Archive
SharePoint 2010: Exaction SharePoint User Manager
I have developed two commercial SharePoint User Manager Products for Exaction:
- Exaction (AD) SharePoint User Manager
- Exaction (SQL) SharePoint User Manager
This product is also available in MOSS 2007.
Please click here to go to the Exaction site and view more details.
The Exaction SharePoint User Manager solutions provide a set of user-friendly SharePoint web parts that let the end user easily manage SharePoint user accounts. The Exaction (SQL) SharePoint User Manager solution is designed to typically work in an FBA-enabled site with ASP.NET Membership as the provider, where the users are stored in an SQL database (please view this post to see how this can be set up), whereas the Exaction (AD) SharePoint User Manager solution is designed to typically work in a site that uses Windows Authentication.
Below are some of the key features it has to offer:
- Ability to view a complete list of users
- Ability to sort and filter User data
- Ability to add, edit and delete FBA Users
- Ability to Reset passwords, unlock, enable and disable accounts
- Configurable password policy settings
- Ability to retrieve forgotten password
- Configurable auto-generated email notifications
- Ability to send out bulk email notifications to all system active or inactive users
- Export user data to excel
- Configurable security
- Easy to use and intuitive user interface
- Quick installation and configuration
- Easily customisable UI
- Several built in skins
The solution contains the following three web parts:
- User Manager web part
- Manage My Account web part
- Forgot My Password web part
1 User Manager web part
The User Manager web part uses a Telerik RadGrid to display a list of Users. Apart from providing the ability to view a list of all users the web part also provides the ability to:
- Filter the data
- Sort the data by any column
- Paginate data and to specify page size
- Edit existing User accounts
- Add new users
- Delete a user account (Admin function)
- Unlock user accounts
- Activate and de-activate user accounts
- Export data to excel (Admin function)
- Notify All Active And Inactive Users (Admin function)
As it uses the Telerik RadGrid to display the data it comes with several built in Skins and is fully customisable (please refer to http://demos.telerik.com/aspnet-ajax/grid/examples/overview/defaultcs.aspx to see an overview of the features provided by the Telerik RadGrid)
The screen shot below shows the initial view seen by the end user when accessing the Web Part:
1.1 Adding a new User
The User Manager web part provides an easy and convenient way of adding new users to the system and adding them to SharePoint groups at the same time to grant them access to the Site.

When a user is successfully created a password is automatically generated and the details are emailed to the newly created user.
1.2 Deleting existing Users
Users can be easily deleted by clicking on the icon on the Grid. Clicking on the cross prompts the end user to confirm that they would like to delete this record. Upon confirmation the account is deleted; please look at the screen shot below:
This feature (deleting a user) can be enabled or disabled, and you can specify the SharePoint Group that will have permission to perform this action.
1.3 Activating and Deactivating User Accounts
Based on the status of the User account, the Grid will display an action that allows the end user to Activate or Deactivate an account. For example, if the user account is active then it will display the ‘Deactivate’ action. Clicking on this action will deactivate the user account. On the other hand, if the user account has already been deactivated then it will display the ‘Activate’ action. Clicking on this action will activate the User Account. Please note that attempting to deactivate an account will first prompt the end user to confirm that they want to proceed with the action.
1.4 Editing existing user accounts
Clicking on the edit icon opens up a modal dialog box that allows the end user to edit existing user account details.
The form also provides the means to change a user’s password and a means to modify the user’s SharePoint Group memberships.
1.5 Unlocking User Accounts
If a user’s account has been locked out due to repeated login failures then the icon will appear on the Grid for that User Account. Clicking on the icon will unlock the user account.
1.6 Filtering Data
By default the User Manager Grid allows the end user to filter the data by First name, surname, username, email address and full name.
1.7 Export data to excel
Clicking on the export to Excel button will export the data to an Excel spreadsheet. The export takes into account the filters that have been applied to the view, i.e. only data that matches the filtering criteria will be exported.
1.8 Notify System Users
Clicking on the ‘Notify Users’ button allows you to send notifications to all system users.
While the notifications are being generated:
After the process is complete the screen shot below displays a confirmation that the notifications were sent successfully to x number of users:
2 Manage my account web part
The Manage Account Web Part allows the logged in user to manage their account details. Changing the email address, first name and surname also updates the SharePoint profile as well as updating the membership provider store.
The Web Part also allows the user the means to change their password.
3 Forgotten my password web part
This web part allows a user to retrieve their password by filling out the form below:
Once the end user provides the username and the email address for the account an email is sent out to the registered account’s email address confirming the password.
If you require more information on the product then please click here to go to the Exaction site and view more details.
SharePoint 2010 FBA: Enable search by part or full name in People Picker
Please refer to this post of mine on how to configure Forms Based Authentication (FBA) on a SharePoint Web Application using ASP.NET SQL Membership Provider.
After you set up FBA, the People Picker control by default will only search for users by username. However, if you would like to search for users by part or full display name then you will need to carry out the following changes to the Membership Database:
- Add a column “ProfileNames” of type nvarchar(255) in the table: aspnet_Users
- Update the stored procedure: aspnet_Membership_FindUsersByName by replacing the following where clause:
WHERE u.ApplicationId = @ApplicationId
  AND m.UserId = u.UserId
  AND u.LoweredUserName LIKE LOWER(@UserNameToMatch)
with:
WHERE u.ApplicationId = @ApplicationId
  AND m.UserId = u.UserId
  AND u.ProfileNames LIKE '%' + LOWER(@UserNameToMatch) + '%'
- Create the following Trigger on the “aspnet_Profile” table:
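CREATE TRIGGER [dbo].[ProfileProperty_Trigger]
ON [dbo].[aspnet_Profile]
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Set-based update so that every row touched by the statement is copied,
    -- not just one. The join back to aspnet_Profile is needed because ntext
    -- columns cannot be read from the inserted table in an AFTER trigger.
    -- The value is cast to the width of the ProfileNames column.
    UPDATE u
    SET u.ProfileNames = CAST(p.PropertyValuesString AS nvarchar(255))
    FROM aspnet_Users u
    INNER JOIN inserted i ON u.UserId = i.UserId
    INNER JOIN aspnet_Profile p ON p.UserId = i.UserId
END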
That is it, after making these changes the People Picker control should now match by username as well as display name.
SharePoint 2010: Limit People Picker to search only FBA Users
Please refer to this post of mine on how to configure Forms Based Authentication (FBA) on a SharePoint Web Application.
Consider the following scenario:
You have configured FBA on a Web Application and created a Site Collection that uses FBA. Your Web Application uses mixed mode authentication (FBA and Windows Authentication). When you search for users in People Picker it shows you matches for both FBA and AD users. You would like to restrict People Picker to only show matches for FBA Users.
You can achieve this by running the following stsadm command:
stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -url http://www.nameOfMySiteCollection.co.uk/ -pv yes
The ‘peoplepicker-onlysearchwithinsitecollection’ part in there is misleading and doesn't really do what it implies; however, it does get rid of the AD user matches from People Picker.
Before running the stsadm command:


After running the stsadm command:


Please note that if you type in the full username of an AD user and click on the Check Names icon it will still resolve the user.
SharePoint 2010: Setting up Form Based Authentication (FBA) using ASP.NET SQL Membership Provider
There are a few different ways of setting up Forms Based Authentication on a Web Application using ASP.NET SQL Membership as the Provider and in this post I will explain the approach I have used time and time again over the years. Please note that the method I use involves modifying the config files manually, however, there is another approach where this is done purely via IIS which I plan to blog about some time in the future.
We can break down the setup process into 7 steps (I am assuming here that we are setting it all up from scratch):
- Create the new Web Application
- Set up the Membership Database
- Modify the Web Application Web.config
- Modify the Web.Config of the Central Admin
- Modify the Web.Config of the STS (Security Token Service) Application
- Add a new .NET User
- Create the new Site Collection
1 Create the new Web Application
Go to Central Administration and create a new Web Application. Use the following information to create the Web Application:
- For Authentication select ‘Claims Based’
- Claims Authentication Types
- Uncheck ‘Enable Windows Authentication’ (optional: if you purely want to use FBA)
- Check ‘Enable Forms Based Authentication (FBA)’
- ASP.NET Membership provider name: MyMembershipProvider
- ASP.NET Role manager name: MyRoleProvider
Fill out the rest of the form as per your requirement and create the Web Application.
Please note that the Membership provider and Role Manager names used above are just examples and you can name them according to your requirements.
2 Setup the Membership Database
Carry out the following steps to create the membership database:
- Go to C:\Windows\Microsoft.NET\Framework64\v2.0.50727 and run “aspnet_regsql.exe”
- Select “Configure SQL Server for Application Services”
- Choose Windows Authentication
- Specify the Database name. This can be anything; in our example we will use ‘MyWebAppUsers’
To ensure forms based authentication works smoothly it is important that the application pool identity accounts of SharePoint Central Admin, the Web Application we created above and the SecurityTokenServiceApplication have the appropriate rights on the Membership database (MyWebAppUsers). I usually grant them db_owner rights.
3 Modify the Web Application Web.Config
Add the following element after the </sharePoint> and before the <system.web> element as below and change the value of ‘DbServername’ with the relevant database server name:
<connectionStrings>
  <add name="MyDbConnectionString" connectionString="data source=DbServername;Integrated Security=SSPI;Initial Catalog=MyWebAppUsers" providerName="System.Data.SqlClient" />
</connectionStrings>
Find the <membership> element and add your own provider as below:
<membership defaultProvider="i">
  <providers>
    <!-- ... existing providers ... -->
    <add name="MyMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="MyDbConnectionString"
         enablePasswordReset="false"
         enablePasswordRetrieval="true"
         passwordFormat="Clear"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false"
         applicationName="/" />
  </providers>
</membership>
Find the <roleManager> element and add your own provider as below:
<roleManager cacheRolesInCookie="false" defaultProvider="c" enabled="true">
  <providers>
    <!-- ... existing providers ... -->
    <add name="MyRoleProvider"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         applicationName="/"
         connectionStringName="MyDbConnectionString" />
  </providers>
</roleManager>
Locate the <PeoplePickerWildcards> element and add the following element as below:
<PeoplePickerWildcards>
  <!-- ... existing entries ... -->
  <add key="MyMembershipProvider" value="*" />
</PeoplePickerWildcards>
This enables partial matches when you type a username into a People Picker control. Without it, a user will only be matched if you type the exact username. We are basically telling SharePoint which character (asterisk) to use for the wildcard search in SQL.
4 Modify the Web.Config of the Central Admin
Add the following after </sharePoint> and before <system.web> element replacing ‘DbServername’ with the relevant database server name.
<connectionStrings>
  <add name="MyDbConnectionString" connectionString="data source=DbServername;Integrated Security=SSPI;Initial Catalog=MyWebAppUsers" providerName="System.Data.SqlClient" />
</connectionStrings>
Find the element <membership> and add your own provider as below:
<membership defaultProvider="MyMembershipProvider">
  <providers>
    <!-- ... existing providers ... -->
    <add name="MyMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         applicationName="/"
         connectionStringName="MyDbConnectionString"
         enablePasswordReset="true"
         enablePasswordRetrieval="true"
         passwordFormat="Clear"
         requiresQuestionAndAnswer="false"
         requiresUniqueEmail="false" />
  </providers>
</membership>
Find the element <roleManager> and add your own provider as below:
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
  <providers>
    <!-- ... existing providers ... -->
    <add name="MyRoleProvider"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         applicationName="/"
         connectionStringName="MyDbConnectionString" />
  </providers>
</roleManager>
Locate the <PeoplePickerWildcards> element and add the following element as below:
<PeoplePickerWildcards>
  <clear />
  <!-- ... existing entries ... -->
  <add key="MyMembershipProvider" value="*" />
</PeoplePickerWildcards>
5 Modify the Web.Config of the STS Application
Go to the root directory of the “SecurityTokenServiceApplication” which is typically located at: “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken” and open the web.config.
Just before the </configuration> element add the following ensuring you change the database server name to match the details of your database server.
<connectionStrings>
<add connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MyWebAppUsers;Data Source=DbServername" name="MyDbConnectionString" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="MyDbConnectionString" enablePasswordReset="true" enablePasswordRetrieval="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" applicationName="/" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="MyDbConnectionString" />
</providers>
</roleManager>
</system.web>
Please note that I am making the assumption here that you don't have any other Web Applications in your farm with FBA enabled. If you do, then a lot of these elements will already exist and all you need to do is add the relevant parts from above to the relevant elements.
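An added example, not part of the original post: a PowerShell check that reads the SqlMembershipProvider entry from each of the three web.config files edited in steps 3 to 5 and reports settings that weaken password storage (passwordFormat="Clear" keeps passwords unhashed in the membership database) or that differ between the files. The function name Get-MembershipFinding and the inline XML are constructed for illustration, modelled on the snippets above.

```powershell
# Added example: audit SqlMembershipProvider settings across the FBA web.config files.
# Constructed sample input; only enablePasswordReset varies, as in the snippets above.
$template = @'
<configuration><system.web><membership><providers>
  <add name="MyMembershipProvider"
       type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0"
       connectionStringName="MyDbConnectionString" applicationName="/"
       enablePasswordReset="{0}" enablePasswordRetrieval="true" passwordFormat="Clear" />
</providers></membership></system.web></configuration>
'@
$configs = @{
    'WebApplication' = $template -f 'false'
    'CentralAdmin'   = $template -f 'true'
    'STS'            = $template -f 'true'
}

function Get-MembershipFinding {
    param([string]$Source, [xml]$Config)
    foreach ($p in $Config.SelectNodes('//membership/providers/add')) {
        # Skip the SharePoint claims provider and any other non-SQL providers.
        if ($p.GetAttribute('type') -notlike 'System.Web.Security.SqlMembershipProvider*') { continue }
        # Apply the provider's defaults when an attribute is omitted.
        $format = $p.GetAttribute('passwordFormat')
        if (-not $format) { $format = 'Hashed' }
        $retrieval = $p.GetAttribute('enablePasswordRetrieval') -eq 'true'
        $reset     = $p.GetAttribute('enablePasswordReset') -ne 'false'
        $issues = @()
        if ($format -eq 'Clear') { $issues += 'passwords stored in clear text' }
        if ($retrieval)          { $issues += 'existing passwords can be retrieved' }
        New-Object PSObject -Property @{
            Source         = $Source
            Provider       = $p.GetAttribute('name')
            PasswordFormat = $format
            Retrieval      = $retrieval
            Reset          = $reset
            Issues         = ($issues -join '; ')
        }
    }
}

$findings = foreach ($name in $configs.Keys) {
    Get-MembershipFinding -Source $name -Config $configs[$name]
}
$findings | Sort-Object Source |
    Format-Table Source, Provider, PasswordFormat, Retrieval, Reset, Issues -AutoSize

# The same provider is declared in all three files, so its settings should agree.
foreach ($g in ($findings | Group-Object Provider)) {
    $variants = @($g.Group | ForEach-Object {
        '{0}/{1}/{2}' -f $_.PasswordFormat, $_.Retrieval, $_.Reset } | Sort-Object -Unique)
    if ($variants.Count -gt 1) {
        Write-Warning ("{0} differs between files: {1}" -f $g.Name, ($variants -join ' vs '))
    }
}
```

To check a real farm, replace the constructed strings in $configs with the text of the three web.config files.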
6 Add a new .NET User
Now we need to add a user that we will use to login to the FBA site. To do this we need to carry out the following steps:
- Open up IIS (Start > Run > type inetmgr)
- Select the SharePoint Central Administration v4 site from the list of sites
- Double click on .NET Users from the right hand side (as in the screenshot below).
- From the actions menu on the right click on ‘Set Default Provider’ and select ‘MyMembershipProvider’ from the DropDownList (or whatever name you used to name the MembershipProvider)
- From the actions menu click on ‘Add’ and fill out the form (screenshot below)
- After adding the user reset the Default Provider to what it was originally
7 Create the new Site Collection
Create a new Site Collection under the Web Application we created in step 1 and set the user we created in step 6 as the Site Collection Administrator (screenshot below).
Once the Site Collection is created successfully, browse to it and login using the credentials of the user we created in step 6.
That's it! We have now successfully set up Forms Based Authentication on our Web Application.
SharePoint 2010 Login issue only using IE (Internet Explorer) on an FBA enabled Site
Recently I bought a new laptop (OS: Windows 7 Professional). Using IE9 I opened up one of our SharePoint 2010 sites and tried to login and it just refreshed the login page with no error messages displayed. Using IE9 on my old laptop had never caused this issue.
I searched a lot on the interwebs to see if other people had encountered this issue and I found a lot of people in a similar situation but all the suggestions I found to solve this issue a) did not work for me, b) were unacceptable in any case. They included suggestions like adding the site as a trusted site and then making x,y and z changes to your browser settings.
One of our SharePoint 2010 sites is a public facing site where people register and can gain access to the site. Imagine telling those 1000s of users that they need to make x, y and z changes to their browser settings in order to gain access to our site.
What I noticed was that I was having this issue when I clicked on the “remember me” checkbox on the login page (selecting this option issues a persistent cookie). If I did not check this option then I was able to login without any problems.
To cut a long story short, by a complete freak accident, I was able to fix this issue by making a small change in the web.config of the Web Application. If your site uses Claims Based Authentication you will see the following section in your web.config file:
<microsoft.identityModel>
<service saveBootstrapTokens="true">
<audienceUris />
<issuerNameRegistry type="Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<securityTokenHandlers>
<clear />
<add type="Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
<add type="Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c">
<samlSecurityTokenRequirement>
<nameClaimType value="http://schemas.microsoft.com/sharepoint/2009/08/claims/userid" />
</samlSecurityTokenRequirement>
</add>
<add type="Microsoft.SharePoint.IdentityModel.SPTokenCache, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</securityTokenHandlers>
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="false" issuer="https://none" realm="https://none" />
<cookieHandler mode="Custom" path="/" >
<customCookieHandler type="Microsoft.SharePoint.IdentityModel.SPChunkedCookieHandler, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</cookieHandler>
</federatedAuthentication>
</service>
</microsoft.identityModel>
I made the following change (persistentSessionLifetime="60"):
<cookieHandler mode="Custom" path="/" persistentSessionLifetime="60">
I am not sure why but this fixed the issue for me.
Hope this helps someone else.

















