
A while back a client asked me to set up Forms Based Authentication (FBA) for them.  I said sure (of course) and started to research the steps required to accomplish this.  In my oodles and oodles of research I found many useful but somewhat partial posts.  What I mean by this is that not one of the posts I encountered had ALL of the steps required to get this to work; I was left to aggregate steps from different areas.  Most posts assumed you were running as an administrator, maybe even that your SharePoint application pools were running as system accounts with unlimited privileges (on both the operating system and in the database), with no “real world” scenarios if you will.  Also, none of the posts made mention of Office SharePoint Server; they all centered around Windows SharePoint Services (more on that later).  My aim here is to provide a series of posts that include the following:

  1. Each and every step required to set up FBA using the built-in Asp.Net Membership and Role providers (Part 1).  I will demonstrate one way to accomplish this.  There are others and they will be mentioned, but not looked at in any detail.
  2. How to enable MySites and the Personalization features included with Office Server and have them actually work with a site using FBA.
  3. A natural extension of 1 and 2 that will demonstrate how to hook into the ADAM membership provider, and get it functioning with MySites and the Personalization features as well.

Initially, after setting FBA up successfully (Part 1), my client then asked me to enable MySites.  That’s when all hell broke loose.  Not only did this not work right away, but after 3 unsuccessful calls to Microsoft support (they could not get it to work and kept parading me in circles, and still are for that matter, maybe they will read this and call me back), and quotes from Microsoft employees saying “it’s not supposed to work” or “it does not work”, I am pleased to say that it does in fact work and I will show you how (Part 2).

Before we begin I have to say that since I have been told that “it’s not supposed to work” or “it does not work”, and since I have not found any reliable documentation indicating how to do this, I must add a disclaimer that if it does not work for you, something is different between our environments, or to please call Microsoft <shrug>.  I will do my best to be as detailed as possible about my environment and all of the steps involved.  If anything is unclear, please leave a comment and I will do my best to make it a little clearer.  One last thing I would like to mention is that I have successfully implemented MySite functionality as well as the other Personalization features of Office SharePoint Server 2007 with Forms Authentication using both the built-in Asp.Net Membership and Role providers as well as with an ADAM Membership provider.  I have recently received an ADAM Role provider from Adam Buenz and plan on testing that soon but fully expect it to integrate seamlessly (with his help if needed, I hope).

So here we go, this is going to be a long one so bear with me.  By the end of the series you will have MySite and the Personalization features working seamlessly with Forms Authentication in your Office SharePoint Server 2007 environment!  Good Luck!

One assumption I have made in this process is that you have already created a Shared Services Provider and started the Office SharePoint Server Search service.  Also, I am logged on to the development machine as a domain administrator.  The term browser in this series means Internet Explorer 7.  All of the below steps are to be performed on the Guest machine.

Environment

My environment is as follows.  Keep in mind that any variation from this could produce different results.  Again, if I forget to mention something obvious, please let me know and I will update the list.

Host Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 2.00 GB of RAM
  3. Microsoft Windows XP Professional, Version 2002, Service Pack 2
  4. VMWare Workstation, Version 5.5.3 build-34685

Guest Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 1.00 GB of RAM
  3. Microsoft Windows Server 2003, Standard Edition, Service Pack 1
  4. Active Directory (Domain Controller)
  5. Microsoft SQL Server 2005, Service Pack 1
  6. Microsoft Visual Studio 2005
  7. Microsoft Office Server 2007, Version 12.0.0.4518

FBA User & Role Store

Database Creation

We need a place to put our users.  The Asp.Net 2.0 Membership and Role providers include a database.  The steps to install the database are as follows:

  1. Open up a command prompt by clicking Start…Run, then typing cmd and pressing Enter.
  2. Switch to the Asp.Net 2.0 Framework directory by typing
    cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    and pressing Enter.
  3. Type aspnet_regsql to launch the ASP.NET SQL Server Setup Wizard.

  4. Click Next.
  5. Choose Configure SQL Server for application services (the default choice) on the Select a Setup Option screen and click Next.

  6. Specify the SQL Server name (your machine name), database name to create (I used AspNetDb_FBADemo), and the credentials to use for this process (database creation).  I generally prefix my Membership and Role provider databases with AspNetDb_ such that they appear together in Microsoft SQL Server Management Studio and are easily identifiable should I need to access them, such as to update Security (Step 10).  Click Next.

  7. Confirm your settings on the Confirm Your Settings screen and click Next.

  8. The process takes a few seconds and then The database has been created or modified screen appears.  Click Finish to close the wizard.

  9. Open Microsoft SQL Server Management Studio and confirm that the database was successfully created.
  10. One step that I have not seen mentioned ANYWHERE is to make sure that the account running the application pool used by the sites you create below has access to the database we just created.  This step is critical: SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.
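One way to perform step 10 without handing the application pool account db_owner, as an added T-SQL example that is not part of the original post. It assumes the database name AspNetDb_FBADemo from above and uses DOMAIN\SPAppPool as a placeholder for your application pool identity; the aspnet_Membership_* and aspnet_Roles_* database roles are the ones aspnet_regsql creates.

```sql
-- Added example (not from the original post): grant the SharePoint application
-- pool account least-privilege access to the provider database created above.
-- Assumptions: database AspNetDb_FBADemo (as in the post); DOMAIN\SPAppPool is a
-- placeholder for the real application pool identity.
USE [master];
GO
-- Windows login for the app pool identity (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\SPAppPool')
    CREATE LOGIN [DOMAIN\SPAppPool] FROM WINDOWS;
GO
USE [AspNetDb_FBADemo];
GO
-- Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\SPAppPool')
    CREATE USER [DOMAIN\SPAppPool] FOR LOGIN [DOMAIN\SPAppPool];
GO
-- aspnet_regsql creates database roles scoped to the provider stored procedures.
-- FullAccess on both is used here because SharePoint's people picker searches
-- users and roles (FindUsersByName, role enumeration) in addition to validating
-- logons. Neither db_owner nor sysadmin is required for the provider to work.
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'DOMAIN\SPAppPool';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess',      N'DOMAIN\SPAppPool';
GO
-- Check: list the provider roles the account now holds. Expect exactly the two
-- roles above and nothing broader.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'DOMAIN\SPAppPool';
GO
```

Run it in Management Studio as a login that can create logins and users; if the application pool later fails to resolve users, the final SELECT is the first thing to re-check.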

User and Role Creation

Microsoft has given us a great database schema to use as a membership and role provider data store but has not really supplied a “good” tool to manage its contents.  When you think about it, this actually makes sense.  The providers are intended to be used by other applications so maybe one of the assumptions made was that the tools to maintain the users and roles will be provided by the applications that consume them.

Thankfully, the Microsoft Visual Studio 2005 team had the foresight to create a somewhat rudimentary web application to help us manage the membership and role provider data store.  The caveat is that the tool must be launched from Microsoft Visual Studio 2005.  You can immediately see that this is not a very good option for those that will be managing the users and roles, i.e.: real users of your application.

I will now walk you through a set of steps to create a few users and roles that we will be using later.

  1. Create a folder on your desktop called FBA Management Site.
  2. Open Microsoft Visual Studio 2005.
  3. Select File…Open…Web Site.
  4. In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.

  5. Click Open.
  6. In the Solution Explorer, right-click on the web site and select Add New Item.
  7. Select Web Configuration File and click Add.  There is no need to rename the file, web.config is fine.
  8. Replace the empty <connectionStrings/> element with the following snippet.  Be sure to replace both <server name> and <database name> with their appropriate values.

    <connectionStrings>
    <add
    name="AspNetDbFBADemoConnectionString"
    connectionString="Data Source=<server name>;Initial Catalog=<database name>;Integrated Security=True" />
    </connectionStrings>

    My connection string element looks like this:

    <connectionStrings>
    <add
    name="AspNetDbFBADemoConnectionString"
    connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

  9. Just below the opening <system.web> tag, add the following membership and roleManager elements.  Be sure to update the connectionStringName attributes of each of the two providers to the name of the connection string you created in step 8.  Also be sure to give both providers meaningful names; in my case, I used FBADemoMember and FBADemoRole.  Remember these names, we will need them later.  Save and close the web.config file.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
    <providers>
    <add
    connectionStringName="AspNetDbFBADemoConnectionString"
    enablePasswordRetrieval="false"
    enablePasswordReset="true"
    requiresQuestionAndAnswer="false"
    applicationName="/"
    requiresUniqueEmail="false"
    passwordFormat="Hashed"
    maxInvalidPasswordAttempts="5"
    minRequiredPasswordLength="1"
    minRequiredNonalphanumericCharacters="0"
    passwordAttemptWindow="10"
    passwordStrengthRegularExpression=""
    name="FBADemoMember"
    type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
    <providers>
    <add
    connectionStringName="AspNetDbFBADemoConnectionString"
    applicationName="/"
    name="FBADemoRole"
    type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
    </roleManager>

  10. Click ASP.NET Configuration under the Website menu.  The ASP.NET Web Site Administration Tool opens in a browser.  If the tool does not appear, or cannot connect, verify the connection string and provider information entered above.

  11. Click on the Security tab.  You are presented with the following.  From here we will create our users and roles.

  12. Click on the Select authentication type link in the Users box on the left.
  13. Select the From the internet radio button then click the Done button in the bottom right hand corner of the window.
  14. Create an Administrator, Manager and Employee role.  This step and the next three are intuitive enough that I am not going to spell them out.
  15. Create a single Administrator user, spadmin.  Be sure to assign the user to the Administrator role as you create it.
  16. Create two Manager users, Manager1 and Manager2.  Be sure to assign these users to the Manager role as you create them.
  17. Create 4 Employee users, Employee1, Employee2, Employee3 and Employee4.  Be sure to assign these users to the Employee role as you create them.
  18. When you are done you should have seven users and three roles defined.  This can be verified by clicking on the Security tab.  Your user and role counts may differ depending on whether you followed my instructions to the letter.  It is not critical.  What is important is that you create some roles and users and assign some users to the roles.  This is what my Security screen looks like.

  19. Close the ASP.NET Web Site Administration Tool.
  20. Close Microsoft Visual Studio 2005.
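A database-side check for steps 14 to 18, as an added T-SQL example that is not part of the original post. The point it verifies is that the users and roles landed under the same applicationName ("/") that the provider elements in step 9 declare, and that passwords were stored hashed as passwordFormat="Hashed" requires; a mismatch on either is a common reason SharePoint later cannot resolve the accounts. It assumes the database AspNetDb_FBADemo and the user and role names used in the post.

```sql
-- Added example (not from the original post): confirm the users and roles
-- created in the Web Site Administration Tool are stored under the application
-- name the providers use (applicationName="/") and that passwords are hashed.
-- Assumes database AspNetDb_FBADemo and the sample users/roles from the post.
USE [AspNetDb_FBADemo];
GO
-- 1. Every user, the application it belongs to, its roles and password format.
--    An ApplicationName other than '/' means the admin tool and the SharePoint
--    web.config disagree, and the providers will not see these accounts.
SELECT a.ApplicationName,
       u.UserName,
       r.RoleName,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
       END AS PasswordFormat,
       m.IsApproved,
       m.IsLockedOut
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
JOIN dbo.aspnet_Membership   m ON m.UserId = u.UserId
LEFT JOIN dbo.aspnet_UsersInRoles ur ON ur.UserId = u.UserId
LEFT JOIN dbo.aspnet_Roles        r  ON r.RoleId  = ur.RoleId
ORDER BY a.ApplicationName, u.UserName, r.RoleName;
GO
-- 2. Summary per application. With the post's data expect one row for '/'
--    with 7 users, 3 roles and 0 in NotHashed; any user without a role shows
--    up in NoRole and will not get role-based access in SharePoint.
SELECT a.ApplicationName,
       (SELECT COUNT(*) FROM dbo.aspnet_Users x
         WHERE x.ApplicationId = a.ApplicationId) AS Users,
       (SELECT COUNT(*) FROM dbo.aspnet_Roles y
         WHERE y.ApplicationId = a.ApplicationId) AS Roles,
       (SELECT COUNT(*) FROM dbo.aspnet_Membership z
         WHERE z.ApplicationId = a.ApplicationId AND z.PasswordFormat <> 1) AS NotHashed,
       (SELECT COUNT(*) FROM dbo.aspnet_Users x
         WHERE x.ApplicationId = a.ApplicationId
           AND NOT EXISTS (SELECT 1 FROM dbo.aspnet_UsersInRoles ur
                            WHERE ur.UserId = x.UserId)) AS NoRole
FROM dbo.aspnet_Applications a;
GO
```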

SharePoint Setup

We cannot implement FBA without a SharePoint site.  The first thing we need to do is decide upon some URLs.  For the sake of this example, I will be demonstrating how to expose the same site (content database(s)) to users with NT accounts through one URL and to our FBA users through another URL.  This setup is typical in an extranet scenario where we may want to expose some content to our customers, but they may not have Active Directory accounts and their user information is either stored elsewhere (requiring custom Membership and Role providers to be written, which is well beyond the scope of this post) or stored in a SQL database created using the steps earlier in this post and populated either through your own interface or using the above steps.  I am choosing to create an internal site to be accessed via http://FBAextranet and an external site for my customers to be accessed via http://FBAextranet.attis.org.

Update hosts file

To make these URLs accessible on our development machine, we need to add some hosts file entries.  Here are the steps.

  1. Open up Windows Explorer.
  2. Type C:\WINDOWS\system32\drivers\etc into the address bar and click Enter.
  3. Double click on the hosts file.
  4. Select Notepad and click OK.
  5. Add the following two lines to the bottom of the file, right below the localhost entry.

    127.0.0.1       FBAextranet
    127.0.0.1       FBAextranet.attis.org

  6. Save and close the hosts file.
  7. Close Windows Explorer.
  8. Opening up a browser and browsing to either of the above two entries should bring up the Under Construction page as shown below.

Create FBAextranet.attis.org

Try to keep the primary purpose of your content in mind.  I say this because it may make your life a little easier when making decisions later, primarily in Part 2 of this series when we setup MySites and Personalization.  In our case, the primary purpose of my site is to serve my customers.  With that said, we should create our external site first, http://FBAextranet.attis.org.  Here are the steps.

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Create a new Web application.
  5. Choose to Create a new IIS web site.
  6. Enter 80 in the Port textbox.
  7. Enter FBAextranet.attis.org in the Host Header textbox.
  8. Do not make any changes in the Security Configuration section or the Load Balanced URL section.
  9. Depending on your environment, either create a new application pool or use an existing one.  In my case, I have one that I reuse for all sites on my development machine.
  10. Choose to Restart IIS Automatically.
  11. Ensure that the value in the Database server textbox is accurate.
  12. Enter a meaningful name for the content database.  I generally suffix the default name with an underscore (_) and the name of the primary url for my content (FBAextranet.attis.org), in this case, WSS_Content_FBAextranet.attis.org.
  13. Click OK.
  14. From the Application Created screen, click on the Create Site Collection link.
  15. Enter FBA Extranet in the Title textbox.
  16. Choose the Blank Site template.
  17. I mentioned at the beginning of this post that I was logged on to the development machine as a domain administrator.  Assuming you are as well, make this user the Primary Site Collection Administrator, otherwise, choose an appropriate user.
  18. Click OK.
  19. From the Top-Level Site Successfully Created page, click OK.
  20. Open a browser and browse to http://FBAextranet.attis.org.
  21. You will be prompted for your NT credentials; remember, we have yet to change the site’s authentication mode to forms.

Update FBAextranet.attis.org web.config

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint - FBAextranet.attis.org80 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://FBAextranet.attis.org web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file.
  9. Save and close the web.config file.

Create FBAextranet

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Extend an existing Web application.
  5. In the Web Application section choose to extend http://FBAextranet.attis.org.
  6. Choose to Create a new IIS web site.
  7. Enter 80 in the Port textbox.
  8. Enter FBAextranet in the Host Header textbox.
  9. Do not make any changes in the Security Configuration section.
  10. In Load Balanced URL section, be sure the Zone is set to Intranet.
  11. Click OK.
  12. Open a browser and browse to http://FBAextranet.
  13. You will not be prompted for your credentials because the above URL automatically falls into the Local Intranet security zone of your browser (unless you have changed your browser’s default settings) and your NT credentials are simply passed through to the site by Windows (Integrated Windows authentication).  This is the behavior we want at this URL.

Update Central Administration web.config

We need to make Central Administration aware of our new membership and role provider.  Here are the steps.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint Central Administration v3 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the Central Administration web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file of the Central Administration site.
  9. Update the roleManager element from

    <roleManager enabled="true" defaultProvider="FBADemoRole">

    to this

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

  10. Save and close the web.config file.

Enable FBA on FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Authentication providers in the Application Security section.
  4. Be sure to select the http://fbaextranet.attis.org Web Application in the top right hand corner of the screen.
  5. You should see two zones listed, a Default zone and an Intranet zone.  Click on the Default zone.  Remember, earlier we decided that serving our customers was the primary (default) purpose of this site.
  6. Select Forms in the Authentication Type section.  After the page posts back, Membership Provider Name and Role Manager Name textboxes appear.
  7. Enter the appropriate values from the previous sections into both the Membership Provider Name (in my case FBADemoMember) textbox and the Role Manager Name (in my case FBADemoRole) textbox and click Save.
  8. Open a browser and browse to http://FBAextranet.attis.org.
  9. You will be presented with the stock FBA login form.

Add secondary Site Collection Administrator to FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Site collection administrators in the SharePoint Site Management section.
  4. Make sure http://fbaextranet.attis.org is selected in the Site Collection dropdown at the top right corner of the screen.
  5. Type spadmin (the admin user we created earlier in this post) into the Secondary site collection administrator textbox, then click the person icon to resolve the user.  It will resolve to your FBA user.
  6. Click OK.

Browse http://FBAextranet.attis.org

  1. Open a browser and browse to http://FBAextranet.attis.org.
  2. On the FBA login screen, logon as spadmin.
  3. You can now secure your securables using the users and roles stored in SQL Server!  Congratulations.
  4. Notice that MySites are not available.  Be on the lookout for Part 2 to walk you through the steps to do that!  It’s a doozie and apparently shouldn’t work 🙂

I hope this post is useful.  It’s an aggregation of many sources, coupled with my own experience, all in one place, with many of the lessons I have learned.  There are a couple of variations to this process, some involving policy.  I am of the opinion that one should only use policy when it is absolutely necessary.  I finished writing this at 1 AM so there may be some errors; please let me know if you find any!
