How to configure FBA (Forms-Based Authentication) in SharePoint Server 2010 using IIS 7 and ASP .NET Membership Database (SQL) like in MOSS 2007!!!


After testing this many times and configuring FBA in several virtual environments, I think I have finally written the easiest and clearest procedure. Please read carefully and do not skip any step.

To configure FBA using SQL Server with Windows Integrated Authentication (recommended), follow the steps below.

Pre-requisites

  a) Knowledge of SharePoint 2010, IIS 7.5 and SQL Server 2008
  b) SQL Server configured for Windows Integrated Authentication
  c) ASP.NET SQL Server database (membership database)
  d) Windows domain user account (can be the SharePoint Farm Administrator)
  e) A backup of the web.config files for the Central Administration site, the Security Token Service web service and the Web Application you will use for FBA

Steps to configure FBA

  1. Configure SQL Server security settings to use Windows Integrated Authentication
  2. Add the Domain User Account to SQL Logins
  3. Create SQL FBA database to store non-Windows domain users
  4. Grant SQL Login (Domain user) permissions for the new SQL FBA database
  5. Configure SharePoint Central Administration
  6. Configure SharePoint Security Token Service
  7. Create the new Web Application to use FBA and Site Collection
  8. Configure IIS Default providers for the new web application
  9. Create IIS Site to administer ASP.NET users

Configure SQL Server to use Windows Integrated Authentication

When you install SQL Server, Windows Integrated Authentication is set by default. If your DBA team configured SQL Server in Mixed Mode, do the following:

  1. Open SQL Server Management Studio and connect to the instance that hosts your SharePoint databases
  2. Right click the SQL Server instance name and choose Properties
  3. On the left pane go to Security
  4. On the right pane choose the option Windows Authentication mode

If you changed the mode you MUST restart the SQL Server service or reboot the server.

Add the Domain User Account to SQL Logins

Now we need to add the domain user account to the SQL logins so it can be granted full access to the ASP.NET membership database we will create later.

Two things are important here. You have to decide whether to use the SharePoint Farm Administrator account you already have or to create a new Windows domain user account to manage access to the ASP.NET membership database. I recommend using the SharePoint Farm Administrator; whatever you decide, here are the steps. (Ask your DBA team to help you create the new login.)

  1. Once you have decided which account to use, open SQL Server Management Studio
  2. On the left pane expand the SQL Server instance and choose the Security folder
  3. Right click Logins and choose New Login
  4. Look for your Windows domain user account and keep the Windows authentication option marked
  5. Click OK

Create SQL FBA database to store non-Windows domain users

Open the ASP.NET SQL Server Setup Wizard and create the database that will store the non-Windows domain users for your extranet access:

  1. Run C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
  2. Choose “Configure SQL Server for application services”
  3. Type the SQL Server name you want. You don’t have to use the SharePoint database server
  4. Keep Windows Authentication as the default
  5. Use “Default” or type the name of the database you will create at the end of the process

The first time you create the ASP.NET database you have to choose Windows Authentication and create a new database or USE an existing one*

  6. Confirm the settings and that’s it for this part

*You can create a new ASP.NET database to store new users, or you can ALSO reuse the one you already have in MOSS 2007; just make sure the SQL login you created in the previous steps has the correct permissions on the migrated database.

Grant SQL Login (Domain user) permissions for the new SQL FBA database

  1. Go back to SQL Server Management Studio
  2. Locate the ASP.NET membership database you already created or restored
  3. Right click it and choose Properties
  4. On the right pane click the button with the dots, look for your domain user account (type domainname\username) and click OK
  5. Copy the name from the Login name field to the upper field named User name
  6. At the bottom of the window locate the Database Role Membership section, mark db_owner and click OK

Configure SharePoint Central Administration

Now we have to create a Connection String, a Role Provider and a Membership Provider in IIS Manager to access the ASP.NET membership database we already created.

Let’s do this once for the SharePoint Central Administration site and then repeat the steps for the Security Token Service web service, the SharePoint Web Application and, at the end, the IIS site we will use to manage ASP.NET memberships.

Do not forget to keep a backup of the web.config file; it is very important in case you need to roll back. Also use a test environment first.

  1. Open IIS Manager and locate the SharePoint Central Administration v4 site under the Sites folder
  2. On the right pane double click Connection Strings
  3. On the far right pane called Actions click Add
  4. Type a name
  5. Type the name of the SQL Server
  6. Type the name of the database you already created
  7. Keep the option Use Windows Integrated Security selected
  8. Click OK
  9. Go back to IIS Manager to create both providers
  10. Double click Providers in the IIS Features view and create the Role Provider and the Membership Provider
  11. On the Features drop down menu click .NET Roles first to configure the role provider, then click .NET Users to configure the membership provider

This is it for the Central Administration site.

Configure SharePoint Security Token Service

Repeat the steps above to configure the Security Token Service web service. Use the same Connection String, Role Provider and Membership Provider names.

Create the new Web Application to use FBA and Site Collection

Open the SharePoint Central Administration site and create the new Web Application that you will use for Forms-Based Authentication.

Remember that in SharePoint 2010 the only way to configure FBA is to create the web application with the “Claims Based Authentication” option; otherwise you won’t be able to enable it.

  1. Open the Central Administration web site
  2. Go to the Application Management category and click Manage Web Applications
  3. On the ribbon click New
  4. Choose the Claims Based Authentication option in order to enable the Forms Based Authentication options
  5. Keep the Enable Windows Authentication with NTLM check box marked, for two reasons:
     • Crawl works for that content database
     • Active Directory users will use the authentication page to get the content
  6. Now check Enable Forms Based Authentication (FBA) and type both the Membership Provider and the Role Provider names
  7. Now create a Site Collection; you may use the Team Site template or any other, it’s up to you
  8. At this point the Site Collection Administrator MUST be the SharePoint Farm Administrator since our ASP.NET SQL database is still empty
  9. Create the Connection String, Role Provider and Membership Provider following the same steps as for the Central Administration v4 site

SharePoint Server 2010 must keep “i” as the default Membership Provider and “c” as the default Role Provider, since the “i” provider is linked to Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider (http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.administration.claims.spclaimsauthmembershipprovider_members.aspx).
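As an added illustration, not taken from the original post, this is the shape of the web.config fragment that the IIS Manager steps above produce in the SharePoint web application. The connection string name and the server and database names are constructed placeholders; the “i” and “c” entries are the ones SharePoint already writes into that web.config, so keep the existing lines rather than retyping them.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example: SQLSERVER01 and aspnetdb are placeholders for your server and database -->
    <add name="FBAConnectionString"
         connectionString="Data Source=SQLSERVER01;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- "i" stays the default so claims identities resolve; FBAMembershipProvider is the
         name typed into the web application's "Enable Forms Based Authentication" setting -->
    <membership defaultProvider="i">
      <providers>
        <add name="i"
             type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBAMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBAConnectionString"
             applicationName="/"
             enablePasswordReset="true"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             minRequiredPasswordLength="8"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <!-- "c" stays the default for the same reason; FBARoleProvider is the role provider name typed in -->
    <roleManager enabled="true" defaultProvider="c">
      <providers>
        <add name="c"
             type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBARoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBAConnectionString"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two checks worth making: applicationName must be identical in every web.config that points at this database (Central Administration, the STS, the web application and the user-management IIS site), otherwise users created in one site are not found by the others, and passwordFormat="Hashed" with password retrieval disabled keeps plain-text passwords out of the membership database.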


Create IIS Site to administer ASP.NET users

Create an IIS site to manage the roles and user accounts that will live in our ASP.NET membership database.

  1. Create the IIS site from IIS Manager
  2. Review again the steps we performed for the Central Administration v4 site in order to configure:
     • Connection String
     • Role Provider
     • Membership Provider
  3. For this IIS site you should not set the default providers to “i” or “c”; this time the default providers will be FBARoleProvider and FBAMembershipProvider

Test time: log in to the new SharePoint site configured with FBA

  1. First use Windows Integrated Authentication. Successful?
  2. Now choose sign in with a different user. Successful? I’m sure not, since you have not granted permissions to FBA users yet
  3. Go back to IIS Manager and create the FBA roles and users
  4. Now we can add FBA users to SharePoint sites; log back in as the SharePoint Farm Administrator
  5. Open Site Actions > Site Permissions
  6. Pick the group you want to add the new FBA user to
  7. Click New
  8. Click the address book or type the name of the FBA user

I wish you good luck, and remember that feedback is very important to us. Please let me know whether this post was really useful and whether configuring FBA in SharePoint 2010 was as easy as I described.

Comments (7)

  1. Anonymous says:

    Did it help?

  2. Anonymous says:

    Hi Counie,

    You can create your own application to manage users on the SQL database for FBA. The easiest way to me is creating an IIS site from IIS Manager, connecting that site to the Connection String already created and adding the Membership and Role Provider also already created; then you MUST set the default providers to FBAMembershipProvider and FBARoleProvider respectively, like in this example. These 3 steps will connect the IIS site to the SQL database storing users, and then using IIS Manager you add or delete users as you need. Click on the IIS site, on the main or central panel click .NET Users, and over the action panel you can add or delete the users; you can also edit accounts, but I'm not really sure if you can reset a password. The role that can handle users is the Windows Administrator or any other role that can manage IIS Manager.

    Greetings!!

  3. Anonymous says:

    Carlos – There is probably an incorrect redirect somewhere in your SharePoint configuration. If you have a load balancer, confirm that it is pointing correctly to the servers with the right IPs, and validate the IIS bindings configuration for the site that uses FBA. What you describe seems strange to me because, in the end, FBA is an authentication provider and the non-domain users are stored in a database that lives on a server whose IP, I assume, was not changed.

  4. Great article says:

    Great article

  5. Counie says:

    Hi Raymond.

    First of all Thanks for posting this article.

    FBA is already configured in my environment ( by someone else) but I was curious to know how to set up the IIS site to manage FBA users.

    The details on how to set up the IIS site are not clear to me.

    Then it jumps straight to "go back to IIS manager…"

    Is IIS Manager the place to manage these FBA accounts? OR is there a website provided whereby FBA users can manage their own accounts/passwords etc.?

  6. Carlos says:

    Hi there! Can you help me with the following question.

    We changed the IP of the server that hosts the intranet, but after the change FBA looks up the users in the records from the previous IP, and only the users created before can get in, not the new ones. I have checked and it is because it connects to the previous IP..

    What can I do?
