Configuring Forms Based Authentication in SharePoint 2010

Hopefully folks are starting to get some use out of the multitude of SharePoint 2010 postings I’ve been tossing up here.  This is a new one that I was a little hesitant to put together…given my history in SharePoint 2007 I don’t want to become typecast but…in this post I’ll give a quick walkthrough on creating a forms based authentication site in SharePoint 2010.
For those of you who’ve read my various blogs ( being the most popular) and three-part series on FBA for SharePoint 2010 (part 1 starts here:, most of this should look pretty familiar.  We’re going to follow a very similar process to what we did in SharePoint 2007, with a couple of twists.  At a high level, we’re going to:

1. Create a new web application
2. Configure support for FBA in central admin, our new web app, and a new thing in SharePoint 2010 called the STS web service
3. Add a User Policy to our web app that will grant an FBA user rights to the site
4. Login to the site and start using it!

For our example we’ll use the LDAP provider that ships in SharePoint 2010 for our directory.  Let’s look at each of these steps in more detail now.

Step 1 – Create a New Web Application

Start by going to the Central Administration web site.  Click on Manage Web Applications, then click on the New button in the ribbon to create a new web application.  In the new web application dialog we’re going to select the following settings:

- Authentication: Claims Based Authentication
- Identity Providers
  - Check the Enable Windows Authentication box or you won’t be able to crawl the site
  - Check the Enable ASP.NET Membership and Role Provider checkbox
    - In the Membership provider name edit box, type LdapMember
    - In the Role provider name edit box, type LdapRole
- I won’t cover all of the other sections in the new web app dialog because they aren’t specific to using FBA, so just fill them in with whatever values are appropriate for your implementation

When you’re all done click the OK button to create the new web application.  Now that the web app is created, I Highly Recommend That You Create A New Site Collection In It Now!  I’ll move forward assuming you have done as I’ve suggested.  Now…okay – step 1 is done, let’s keep moving.

Step 2 – Configure FBA Support

This step is where we go through that same process as 2007, where we need to add some entries to the web.config file for our web application, and we need to do it on each web front end in the farm.  The basic chunk of Xml we’re going to work with for the LDAP provider looks like this; I’ve highlighted the parts in yellow that you will want to change for your implementation:
    <membership>
        <providers>
            <add name="LdapMember"
                 type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 otherRequiredUserAttributes="sn,givenname,cn" />
        </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
        <providers>
            <add name="LdapRole"
                 type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                 scope="Subtree" />
        </providers>
    </roleManager>
Copy this chunk of Xml into something like notepad and change the parts highlighted in yellow to values that will work in your environment.  Now you can copy from there into each of the config files we need to change.  Unfortunately we’ll need to use a slightly different version of this in each web.config file.  Let’s start with the easy one first – central admin.  Find the web.config file for central admin and open it up in your favorite editor, like notepad.  Scroll down to the <system.web> entry, and paste the entire chunk of Xml directly below it.  Save your changes and the first one’s done.
The next one we’re gonna hit is the web.config for the Security Token Service (STS) virtual directory.  Explaining what the STS does, what claims based auth is, etc. is all way beyond the scope of this posting, but we’ll get to those things in time.  For now, we need to find the directory where its web.config file is, and the easiest way to do that is to open the IIS Manager.  Expand the plus sign next to the server name.  Expand the plus sign next to the Sites object.  Expand the plus sign next to the SharePoint Web Services virtual directory.  Beneath it, find the SecurityTokenServiceApplication virtual directory.  Click on it, then click on the Content View button in the bottom of the middle part of the screen.  That will cause the Explore link to appear in the Actions pane on the right hand side of the screen (it’s the third link down from the top).  Click the Explore link and Windows Explorer will open up and you will see the web.config file you need to work with.  Open up the web.config file in a text editor and scroll all the way down to the bottom.  Directly under the </> entry, do the following:

1. Add a <system.web> entry and press enter.
2. Copy and paste in the chunk of Xml shown above.
3. Add a </system.web> closing tag directly below the stuff you pasted in.
4. Find the <roleManager> element in the chunk of Xml you pasted in, and delete the defaultProvider attribute.  That leaves your roleManager element looking like this: <roleManager enabled="true">

Save your changes and the second one’s done.  Now, go find the web.config file for the new FBA web application you created and open it up in notepad.  When you configured the web application to support claims based authentication, it automatically added in some Membership and Role provider information that points to a custom set of providers SharePoint 2010 adds out of the box.  So all we need to do is to just add in our provider into the correct section in the web.config.  IMPORTANT:  For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing.  The Role provider is listed first, and the Membership provider is listed second.  Scroll down the web.config file until you find the roleManager element (it’s a ways down there).  Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> sections.  So you will paste in just this part (with your site specific info replacing the part in yellow):
    <add name="LdapRole"
         type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         scope="Subtree" />
Now scroll down a little more and do the same thing to add in your Membership provider.  Find the <membership><providers> element and right below paste in membership provider stuff from the chunk of Xml above (with your site specific info replacing the part in yellow):
    <add name="LdapMember"
         type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
         otherRequiredUserAttributes="sn,givenname,cn" />

Okay, good – now you’ve finished step 2.  The hardest part is done.
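Since step 2 means placing the same two provider entries into three web.config files of different shape, here is an added example, written for this post and not code from it, that makes those edits with a script: it backs up the file, creates <system.web>, <membership> or <roleManager> only where they are missing (the STS case), sets the defaultProvider only for central admin, and skips a provider that is already present. The LDAP attribute names are those of SharePoint 2010’s LdapMembershipProvider and LdapRoleProvider; the server, container and filter values, the temp-file path, and the assembly Version are placeholders you replace with your own.

```powershell
# Added example, not code from the post. Attribute names are assumed to be those of
# SharePoint 2010's LDAP providers; server/container/filter values and paths are placeholders.
$LdapAssembly = 'Microsoft.Office.Server, Version=ASSEMBLY_VERSION_PLACEHOLDER, Culture=neutral, PublicKeyToken=71e9bce111e9429c'

# Connection settings shared by both providers: the "parts in yellow" you change.
$Ldap = @{
    server = 'ldap.example.local'; port = '389'; useSSL = 'false'
    userContainer = 'OU=Users,DC=example,DC=local'
    userObjectClass = 'person'; userFilter = '(objectClass=person)'
    userNameAttribute = 'sAMAccountName'; scope = 'Subtree'
}
$MemberAttrs = $Ldap + @{
    type = "Microsoft.Office.Server.Security.LdapMembershipProvider, $LdapAssembly"
    userDNAttribute = 'distinguishedName'
    otherRequiredUserAttributes = 'sn,givenname,cn'
}
$RoleAttrs = $Ldap + @{
    type = "Microsoft.Office.Server.Security.LdapRoleProvider, $LdapAssembly"
    groupContainer = 'DC=example,DC=local'; groupNameAttribute = 'cn'
    groupNameAlternateSearchAttribute = 'sAMAccountName'
    groupMemberAttribute = 'member'; dnAttribute = 'distinguishedName'
    groupFilter = '(objectClass=group)'
}

# Returns the named child element, creating it when the file lacks one (the STS web.config has no <system.web>).
function Get-OrAddChild([System.Xml.XmlElement] $Parent, [string] $Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) {
        $child = $Parent.OwnerDocument.CreateElement($Name)
        [void] $Parent.AppendChild($child)
    }
    return $child
}

# Adds <add name="..."/> under <providers> unless an entry of that name exists,
# so running the script twice cannot leave a duplicate provider name behind.
function Add-ProviderIfMissing([System.Xml.XmlElement] $Section, [string] $Name, [hashtable] $Attrs) {
    $providers = Get-OrAddChild $Section 'providers'
    if ($null -ne $providers.SelectSingleNode("add[@name='$Name']")) { return $false }
    $add = $providers.OwnerDocument.CreateElement('add')
    $add.SetAttribute('name', $Name)
    foreach ($k in ($Attrs.Keys | Sort-Object)) { $add.SetAttribute($k, $Attrs[$k]) }
    [void] $providers.AppendChild($add)
    return $true
}

function Add-LdapFbaProviders {
    param([Parameter(Mandatory)] [string] $WebConfigPath,
          [Parameter(Mandatory)] [ValidateSet('CentralAdmin', 'STS', 'WebApp')] [string] $Kind)
    $path = (Resolve-Path $WebConfigPath).Path
    # Keep a copy first: a malformed web.config takes the whole web app (or the STS) down.
    Copy-Item $path "$path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($path)
    $systemWeb   = Get-OrAddChild $xml.DocumentElement 'system.web'
    $membership  = Get-OrAddChild $systemWeb 'membership'
    $roleManager = Get-OrAddChild $systemWeb 'roleManager'
    $roleManager.SetAttribute('enabled', 'true')
    # Central admin takes the default from the post's fragment; the STS must not carry
    # one (step 2, item 4) and the FBA web app already has SharePoint's own default.
    if ($Kind -eq 'CentralAdmin' -and -not $roleManager.HasAttribute('defaultProvider')) {
        $roleManager.SetAttribute('defaultProvider', 'AspNetWindowsTokenRoleProvider')
    }
    $added = @(
        (Add-ProviderIfMissing $roleManager 'LdapRole' $RoleAttrs),
        (Add-ProviderIfMissing $membership 'LdapMember' $MemberAttrs)
    )
    $xml.Save($path)
    return ($added -contains $true)   # $false means both providers were already there
}

# Demo on a constructed STS-style web.config (no <system.web>) in the temp folder.
$demo = Join-Path $env:TEMP 'sts-demo-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel />
</configuration>
'@ | Set-Content -Path $demo -Encoding UTF8
Add-LdapFbaProviders -WebConfigPath $demo -Kind STS   # $true: both providers added
Get-Content $demo
```

Run it once per file with the matching -Kind, then open the saved file and confirm the providers sit under <system.web> as the post describes before touching the next one.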


Step 3 – Add A User Policy

This part is basically exactly the same as you did in SharePoint 2007, with a couple of very minor differences.  Go to the central admin site and click on Manage web applications.  Click on your new FBA web application, then click on the User Policy button in the ribbon; this brings up the User Policy dialog.  Now do the following steps:

1. Click on the Add Users link.
2. In the Zones drop down, select the Default zone and click the Next button.
3. Click the Address Book icon.  This will bring up the people picker and will let you know real quickly whether everything is configured correctly or not.  The first thing you should notice is that you see a new interface.  I think it’s going to be called the Principal Picker or some other equally nerdy name, but you get the point – it allows you to search in one dialog and show matches from all of the directories you have configured.  It’s pretty slick.  So go ahead and type in the NT login name or account name (use whatever nomenclature you prefer here) and click the search button.  If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider.
4. Select the account in the User section and click the Add button.
5. Click the OK button.
6. Check the Full Control checkbox, then click the Finish button.

That’s it – everything should be all configured now for you to log into your new FBA site.

Step 4 – Login

Go ahead now and navigate to the site in your FBA web application.  You should get an initial prompt where it asks you what kind of authentication you want to use to access the site – Windows Authentication or Forms Authentication.  Select Forms Authentication from the drop down and the page posts back with a standard forms login page.  Enter the credentials of the user to which you granted the Full Control user policy and you should log into the site.  Now you can start adding other FBA members and roles into SharePoint groups so they can access the site too.

All Done!

Well, that’s all there is to it.  If you’ve never done it before it probably seems kind of complicated, just like the first time folks did it in SharePoint 2007.  If you have set it up before in SharePoint 2007 though, the process probably seems pretty straightforward.  Hopefully this post will get everyone moving in the right direction and able to start using FBA with their new SharePoint 2010 sites.  Good luck!
Comments (43)

  1. Anonymous says:

    I’m having the same exact issue as kamleshpndy.  I’m using an extended site and out-of-the-box AspNetSqlMembershipProvider and RoleProvider with Sharepoint Foundation 2010 Beta2.  I was able to add the sql user I created to site collection administrators but when I go to log in the login acts like it’s working but just redirects back to the login page.  If you enter a wrong username or password it lets you know right away.  It appears like the user is being authenticated, but it seems like the cookie sharepoint needs isn’t being created (just a guess).

    Does anyone know if this is a limitation of the Beta software or some configuration shortcoming on our part?

  2. Hi Donal; I do know there are some issues (at least in the beta) with running SharePoint on a domain controller.  I don’t know if this specific case is one or not.  Unfortunately having it all on one box also makes it tougher to troubleshoot.  If they were on different boxes for example, we could look at a netmon sniff between the SharePoint and AD server to see what’s going back and forth between them.  In the absence of that, my best advice is not great, which is just to really double check all of the custom settings you created for all three web.config files.  It can be tedious business and anytime I have had a problem some typo or bad info on my part was usually the culprit.  Sorry I don’t have much more to help you with here.


  3. Hi Tajeshwar, I will try and answer your questions here:

    1. For all scenarios where you need multiple authentication providers but don’t need or want different Urls.  This is definitely a smaller case than the typical use of FBA in SharePoint 2007, where you would create a different zone and auth for external users.  I’ve already seen one case in one of the SharePoint 2010 pre-release programs where this is exactly what the customer wanted.  This is really just a value add; it doesn’t preclude you from creating additional zones as you did in SharePoint 2007.

    2. You need to configure providers in the STS web.config because all FBA auth in 2010 uses the claims infrastructure, and the SharePoint STS is like our "claims processing engine" in SharePoint 2010.

    3.  I’m not aware of any detailed documentation on this yet.


  4. Anonymous says:

    Hi ,

    I have implemented the form authentication in SharePoint.  The users are coming in nicely and authenticating too, but the problem is that after authenticating the user, the user is not redirected to the home page of the site; instead it redirects to the sign-in page.  Please provide any solution to redirect to the home page.  I am using the default login page.


  5. alexandrad9x says:

  6. Anonymous says:

    Thanks Steve.  I managed to get the PeoplePicker working ok.  FBA flat out refuses to work though, with no insight in the logs.  My next move it to use the credentials of an LDAP account, and not use the SharePoint app pool account.  

  7. Anonymous says:

    Hi Steve,

    This is a really great article.

    Please can you let me know which are the default claims that are available on user authentication using Forms based authentication to SharePoint 2010.

    Can custom claims about the authenticated user be retrieved? How is it achieved?


  8. Anonymous says:

    Good stuff.  I just tried this with an ADLDS directory (single machine – SP2010, Ad, SQL).

    I cannot get it to work for me.

    I configured the web.configs as described above for all 3 web apps.

    When I do a peoplepicker in central admin, it cannot find my ADLDS users.

    Any thoughts?

  9. Steve,

    Very nicely written article. A few questions:

    1. We have now options for multiple auth methods in same zone. Could you describe some scenarios where this will be applicable.

    2. Why do we need to configure providers in the STS service app web.config?

    3. Do we have some detailed documentation on this new architecture for claims and multiple auth methods in same zone.



  10. Anonymous says:

    This process is working for me but I have recently run into a problem with Visual Studio 2010 in that I am unable to add a new Content Type item or Event Receiver to a project that utilizes a site that has been configured for claims-based authentication.  It works if I use classic authentication but I would prefer the approach taken here.  By any chance, do you receive the error "Attempted to perform an unauthorized operation" if you create an empty project for an existing SharePoint site using claims based authentication and attempt to add a new Content Type item to the empty project?



  11. Anonymous says:

    In case someone comes here and is looking for similar guide on how to setup an ASPNET SQL provider:

    Also – and it may not be helpful in all cases – but in my case I wanted the custom provider available to ALL sites…

    So, following this tip:, I just setup the providers using IIS 7 (connection string, role, and members)



  12. Anonymous says:

    I’ve had pretty good luck configuring this so far, but some problems:

    When I search on my name in the address book, I come up twice, both listed under AD. Could this be because I have pointed the LDAP provider settings in all the XML above to the same server that is our Active Directory server? My goal here is to be able to have users sign in with an SSL-secured form using their AD credentials when they are accessing from the outside, and just use IWA when they are on the LAN. IWA is working fine.

    I was hoping that I would not have to authorize people twice to the site, but it looks like that might be the case.

  13. Yogesh says:

    Hi Steve

    Did you do this with IIS 6 or iis 7?

    I have a custom membership / role provider and have followed everything correctly. The authentication fails with the error "failed to validate user name and password". I can see that my custom provider is not being hit using profiler.

    It is a provider I have been using in 2007 without any problem.

    Now, I can see these providers in IIS 7 but when I try to set the default it says its not trusted. The config sections are locked for me, may be permissions issue but can try it later.

    Do you think this would be the problem, i.e. not having it as a trusted provider in IIS 7.0 although it's listed? I think if I just switch to classic mode in IIS it will isolate it to just SharePoint and

    Any thoughts?


    Yogesh Pawar

  14. lynne says:

    Hi Steve,

    Great article, thank you!  We are purchasing the external connector and I was wondering if I could use FBA. For example, I am Lynne Internet-User and I want this user to read my blog, but register to add content. How do I get Lynne Internet-User as a user in SharePoint?

    Thanks, Lynne

  15. Neel says:

    Great Article

    I hope you can help, I am having FBA issues

    I followed the steps in setting up FBA, created db, role, providers in central admin as well as security token, added users, added roles, authentication. Then created a web application with claims and did the same set up for the new site collection.

    Now when I try to open the page, it comes up with the default sign in. I have already added forms users; I tried to select forms and entered user id and pwd, and I get the below error. Can you provide me some clues on what went wrong in my set up?


    Server Error in ‘/’ Application.


    The remote server returned an error: (404) Not Found.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [WebException: The remote server returned an error: (404) Not Found.]

    System.Net.HttpWebRequest.GetResponse() +1126

    System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81

    [EndpointNotFoundException: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]

    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154

    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539

    Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61

    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081

    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188

    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123

    System.Web.UI.WebControls.Login.AttemptLogin() +152

    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124

    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70

    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29

    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981


    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

  16. Pavel Novotny says:

    If you want to use ready-made solutions for the management of FBA users, you should take a look here:…/121-fba-manager-sp2010-forms-based-authentication.aspx

  17. Nikky says:

    Hi Steve,

    Nice article!!!

    I am working on MOSS2010 site to enable FBA with LdapMembershipProvider.

    Completed all changes in corresponding web.config and reached till step #4 -Login mentioned above.

    In this stage I am getting the form login here, but as I provide user credentials, it isn't able to validate them.

    getting error:

    The server could not sign you in. Make sure your user name and password are correct, and then try again.

    (user added successfully under user policy for MOSS2010 site)

    Could you please provide some hints on this issue.


  18. lars says:

    Hi Steve,

    Thanks for a nice article. I have followed it to the letter, but my people picker is empty – I can't get any of my users from my LDAP. Is there any way I can test if I have set my connection to the LDAP up correctly, or do you have any other hints?



  19. Joe says:

    Having same issue as nikky.  Did you get any results nikky?

  20. Steven says:


    The article was very clear and helpful–thanks.

    Question (for Steve or anyone else, for that matter):

    I'm able to see entries in Active Directory and Forms Auth in the People Picker, which I assume means the connection to Active Directory is configured correctly.  When I navigate to the site collection, however, I get a "server error in '/' application" page.  It says that the farm is unavailable (invalidoperationexception).

    If it's helpful, I can post the Stack Trace.

    Any ideas or suggestions for what I should try?



  21. Very comprehensive walk through on configuring FBA.  Thanks a lot!

  22. cedric says:


    I'm trying to do the same, but for Search Server Express 2010.

    The XML code above doesn't work, because

                           "Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"

    doesn't exist on SharePoint Foundation and Search Server Express 2010.

    Does someone have an idea or a site that shows how to do it?


  23. Tim says:

    Thanks for the great post.  I've given this a go but am seeing HTTP 500 Internal Server Error when I try visiting the web application set up for forms based auth.  Any ideas?  I've gone through and reread your post probably five times trying to figure out where I went wrong.

  24. Tim says:

    So  I resolved the HTTP 500 error message.  It is an issue with alternate access mappings.  Once I fixed this, all was well.

  25. Qasim says:

    Tim, could you please provide details of what the issue with alternate access mappings was and how you resolved it? I am getting the same error as well.

  26. nico says:


    I set it up as you said, and I'm not getting any errors, but when I log in with an FBA user, I get a SharePoint Access Denied, even though the user has full control on the web app.

    Anyone know what i can do about that?


  27. Merill Fernando says:

    Making the web.config changes becomes really tiring. Especially when you have multiple dev, test and prod environments.

    I've created a utility as well as a PowerShell script to automate the changes. Hope you find it useful. The source is available on CodePlex.


  28. Kipp says:

    Do your configurations above allow us to have forms authentication and Windows authentication within the same farm? I am looking to go forms auth only on a few web applications.

  29. Sang says:

    Hi Steve Peschka ,

    Could you please give me the full paths of the three web.config files? I cannot see the path of the web.config in the central admin part or the path of the web.config in the FBA part.

    Thank You & Best Your Regards,


  30. Everything works as expected following your post, but now I've got weird account names like 'i:0#.f|ldapmember|administrator'. I guess this comes from the membership provider but it looks really ugly. Is there a way to specify an account name format other than changing the full name of every member from the central admin?


  31. TJ says:

    I'm having the same issue as Nikky and Joe. It looks like I've set up everything correctly, I'm able to find users in the CA and add them to the User Policy. But when they try to log in it says "The server could not sign you in". The logs show Event ID 8306 and the message: "The security token username and password could not be validated". Google/Bing results are actually quite limited and not much help at all! Anyone?

  32. ashraf says:

    people who are looking for fba authentication without ldap may find this post useful.

    www.MrOffice365.Com

  33. LB says:

    I have the same problem as TJ. Users can be added to the site in central admin and in the webapp. But logging in fails! Anyone with a solution for this?

  34. Tyler Bithell says:

    The <membership> and <rolemember> tags already exist in the central admin web.config files just above the </system.web> tag

    Also, this portion is incorrect, at least it was for me, for the RTM version:

    IMPORTANT:  For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing.  The Role provider is listed first, and the Membership provider is listed second.  Scroll down the web.config file until you find the roleManager element (it’s a ways down there).  Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> sections.

    These tags are in the reverse order that you state.  

    Also, in my case the people picker didn't work if I didn't add the following to the peoplepickerwildcards entry in central admin and in the web app

    <clear />

    <add key="AspNetSqlMembershipProvider" value="%" />

    <add key="LdapMember" value="*"/>

    <add key="LdapRole" value="*"/>

  35. Brian says:

    Hi, I had exactly this problem and it turned out to be the ms-DS-UserAccountAutoLocked and sDS-UserAccountDisabled attributes for the users in ADAM which would not login.  In particular the sDS-UserAccountDisabled was set to TRUE.  Changing this to false resolved the problem.   Worth checking out….



  36. arun says:

    how to add user in webconfig please give me any idea thanks

  37. Amal Fernando says:

    Nice Article. Thanks for sharing.

    Best Regards,

    Amalaraja Fernando

    Technical Architect – Mphasis Limited

  38. connection string says:

    where is it that you specify a connection string?

  39. a_burdujan says:

    Here is the Article which walks through with step by step instructions on how to configure AD LDS with SharePoint 2010:…/configuring-ad-lds-with-sharepoint-2010.html

  40. says:

    Nice post also read how to setup FBA using IIS…/sharepoint2010-forms-based-authentication-fba-claims.html

  41. Rahul K says:

    Hello Steve,

    Thanks for nice article!

    Its fine working with me.

    Now i have one more scenario,

    I have done form based authentication from Active Directory in a SharePoint Foundation 2010 intranet application. And I have one more application, SharePoint 2007, which is Windows authentication. Now I have to give a link from the SharePoint 2010 site which redirects to the SharePoint 2007 site, and I don't want to authenticate a user already logged in to the SharePoint 2010 site again in the SharePoint 2007 site. One more scenario is we have one system and more than one user. Is there any way to authenticate users in the scenario I have?

    Thanks in Advance

  42. Anonymous says:

    Configuring Forms Based Authentication in SharePoint 2010 – Share-n-dipity – Site Home – TechNet Blogs

  43. SDF says:
