Home > SharePoint 2010 > SharePoint 2010: Setting up Form Based Authentication (FBA) using ASP.NET SQL Membership Provider

SharePoint 2010: Setting up Form Based Authentication (FBA) using ASP.NET SQL Membership Provider


 
There are a few different ways of setting up Forms Based Authentication on a Web Application using ASP.NET SQL Membership as the Provider and in this post I will explain the approach I have used time and time again over the years. Please note that the method I use involves modifying the config files manually, however, there is another approach where this is done purely via IIS which I plan to blog about some time in the future.

We can break down the setup process into 7 steps (I am assuming here that we are setting it all up from scratch):

  • Create the new Web Application
  • Set up the Membership Database
  • Modify the Web Application Web.config
  • Modify the Web.Config of the Central Admin
  • Modify the Web.Config of the STS (Security Token Service) Application
  • Add a new .NET User
  • Create the new Site Collection

1         Create the new Web Application

Go to Central Administration and create a new Web Application. Use the following information to create the Web Application:

  • For Authentication select ‘Claims Based’
  • Claims Authentication Types
    • Uncheck ‘Enable Windows Authentication’ (optional: if you purely want to use FBA)
    • Check ‘Enable Forms Based Authentication (FBA)
      • ASP.NET Membership provider name: MyMembershipProvider
      • ASP.NET Role manager name : MyRoleProvider

Fill out the rest of the form as per your requirement and create the Web Application.

Please note that the Membership provider and Role Manager names used above are just examples and you can name them according to your requirements.
 

2         Setup the Membership Database

Carry out the following steps to create the membership database:

  1. Go to C:\Windows\Microsoft.NET\Framework64\v2.0.50727 and run “aspnet_regsql.exe”
  2. Select “Configure SQL Server for Application Services”
  3. Creating the Membership Database

  4. Choose Windows Authentication
  5. Specify the Database name, this can be anything in our example we will use ‘MyWebAppUsers’
  6. Creating the Membership Database

To ensure form based authentication works smoothly it is important that the application pool identity account of SharePoint Central Admin, The Web Application we created above and the SecurityTokenServiceApplication have the appropriate rights on the Membership database (MyWebAppUsers). I usually grant them db_owner rights.
 

3         Modify the Web Application Web.Config

Add the following element after the </sharePoint> and before the <system.web> element as below and change the value of ‘DbServername’ with the relevant database server name:

<connectionStrings>
  <add name="MyDbConnectionString" connectionString="data source=DbServername;Integrated Security=SSPI;Initial Catalog=MyWebAppUsers" providerName="System.Data.SqlClient" />
</connectionStrings>

Find the <membership> element and add your own provider as below:

<membership defaultProvider="i">
<providers>
.....
<add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="MyDbConnectionString" enablePasswordReset="false" enablePasswordRetrieval="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" applicationName="/" />
</providers>
</membership>

Find the < roleManager> element and add your own provider as below:

<roleManager cacheRolesInCookie="false" defaultProvider="c" enabled="true">
<providers>
   ......
   <add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="MyDbConnectionString" />
</providers>
</roleManager>

Locate the <PeoplePickerWildcards> element and add the following element as below:

<PeoplePickerWildcards>
   ......
   <add Key="MyMembershipProvider" value="*" />
</PeoplePickerWildcards>

This enables partial matches when you type in a username in a people picker control. Without this a user will only be matched if you type the exact username. We are basically telling SharePoint here the character to use (asterisk) to do the wilcard search in SQL.

4         Modify the Web.Config of the Central Admin

Add the following after </sharePoint> and before <system.web> element replacing ‘DbServername’ with the relevant database server name.

<connectionStrings>
<add name="MyDbConnectionString" connectionString="data source=DbServername;Integrated Security=SSPI;Initial Catalog=MyWebAppUsers" providerName="System.Data.SqlClient" />
</connectionStrings>

Find the element <membership> and add your own provider as below:

<membership defaultProvider="MyMembershipProvider">
<providers>
   .......
   <add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="MyDbConnectionString" enablePasswordReset="true" enablePasswordRetrieval="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />
</providers>
</membership>

Find the element <roleManager> and add your own provider as below:

<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
<providers>
 ......
 <add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="MyDbConnectionString" />
</providers>
</roleManager>

Locate the <PeoplePickerWildcards> element and add the following element as below:

<PeoplePickerWildcards>
<clear />
   ......
   <add Key="MyMembershipProvider" value="*" />
</PeoplePickerWildcards>

 

5         Modify the Web.Config of the STS Application

Go to the root directory of the “SecurityTokenServiceApplication” which is typically located at: “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken” and open the web.config.

Just before the </configuration> element add the following ensuring you change the database server name to match the details of your database server.

  <connectionStrings>
    <add connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MyWebAppUsers;Data Source=DbServername" name="MyDbConnectionString" providerName="System.Data.SqlClient" />
  </connectionStrings>
    <system.web>
      <membership defaultProvider="i">
            <providers>
                <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="MyDbConnectionString" enablePasswordReset="true" enablePasswordRetrieval="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" applicationName="/" />
            </providers>
        </membership>
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
        <providers>
                <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="MyDbConnectionString" />
            </providers>
        </roleManager>
    </system.web>

Please note that I am making the assumption here that you dont have any other Web Applications in your farm with FBA enabled, if you do then a lot of these elements will already exist and all you need to do is to add the relevant parts from above to the relevant elements.
 

6         Add a new .NET User

Now we need to add a user that we will use to login to the FBA site. To do this we need to carry out the following steps:

  • Open up IIS (Start > Run > type inetmgr)
  • Select the SharePoint Central Administration v4 site from the list of sites
  • Double click on .NET Users from the right hand side (as in the screeshot below).
  • Add .NET user

  • From the actions menu on the right click on ‘Set Default Provider’ and select ‘MyMembershipProvider’ from the DropDownList (or whatever name you used to name the MembershipProvider)
  • From the actions menu click on ‘Add’ and fill out the form (screenshot below)
  • Adding a new .NET user

  • After adding the user reset the Default Provider to what it was originally

 

7         Create the new Site Collection

Create a new Site Collection under the Web Application we created in step 1 and set the user we created in step 6 as the Site Collection Administrator (screenshot below).

Adding a new .NET user

Once the Site Collection is created successfully, browse to it and login using the credentials of the user we created in step 6.

Login to the newly created Site Collection

Thats it! We have now successfully setup Forms Based Authentication on our Web Application.

Advertisements
  1. Gopal
    January 15, 2013 at 2:54 pm

    I already have Web Application with AD login. I have created new app with your steps but I am not able to set primary administrator while creating site collection. I have created user named as admin
    Error: “No exact match was found. Click the item(s) that did not resolve for more options. ”
    “Gopal-PC\admin”

    • jasear
      January 15, 2013 at 3:34 pm

      Hi Gopal,

      If you want to set an AD account to your FBA Site Collection as a Site Collection Administrator you need to extend your Web Application and set Windows Authentication on the extended Web Application. You will then be able to choose AD Users. I am not sure if there is a different more easier way to achieve the same but this is usually what I have done in the past.

  2. January 8, 2015 at 6:17 am

    Yesterday i spent 300 $ for platinium roulette system , i hope that i will earn my first $$ online

  1. March 16, 2012 at 10:02 pm
  2. March 18, 2012 at 1:33 am
  3. April 9, 2012 at 11:14 pm
  4. August 22, 2012 at 11:24 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: