Configuring claims and forms based authentication for use with a SQL provider in SharePoint 2010

Today I worked on configuring forms based authentication for SharePoint 2010. Using forms based authentication automatically means using claims based authentication in SharePoint 2010.
I tried using both an LDAP provider and a SQL provider. My initial goal was to get them both working in the same environment, but after a lot of hours of staring at XML in web.config files I gave up on that one. Instead I created separate environments for using LDAP and SQL providers. Because of this I will also write two separate blog posts. This one will explain how to set up forms based authentication while using a SQL provider.
If you want to configure forms based authentication for use with an LDAP provider check out my other post here.

Using a SQL provider with forms based authentication means that users will use usernames and passwords that are stored in SQL Server Database. They will use a sign-in page to fill in their credentials and log in.

You can of course create your own database for storing credentials, but if you want one to be set up for you very quickly you can create the ASPNETDB by performing these steps:

  • Go to the SQL Server database server
  • On the database server, open Windows Explorer.
  • Navigate to the path %SystemDrive%\Windows\Microsoft.NET\Framework\v2.0.50727.
  • To start the ASP.NET SQL Server Setup Wizard, double-click aspnet_regsql.exe.
  • Complete the wizard
  • Make sure the Application Pool accounts of the web application(s) and the Central Administration web site have access to the database

In order to load up your database with test data you can use the MembershipSeeder tool from CodePlex.

  • Download the MembershipSeeder tool from http://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7450
  • To run the MembershipSeeder tool
         * Start the MembershipSeeder tool.
         * Click Configure.
         * In the dialog box that opens, type the name of the computer running SQL Server that hosts your SQL membership database.
         * Save your changes, and then restart MembershipSeeder so that it will use the new server name.
  • To create users for testing purposes
         * In the User Prefix field, type a value.
         * In the Password field, type the password you want each user to have.
         * In the # of Users field, select the number of users to create.
         * Click Create to create users where the user name is the value of the User Prefix field with an incrementing number added to the end

 

These are the steps you will need to take to set up the forms based authentication:

Create a new web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Click New
  • Select Claims Based Authentication
  • Identity Providers
         * Check the Enable Windows Authentication box or you won’t be able to crawl the site
         * Check the Enable ASP.NET Membership and Role Provider checkbox
              * In the Membership provider name edit box, type SqlMember
              * In the Role provider name edit box, type SqlRole

  (Screenshot: CreateWebAppSql)


Create a new site collection

  • Go to Central Administration
  • Go to Application Management
  • Click Create site collections
  • Select the newly created web application
  • Fill in a name and select a template

 

Adjust the web.config of the Central Administration site

  • Open the Central Administration site's web.config file
  • Find the </configSections> entry
  • Paste the following XML directly below it
<connectionStrings>
   <clear />
   <add name="AspNetSqlMembershipProvider"
        connectionString="data source=sql.sharepoint.com;Integrated Security=SSPI;Initial Catalog=aspnetdb"
        providerName="System.Data.SqlClient" />
</connectionStrings>
  • Find the <system.web> entry
  • Paste the following XML directly below it
<roleManager enabled="true"
   cacheRolesInCookie="false"
   cookieName=".ASPXROLES"
   cookieTimeout="30"
   cookiePath="/"
   cookieRequireSSL="false"
   cookieSlidingExpiration="true"
   cookieProtection="All"
   defaultProvider="AspNetWindowsTokenRoleProvider"
   createPersistentCookie="false"
   maxCachedResults="25">
   <providers>
      <clear />
      <add connectionStringName="AspNetSqlMembershipProvider"
         applicationName="/"
         name="SqlRole"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add applicationName="/"
         name="AspNetWindowsTokenRoleProvider"
         type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</roleManager>
<membership defaultProvider="SqlMember"
   userIsOnlineTimeWindow="15"
   hashAlgorithmType="">
   <providers>
      <clear />
      <add connectionStringName="AspNetSqlMembershipProvider"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         passwordAttemptWindow="10"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         name="SqlMember"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</membership>
  • Double check that the <membership> and <roleManager> entries exist only once in the file. Delete any duplicate entries.
  • Paste the following XML below the <PeoplePickerWildcards> entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="SqlMember" value="%"/>
<add key="SqlRole" value="%"/>

 

Adjust the web.config of the Security Token Service (STS) virtual directory

NB: you will need to make the changes to the Security Token Service virtual directory on each server hosting either Central Administration or the claims based web application

  • Open the Security Token Service (STS) virtual directory's web.config file
  • Find the </system.net> entry
  • Paste the following XML directly below it
<connectionStrings>
   <clear />
   <add name="AspNetSqlMembershipProvider"
        connectionString="data source=sql.sharepoint.com;Integrated Security=SSPI;Initial Catalog=aspnetdb"
        providerName="System.Data.SqlClient" />
</connectionStrings>
  • Add a <system.web> entry directly below the </connectionStrings>
  • Paste the following XML directly below the <system.web> entry
<membership>
   <providers>
      <add connectionStringName="AspNetSqlMembershipProvider"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         passwordAttemptWindow="10"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         name="SqlMember"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</membership>

<roleManager enabled="true">
   <providers>
      <add connectionStringName="AspNetSqlMembershipProvider"
         applicationName="/"
         name="SqlRole"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
</roleManager>
  • Add a </system.web> entry directly below it

 

Adjust the web.config of the claims based web application

  • Open the claims based web application's web.config file
  • Find the </configSections> entry
  • Paste the following XML directly below it
<connectionStrings>
   <clear />
   <add name="AspNetSqlMembershipProvider"
        connectionString="data source=sql.sharepoint.com;Integrated Security=SSPI;Initial Catalog=aspnetdb"
        providerName="System.Data.SqlClient" />
</connectionStrings>
  • Locate the <membership> entry
  • Replace everything from <membership> to </membership> with the following XML
<membership defaultProvider="i"
   userIsOnlineTimeWindow="15"
   hashAlgorithmType="">
   <providers>
      <clear />
      <add connectionStringName="AspNetSqlMembershipProvider"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         passwordAttemptWindow="10"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         name="SqlMember"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
   </providers>
</membership>
  • Locate the <roleManager> entry
  • Replace everything from <roleManager> to </roleManager> with the following XML:
<roleManager enabled="true"
   cacheRolesInCookie="false"
   cookieName=".ASPXROLES"
   cookieTimeout="30"
   cookiePath="/"
   cookieRequireSSL="false"
   cookieSlidingExpiration="true"
   cookieProtection="All"
   defaultProvider="c"
   createPersistentCookie="false"
   maxCachedResults="25">
   <providers>
      <clear />
      <add connectionStringName="AspNetSqlMembershipProvider"
         applicationName="/"
         name="AspNetSqlRoleProvider"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add applicationName="/"
         name="SqlRole"
         type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
   </providers>
</roleManager>
  • Paste the following XML below the PeoplePickerWildcards entry
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="SqlMember" value="%"/>
<add key="SqlRole" value="%"/>
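Most of the trouble reported in the comments below came down to small slips in these three web.config files: a section pasted twice, a provider name that does not match what was typed into Central Administration, a connectionStringName that does not match the connection string, or a provider missing from PeoplePickerWildcards. The script below is an added example and not part of the original post or of SharePoint itself: it is an offline check you can run against any of the three files before touching IIS. The web.config embedded in it is a constructed, cut-down copy of the claims web application configuration above (with one deliberate slip, "AspNetSqlMemberShipProvider"), and the function names check_webconfig and check_webconfig_file are my own.

```python
"""Offline consistency check for the SharePoint 2010 FBA web.config edits."""
import xml.etree.ElementTree as ET

# Constructed sample (not a file from the post's environment): the claims web
# application's web.config cut down to the sections this post edits, with one
# deliberate slip: the connectionStringName is spelled "...MemberShip...".
SAMPLE_WEBCONFIG = """<configuration>
  <connectionStrings>
    <clear />
    <add name="AspNetSqlMembershipProvider"
         connectionString="data source=sql.sharepoint.com;Integrated Security=SSPI;Initial Catalog=aspnetdb"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="i" userIsOnlineTimeWindow="15" hashAlgorithmType="">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMemberShipProvider" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
             applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="SqlMember"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <clear />
        <add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add applicationName="/" name="SqlRole"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
  </system.web>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="SqlMember" value="%" />
      <add key="SqlRole" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>
"""


def _provider_adds(root, section):
    """Return every <add> under <section>/<providers>, wherever the section sits."""
    adds = []
    for sec in root.iter(section):
        for providers in sec.findall("providers"):
            adds.extend(providers.findall("add"))
    return adds


def check_webconfig(xml_text, membership_name="SqlMember", role_name="SqlRole"):
    """Return a list of findings for one web.config; an empty list means nothing to fix.

    membership_name / role_name are the provider names typed into Central
    Administration when the claims web application was created.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # 1. <membership> and <roleManager> must each appear exactly once.
    for section in ("membership", "roleManager"):
        count = sum(1 for _ in root.iter(section))
        if count != 1:
            findings.append(f"<{section}> appears {count} times; expected exactly once")

    # 2. The provider names chosen in Central Administration must be registered.
    member_adds = _provider_adds(root, "membership")
    role_adds = _provider_adds(root, "roleManager")
    if membership_name not in {a.get("name") for a in member_adds}:
        findings.append(f"membership provider '{membership_name}' is not defined")
    if role_name not in {a.get("name") for a in role_adds}:
        findings.append(f"role provider '{role_name}' is not defined")

    # 3. Every connectionStringName must name a connection string defined in this file.
    defined = {a.get("name") for cs in root.iter("connectionStrings") for a in cs.findall("add")}
    by_lower = {d.lower(): d for d in defined}
    for add in member_adds + role_adds:
        ref = add.get("connectionStringName")
        if ref is None or ref in defined:
            continue
        if ref.lower() in by_lower:
            findings.append(f"provider '{add.get('name')}' references '{ref}', which differs only "
                            f"in case from '{by_lower[ref.lower()]}'; match it exactly")
        else:
            findings.append(f"provider '{add.get('name')}' references undefined connection string '{ref}'")

    # 4. The people picker can only search providers listed under PeoplePickerWildcards.
    keys = {a.get("key") for p in root.iter("PeoplePickerWildcards") for a in p.findall("add")}
    for name in (membership_name, role_name):
        if name not in keys:
            findings.append(f"PeoplePickerWildcards has no entry for '{name}'")

    # 5. Credential handling on the SQL membership provider: hashed storage, no retrieval.
    for add in member_adds:
        if add.get("name") == membership_name:
            if add.get("passwordFormat") != "Hashed":
                findings.append("passwordFormat should be 'Hashed'")
            if add.get("enablePasswordRetrieval", "false").lower() != "false":
                findings.append("enablePasswordRetrieval should be 'false'")
    return findings


def check_webconfig_file(path, **kwargs):
    """Run the same checks on a web.config on disk (IIS files often start with a BOM)."""
    with open(path, encoding="utf-8-sig") as fh:
        return check_webconfig(fh.read(), **kwargs)


if __name__ == "__main__":
    for line in check_webconfig(SAMPLE_WEBCONFIG) or ["no findings"]:
        print(line)
```

Run it as `python check_webconfig.py` to see the single finding for the deliberate slip, or call check_webconfig_file with the path of the Central Administration, STS or web application web.config; for the STS file, which has no PeoplePickerWildcards section, expect finding 4 and ignore it. The connection-string check reports case-only differences separately because they are the easiest slip to overlook when comparing the three files by eye.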

 

Add a user policy to the web application

  • Go to Central Administration
  • Go to Application Management
  • Click on Manage Web Applications
  • Select the claims based web application
  • Click on User Policy
  • Click on the Add Users link
  • Click the Next button.
  • Click the Address Book icon.
  • Type in the NT login name or account name and click the search button. If it's working correctly you should see at least two entries for the account: one for the user's Active Directory account, and one for that same account as found through the SqlMember membership provider.
  • Select the account in the User section and click the Add button
  • Click the OK button
  • Check the Full Control checkbox, then click the Finish button

 

(Screenshot: addPolicySql)

You can now browse to the web application and log in using forms based authentication.

(Screenshot: signin)

Select Forms Authentication

(Screenshot: signin2)

And fill in the username and password

I used the following blog post to get things working, so I would like to thank Ali for his post:
http://blogs.msdn.com/alimaz/archive/2009/10/30/configuring-fba-in-sharepoint-server-2010-beta-2.aspx

I also want to thank Spence for his help and advice.

Comments -
  1.

    I walked through your steps, which appear to be more detailed than anything I've found on the internet by the way. Unfortunately, when I go to log in using FBA the page sends me right back to the login page. And oddly enough, when I select Windows authentication it does nothing. I'm using an Extended site when I do this. The main site is port 180 using Claims based Windows authentication only authentication. Port 181 is the extended site claims based both windows auth and SQLProvider. I can explain why I'm doing this if necessary.

      
  2.

    Hi Peter,

    So if you try to give users permissions through the web application policy in Central Administration that works?
    Are there any error messages in the ULS logs or in the event viewer?

      
  3.

    I was able to add my SqlMember user "fbauser" to the "extranet" zone. I even set the fbauser as a secondary site collection administrator of the main site (port 180). fbauser resolves which I've never been able to achieve so kudos to your documentation. I looked in the ULS and it was a bunch of "you have old logs we deleted them" messages. Nothing related to permissions. And I checked all the different event logs and didn't find anything.

      
  4.

    Hi,

    After following all the steps I am getting this error in stack trace on login.

    Server Error in '/' Application.
    --------------------------------------------------------------------------------

    The requested service, 'localhost:32843/.../securitytoken.svc' could not be activated. See the server's diagnostic trace logs for more information.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.ServiceActivationException: The requested service, 'localhost:32843/.../securitytoken.svc' could not be activated. See the server's diagnostic trace logs for more information.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:


    [ServiceActivationException: The requested service, 'localhost:32843/.../securitytoken.svc' could not be activated. See the server's diagnostic trace logs for more information.]
    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154
    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
    Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +25993809
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
    System.Web.UI.WebControls.Login.AttemptLogin() +152
    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981




    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

      
  5.

    Check the event viewer of the server hosting the service. You should get an explanation on which mistake in the xml you made.

      
  6.

    Hi Peter,

    I'm sorry to say, but the best advice I can give you is to quadruple check the web.config XML...

      
  7.

    Hi Bharat,

    You need to create a Security Token Service service application and start the Security Token Service on the server. This should be done while you're running PSConfig, but apparently something went wrong there on your environment.

      
  8.

    Hello

    Mind me if this is a stupid question, but what do you mean by when you say

    • Make sure the Application Pool accounts of the web application(s) and the Central Administration web site have access to the database.

    I created aspnet db at location sj-b3-ws08, and when I create a new web app, the default db is sj-b3-ws08\Sharepoint, and the name is some WSS_Content*. Also I selected the option of creating a new application pool. Are these settings right?

    Sajat

      
  9.

    In the web.config modifications for the claims based application you have the role provider named "SqlRole" set to use WindowsToken. That doesn't seem right. Shouldn't the SqlRole provider be using the SQLRoleProvider that you have configured as "AspNetSqlRoleProvider"? If it is correct as it is listed, can you explain why?

      
  10.

    Hello Mirjam...

    I successfully configured my web app using claims based authentication... thanks for your great article...

    Now I want to use the ASP.NET login controls (login, password recovery, change password, create user)...
    Can you guide me on how to use these controls???

      
  11.

    Hi Sajat,

    You need to make sure that the Central Administration account and the application pool account of the web application that will be using FBA can access the aspnetdb database. If you don't know what these accounts are you can go into IIS, view the advanced settings of the Central Administration site and the web application site and find out from there what application pool is being used. Then you go (still in IIS) to the application pools and for both the application pools you found in the last step you look up what account is being used for them. These accounts need access to the aspnetdb.

    Hope that helps.

    Mirjam

      
  12.

    Hi Mike,

    The reason for this is that if you use FBA with SharePoint 2010 you will have to use claims based authentication. SharePoint will translate the FBA account to a SAML token that is then translated into an SPUser account, which is what is actually being used by SharePoint.

      
  13. Afe

    Hi Mirjam,
    I would like to thank you for posting this valuable and very clear step by step procedure to set up claims based authentication. Saying that, I strictly followed all your steps and everything works fine. I even looked up user% and it returns all the users from the aspnetdb as expected. Finally, when I browse the site collection created from a claims based web application, the default sign in page comes up but there's no option for me to choose Forms Authentication or Windows Authentication. When I created the web application, I chose Default Sign In Page, assuming that I can use the login url /_login/default.aspx" /> with no custom code. Please help to get this working.

    Thank you all in advance.
    Cheers,

      
  14.

    Hi Afe,

    Where did you choose the default sign in page exactly?
    Did you adjust the web.config of the web application you want to log into? If you extended the web application you need to make the changes to the web.config of the extended web application as well.

    Hope that helps.

    Mirjam

      
  15.

    Hi,

    Thanks for this post.
    I followed your instructions and created a site with both authentication methods.

    I want to create a custom login page for both Windows Authentication and Forms Based Authentication.

    I mean I want to create only a single login page for both authentication methods.

    How can I create this kind of page?

      
  16.

    I've configured the Claims based authentication for my Site. I'm able to validate the User in Central Admin while creating the site collection for my Application.

    My issue is that I'm not able to log in using the FBA users. I get the following error.

    Method is only supported if the user name parameter matches the user name in the current Windows Identity.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.FaultException`1[[System.ServiceModel.ExceptionDetail, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]: Method is only supported if the user name parameter matches the user name in the current Windows Identity.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:


    [FaultException`1: Method is only supported if the user name parameter matches the user name in the current Windows Identity.]
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) +1148437
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +73
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26073377
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +26067948
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
    System.Web.UI.WebControls.Login.AttemptLogin() +152
    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981



      
  17.

    My SharePoint Version is SharePoint Server 2010 Enterprise Edition

      
  18.

    Mirjam,

    I have followed your steps to set up claims, everything looks fine, but when I try to log in as Windows or Forms I get the below error. Please provide me some clues; by the way your article is great, it looks like I am making some mistake.
    Thank you
    Neel

    ========================================================================
    Server Error in ‘/’ Application.

    The remote server returned an error: (404) Not Found.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [WebException: The remote server returned an error: (404) Not Found.]
    System.Net.HttpWebRequest.GetResponse() +1126
    System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81

    [EndpointNotFoundException: There was no endpoint listening at localhost:32843/.../securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]
    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154
    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
    Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
    System.Web.UI.WebControls.Login.AttemptLogin() +152
    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981

    ——————————————————————————–
    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

      
  19.

    I've configured it in a similar way. But when I select Windows authentication from the options it asks for credentials and then just redirects to this default sign in page again. Selecting the Forms option works perfectly. We already checked the LSA and possible AAM mappings.

      
  20. Joe

    Can this be applied to SharePoint 3? I need to create the same FBA for a Project Server environment.

      
  21.

    Hi Joe,

    The settings for SharePoint 2007 will be different from the ones in this post.

    Mirjam

      
  22.

    Could you give us an example of these web.configs for setting up more than one FBA application? I have multiple sites and can't seem to get past setting up the first one correctly. I get my first app, "/", setup, but can't get a second app, say "site2", setup. All was fine with my setup in 2007, but getting them working with the new claims system is stumping me. Any help is greatly appreciated.

      
  23.

    Hi Jim,

    Do you want to use two Web Applications that both use the same FBA provider or two different FBA providers?

    Thanks,
    Mirjam

      
  24.

    Hi Mirjam,

    I'm using one SQL membership database for multiple apps. I have the web.configs for the apps and STS down, and I've worked around having to declare a default membership provider in the CA web.config by changing the default provider and app long enough to set up User Policies and add users and roles permissions for that app, then changing it to the next app and doing the same. I've done that for 5 apps so far, and all are working with forms login. I've tried not declaring a default provider in CA and just listing all providers, like I did in my 2007 CA web.config, but that breaks the CA site. Am I being a dolt or missing something obvious?

    Thanks,
    Jim

      
  25. Afe

    Hi Mirjam,
    I just wanted to extend my appreciation for your hard work to support the broader SharePoint community. Following your post I managed to implement claims based authentication successfully. I even extended the same web application using intranet and extranet zones for access by internal staff, which defaults to NTLM, and access by external partners to the FBA page. Users need not choose from the drop down list (Windows Authentication or Forms Authentication), which is a great deal for users in terms of accessibility.

    Thanks for all your hard work again.
    Afe

      
  26. Ron

    Thanks, Mirjam.

    I am so close to getting this FBA finished. I changed the 3 web.configs for the CA, STS, and claims based web app....Even restarted the server. Upon listing the users in CA or the web app, I am still not seeing the users that were created in the SQLExpress aspnetdb. When I query
    SELECT [ApplicationId]
    ,[UserId]
    ,[UserName]
    ,[LoweredUserName]
    ,[MobileAlias]
    ,[IsAnonymous]
    ,[LastActivityDate]
    FROM [aspnetdb].[dbo].[aspnet_Users]

    All the users are there?

    Please shine some light on this.

    Thanks in advance,
    Ron

      
  27.

    Hi,

    I know what the web app web.config and Central Admin web.config files are, but can you please let me know what this is (Adjust the web.config of the Security Token Service (STS) virtual directory)?

      
  28. Max

    Hi Mirjam
    What is the simplest way for "• Make sure the Application Pool accounts of the web application(s) and the Central Administration web site have access to the database"?

    Thank you

    Max

      
  29.

    Hi Max,

    You can go into SQL Server Management Studio, look up the database with the FBA users, go to security and give permissions to the Application Pool accounts.

    Hope that helps.

    Mirjam

      
  30.

    Hi Mirjam,

    I have custom login page (branded) that inherits from FormsSignInPage. This page will receive some parameters (querystring, headers or something like that)? Based on this header/querystring I know the username/password. How do I log into the SharePoint 2010 website? Thank you for your help.

      
  31.

    Hi Jim,

    I must admit that I have no clue on how to accomplish that in SharePoint 2010. I hope you figured out a way to get it working.

    Mirjam

      
  32.

    Hi Mirjam,
    Thanks for the article. Got my Forms setup using it.

    Why do you use, System.Web.Security.SqlRoleProvider for STS and Central Admin role provider and System.Web.Security.WindowsTokenRoleProvider for the FBA web application?

    Is this a mistake or intended behaviour?

    Thanks
    Arshad

      
  33.

    Hi Arshad,

    The configuration above is the correct one, so it's not a mistake. This is the way it's supposed to be configured.

    Mirjam

      
  34.

    Hi Mirjam,
    Thank you for the reply. The issue I ran into was when I tried creating roles or iterating the list of roles within the context of the FBA database.
    WindowsTokenRoleProvider only allows GetUsersInRole and another method. It does not allow any role manipulation.

    So I had to update the role provider to SqlRoleProvider to get this to work. The FBA setup did not break. I am not sure if there are any repercussions in doing this.

    Thanks
    Arshad

      
  35.

    Hi SharePointChick,
    Excellent article.
    I followed the steps as per your article; at last I got an error



    No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

      
  36.

    Hi sashidhar,

    This error has nothing to do with setting up FBA. It's probably a problem with permissions. Try and run the SharePoint Configuration Wizard again to fix any broken permissions.

    Mirjam

      
  37.

    Hi!
    I get the same error as sashidhar:

    No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

      
  38.

    Thank you for the excellent article! I have been struggling to get this set up for a few days now, and your article and code were the best I've found. I have a small follow-up question. I'm using this as an extranet for customers and want to redirect them to a specific site when they log in (different for each FBA user). Do you have a suggestion on how to do this, or can you point me in the right direction? I'm not even sure how to Bing that request.

      
  39.

    Mirjam ,

    It's now working, thanks for your article and your reply. I did wrong in the Security Token configuration. Thank you very much for such a great article. Now I will try using LDAP :)

      
  40.

    Hi, thanks for the article. I'm trying to follow the steps that are mentioned, however I'm stuck at this one: "Adjust the web.config of the Security Token Service (STS) virtual directory". In my virtual directories I do see Central Admin and the site I configured in the first steps, however I don't see anything related to STS. Am I missing something?

    Thanks in advance for your help.

      
  41.

    Nevermind, I found it :) and after I modified the web.config it worked like a charm, thanks!

      
  42.

    I got this error:

    No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:32843

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Could you help me to solve it? And could you please advise one provider that supports SharePoint 2010? My boss is looking for a SharePoint 2010 provider. One provider that I found is Asphostportal.com. I think they are one provider that supports SharePoint 2010 with very low cost? If you have another provider, please advise me.

    Thank you

      
  43.

    Hi David,

    This error has nothing to do with FBA, it is an error in the Security Token Service. You could try restarting the server, or just leaving it for a while...
    I have no other brilliant solution. You might have to reinstall.

    The best SharePoint hoster is Microsoft. Just check out SharePoint Online, or as it's now called Office 365.
    http://www.office365.com/

    Mirjam

      
  44.

    Hi,

    I am a newbie to SharePoint. I am trying to set up an internet site for my employer. I am trying to set up Claims Based Security but am wondering about two things.
    1) In setting up Claims Based Security I am using Windows local accounts to create users for the internet site; would that be the right approach?
    2) If so, I would like to know how in SharePoint I can create a new user or create a password recovery option for somebody who is a non-technical IT person?

    Note:- I don't want to use FBA, which is also a type of Claims Based Authentication, as there is a built-in interface for that to administer user accounts.

    Famie

      
  45.

    Continuing from my previous post, I found that I could use the User Profile Service to manage users on Active Directory, which I will be creating based on Claims Based Authentication Windows local accounts. This will solve one of my problems, which is that a non-IT person with proper rights can manage users, but still coming to my next question: is there any way I can allow internet users to change their password once they have logged on to the site?
    In addition to that, User Profile is mainly used for social computing, which means a user can search for another user, as my site will have search capability, and I don't want users to be able to search for other users.

    Am I thinking in right direction? Any sort of comments would be great.

      
  46.

    Hi Famie,

    1. You shouldn't use local accounts for SharePoint. Always use AD accounts. Both for your service accounts and for your users.
    2. You can't create users or change passwords in SharePoint out of the box no matter what user store you are using. You will have to build something custom for it, or buy a third party solution.

    A user profile contains information about a user, but it has nothing to do with permissions. A default user profile import will only import users from an LDAP store.
    I don't really see how this would work with internet users getting an account. Are they going to create their own accounts and give themselves permissions? That doesn't sound like a great idea to me.
    I would say internet users are anonymous by default. If they need to log in you could create an account for them, for instance in a SQL database, and have them log in using claims based auth. You'll need someone and some way to manage this. You also need to think carefully about how you'll handle security for these users.
    Search is just a small part of that. There are several ways to make sure users can't find other users.

      
  47.

    Hi Mirjam!

    I want to say Thank You for the great post!! It worked perfectly!! I did not have to change a thing. Worked just as you posted it.

    This is the best post on the internet ... without exception!

    I searched for quite a while looking for new instructions for SharePoint 2010. Even the book I bought "SharePoint 2010 Unleashed" does not explain as well ... though it is a good book.

    FYI - I copied the web page and pasted in Microsoft Word. Then I highlighted yellow the steps as I completed them. That way I would not miss anything. Just a suggestion for others that may be having difficulty.

    Thanks again and have a Great Thanksgiving!

    Regards,
    Terry

      
  48.

    I have followed your steps and set up FBA in both a Test Farm and a Production farm environment.
    I created 5 Users in both farms.

    In Production everything works fine, but, when I add any of the Users created via the seeder tool they are found in "Organizations (5)" on the left side of the UI (People Picker) but on the right side the header says "User: Forms Auth".
    In the Test Farm the users appeared in "Forms Auth" on both the right and the left panes in People Picker.
    I have checked everything I know of to check and everything seems fine.
    I even deleted all 5 Users and then re-created them (via the Seeder tool) and in Prod this still happens.
    Any thoughts as to what might be causing this?
    Thanks

      
  49.

    Thanks Mirjam, it worked at first shot!

      
  50.

    Great post, followed it through and all worked. Many thanks as enabling FBA had caused quite a problem for a while.

    I think my current problem is an IIS 7 configuration problem, but perhaps you have come across it before and could help?

    The FBA enabled site needs to be accessed as an extranet site and has its own domain. When I bind the domain to the FBA enabled SharePoint site and then visit from another machine I get an error. It looks like a security token issue. Do I need to make any changes in IIS to allow external access to my new FBA enabled site?

    Hope you can help - if not then many thanks anyway for a great article that's got me this far!

    Cheers,

      
  51.

    Hello ,
    your blog helped me to configure FBA, but as I try to log in with Admin it gives the error below:

    The remote server returned an error: (500) Internal Server Error.

    Please help me !!

      
  52.

    Hello,
    Thanks for this article, it really helped!

    The only problem that I am facing is that my roles do not show up in the PeoplePicker when I search; however, my users do show up when I search for them. Any ideas what is going on?

    Thanks,

      
  53.

    Hello,

    I followed your steps and it really worked for me. Thanks for you post.

    But I am facing one issue. I created 5 users and I am able to login with one user only :(. Can you please help me in this?

    Thanks
    Ankit

      
  54.

    Question on running aspnet_regsql.exe --- on a Windows 2008 R2 64 bit server there are two subdirectories (Framework and Framework64) that both contain aspnet_regsql.exe. Which one should I be using?

      
  55.

    Please explain or provide details to your instruction: "Make sure the Application Pool accounts of the web application(s) and the Central Administration web site have access to the database"

    I've used SharePoint extensively in a domain environment. However, I'm trying to set up a separate SharePoint instance on a separate non-domain joined server for collaboration with external users and need a means to create these user accounts.

      
  56.

    Thank you so much for this post! I was finally able to get this going with your assistance.

      
  57.

    Hi Kevin,

    As far as I know you can use both versions of aspnet_regsql.exe. That tool only generates the aspnetdb database.
    Both the Application Pool accounts of the web application(s) that will use forms based authentication and the Central Administration web site need to have access to the aspnetdb database generated by the aspnet_regsql.exe tool.

    A non-domain joined SharePoint environment is only supported if you use a single server install (which among other things means using SQL express). I would not recommend that for a serious production environment. If you don't want the machine running the extranet joined to your corporate domain you would be better off setting up a different domain for it, instead of using a non-domain joined SharePoint environment.

    If you still want to go with non-domain joined the application pool accounts (and all other service accounts) will be local accounts and you will have to give those access to the aspnetdb database.

    Hope that helps.

    Mirjam

      
  58.

    Great.. Steps worked in first attempt.

    But I am seeing one problem. On the "Select People and Groups" dialog box, I am seeing the group "SqlMember" in the right pane rather than the user1, user2, ... list. Also in the left pane, Form Auth (0). Though I am able to log in with Form Auth and user1, user2, ...

    I have triple checked and made at least 5 sites using the given steps but the problem remains.

    Please let me know where I am missing.

    Thanks
    Mahesh

      
  59.

    Hi,

    Thanks for the explanation on how to set this up. I have managed to get things working. But now I made an Extranet with CLAIMS / FBA. I have made 5 test users (user1 / user5). I gave them full read in the Central Administration.

    But how can I now configure them to only get access to some sites and not all the sites in the SharePoint collection?

      
  60.

    Hi Bram,

    Giving users permissions in an FBA/claims web application works in the same way as it does in a classic web application. You would give one or a couple of administrators permissions via the policies in Central Administrations and all the other users will simply get permissions via the site collection and site permissions.

    Hope that helps.

    Mirjam

      
  61.

    Mirjam,

    Thanks for taking the time to write up the instructions on setting up FBA. This is one of the best write-ups to date. I'm trying to get up to speed. I've gone through all of the steps and I'm at the point where the accounts in the SQL database should show up in the Select People and Groups window. Basically, I get a "No results were found to match your search item. Please enter a new term...." Is there somewhere to look to see if something is wrong? There's no error. I've given the app pool accounts rights to the database, modified the XML files and created the user accounts. Not sure where to look to see where the disconnect is. Thanks for your time. Once again, great article.

    Steve

      
  62.

    Mirjam,

    I figured out my problem.. Still an awesome site. One question for you. What are the minimum rights that are needed for the app pool service accounts on the aspnetdb?

    Thanks for your time.

    Steve

      
  63.

    This is weird... but I could implement this without adjusting the web.config file of the claims based application with an NT AUTHORITY\NETWORK SERVICE account... Thanks for the guidance of the other parts of the article.

      
  64.

    I read so many articles, but I didn't find a proper way to configure FBA.
    I followed your instructions and I did it well. Thank you so much.

      
  65.

    Hi Steve,

    The app pool account needs dlreader permissions on the aspnetdb.

    Cheers,
    Mirjam

      
  66.

    Hi anamika,

    I'm not sure what approach you took, but I'm sure it's not a best practice way to set this up.

    Mirjam

      
  67.

    Mirjam,

    Thank you for the great write-up. I'm having a problem getting my users to appear in the PeoplePicker. I've granted access (or at least I think I have) to the application pools to the aspnetdb, but I still receive the error: "No results were found to match your search item. Please enter a new term or less specific term."

    Perhaps you could tell me exactly how to find the application pool accounts --- I read up above where you assisted someone with that but I only see the one Managed App Account and then Network Service for the identity used by the application pools.

    Also, I'm doing this on a standalone server disconnected from a domain for external users to access for a few months -- I'm also using Foundation. Ultimately, I'd like to implement this solution with SSL enabled, but I first need to get the non-ssl working to prove that it can be done to my employer.

    Your assistance would be GREATLY appreciated!

    Thank You,
    Jerry

      
  68.

    Mirjam,

    I was able to correct the error that I reported in the post above by changing the following line (I made the data source reference my SQL server . . . I should have known that I had to change that but took your instructions at face value).

    Since I was able to get this to work, I'd now like to get this to work as an SSL site. Could you please tell me what changes I need to make so that this will work?

    Thank You,
    Jerry

    P.S.
    Your instructions are some of the best around.

      
  69.

    Hi Jerry,

    Setting up FBA with a SQL provider is no different for an SSL web app than it is for a normal web app. In order to make your current web app accessible through SSL you would have to extend (do extend, don't just use alternate access mappings!) the web application in SharePoint to the SSL url that you want to use the access the site. After you've done that you'll have to adjust the web.config file for that web application in the same way you adjusted the original web application's web.config.

    Hope that helps.

    Mirjam

      
  70.

    Hi Mirjam, thanks for the great post!!!

    >"In order to load up your database with test data you can use the membership seeder tool from CodePlex"

    Could an admin in SharePoint 2010 with Claims-Based Authentication create users in the UsersDB? If not, is it possible to create a solution which does this?
    Many thanks
    Tiho

      
  71.

    Mirjam,

    Thank you! I got everything working with the SSL piece . . . my test users are able to log in to the site, however, I am not able to limit their access to certain pages because they do not appear in the PeoplePicker. I have added the following to the web.config sections of the Central Admin and the FBA enabled web application, so I'm not understanding why they aren't showing up:

    <clear />
    <add key="AspNetSqlMembershipProvider" value="%" />
    <add key="SqlMember" value="%"/>
    <add key="SqlRole" value="%"/>

    Could you please help me?

      
  72.

    Mirjam,

    I apologize for posting so soon, but here is the error that I receive when I type User1 into the PeoplePicker:

    No exact match was found for i:0#.f|sqlmember|user1.

    Thank You and Regards,
    Jerry
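
    The claim string in the error just above decoded into its parts, plus a check of the claim's provider against the PeoplePickerWildcards keys quoted in the earlier comment. This is an added example, not code from the post or from SharePoint; the web.config fragment is a constructed sample, and the Windows and role claim strings are assumed examples of the same encoding.

```python
"""Decode SharePoint 2010 encoded claim strings such as
"i:0#.f|sqlmember|user1" and check whether the People Picker is
configured to query the provider the claim names.

Added example, not code from the original post. Layout of an encoded
claim: <i|c>:0<type><valuetype><issuer>|<provider>|<value>; Windows
claims ("i:0#.w|DOMAIN\\user") carry no provider segment.
"""
import xml.etree.ElementTree as ET

# Code letters this decoder understands; anything else is rejected, not guessed.
CLAIM_KIND = {"i": "identity claim", "c": "other claim"}
CLAIM_TYPE = {"#": "user logon name", "-": "role", "5": "email address"}
VALUE_TYPE = {".": "string"}
ISSUER = {"w": "Windows", "f": "Forms authentication", "t": "Trusted provider"}

# Constructed sample of the <SharePoint> section, using the wildcard keys
# quoted in the comment above (not a real web.config).
SAMPLE_WEB_CONFIG = """<configuration>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="SqlMember" value="%" />
      <add key="SqlRole" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>"""


def decode_claim(encoded):
    """Return the parts of an encoded claim as a dict, or raise ValueError."""
    if len(encoded) < 8 or encoded[1:3] != ":0" or encoded[6] != "|":
        raise ValueError("not an encoded claim: %r" % encoded)
    kind, ctype, vtype, issuer = encoded[0], encoded[3], encoded[4], encoded[5]
    for table, code in ((CLAIM_KIND, kind), (CLAIM_TYPE, ctype),
                        (VALUE_TYPE, vtype), (ISSUER, issuer)):
        if code not in table:
            raise ValueError("unknown code %r in %r" % (code, encoded))
    rest = encoded[7:]
    if issuer == "w":
        provider, value = None, rest  # Windows: value is DOMAIN\user, no provider
    else:
        provider, sep, value = rest.partition("|")
        if not sep or not provider or not value:
            raise ValueError("missing provider or value in %r" % encoded)
    return {"kind": CLAIM_KIND[kind], "claim_type": CLAIM_TYPE[ctype],
            "value_type": VALUE_TYPE[vtype], "issuer": ISSUER[issuer],
            "provider": provider,  # SharePoint writes the provider name lowercased
            "value": value}


def is_valid_claim(encoded):
    """True when decode_claim accepts the string."""
    try:
        decode_claim(encoded)
        return True
    except ValueError:
        return False


def picker_providers(web_config_xml):
    """Lowercased provider names listed under PeoplePickerWildcards."""
    root = ET.fromstring(web_config_xml)
    wildcards = root.find("SharePoint/PeoplePickerWildcards")
    if wildcards is None:
        return set()
    return {a.get("key").lower() for a in wildcards.findall("add") if a.get("key")}


def claim_provider_is_searchable(encoded, web_config_xml):
    """True when the claim's provider has a wildcard entry; Windows claims
    are not governed by this section, so the check does not apply to them."""
    claim = decode_claim(encoded)
    if claim["provider"] is None:
        return True
    return claim["provider"].lower() in picker_providers(web_config_xml)
```

A forms claim whose provider is missing from PeoplePickerWildcards is exactly the "no exact match" situation: the user can log in, but the picker never queries that provider.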

      
  73.

    Mirjam,

    I just wanted to let you know that I was able to figure out why I was receiving the error that I referenced above. I had to change the managed account that was used for the FBA enabled web application; when I did this, I had forgotten to add the managed account to the list of accounts that are able to access the aspnetdb. Once I added the new managed account, I had no problems.

    I hope that this is able to be of some use to anyone reading these comments. You really have produced an excellent post.

    Regards,
    Jerry

      
  74.

    Thanks for the article first of all. I have trouble when configuring the application for FBA. Probably peculiar; I don't see anyone reporting such a problem.

    I have configured a Web Application as per your article for FBA. My setup is having one Web Server and one app server and one db server.

    After I have configured FBA, the application works as expected for both Windows / FBA authentication from within the app server, but when I access from the web server or from outside the servers, I am not getting the login page, getting "Web application Http://vmapp1/_login/default.aspx not found......."

    In case I extend the application to Extranet with FBA alone and restrict the Default Zone to Windows Authentication only, then I get the application working on Windows Authentication and get a 401 Unauthorized on FBA (I don't get a login page).

    Please help me, I am stuck with this issue for past two weeks.

      
  75.

    Mirjam,

    Is it possible for the users to change their password via SharePoint when using this solution? That would be ideal.

    Thank You,
    Gerald

      
  76.

    Hi Tihomir,

    The usernames and passwords are stored in a SQL Server database when you are using this approach, which means that if the admin has access to the SQL database he (or she :) ) can add users to it. Obviously you can also create a custom web part that creates the users in the SQL database, or download a third party solution from the internet.

    Hope that helps.

    Mirjam

      
  77.

    Hi Gerald,

    If you want users to be able to change their password via SharePoint you will have to build or buy a web part or solution for that, you can't do it out of the box.
    As a side note, users can't change their password using SharePoint when you use Windows Authentication either.

    Cheers,
    Mirjam

      
  78.

    Mirjam,

    Thank you! You are the best.

    -Gerald

      
  79.

    Hi Mirjam,

    thanks for your answer!

    Tihomir

      
  80.

    Mirjam,

    Again, I have to say that your tutorial is excellent! I can't tell you the rave reviews it has helped me receive!

    My question to you is this . . . is it possible to make it so that the first page that users see when they browse to my website is the following page:

    MYWEBSITEURL/.../default.aspx

    rather than the dropdown page where they select "Windows Authentication" or "Forms Authentication"? If I knew how to do it in IIS I would, but I'm not sure how to do it that way.

    Regards,
    Gerald

      
  81.

    Mirjam,

    Actually, if it were possible to eliminate the whole dropdown boxes page in general, that would be helpful as well, since when users sign out they are automatically directed to that page. I'm just concerned that malicious people could try to log in via my Windows authentication login.

    Any insight into this would be greatly appreciated

    Thank You,
    Gerald

      
  82.

    There are 3 web.config files in this post. Can anyone tell me where all these web.config files are located so that I can edit them accordingly?

      
  83.

    Hi Deepak,

    The web.config files are located in the folders for their respective web applications in the C:\inetpub\wwwroot\wss\virtualdirectories folder on the server.

    Mirjam

      
  84.

    I was recently working through an issue in which I needed to setup the SQL Membership provider to use

      
  85.

    Configuring claims and forms based authentication for use with a SQL provider in SharePoint 2010

      
Comments have been closed on this topic.