Showing posts with label FBA. Show all posts
Showing posts with label FBA. Show all posts

Thursday, 12 December 2013

How to configure FBA in SharePoint 2013



Here we are going to do the following list of things:
I. Create membership provider database.
II. Setup database Permissions.
III. Create membership User/Roles.
IV. Configuring membership provider.
V. Configuring FBA for a website in Central Administration.
VI. Login using membership user.

I. Create membership provider database

The first step is to create the database using the ASP.net SQL server setup wizard. Install the new database on the database server hosting the other SharePoint databases for this app. The wizard can be accessed from the following command from the run menu.

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

This wizard will guide you through the creation of the new SQL database.

 A welcome screen will appear. Click Next.




Select "Configure SQL Server for application services" and click Next.




Enter the name of your server and your authentication information.  In this case SQL Server is installed on the same server as SharePoint 2013 and I am logged in as an administrator and have full access to SQL Server, so I choose Windows Authentication. For the database name, I just leave it as <default>, which creates a database called "aspnetdb". Unless you want a specific name for your FBA database.




A Confirm Your Settings screen will appear. Click Next.




A "database has been created or modified" screen will appear. Click finish and the wizard will close.




II. Setup database Permissions

Now that the database has been created, we'll have to give SharePoint permissions to read and write to it. We're going to connect to the database with Windows Authentication, so we're going to have to give those permissions to the service account that is being used to run SharePoint. First, let's find out the service account that's being used to run SharePoint. Open IIS, go to "Application Pools". Take a look at the "Identity" that is being used to run the SharePoint application pools.




Now that we know what account is being used to run SharePoint, we can assign it the appropriate permissions to the membership database we created.  Open up SQL Server Management Studio and log in as an administrator.

Under Security/Logins find the user that SharePoint runs as.  Assuming this is the same database server that SharePoint was installed on, the user should already exist. Right click on the user and click ‘Properties'

Go to the "User Mapping" Page. Check the "Map" checkbox for the aspnetdb database. With the aspnetdb database selected, check the "db_owner" role membership and click OK. This user should now have full permissions to read and write to the aspnetdb membership database.




III. Create membership User/Roles

There are different ways to create aspnet users.

here am using one tool for create aspnet users, can download from here.

Once download the file unzip it and open "MembershipSeeder.exe" xml file and change server name ,database name then save the file and open "MembershipSeeder" application file and create users.

here the application interface for creation of users,roles.




Here am creating single user so selected "Only create or delete 1 user; dont use the # of Users field" check box. Then click on Create button.(other fields remains same);


IV. Configuring membership provider

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider.  A membership provider is an interface from the program to the credential store.  This allows the same program to work against many different methods of storing credentials.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. i like to change this in machine.config because, By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don't have to remember to make the changes every time you create a new SharePoint web application.

If you don't have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

1. SharePoint Central Administration

2. SecurityTokenServiceApplication

3. Every SharePoint web application you create that you would like to access via FBA.

Here we go with machine.config,

Navigate to "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config" and open "machine.config".



In the <ConnectionString> section, add the following line:
<add connectionString="Server=<ServerName>;Database=aspnetdb;Integrated Security=true" name="FBADB" />

In the <membership><providers> section add the following:

<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
<add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBADB"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" applicationName="/"
requiresUniqueEmail="true" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />

In the <roleManager><providers> section add the following:

<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Now,Save and close the machine.config file.

The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService First we need to find the web.config for the SecurityTokenService.

Open up IIS. Under sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click on Explore. Edit the web.config in the folder that opens.




Add the following to the web.config, just before the closing </configuration> tag:

<system.web>
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
<add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBADB"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" applicationName="/"
requiresUniqueEmail="true" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />

</providers>
</membership>
<roleManager>
<providers>
<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>
</roleManager>
</system.web>

Now that the membership and role provider have been configured, we can configure SharePoint to use them.

V. Configuring FBA for a website in Central Administration

Configure SharePoint to use new membership provider

Open SharePoint Central Administration -> Application Management -> Manage Web Applications.

Click the Web Application you want the authentication model and select the Authentication Providers button from ribbon.




Click the Zone you want to change the membership provider.




Check "Enable Forms Based Authentication (FBA)". Enter the ASP.Net Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config. For this example we used "FBAMembershipProvider" and "FBARoleProvider" (Without the quotation marks).Also, for this example we left "Enable Windows Authentication" checked. This allows us to login either via Windows Authentication or Forms Based Authentication (SharePoint will prompt you when you login for which method you'd like to use).  Click OK.



Now we need to add the user to SharePoint site.

select web application and select UserPolicy.



Click on Add Users and select zone.





Then choose user and give permissions( here am giving full control) and click finish.




VI. Login using membership user

Now we will check FBA, 

Till now FBA configuration is over now i want to check FBA is working for my FBA site or not.
Open FBA site in the browser and select "Forms Authentication".




Enter Aspnet user complete name and password.




if the FBA configuration successfully implemented then u should login to the site otherwise somewhere went wrong in the FBA configuration.




Posted by at No comments:
Labels: , , ,

Monday, 3 September 2012

How To: Configure Forms Base Authentication in SharePoint 2010 (without opening web.config)


I have much researched about configuring Forms Based Authentication by viewing different blogs. After i succeed, i have to decided to write the details steps to configure FBA in SharePoint 2010(in an easy way without opening web.config file).


In MOSS 2007, it is required to configure the web.config file of the FBA site and Central Administration site. In SharePoint 2010, it is required to configure the web.config file of the FBA site, Central Administration site, and the Security Token Service (STS) web.config file. STS is one of the next generation Single Sign On services used to store credentials of an application in SharePoint 2010.

Below are the steps required to configure FBA in SharePoint 2010. I will be using MS SQL database as membership store for users.  

A) Setting up ASP.NET Forms Authentication User and Role Data Source 

1. Create Database 

2. Create User

B) Create Web Application and Site Collections

C) Configure Web.Config file 

1. Configuring FBA web application web.config file from IIS

2. Configuring Central Administration web application web.config file from IIS

3. Configuring Security Token Service web.config file from IIS

D) Adding User Policy to the FBA Web Application

E) Verification Steps.

A) Setting up ASP.NET Forms Authentication User and Role Data Source 

1.Create Database

Database is created using the ASP.NET SQL server setup wizard.

To open the wizard just type the following command in Run (windows+R)

"%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql"

Then it will open wizard 

i. Click on "Next".

ii. select "Configure SQL server for application services and click on "Next".

iii. Specify Server name , login details , and Database name. then click on "Next".
iv. Click on Next to create Database with specified Database name.

v. After successfully database creation is over click on "Finish".

vi. After creation of Database now we can check the database on server.

2. Create User

There are different ways to create aspnet users.

here am using one tool for create aspnet users, can download from here.

Once download the file unzip it and open "MembershipSeeder.exe" xml file and change server name ,database name then save the file and open "MembershipSeeder" application file and create users.

here the application interface for creation of users,roles.


Here am creating single user so selected "Only create or delete 1 user; dont use the # of Users field" check box. Then click on Create button.(other fields remains same);

We can check whether the user is created or not.

Open SQL server and select database then write the following query
"select * from aspnet_users".
 now u can find the user name in the result set.


Till now successfully created Database and aspnet users.

B) Create Web Application and Site Collections

i. Go to Central Administration and create new web application
ii. new web application's authentication is Claims Based Authentication and Check "Enable Forms Based Authentication(FBA) then specify ASP.NET Membership provider name and ASP.NET Role Manager Name. These two names will be used while adding providers to web applications in the next step.
Note: Membership provider name and Role Manager Name should be unique in all step while configuring FBA.


iii. After successfully creation of web application create site collection with any template.

C) Configure Web.Config file 

Now it is required to configure the web.config file of the FBA site, Central Administration site, and the Security Token Service (STS) web.config file. 

But here am not interested to open web.config file add connection string,sqlmembershipprovider and sql roleprovider details.

Simply i will open iis add connection string, membership provider and role provider to each web application namely FBA site (created in Step B), Central Administration site and the Security Token Service.

1. Configuring FBA web application web.config file from IIS

i. Type the following command "inetmgr" in Run(windows+R) and press enter.

ii. Select FBA site and double click on Connection string.

iii. Now click on Add.. link and specify connection string name, SQL server name and login details. Then click on "OK".





iv. Now select FBA site and Click on Providers.
v. From the Feature dropdown select .Net Roles and click on Add..
vi. Now specify
                      Provider Type: SqlRoleProvider, 
                      Name: SqlRoles(because while creating FBA site we specify RoleProvider name as SqlRoles so we have to use that name while adding RoleProvider), 
                     Connection string name: select name from dropdown 
                     ApplicationName:  "/" 


v. Now change Feature type to .Net Users and click on add..
vi. Now specify
                      Type: SqlMembershipProvider
                      Name: SqlMembers
                      ConnectionstringName:select name from dropdown which point 2 aspnetDB
                      ApplicationName: /



Till now we done configuration with FBA site follow the above same steps with central administration and SecurityTokenService.

2. Configuring Central Administration web application web.config file from IIS

i. Select central administration website and click on Connection String.
 ii. click on Add..
 iii. Specify details server name, database details
 iv. Now select central administration site and click on provider.
 v. Click on Add..
 vi. Specify
                Type: SqlRoleProvider
                Name: SqlRoles
                ConnectionStringName: select name from dropdown
                ApplicationName: /

 Now select .Net Users and click on Add..

 Specify as
                Type: SqlMembershipProvider
                Name: SqlMembers
                ConnectionStringName: Select from dropdown
                ApplicationName: /


3. Configuring Security Token Service web.config file from IIS


Repeat above step which are done in Step2

i.Select SecurityTokenService site and click on ConnnectionString

 ii. Click on Add..
 iii. Specify Server, Database login details and click "OK".
 iv. Now select STS site and Click Providers
 v. Select .Net Roles from Features dropdown and click on Add...
 vi. Specify

                Type: SqlRoleProvider
                Name: SqlRoles
                ConnectionStringName: select name from dropdown
                ApplicationName: /


 vii. Now change Features to .Net Users and click on Add...
 viii. Specify
                Type: SqlMembershipProvider
                Name: SqlMembers
                ConnectionStringName: Select from dropdown
                ApplicationName: /


D) Adding User Policy to the FBA Web Application

i. Go to Central Administration site --> Application Management
ii. select FBA site and click User Policy tab in Ribbon.

iii.Click on Add Users

iv. select zones as (All zones) and click on Next.


v. Type complete aspnet user and press(ctrl+K) then check "Full control" check box and finish.


E) Verification Steps

Till now FBA configuration is over now i want to check FBA is working for my FBA site or not.
i. Open FBA site in the browser and select "Forms Authentication".

ii. Enter Aspnet user complete name and password.

iii. if the FBA configuration successfully implemented then u should login to the site otherwise somewhere went wrong in the FBA configuration.


Thats its.

FBA configuration so easy, isnt it?

you can find all screenshots in a single file from here.
Pls feel free to send feedback to me.
Posted by at No comments:
Labels: , , ,
Subscribe to: Comments (Atom)