An awesome feature with SharePoint is the ability to use another authentication store for your users. This is especially helpful when you want to extend your site to an extranet or internet zone and you don’t want your external users in your company Active Directory. I walk through configuring and setting up CBA here. Once you’ve configured your web application to use FBA, the typical login page is plain. If you setup mixed mode (as in my example) the login page simply prompts for Windows or Forms authentication. Most users don’t understand the difference.
Seriously, what end user doesn’t know they’re using a Windows account? And my extranet users, seriously, they should know they’re forms…
Fortunately, we can change these options and give the user a little more to work with. For my example, I have my web application setup and I want my customers to login so we can collaborate on orders and projects. I would like a login page that is painfully obvious as to which how the user should login. We’ll dive into how to do so now. I walk through creating a new project with the end result being a feature. I prefer this method because it gives us the most flexibility with a code behind file. We could add CAPTCHA verification, or additional components as we need to make this work.
- Open Visual Studio 2010, create a new Empty SharePoint Project, and name it CustomLoginPage.
- Add the reference to Microsoft.SharePoint.IndentityModel. This isn’t available in the browser, you’ll have to browse to it at C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.IdentityModel\ 14.0.0.0__71e9bce111e9429c\Microsoft.SharePoint.IdentityModel.dll
- Add a new application page, call it Login.aspx.
-
Replace the content of Login.aspx with the following, updating a few items as necessary (highlighted)
<%@ Assembly Name="$SharePoint.Project.AssemblyFullName$" %><%@ Assembly Name="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %><%@ Assembly Name="Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %><%@ Import Namespace="Microsoft.SharePoint" %><%@ Import Namespace="Microsoft.SharePoint.WebControls" %><%@ Register Tagprefix="SharePoint"Namespace="Microsoft.SharePoint.WebControls"Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %><%@ Register Tagprefix="asp" Namespace="System.Web.UI"Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %><%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Login.aspx.cs" Inherits="CustomLoginPage.Login" MasterPageFile="~/_layouts/simple.master" %><asp:Content ID="contentHEAD" ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server"><style type="text/css">body{background-color: #d5d5d5;background-image: url(images/ACME-Catalog.jpg);background-position: center;}body #s4-simple-content{margin-left: 0px}.s4-simple-iconcont{display:none}h1{font-size:24px;font-weight:bold}</style></asp:Content><asp:Content ID="Content1" ContentPlaceHolderID="PlaceHolderPageTitle"runat="server"><SharePoint:EncodedLiteral runat="server"EncodeMethod="HtmlEncode" ID="ClaimsFormsPageTitle"Visible="false" />Acme Login</asp:Content><asp:Content ID="Content2" ContentPlaceHolderID="PlaceHolderPageTitleInTitleArea"runat="server"><SharePoint:EncodedLiteral runat="server"EncodeMethod="HtmlEncode" ID="ClaimsFormsPageTitleInTitleArea"Visible="false" />Log into the Acme Portal</asp:Content><asp:Content ID="Content3" ContentPlaceHolderID="PlaceHolderSiteName"runat="server" /><asp:Content ID="Content4" ContentPlaceHolderID="PlaceHolderMain"runat="server"><table width="100%" cellpadding="0" cellspacing="30" border="0"><tr><td><h2>Customer Login</h2>Enter your username and password below and click Sign In.<asp:login id="signInControl" FailureText="<%$Resources:wss,login_pageFailureText%>" runat="server" width="100%"><layouttemplate><asp:label id="FailureText" class="ms-error" runat="server"/><table width="100%"><tr><td nowrap="nowrap"><SharePoint:EncodedLiteral ID="EncodedLiteral1" runat="server" text="<%$Resources:wss,login_pageUserName%>" EncodeMethod='HtmlEncode'/></td><td width="100%"><asp:textbox id="UserName" autocomplete="off" runat="server" class="ms-inputuserfield" width="99%" /></td></tr><tr><td nowrap="nowrap"><SharePoint:EncodedLiteral ID="EncodedLiteral2" runat="server" text="<%$Resources:wss,login_pagePassword%>" EncodeMethod='HtmlEncode'/></td><td width="100%"><asp:textbox id="password" TextMode="Password" autocomplete="off" runat="server" class="ms-inputuserfield" width="99%"/></td></tr><tr><td colspan="2" align="right"><asp:button id="login" commandname="Login" text="<%$Resources:wss,login_pagetitle%>" runat="server" /></td></tr></table></layouttemplate></asp:login></td></tr><tr><td><h2>Personnel Login</h2>Acme Personnel can log in below. Login with your Acme account, i.e. acme\username.<br /><br /><a href="/_windows/default.aspx?ReturnUrl=<%=Request.QueryString["Source"] %>">click here to login</a></td></tr></table><div id="SslWarning" style="color:red;display:none"><SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="ClaimsFormsPageMessage" /></div><script language="javascript" >if (document.location.protocol != 'https:') {var SslWarning = document.getElementById('SslWarning');//SslWarning.style.display = ''; //show the warning if applicable}</script></asp:Content>
You’ll see that I’m overriding some of the CSS elements, this will let me customize this to exactly what I want.
-
Replace the content of Login.aspx.cs with the following
using System;using Microsoft.SharePoint.IdentityModel.Pages;namespace CustomLoginPage{public partial class Login : FormsSignInPage{protected void Page_Load(object sender, EventArgs e){} }} - Deploy your feature.
- Go to Central Administration > Manage Web Applications. Select your web application and click Authentication Providers
- Click your zone that has Claims Based Authentication.
- Scroll down a little to Sign In Page URL and enter the path to your custom page: ~/_layouts/CustomLoginPage/Login.aspx
- Scroll to the bottom and click Save.
- Close the Authentication Provider Window.
- Now browse to your site, you should now see your new login page
So my login page went from
To
References
RSS - Posts
Hi David,
I have successfully deployed FBA but have into a roadblock with custom login page for AD users. I have googled a lot with no success. No solution seems to be working. I am not familiar enough with ASP.NET, SharePoint and C# to troubleshoot it on my own as most of my experience lies with PHP.
Here is the scenario:
I have a site collection in the root of my web application (for example: http://myintranetsite.com:1234/) and I use the following link for AD user authentication.
/_windows/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F
This works with no issues.
But when I remove the root site collection to enable the use of multiple site collections (for example: http://myintranetsite.com:1234/departments/sales) when using the above link the page redirects back to the login page instead of redirecting the user to the site collection. It does however, authenticate the user because if I open the above mentioned URL in a new tab I see that I can get in without any prompt for login.
Can you please advise if I am missing anything? To me it seems like the link I am using is not correct for multiple site collections. I also tried using the link in your article but it removes the entire anchor from the page.
Any help would highly be appreciated.
Hi, thanks for all the info. I am deploying this for SharePoint 2013 and thought i better mention, if no one else has yet, that the reference model is found at: “C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.SharePoint.IdentityModel\v4.0_15.0.0.0__71e9bce111e9429c” Since framework 4
Got thru to the last step. Where exactly is: Login.aspx.cs?
I can’t find it in the VS project files. I also can’t find it underneath the solution directory. I can find it if I search the entire C drive of the SHarePoint server (in fact it is in two places). So I don’t get it, am I supposed to do a computer hard drive search for it or should it be associated with the VS project? Thanks for your posts.
By the way, I followed the steps right up until the last one, could not find the login.aspx.cs file to edit (or had to do a hard disk search for it). And the error message that I get when I go to the site is: ‘CustomLoginPage.Login’ is not allowed here because it does not extend class ‘System.Web.UI.Page’.
The problem was that while I was creating a blank SharePoint project, it was a VB SharePoint project. I changed it to a Visual C# SharePoint 2010 Empty SharePoint Project — I assume that is correct? In any event, the error message that I am getting now is: Correlation ID 03ee6c67-be4d-42e5-a72e-4a129a273e25
Hi Bob,
If you take the correlation ID, you can search the logs for the associated error message. Unfortunately, the ID alone doesn’t help.
Nice articles, I followed the steps and got it working for the first time. I logged out and then tried sign in again, but I kept on receiving 402 Forbidden Error. Any idea what could be the cause
unfortunately I haven’t run into this. Post it over at sharepoint.stackexchange.com, see if the community has.
Dear all,
i have a question.
i am using both FBA and Windows Authentication for a web application according to your steps.
i have developed a login form instead of the default sharepoint web page. and if using VS2010, i can deploy it very well.
then comes to the production environment, i use ps file to deploy that to the whole farm, using Install-SPSolution:
Add-SPSolution -literalpath C:\CustomLoginPageEx.wsp
Install-SPSolution -Identity CustomLoginPageEx.wsp -AllWebApplications -GACDeployment -Force
the solution is well deployed, but when i go to the web application that using FBA and Windows authentication, i will receive a security exception error as below:
———————————————————————————————————————————————————————
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: Request failed.]
System.Reflection.Assembly._GetType(String name, Boolean throwOnError, Boolean ignoreCase) +0
System.Web.UI.Util.GetTypeFromAssemblies(ICollection assemblies, String typeName, Boolean ignoreCase) +201
System.Web.UI.TemplateParser.GetType(String typeName, Boolean ignoreCase, Boolean throwOnError) +323
System.Web.UI.TemplateParser.ProcessInheritsAttribute(String baseTypeName, String codeFileBaseTypeName, String src, Assembly assembly) +10891548
System.Web.UI.TemplateParser.PostProcessMainDirectiveAttributes(IDictionary parseData) +365
———————————————————————————————————————————————————————
while after i have modified the web applicaton web.config trust level to Full, the login page can be used.
but since Full is not so good, is there another to solve this?
besides, i have set the VS project Assembly property to webapplication instead of GAC….., will that matter?
thank you so much if you can help me solve this!!!!!!!
Mezzo
I haven’t tried a web application assembly with this solution. It is a full farm solution, GAC and full trust level required.
Hi
Im getting this error
‘CustomLoginPage.Login’ is not allowed here because it does not extend class ‘System.Web.UI.Page’.
Any help would be appreciated…
Thanks …
Hi sonali,
I’m not sure why you’d be getting this error. Where are you seeing it? In VS or in SP?
Hi David thanks for reply , the error get solved now, it was my mistake in code,
Yes please…
YEs im developer in c# but beginner to sharepoint, but would like to develop my own but dont know how and where to start…
I need to develop 3 things, custom Login scrren for Windows authintication, (which should not include FBA option ), Forgot Password and change password, as far as I see playing with Active directory is not easy….
You should probably look for some resources on starting off in development. There’s a list of prereqs you should know and understand before diving down this road. Authentication is one of the more advanced chapters. Check out sharepoint.stackexchange.com, post your questions there around starting development, you’ll get some great free resources for learning it.
Found one link all with Active directory, I will give a try. to piece of code for Resetting password,.
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#46
Hi Nice article , I am goggling for Forgot Password link which recovers password and send the new password to the email of active directory user, Any help would be appreciated.
This would be a highly custom piece, updating an AD password can get tricky. Unfortunately there’s not a quick and dirty fix, especially for AD accounts. Most SharePoint implementations are on networks where users have other methods of changing their passwords. If you’re familiar with C# and SharePoint solutions, you can see about adding the functionality. If you’re not, then see what you can find for a 3rd party solution.
I’ve done something like this before. I will dig up my code and see about sharing it, I don’t know when though.
David, Great article! Can you clarify whether Active Directory users (Windows users) should be able to login to SharePoint externally from outside our LAN over SSL? At present they can login when in the office using Windows Integration but when trying to login externally the page refreshes and goes blank. FBA users can login externally no problem.
Hi Dan,
Thanks for the comment. Short answer is Yes. Windows authentication can and normally does work over SSL. When accessing the site from outside the network, make sure users are logging in as domain\username (unless you configured IIS differently), and disable friendly errors in IE (http://technet.microsoft.com/en-us/library/cc778248.aspx), this might give you more to work with. Also, check out the SharePoint logs for any errors and messages.
If you want, you can email me at david at lozzi dot net, and I can work with you some more in figuring out the issue. Or you can post your issue to sharepoint.stackexchange.com.
More on SharePoint’s extranets: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=24079.
Thanks – David
Thanks for the advice! When I went to retest with friendly errors disabled it miraculously started working I have since tested it in various browsers and it now works! Strange but good!
David – thanks for the blog. It really help but I do have one issue and I’m not sure why. My company has many domains. If a users logs into Windows with domain XYZ but their SharePoint access is through domain 123 they will receive “Access Denied” when logging in – this is okay. When they click on “Sign-on as a Different Use” the loopback to the Custom Page but cannot login. Any ideas?
They should go back to the custom page so they can login as a valid user. But are you saying when they do, they can’t login using a valid user? If they close the browser and come in fresh, can they login using a valid user initially?
They do go back to the custom page and when they click on “Employee Login” for a second time it takes them to a blank page (no errors, nothing). They would then have to close and re-open the browser. I guess I need a way for them to login as a different user. i.e. when they click on Log in as a Different user they should get a prompt for their credentials.
Ah, understood. I don’t know off the top of my head on this one. I will have to test it out and see if I can recreate the issue. You may also want to post it on sharepoint.stackexchange.com, to get more feedback.
Thanks. I will post it at sharepoint.stackexchange.com I have a go around for now – changed security on IE to prompt for login
i am getting an error
while trying to run the application.
can u help me out
I’m not familiar with this error, where is it occurring? If it’s regarding the web.config file, review it, make sure you put the elements in the right positions. Make sure you’re not missing a quote or a close bracket somewhere.
No joy :( – I tried
/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=
all I got was a page refresh. Then I tried
/_windows/default.aspx?ReturnUrl=&loginasanotheruser=true
and things seem to be functioning as expected. I guess my question is… should they be :) Thanks again!
Ooohh… right since you’re in FBA, it prompts you to login. Sorry, I tried this on my NTLM site.
If it works, I’d say you’re good to go!
Great post David – works as planned! Is there a way to allow users to login with a different windows account? The current link for windows login just reauthenticates the current user, I’m looking to allow them to login as a different user. Any insight would be appreciated. Thx
Hi Robert,
For the link to login, try linking to
/_layouts/accessdenied.aspx?loginasanotheruser=true&Source=targetUrltoSendAfterTheyLogin
This is the URL for when a user clicks Sign In as Different User
logging in from a mobile device gives this error: Cannot access protected member ‘Microsoft.SharePoint.MobileControls.SPMobilePage.strReturnURL via qualifier of type……
there is nothing on the web about this, any ideas?
I haven’t seen this happen. Are there other customizations on your site? If you create another zone for the web app and not use FBA, use windows instead, does it work then?