Configuring Forms Based Authentication in SharePoint 2010

Hopefully folks are starting to get some use out of the multitude of SharePoint 2010 postings I’ve been tossing up here.  This is a new one that I was a little hesitant to put together…given my history in SharePoint 2007 I don’t want to become typecast but…in this post I’ll give a quick walk through on creating a forms based authentication site in SharePoint 2010.

For those of you who’ve read my various blogs (http://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx being the most popular) and three-part series on FBA for SharePoint 2010 (part 1 starts here: http://msdn.microsoft.com/en-us/library/bb975136.aspx), most of this should look pretty familiar.  We’re going to follow a very similar process to what we did in SharePoint 2007, with a couple of twists.  At a high level, we’re going to:

1.       Create a new web application

2.       Configure support for FBA in central admin, our new web app, and a new thing in SharePoint 2010 called the STS web service

3.       Add a User Policy to our web app that will grant an FBA user rights to the site

4.       Login to the site and start using it!

For our example we’ll use the LDAP provider that ships in SharePoint 2010 for our directory.  Let’s look at each of these steps in more detail now.

Step 1 – Create a New Web Application

Start by going to the Central Administration web site.  Click on Manage Web Applications, then click on the New button in the ribbon to create a new web application.  In the new web application dialog we’re going to select the following settings:

·         Authentication:  Claims Based Authentication

·         Identity Providers

o   Check the Enable Windows Authentication box or you won’t be able to crawl the site

o   Check the Enable ASP.NET Membership and Role Provider checkbox

§  In the Membership provider name edit box, type LdapMember

§  In the Role provider name edit boxy, type LdapRole

·         I won’t cover all of the other sections in the new web app dialog because they aren’t specific to using FBA, so just fill them in with whatever values are appropriate for your implementation

When you’re all done click the OK button to create the new web application.  Now that the web app is created, I Highly Recommend That You Create A New Site Collection In It Now!  I’ll move forward assuming you have done as I’ve suggested.  Now…okay – step 1 is done, let’s keep moving.

Step 2 – Configure FBA Support

This step is where we go through that same process as 2007, where we need to add some entries to the web.config file for our web application, and we need to do it on each web front end in the farm.  The basic chunk of Xml we’re going to work with for the LDAP provider looks like this; I’ve highlighted the parts in yellow that you will want to change for your implementation:

<membership>

      <providers>

        <add name=”LdapMember”

             type=”Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”

             server=”stevedc.steve.local

             port=”389″

             useSSL=”false”

             userDNAttribute=”distinguishedName”

             userNameAttribute=”sAMAccountName”

             userContainer=”CN=Users,DC=steve,DC=local

             userObjectClass=”person”

             userFilter=”(ObjectClass=person)”

             scope=”Subtree”

             otherRequiredUserAttributes=”sn,givenname,cn” />

      </providers>

    </membership>

    <roleManager enabled=”true” defaultProvider=”AspNetWindowsTokenRoleProvider” >

      <providers>

        <add name=”LdapRole”   

             type=”Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”

             server=”stevedc.steve.local

             port=”389″

             useSSL=”false”

             groupContainer=”CN=Users,DC=steve,DC=local

             groupNameAttribute=”cn”

             groupNameAlternateSearchAttribute=”samAccountName”

             groupMemberAttribute=”member”

             userNameAttribute=”sAMAccountName”

             dnAttribute=”distinguishedName”

             groupFilter=”(ObjectClass=group)”

             userFilter=”(ObjectClass=person)”

             scope=”Subtree” />

      </providers>

 </roleManager>

 

Copy this chunk of Xml into something like notepad and change the parts highlighted in yellow to values that will work in your environment.  Now you can copy from there into each of the config files we need to change.  Unfortunately we’ll need to use a slightly different version of this in each web.config file.  Let’s start with the easy one first – central admin.  Find the web.config file for central admin and open it up in your favorite editor, like notepad.  Scroll down to the <system.web> entry, and paste the entire chunk of Xml directly below it.  Save your changes and the first one’s done.

The next one we’re gonna hit is the web.config for the Security Token Service (STS) virtual directory.  Explaining what the STS does, what claims based auth is, etc. is all way beyond the scope of this posting, but we’ll get to those things in time.  For now, we need to find the directory where it’s web.config file is and the easiest way to do that is to open the IIS Manager.  Expand the plus sign next to the server name.  Expand the plus sign next to the Sites object.  Expand the plus sign next to the SharePoint Web Services virtual directory.  Beneath it, find the SecurityTokenServiceApplication virtual directory.  Click on it, then click on the Content View button in the bottom of the middle part of the screen.  That will cause the Explore link to appear in the Actions pane on the right hand side of the screen (it’s the third link down from the top).  Click the Explore link and Windows Explorer will open up and you will see the web.config file you need to work with.  Open up the web.config file in a text editor and scroll all the way down to the bottom.  Directly under the </system.net> entry, do the following:

1.       Add a <system.web> entry and press enter.

2.       Copy and paste in the chunk of Xml shown above.

3.       Add a </system.web> closing tag directly below the stuff you pasted in.

4.       Find the <roleManager> element in the chunk of Xml you pasted in, and delete the defaultProvider attribute.  That leaves your roleManager element looking like this: <roleManager enabled=”true”> 

Save your changes and the second one’s done.  Now, go find the web.config file for the new FBA web application you created and open it up in notepad.  When you configured the web application to support claims based authentication, it automatically added in some Membership and Role provider information that points to a custom set of providers SharePoint 2010 adds out of the box.  So all we need to do is to just add in our provider into the correct section in the web.config.  IMPORTANT:  For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing.  The Role provider is listed first, and the Membership provider is listed second.  Scroll down the web.config file until you find the roleManager element (it’s a ways down there).  Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> sections.  So you will paste in just this part (with your site specific info replacing the part in yellow):

<add name=”LdapRole”   

             type=”Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”

             server=”stevedc.steve.local

             port=”389″

             useSSL=”false”

             groupContainer=”CN=Users,DC=steve,DC=local

             groupNameAttribute=”cn”

             groupNameAlternateSearchAttribute=”samAccountName”

             groupMemberAttribute=”member”

             userNameAttribute=”sAMAccountName”

             dnAttribute=”distinguishedName”

             groupFilter=”(ObjectClass=group)”

             userFilter=”(ObjectClass=person)”

             scope=”Subtree” />

 

Now scroll down a little more and do the same thing to add in your Membership provider.  Find the <membership><providers> element and right below paste in membership provider stuff from the chunk of Xml above (with your site specific info replacing the part in yellow):

<add name=”LdapMember”

             type=”Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”

             server=”stevedc.steve.local

             port=”389″

             useSSL=”false”

             userDNAttribute=”distinguishedName”

             userNameAttribute=”sAMAccountName”

             userContainer=”CN=Users,DC=steve,DC=local

             userObjectClass=”person”

             userFilter=”(ObjectClass=person)”

             scope=”Subtree”

             otherRequiredUserAttributes=”sn,givenname,cn” />

 

 

Okay, good – now you’ve finished step 2.  The hardest part is done.

 

Step 3 – Add A User Policy

This part is basically exactly the same as you did in SharePoint 2007, with a couple of very minor differences.  Go to the central admin site and click on Manage web applications.  Click on your new FBA web application, then click on the User Policy button in the ribbon; this brings up the User Policy dialog.  Now do the following steps:

1.       Click on the Add Users link.

2.       In the Zones drop down, select the Default zone and click the Next button.

3.       Click the Address Book icon.  This will bring up the people picker and will let you know real quickly whether everything is configured correctly or not.  The first thing you should notice is the you see a new interface.  I think it’s going to be called the Principal Picker or some other equally nerdy name, but you get the point – it allows you to search in one dialog and show matches from all of the directories you have configured.  It’s pretty slick.  So go ahead and type in the NT login name or account name (use whatever nomenclature you prefer here) and click the search button.  If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider. 

4.       Select the account in the User section and click the Add button.

5.       Click the OK button.

6.       Check the Full Control checkbox, then click the Finish button.

That’s it – everything should be all configured now for you to log into your new FBA site.

Step 4 – Login

Go ahead now and navigate to the site in your FBA web application.  You should get an initial prompt where it asks you what kind of authentication you want to use to access the site – Windows Authentication or Forms Authentication.  Select Forms Authentication from the drop down and the page posts back with a standard forms login page.  Enter the credentials of the user to which you granted the Full Control user policy and you should log into the site.  Now you can start adding other FBA members and roles into SharePoint groups so they can access the site to.

All Done!

Well, that’s all there is too it.  If you’ve never done it before it probably seems kind of complicated, just like the first time folks did it in SharePoint 2007.  If you have set it up before in SharePoint 2007 though, the process probably seems pretty straightforward.  Hopefully this post will get everyone moving the right direction and able to start using FBA with their new SharePoint 2010 sites.  Good luck!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s