Tag Archives: FBA

SharePoint 2010: Forms Based Authentication using Active Directory

This post is a close mirror of my other post, SharePoint 2010: Claims Based Authentication using .Net SQL Membership Provider, tweaked to authenticate against Active Directory instead of SQL and to let users log in through a friendly form instead of the grey Windows authentication dialog.

SharePoint 2010 has a great feature called Claims Based Authentication. You specify this when you create your web application. If you created a web application as Classic Mode Authentication, you can change it to Claims Based Authentication, see this blog post http://weblogs.asp.net/sreejukg/archive/2011/03/25/change-sharepoint-authentication-from-classic-mode-to-claims-based.aspx on how to change it.

Our plan of attack is

  • Modify your web application, central admin and the web services’ web.config files.
  • Update web application to use forms.
  • Install free feature to add user management to SharePoint.

Modify your web application, central admin and the web services’ web.config files. This part can be a little tricky. We need to modify the web.config file for your

  • Web Application so your web app can authenticate users
  • Central Administration so users are recognized
  • Web Services so users can log in.

Update the web application’s web.config file.
IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\appname.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find <roleManager and add the following provider (the CONTOSOROLE entry). Change contoso.com and DC=contoso,DC=com to match your domain. Note that port="389" with useSSL="false" talks to the domain controller without TLS; if your domain controllers have certificates the web front ends trust, use port 636 with useSSL="true".
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server,
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389"
useSSL="false" groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member"
userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)"
scope="Subtree" />
</providers>
</roleManager>
  • Find <membership and add the following provider (the CONTOSO entry), again changing the domain values to match yours.
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server,
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389"
useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
userContainer="DC=contoso,DC=com" userObjectClass="person"
userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>

Update central admin’s web.config file
IMPORTANT: These steps will have to be performed on all servers hosting central admin.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\portnum.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Perform the same steps above on this web.config file.
    • The roleManager and membership sections may look a little different here. You're only adding the CONTOSOROLE and CONTOSO provider elements, not changing the existing sections to match the snippets above.

And that should take care of your Central Admin.

Update web services’ web.config file
IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find </configuration> (bottom of page) and add the following right above it
<system.web>
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30"
cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<add name="CONTOSOROLE" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server,
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389"
useSSL="false" groupContainer="DC=contoso,DC=com" groupNameAttribute="cn" groupMemberAttribute="member"
userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)"
scope="Subtree" />
</providers>
</roleManager>
<membership userIsOnlineTimeWindow="15" hashAlgorithmType="">
<providers>
<add name="CONTOSO" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server,
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="contoso.com" port="389"
useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
userContainer="DC=contoso,DC=com" userObjectClass="person"
userFilter="(|(ObjectCategory=group)(ObjectClass=person))" scope="Subtree"
otherRequiredUserAttributes="sn,givenname,cn" />
</providers>
</membership>
</system.web>

And now we’re done with the tricky part.

Update web application to use forms. Next we’re going to tell Central Admin about our desires and tell the web application to use our configured authentication.

  1. Go to Central Administration > Manage Web Applications.
  2. Select your web application and click Authentication Providers.
  3. Click the zone marked as Claims Based Authentication
  4. Scroll down to Claims Authentication Type.
  5. Check Enable Forms Based Authentication, and enter the membership and role provider names you configured in web.config (CONTOSO and CONTOSOROLE in this example) in the two options.
  6. Scroll to the bottom and click Save.
  7. Close the Authentication Providers window.

Browse to your site and, if you're lucky, you should see a login prompt and be able to log in with a domain account through the form or with a Windows account.

Pretty plain eh? Check out my other blog post on how to customize this page some more.


SharePoint 2010: Claims Based Authentication using .Net SQL Membership Provider

Often when a company wants to extend their SharePoint site to the extranet or internet, they’ll need to accommodate new users who are currently not in their company’s Active Directory. For instance, extending the application to the extranet to allow vendors to access product information, or extend to the internet to allow customers to log in and access order info and status.

SharePoint 2010 has a great feature called Claims Based Authentication. You specify this when you create your web application. If you created a web application as Classic Mode Authentication, you can change it to Claims Based Authentication, see this blog post http://weblogs.asp.net/sreejukg/archive/2011/03/25/change-sharepoint-authentication-from-classic-mode-to-claims-based.aspx on how to change it.

Our plan of attack is

  • Install the .Net SQL Membership Provider tables in SQL.
  • Modify your web application, central admin and the web services’ web.config files.
  • Update web application to use forms.
  • Install free feature to add user management to SharePoint.

Install the .Net SQL Membership Provider tables in SQL.

This is rather easy.

  • Run C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  • In the wizard, enter a new database name; I named mine CBAUsers.
  • After it completes, go into SQL and ensure the farm accounts have rights to the database.
  • Run this quick script in the new database to create a user for testing
 -- Creates test user admin1 in application 'CBA'; 'CBA' must match the
 -- applicationName set on the membership provider in web.config below.
 declare @now datetime
 set @now = GETDATE()
 exec aspnet_Membership_CreateUser 'CBA','admin1','pass@word1','','admin1@contoso.com','','',1,@now,@now,0,0,null

Modify your web application, central admin and the web services’ web.config files.

This part can be a little tricky. We need to modify the web.config file for your

  • Web Application so your web app can authenticate users
  • Central Administration so users are recognized
  • Web Services so users can log in.

Update the web application’s web.config file.

IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\appname.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find </configSections> and add the following right after it
<connectionStrings>
<add name="SQLAuthConnectionString" connectionString="Data Source=OPTIMUS;Integrated Security=SSPI;Initial Catalog=CBAUsers" />
</connectionStrings>
  • Find <roleManager and add the following provider (the SQLRoleManager entry)
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" applicationName="CBA" description="Stores and 
retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, 
System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
  • Find <membership and add the following provider (the SQLMembershipProvider entry)
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" passwordAttemptWindow="5" 
enablePasswordRetrieval="false" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" 
enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="CBA" 
requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data 
from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, 
System.Web, Version=2.0.3600.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

The minRequiredPasswordLength, minRequiredNonalphanumericCharacters and passwordAttemptWindow attributes above set your password requirements, complexity and lockout window.

That should do it there.

Update central admin’s web.config file

IMPORTANT: These steps will have to be performed on all servers hosting central admin.

  • Go to C:\inetpub\wwwroot\wss\virtualdirectories\portnum.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Perform the same steps above on this web.config file.
    • The roleManager and membership sections may look a little different here. You're only adding the SQLRoleManager and SQLMembershipProvider elements (and the connectionStrings entry), not changing the existing sections to match the snippets above.

And that should take care of your Central Admin.

Update web services’ web.config file

IMPORTANT: These steps will have to be completed on every web front end in your farm.

  • Go to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.
  • Copy the web.config to web.config_preCBA as a backup.
  • Open the web.config file.
  • Find <configuration> (top of page) and add the following right after it
<connectionStrings>
<add name="SQLAuthConnectionString" connectionString="Data Source=OPTIMUS;Integrated Security=SSPI;Initial Catalog=CBAUsers" />
</connectionStrings>
  • Find </configuration> (bottom of page) and add the following right above it
<system.web>
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30"
cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"
createPersistentCookie="false" maxCachedResults="25">
<providers>
<add connectionStringName="AspNetSqlMembershipProvider" applicationName="/" name="AspNetSqlRoleProvider"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
<add connectionStringName="SQLAuthConnectionString" applicationName="CBA" description="Stores and
retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider,
System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership userIsOnlineTimeWindow="15" hashAlgorithmType="">
<providers>
<add connectionStringName="AspNetSqlMembershipProvider" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
<add connectionStringName="SQLAuthConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false"
enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="CBA" requiresUniqueEmail="true"
passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server"
name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web,
Version=2.0.3600.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
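The web.config edits in this post and in the Active Directory post above are the same procedure on three files per server, so here is a scripted version of it as an added example (not code from the original posts). Add-FbaProvider is a function defined here; the invocation uses the CONTOSO values from the Active Directory post, and the paths are the ones the posts give.

```powershell
# Added example (not from the original posts): scripted version of the web.config
# steps. Takes the same web.config_preCBA backup, then inserts a provider <add>
# element under system.web/<membership|roleManager>/providers, creating those
# parents when they are missing (as in the SecurityToken web.config).
function Add-FbaProvider {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [Parameter(Mandatory=$true)][ValidateSet('membership', 'roleManager')][string]$Section,
        [Parameter(Mandatory=$true)][hashtable]$Attributes   # must contain 'name' and 'type'
    )
    $backup = "${WebConfigPath}_preCBA"
    if (-not (Test-Path $backup)) { Copy-Item -Path $WebConfigPath -Destination $backup }

    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true          # keep the file's existing layout
    $config.Load($WebConfigPath)

    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) {
        $systemWeb = $config.DocumentElement.AppendChild($config.CreateElement('system.web'))
    }
    $sectionNode = $systemWeb.SelectSingleNode($Section)
    if (-not $sectionNode) {
        $sectionNode = $systemWeb.AppendChild($config.CreateElement($Section))
        # The cookie*/userIsOnlineTimeWindow attributes in the posts are the ASP.NET
        # defaults; only enabled="true" is needed on a new roleManager element.
        if ($Section -eq 'roleManager') { $sectionNode.SetAttribute('enabled', 'true') }
    }
    $providers = $sectionNode.SelectSingleNode('providers')
    if (-not $providers) { $providers = $sectionNode.AppendChild($config.CreateElement('providers')) }

    # Idempotent: re-running on a server that already has the entry changes nothing.
    if ($providers.SelectSingleNode("add[@name='$($Attributes.name)']")) {
        Write-Warning "Provider '$($Attributes.name)' already in $WebConfigPath, skipping."
        return
    }
    $add = $config.CreateElement('add')
    foreach ($key in $Attributes.Keys) { $add.SetAttribute($key, [string]$Attributes[$key]) }
    [void]$providers.AppendChild($add)
    $config.Save($WebConfigPath)
}

# The CONTOSO membership provider from the Active Directory post. The matching
# CONTOSOROLE roleManager entry and this post's SQLMembershipProvider /
# SQLRoleManager entries are added the same way with their own attributes.
$ldapMembership = @{
    name   = 'CONTOSO'
    type   = 'Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'
    server = 'contoso.com'
    # The posts use port 389 / useSSL="false", which sends LDAP traffic to the
    # domain controller without TLS. Prefer LDAPS (port 636, useSSL="true") where
    # the DCs have certificates the web front ends trust.
    port = '389'; useSSL = 'false'
    userDNAttribute = 'distinguishedName'; userNameAttribute = 'sAMAccountName'
    userContainer = 'DC=contoso,DC=com'; userObjectClass = 'person'
    userFilter = '(|(ObjectCategory=group)(ObjectClass=person))'; scope = 'Subtree'
    otherRequiredUserAttributes = 'sn,givenname,cn'
}
# Run on every web front end, once per web.config (web app, Central Admin, SecurityToken).
Add-FbaProvider -WebConfigPath 'C:\inetpub\wwwroot\wss\VirtualDirectories\appname\web.config' `
                -Section membership -Attributes $ldapMembership
```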

And now we’re done with the tricky part.

Update web application to use forms.

Next we’re going to tell Central Admin about our desires and tell the web application to use our configured authentication.

  1. Go to Central Administration > Manage Web Applications.
  2. Select your web application and click Authentication Providers.
  3. Click the zone marked as Claims Based Authentication
  4. Scroll down to Claims Authentication Type.
  5. Check Enable Forms Based Authentication, and enter SQLMembershipProvider and SQLRoleManager in the two options
  6. Scroll to the bottom and click Save.
  7. Close the Authentication Providers window.

Browse to your site and, if you're lucky, you should see a login prompt and be able to log in as the user we created before (admin1) or with a Windows account.

Pretty plain eh? Check out my other blog post on how to customize this page some more.

Install free feature to add user management to SharePoint.

Go to http://sharepoint2010fba.codeplex.com/ and download and install the feature. Once it's activated on your site, you'll have options in Site Settings to manage your FBA users. I won't go into how to install and use this add-on since it's documented on its site.

SharePoint 2010: Create unique login page with forms based authentication

An awesome feature of SharePoint is the ability to use another authentication store for your users. This is especially helpful when you want to extend your site to an extranet or internet zone and you don't want your external users in your company Active Directory. I walk through configuring and setting up CBA here. Once you've configured your web application to use FBA, the default login page is plain. If you set up mixed mode (as in my example) the login page simply prompts for Windows or Forms authentication. Most users don't understand the difference.

Seriously, what end user doesn’t know they’re using a Windows account? And my extranet users, seriously, they should know they’re forms…

Fortunately, we can change these options and give the user a little more to work with. For my example, I have my web application set up and I want my customers to log in so we can collaborate on orders and projects. I would like a login page that makes it painfully obvious how each kind of user should log in. We'll dive into how to do so now. I walk through creating a new project with the end result being a feature. I prefer this method because it gives us the most flexibility with a code-behind file: we could add CAPTCHA verification or other components as we need them.

  • Open Visual Studio 2010, create a new Empty SharePoint Project, and name it CustomLoginPage.
  • Add a reference to Microsoft.SharePoint.IdentityModel. This assembly isn't listed in the Add Reference dialog; you'll have to browse to it at C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.IdentityModel\14.0.0.0__71e9bce111e9429c\Microsoft.SharePoint.IdentityModel.dll
  • Add a new application page, call it Login.aspx.
  • Replace the content of Login.aspx with the following, updating a few items as necessary (the Acme names, the page titles and the background image)
    <%@ Assembly Name="$SharePoint.Project.AssemblyFullName$" %> 
    <%@ Assembly Name="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> 
    <%@ Assembly Name="Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> 
    <%@ Import Namespace="Microsoft.SharePoint" %> 
    <%@ Import Namespace="Microsoft.SharePoint.WebControls" %> 
    <%@ Register Tagprefix="SharePoint" 
    Namespace="Microsoft.SharePoint.WebControls" 
    Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> 
    <%@ Register Tagprefix="asp" Namespace="System.Web.UI" 
    Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %> 
    <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Login.aspx.cs" Inherits="CustomLoginPage.Login" MasterPageFile="~/_layouts/simple.master" %> 
    <asp:Content ID="contentHEAD" ContentPlaceHolderID="PlaceHolderAdditionalPageHead" runat="server"> 
    <style type="text/css"> 
    body 
    { 
    background-color: #d5d5d5; 
    background-image: url(images/ACME-Catalog.jpg); 
    background-position: center; 
    } 
    body #s4-simple-content 
    { 
    margin-left: 0px 
    } 
    .s4-simple-iconcont 
    { 
    display:none 
    } 
    h1 
    { 
    font-size:24px; 
    font-weight:bold 
    } 
    </style> 
    </asp:Content> 
    <asp:Content ID="Content1" ContentPlaceHolderID="PlaceHolderPageTitle" 
    runat="server"> 
    <SharePoint:EncodedLiteral runat="server" 
    EncodeMethod="HtmlEncode" ID="ClaimsFormsPageTitle" 
    Visible="false" /> 
    Acme Login 
    </asp:Content> 
    <asp:Content ID="Content2" ContentPlaceHolderID="PlaceHolderPageTitleInTitleArea" 
    runat="server"> 
    <SharePoint:EncodedLiteral runat="server" 
    EncodeMethod="HtmlEncode" ID="ClaimsFormsPageTitleInTitleArea" 
    Visible="false" /> 
    Log into the Acme Portal 
    </asp:Content> 
    <asp:Content ID="Content3" ContentPlaceHolderID="PlaceHolderSiteName" 
    runat="server" /> 
    <asp:Content ID="Content4" ContentPlaceHolderID="PlaceHolderMain" 
    runat="server"> 
    <table width="100%" cellpadding="0" cellspacing="30" border="0"> 
    <tr> 
    <td><h2>Customer Login</h2> 
    Enter your username and password below and click Sign In. 
    <asp:login id="signInControl" FailureText="<%$Resources:wss,login_pageFailureText%>" runat="server" width="100%"> 
        <layouttemplate> 
            <asp:label id="FailureText" class="ms-error" runat="server"/> 
            <table width="100%"> 
            <tr> 
                <td nowrap="nowrap"><SharePoint:EncodedLiteral ID="EncodedLiteral1" runat="server" text="<%$Resources:wss,login_pageUserName%>" EncodeMethod='HtmlEncode'/></td> 
                <td width="100%"><asp:textbox id="UserName" autocomplete="off" runat="server" class="ms-inputuserfield" width="99%" /></td> 
            </tr> 
            <tr> 
                <td nowrap="nowrap"><SharePoint:EncodedLiteral ID="EncodedLiteral2" runat="server" text="<%$Resources:wss,login_pagePassword%>" EncodeMethod='HtmlEncode'/></td> 
                <td width="100%"><asp:textbox id="password" TextMode="Password" autocomplete="off" runat="server" class="ms-inputuserfield" width="99%"/></td> 
            </tr> 
            <tr> 
                <td colspan="2" align="right"><asp:button id="login" commandname="Login" text="<%$Resources:wss,login_pagetitle%>" runat="server" /></td> 
            </tr> 
            </table> 
        </layouttemplate> 
    </asp:login> 
    </td></tr><tr> 
    <td><h2>Personnel Login</h2> 
    Acme Personnel can log in below. Login with your Acme account, i.e. acme\username.<br /><br /> 
    <a href="/_windows/default.aspx?ReturnUrl=<%=Request.QueryString["Source"] %>">click here to login</a></td> 
    </tr> 
    </table> 
    <div id="SslWarning" style="color:red;display:none"> 
    <SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="ClaimsFormsPageMessage" /> 
    </div> 
    <script language="javascript" > 
    if (document.location.protocol != 'https:') { 
    var SslWarning = document.getElementById('SslWarning'); 
    //SslWarning.style.display = ''; //show the warning if applicable 
    } 
    </script> 
    </asp:Content> 

You’ll see that I’m overriding some of the CSS elements, this will let me customize this to exactly what I want.

  • Replace the content of Login.aspx.cs with the following
    using System;
    using Microsoft.SharePoint.IdentityModel.Pages;

    namespace CustomLoginPage
    {
        // FormsSignInPage is the base class of SharePoint's own forms sign-in page;
        // inheriting it wires the asp:login control to the claims sign-in pipeline,
        // so no code is needed here for a basic page.
        public partial class Login : FormsSignInPage
        {
            protected void Page_Load(object sender, EventArgs e)
            {
            }
        }
    }
  • Deploy your feature.
  • Go to Central Administration > Manage Web Applications. Select your web application and click Authentication Providers
  • Click your zone that has Claims Based Authentication.
  • Scroll down a little to Sign In Page URL and enter the path to your custom page: ~/_layouts/CustomLoginPage/Login.aspx
  • Scroll to the bottom and click Save.
  • Close the Authentication Provider Window.
  • Now browse to your site; you should see your new login page.
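The Central Administration clicks above (Authentication Providers and Sign In Page URL, which both earlier posts also walk through) as a script, with a check that the provider names the zone points at really exist in that zone's web.config. This is an added example, not code from the original posts; it assumes the SharePoint 2010 Management Shell, the URL http://portal.contoso.com is a placeholder, and Set-FbaZone and Test-FbaProviderNames are functions defined here.

```powershell
# Added example (not from the original posts): the "Authentication Providers"
# and "Sign In Page URL" steps from Central Administration as a script, plus a
# check that the membership/role provider names set on the zone exist in the
# web application's web.config (a mismatch silently breaks forms sign-in).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-FbaZone {
    param(
        [Parameter(Mandatory=$true)][string]$WebAppUrl,          # e.g. http://portal.contoso.com (placeholder)
        [Parameter(Mandatory=$true)][string]$MembershipProvider, # CONTOSO or SQLMembershipProvider
        [Parameter(Mandatory=$true)][string]$RoleProvider,       # CONTOSOROLE or SQLRoleManager
        [string]$SignInPage = '~/_layouts/CustomLoginPage/Login.aspx',
        [string]$Zone = 'Default'
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    if (-not $wa.UseClaimsAuthentication) { throw "$WebAppUrl is Classic Mode; convert it to claims first." }

    # Mixed mode as in the posts: Windows and forms on the same zone.
    $windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    $forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider $MembershipProvider `
                                            -ASPNETRoleProviderName $RoleProvider
    Set-SPWebApplication -Identity $wa -Zone $Zone -AuthenticationProvider $windows, $forms

    # "Sign In Page URL": send claims sign-in to the custom page instead of the default one.
    $wa = Get-SPWebApplication -Identity $WebAppUrl      # re-read after the update above
    $zoneEnum = [Microsoft.SharePoint.Administration.SPUrlZone]$Zone
    $uri = New-Object -TypeName System.Uri -ArgumentList $SignInPage, ([System.UriKind]::Relative)
    $wa.IisSettings[$zoneEnum].ClaimsAuthenticationRedirectionUrl = $uri
    $wa.Update()
}

# Run on each web front end: the zone's provider names must match an <add name="..."> in
# the membership and roleManager sections of that server's web.config.
function Test-FbaProviderNames {
    param([Parameter(Mandatory=$true)][string]$WebAppUrl, [string]$Zone = 'Default')
    $wa  = Get-SPWebApplication -Identity $WebAppUrl
    $iis = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]$Zone]
    $forms = @($iis.ClaimsAuthenticationProviders |
        Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPFormsAuthenticationProvider] })
    if ($forms.Count -eq 0) { Write-Warning "Zone $Zone has no forms provider."; return $false }
    [xml]$cfg = Get-Content -Path (Join-Path $iis.Path.FullName 'web.config')
    $ok = $true
    foreach ($pair in @(@('membership', $forms[0].MembershipProvider),
                        @('roleManager', $forms[0].RoleProvider))) {
        $xpath = "/configuration/system.web/$($pair[0])/providers/add[@name='$($pair[1])']"
        if (-not $cfg.SelectSingleNode($xpath)) {
            Write-Warning "$($pair[0]) provider '$($pair[1])' is set on the zone but missing from web.config on $env:COMPUTERNAME."
            $ok = $false
        }
    }
    return $ok
}

Set-FbaZone -WebAppUrl 'http://portal.contoso.com' -MembershipProvider 'CONTOSO' -RoleProvider 'CONTOSOROLE'
Test-FbaProviderNames -WebAppUrl 'http://portal.contoso.com'
```

Test-FbaProviderNames only inspects the web application's own web.config; the Central Administration and SecurityToken web.config files from the earlier posts need the same provider entries on every server.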

So my login page went from the plain default prompt to the customized Acme login page (before and after screenshots).
