administration -> Application Management
  • Select your web application, e.g. SharePoint-80
  • Click the "User Policy" button in the ribbon
  • In the User Policy window, click Add Users, then Next [default: all zones]
  • Search for your FBA admin user, e.g. fbaadmin, and add it
  • Give the user Full Control permission.
Now open your FBA site in a new browser; it will open the login form:
  • In the case of a single site with dual authentication, the form will let you select the authentication type at login: Forms or Windows
  • In the case of an extended site with FBA only, it will open the default FBA login form directly
