Skip Links

Network World

Enabling Forms-based Authentication for SharePoint 2007

By Michael Noel on Tue, 08/21/2007 - 2:26am.

One of the more useful features in SharePoint 2007 from an extranet perspective is the ability to use an alternate authentication provider other than Active Directory to authenticate users.  This allows organizations to use ADAM, other AD Forests, LDAP providers, and even a simple SQL table for authentication.  Often this is the scenario desired when SharePoint is opened up to external access by extranet partners or other non-employees.

When using an alternate authentication provider, SharePoint 2007 presents a form that utilizes forms-based authentication (FBA) to the SharePoint Site.  Out of the box, SharePoint 2007 products and technologies provides the ability to setup and use an ASP.NET SQL Database that can contain usernames, passwords, email addresses, and roles (the equivalent of AD Groups) for users.  Finding information on exactly how to set this up is difficult, unfortunately, so I've compiled a list of steps that can be used to enable FBA using the standard ASP.NET SQL Database.

A few caveats about using FBA before you enable it.  First, the crawler in SharePoint for indexing cannot crawl a web application that uses FBA.  You must have the same content extended onto a separate web application that is configured to use Integrated Windows Authentication or Basic Authentication/SSL for this to work properly.  Secondly, Office client integration can be impacted when using FBA.  It is best used for scenarios where users download Office content for reading, not necessarily scenarios where they contribute to document content.  This is due to limitations in the Office client software and how it handles FBA.

Incidentally, one HUGE advantage to enabling FBA for extranet users is that the extranet users can share the same SharePoint content/site collections with internally authenticated users from AD.  To do so simply requires extending an existing Web application so that there are two Web Applications that point to the same set of SharePoint content.

I've divided the process into six distinct steps as follows:

Step 1: Create ASP.NET SQL Database to house the user accounts

  • SQL Server 2005 contains a built-in tool that will create an ASP.NET Users Database
  • Run the tool from the C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory on the SQL Server
  • Tools syntax is aspnet_regsql to launch

Step 2: Create the Web Application in SharePoint for the FBA Interface

  • Create a Web Application dedicated to FBA
  • Can be a new web application, or can be connected to existing content with the ‘Extend an Existing Web Application' option
  • Specify a Windows Auth Site Administrator at first (you'll change this later)

Step 3: Edit web.config files for FBA Web App and the Central Admin tool Web App

  • Add the servername, member, provider, and database info into the web.config file for the newly created FBA Web Application. The web.config file is located in the root of the web site directory (i.e. C:\inetpub\wwwroot). You can use any variables for the member and provider, I included sample variables below in the code snippet that you can use.
  • Add the same syntax for the Web Application for the Central Admin Web Application. The web.config file will be located in the root directory for the Central Admin IIS Virtual Server, find the root directory in IIS Manager. The syntax and location of the web.config snippet are exactly the same, except change the rolemanager line to this:

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

  • It is Critical that the syntax is correct. Double-check both the web.config of the FBA web.config and the Central Admin web.config for errors. They should exactly match except for the rolemanager element.

Step 4: Provision users in ASP.NET Database using full version of Visual Studio 2005

  • Create a brand new project, add a fresh web.config file (Web application definition file)
  • Copy the excerpt below and place in the blank web.config file
  • This will allow Visual Studio to access the Users database
  • Use the ASP.NET Web Site Administration Tool to create Users and Groups (Website - ASP.NET Configuration). If you do not see the WebSite option, you have the wrong version of Visual Studio 2005 (you need the full version.)
  • Create Roles and then add Users to Roles.

Step 5: Enable FBA in the SharePoint Central Admin Tool

  • Under the Application Management tab, click on Authentication Providers
  • Click on Default
  • Select Forms
  • Enter the Membership and Role Provider names from the web.config file (in this example, they are FBARoleProvider and FBAMembershipProvider)

Step 6: Configure FBA User as Site Administrator

  • Under Application Management, click on Site Collection Administrators
  • Select the web application
  • Type the name of the admin user created
  • Once added, you can login as the site admin and set the additional security rights

The final bit of text I've included below is the sample syntax to include in the web.config file. Cut/Paste it directly I place it right under the </SharePoint> line in the web.config and before the <securityPolicy> line.  This will overwrite the <system.web> line and replace it with the snippet.  Note that the variables are highlighted in red.  Change the servername to match the SQL Server name and the database name to match the name the one you used in Step 1.

Cheers,

Michael

***Web.config SNIPPET BELOW***

<connectionStrings>
  <add name="FBAConnectionString" connectionString="server=SPSERVER; database=SharePointUsersDB;

Trusted_Connection=True" />
 </connectionStrings>
 <system.web>
  <!-- membership provider -->
  <membership defaultProvider="FBAMembershipProvider">
   <providers>
    <add
      connectionStringName="FBAConnectionString"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      applicationName="/"
      requiresUniqueEmail="false"
      passwordFormat="Hashed"
      maxInvalidPasswordAttempts="5"
      minRequiredPasswordLength="1"
      minRequiredNonalphanumericCharacters="0"
      passwordAttemptWindow="10"
      passwordStrengthRegularExpression=""
      name="FBAMembershipProvider"
     

type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"

/>
   </providers>
  </membership>
  <!-- role provider -->
  <roleManager enabled="true" defaultProvider="FBARoleProvider">
   <providers>
    <add
      connectionStringName="FBAConnectionString"
      applicationName="/"
      name="FBARoleProvider"
     

type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
  </roleManager>

Tags: