Home > SharePoint > Configuring Forms Based Authentication for SharePoint 2010 using IIS7

Configuring Forms Based Authentication for SharePoint 2010 using IIS7

11/24/2010 Update.  This has been tested for RTM, and works as expected.  The one difference was the default role provider had to be reset to “c” for the web application you are setting up claims for.

Following on from my article on configuring FBA for SharePoint 2007, writing one for SharePoint 2010 seemed necessary.

There are not a lot of differences with configuring FBA for SharePoint 2010 compared to 2007, but there are a few.  For instance, SharePoint 2010 no longer supports “classic FBA”, rather forms based authentication is provided through Claims Authentication.  There is also the introduction of the Secure Store Service which is the next-gen of the Single Sign On service of old.

Both of these come into play when configuring Forms Based Authentication.

Mission

Configure an extranet web application for Claims based authentication using AD and Forms.  Store membership credentials in a SQL database.  Manage members through IIS Manager.

Game Plan

1. Configure SQL for membership store

  • Create database
  • Create SQL User
  • Add SQL user to database

2. Configure Central Admin to use SQL membership store

3. Configure Secure Store Web Service to use SQL membership store

4. Create new Web Application for extranet site

5. Configure Extranet site to use SQL membership store

So let’s begin…

1. Configure SQL for membership store

The process of creating the store is exactly the same as what we did for 2007, so I’ll just copy and paste that thank you!

The membership store is still created using the ASP.NET SQL Server Setup Wizard.  This is launched from the .NET 2.0 Framework folder on the server at:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe

This wizard will take you thorough the steps and will build out the SQL database for you.

alt

Once you select to Configure SQL Server for application services, you will be prompted for the SQL Server name and database name.  You can choose an existing database to add the membership elements to, or you can type in a new name and the database will be created for you.

Once the database is created, we’re going to create and add a SQL user, rather than use integrated authentication.  If your SQL instance is not already running in mixed-mode, you can change it through Server properties in SQL Server Management Studio.  Right-click on Server in Object Explorer and select Properties, then navigate to the Security page.

image

Create SQL user

Back in object Explorer, expand Security –> Logins.  Right-click logins and select “New Login…”  On the New Login page, enter a username, password on the general page, clear all three password options for policy, expiration, and enforce change. Hit Ok and we have our SQL user.

image

Add SQL user to membership database

Now, navigate to the database we created for our membership earlier (ConlosoDevFBA), and expand to Security-> Users.  Right-click on Users and select New User….

image

Enter the name, select Login name, and give this fella the role “db_owner”.

To recap:

We created a database called ConlosoDevFBA.

We created a SQL user called FormsAuthUser

We added FormsAuthUser to ASPNetFormsAuth database and gave them the db_owner role.

We’re done with SQL.

2. Configure Central Admin Web Site to use SQL Membership Provider

SharePoint web sites out of the box are configured to use Active Directory.  So you may be wondering why we’re configuring Central Admin to use FBA when we don’t really want to login in as an FBA user.  Well, we actually don’t want to configure it to to login as a forms user, but we do need to be able to add users from out membership database when configuring site collection admins, and the like.

So all we want to do is tell the Central Admin web application to use our SQL membership provider as well as AD, so when you use the people picker to select users, it will provide results from our membership database.

Open IIS Manager on the WFE server (if more than one, then this needs to be done on every FWE that has Central Admin.  The same goes for the proceeding steps for the other web applications).

Select the SharePoint Central Administration v4 site.  On the Home Page, you’ll see many options for ASP.NET and IIS.  The ones we’re concerned with are

image

Open the Connection Strings Page.  Under Actions menu on the right, select Add… to create a new connection string.  Provide the details for the membership database for the new connection string.

image

Add Role Provider

Go back to the Web Application page and open up Providers page.  Here we will create a provider for Roles and Users.  Set feature to .NET Roles and click Add… in the Actions pane to add a new role provider.  I called it FBARoleProvider and selected the right type and connection string.

Ensure you provide an ApplicationName so the provider knows what uses to authenticate.  For a good explanation on why you need this, see Scott Guthrie’s blog.

image

Add Membership Provider

Now set feature to .NET Users and click Add… from the actions pane to add a membership provider.

image

Select the correct type and connection string, and whatever behaviors you choose.

That’s it for the providers for Central Admin.

To verify that all looks ok, we can check the web.config of the web application.  To get to the right web.config, right-click on the web application under sites, and select Explore.

image

In the web.config, you’ll see sections for the connection string and the providers.  The <roleManager> and <membership> sections should look like:

image

You should also see a <connectionStrings> section close to the bottom of the web.config file.

3. Configure Secure Store Web Service to use SQL Membership Provider

Everything we did for Central Admin site, we are going to do for the SecurityTokenServiceAppliaation which is in the SharePoint Web Services application.

image

Without redo’ing all the steps:

  • Create the connection string
  • Add the .NET role provider
  • Add the .NET users provider
    Verify connection by editing config.xml.

4. Create Extranet Web Application

Ok, finally we are ready to create our web application (called SharePoint – FBA) that will use FBA authentication.

In Central Admin, Select the Application Management page, and select Manage web applications.  Select New from the ribbon to create a new web application.

Select Claims Based Mode Authentication as Authentication Type.  Select values for all the other options until you get to the “Enable Forms Based Authentication”.

Add the values we created earlier in the section “Enable Forms Based Authentication” for role and membership provider.

image

Once the application is created, we should create a site collection.

Create Site Collection

Go to the Create Site Collection page from the Manage Applications section in Central Admin.  Select the team (or blank, or whichever you choose) template then select the site collection administrator.  At this point, we should be able to select from our SQL membership users.  Enter a user you know exists in the membership database and see if you can resolve the names.

image

I have a user with the same name in both AD and SQL, so I know I am hitting both.

Note: I jumped ahead here and added users through IIS Manager.  If you have been following this article to the letter, then you will obviously not see users in your membership database.  Do not worry about this piece for now, as you will add users to your membership store later.

At this point we have told SharePoint what role providers to use for the web app, but we still need to configure the web app through IIS manager to bind the providers.

Configure Membership Providers for Web App through IIS

In IIS Manager, browse to the new site SharePoint – FBA. For our new FBA site we need to do the following:

  • Add connection string
  • Add Providers for members and roles
  • Configure .NET Roles
  • Configure .NET Users
  • Set Authentication to Forms and Integrated
  • Add User as Site Collection Admin

image

1. Add Connection String

Same as we have done before.

image

Note: we could potentially just do this for the machine, and not have to do it for every web application.  I prefer to do it for every web app, as I’ve had mixed results otherwise.

2. Add role and user providers

Again, same as what we did before.  Open Providers page and add an entry for our role and user providers.

image image

3. Configure .NET Roles

This and the next steps are not required for the other two web applications we configured (Central Admin and SSS).

Open the .NET Roles page for our web application.  You will receive a warning that the default role provider is not trusted.  WE just need to set our default role provider to FBARoleProvider.

image

We do not have any roles in our database at this point, so let’s create two (StandardUser, SuperUser) by clicking Add… in the actions pane.

image

4. Configure .NET Users

Now we need to do the same for .NET Users.  Open the .NET Users page.  You will get a similar warning saying the default is not trusted.  Set the default provider to FBAMembershipProvider. If you had members in the database, you would now see them listed.  Assuming you don’t let’s add some.  Click Add… from the Actions pane to add users, and assign them roles.

image image

5. Set Authentication

SharePoint should have done this when you created the web application, but let’s confirm.  From the web application home page in IIS Manager, select Authentication under the IIS section. Confirm that the web application has both Integrated and Forms enabled.

6. Add User as Site Collection Admin

Now that we have everything hopefully configured correctly, we can go back to SharePoint Central Admin and add our new user as the Site Collection Administrator.  From Central Admin Application Management page, click Change site collection administrators.  Select SharePoint – FBA root site collection, and add our new user.

image

Now lets test all this business by trying to login.  Browse to your site and select to login as a forms user.

image

What the…?!  I am authenticated ok, but am not allowed in, even though I’m a site collection admin?!

Caveat

Here’s the caveat – In order for you to use IIS Manager to manage your SQL users, you need to set the default provider to our Forms provider, i.e. FBAMembershipProvider.  In order for it to work we need to set it to the SharePoint claims provider.  Go back to .NET Users and reset the default provider to “i” which is for the Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider

image

You could work around this by creating another IIS web site, configure the same way you did for SharePoint – FBA, and use that for managing users.

You should also check the default Role Provider for the web application and ensure that is set to “c”.  If this is set to the SQL provider that you created, you will get an unexpected error after you logon.

Now let’s try to login again…

image

Success!!

To verify all of the above: here are the three web.config files in play:

Central Admin Web.config

<roleManager>

  <providers>

    <add name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" />

  </providers>

</roleManager>

<membership>

  <providers>

    <add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />

   </providers>

</membership>

Secure Store Web Service web.config

<membership>

   <providers>

       <add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />

   </providers>

/membership>
roleManager>

   <providers>

       <add name="FBARolePRovider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" />

   </providers>

/roleManager>

Web Application (SharePoint – FBA) web.config

<membership defaultProvider="i">

  <providers>

    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

            <add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />

  </providers>

</membership>
<roleManager cacheRolesInCookie="false" defaultProvider="FBARoleProvider" enabled="true">

  <providers>

    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

            <add name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="FBADB" />

  </providers>

</roleManager>
About these ads
Categories: SharePoint Tags: , ,
  1. Affy
    April 7, 2010 at 5:27 am | #1

    Hi Donal,

    I followed your steps above and have checked the config files. However I seem to be getting the error below when accessing the website.

    Server Error in ‘/’ Application.
    ——————————————————————————–

    The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [FaultException: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.]

    Any ideas please?

    • Ry
      May 13, 2010 at 4:03 pm | #2

      I’m encountering the same error. Were you able to resolve this? If so, could you please provide the steps… Thanks!

    • scott
      May 14, 2010 at 4:54 pm | #3

      I have the same problem.

    • Louis
      May 20, 2010 at 2:17 pm | #4

      If you have this problem, you will find more explicit information in the 14\LOGS files and in the system Event Logs. For me, it was SQL permissions because I didn’t quite follow the post and stuck with Windows Auth for the DB instead of Mixed mode.

      Adding the App pool account to the FBA DB fixed it for me. But it could be other issues, check the logs.

  2. Bharat Sukhwal
    April 29, 2010 at 7:30 am | #5

    ON following above steps I am getting the following error

    The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.

    Any guess. Thanks in advance.

    • May 6, 2010 at 1:34 pm | #6

      @Bharat Sukhwal: Not a clue. I’d say double check your config files. Always backup your configs; so if you hit an issue, you can roll-back to see if it’s related to the web.config.

  3. Brad
    May 6, 2010 at 1:25 pm | #7

    Thank-you VERY MUCH for this article! What you’ve got in your “Caveat” section finally ended many hours of grief and trouble for me. I suppose I don’t mind that kind of quirkiness if it’s well documented, but yours is the first article I was able to find that even mentioned it.

  4. May 6, 2010 at 1:40 pm | #8

    HI, First off i’d like to say i think this is probally the best post i’ve seen so far regarding this process. Thanks for it :)

    I’ve followed it to the end and finally when i create the site and login in FBA mode, i get the following message:

    EVENT ID 8306
    An exception occurred when trying to issue security token: The security token username and password could not be validated..

    -
    -

    8306
    14
    2
    47
    0
    0×4000000000000000

    6530

    Application
    SPS2010.devmoss.com

    -
    The security token username and password could not be validated.

    Do you have any idea what it could be?

    Thanks in advance!!

    • May 6, 2010 at 4:42 pm | #9

      @IIuis Thanks! What version of SP are you running? I will need to re-try this in RTM to see if there are any issues. It’s been a while since I’ve had to do FBA… Is there something blocking your db? Is it on the same server as your SP server?

  5. May 7, 2010 at 2:57 am | #10

    Hi =), Yep the MOSS Farm it’s a RTM running in WIN2K8 R2, if i’m right the DB access it’s ok since i’ve been able to create the .Net Users and sharepoint it’s recognizing them in the admnistrators field when i create the site, Yes, the SQL2008 R2 it’s on the same Server, also a DC. I am going to recheck everything and try to make it work, if you have any suggestion it would be greatly appreciated!

    Many Thanks in advance!

    Lluís

  6. May 7, 2010 at 5:02 am | #11

    Jejeje It’s working out!! Im a bad ass!! i had right man!

    So i can say now it’s such an awesome article, thanks for it, i was typing a bad pass, can you believe that? xD

    Thanks 4 the post!

    Lluís

  7. Eric
    May 12, 2010 at 5:39 am | #12

    Hi! Thank you for this great article…

    I have converted an existing web site to Claims Based Authentication. Everything worked fine and the authentication works perfectly (it detect wrong username/password).

    But, I got “Access is Denied” as described in the last steps of your article. I triple checked the default provider to ‘i’ but no successs…

    I also checked the collection admin but no success…

    Any idea?

    Thank you,

    Eric

    • Eric
      May 19, 2010 at 3:39 am | #13

      In my situation, my sharepoint was an upgrade from 2007 to 2010. I solved it this way:

      - I made a granular backup of all sites.
      - I uninstalled sharepoint 2010 and 2007
      - I made a fresh install of 2010
      - I created new site using the claim authentication
      - In this site I restored the granular backup using powershell

      And it worked perfectly

      Eric

  8. Mikael Bohlin
    May 17, 2010 at 8:26 am | #14

    Thank you very much for this post! Very well written and very usefull. I ended up using the workaround with an user admin site since a had some issues changing back to the OOTB default membership provider “i” and still wanted to use the IIS man for user administration.

    Thank you again!

  9. May 18, 2010 at 10:25 am | #15

    I ran into the “An exception occurred when trying to issue security token: The security token username and password could not be validated” issue – make sure that you use the “/” in the application name in all of the providers.

  10. May 26, 2010 at 3:09 am | #17

    What is the Cavet here?
    Which Website Authentication should I changed to Claims, is it the Fba Site ?

    Please help as I am still getting Access Denied Error.

    • May 26, 2010 at 1:52 pm | #18

      Change the default provider for the users on the web application you are using forms for. In the example case it was SharePoint – FBA.

  11. May 26, 2010 at 7:05 am | #19

    Thank you very much for this great article!
    After some useless attempts, I successfully completed my FBA configuration following these instructions.

  12. oman
    June 7, 2010 at 9:19 pm | #20

    hi, thanks for your great tutorial…

    finally, i successfully configure fba in my web app…

    now i add 1 default asp.net control which is change password…

    strange, seem like i can’t change my password….

    got the message
    “Password incorrect or New Password invalid. New Password length minimum: 7. Non-alphanumeric characters required: 0.” eventhough i give correct password…

    is there something configuration that i miss???

    thanks in advance….

  13. Kevin
    July 1, 2010 at 9:02 pm | #21

    Thanks for making this so understandable. I’ve invested a lot of time trying to figure this out without much luck. My SP2010 FBA is finally working because of your awesome post!

  14. neel
    July 23, 2010 at 1:02 pm | #22

    Dona,

    Thanks for the great article
    I followed your steps, I did follow the caveat, now when I type the URL, I get the sign on page, then either one on iselt for authentication , i get below error help me out

    Neel

    Server Error in ‘/’ Application.
    ——————————————————————————–
    Server Error in ‘/’ Application.
    The remote server returned an error: (404) Not Found.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Net.WebException: The remote server returned an error: (404) Not Found.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [WebException: The remote server returned an error: (404) Not Found.]
    System.Net.HttpWebRequest.GetResponse() +1126
    System.ServiceModel.Channels.HttpChannelRequest.WaitForReply(TimeSpan timeout) +81

    [EndpointNotFoundException: There was no endpoint listening at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.]
    System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10258154
    System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
    Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message) +0
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +61
    Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) +36
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) +26062081
    Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password) +172
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.GetSecurityToken(Login formsSignInControl) +188
    Microsoft.SharePoint.IdentityModel.Pages.FormsSignInPage.AuthenticateEventHandler(Object sender, AuthenticateEventArgs formAuthenticateEvent) +123
    System.Web.UI.WebControls.Login.AttemptLogin() +152
    System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +124
    System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +70
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +29
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2981
    ——————————————————————————–
    Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

    • July 28, 2010 at 8:32 pm | #23

      Did you manage to fix this? Is your security token service running?

      • Neel
        July 29, 2010 at 12:08 am | #24

        No Donal, It is running, but now for some reason, i am not getting this error, but now i am not able to retrieve users in sharepoint,but if i change the FBA membership provider in iis then i can see users, but it is not getting resolved

        let me know
        thank you
        Neel

  15. Sergio
    July 28, 2010 at 6:21 am | #25

    Hi

    I am getting an error when trying to do step 3.

    3. Configure .NET Roles

    This and the next steps are not required for the other two web applications we configured (Central Admin and SSS).

    Open the .NET Roles page for our web application. You will receive a warning that the default role provider is not trusted. WE just need to set our default role provider to FBARoleProvider.

    The error i get is

    .NET Roles
    There was an error while performing this operation
    Details:
    Login failed for user ‘FormsAuthUser’.

    Obviously it cannot validate the password for the user, can you help with understanding why? i have checked the password and it is entered correctly in all web.config files and also in the ExtranetMembershipStore Database for ther user FormsAuthUser

    Must i add another user to the SQL DB so that IIS can talk to it?

    • Sergio
      July 28, 2010 at 6:42 am | #26

      I think the problem may be that i set the Application Name to be /

      How do i find out the correct application name? or do i just make one up?

      • July 28, 2010 at 8:26 pm | #27

        Why do you think the application name is the issue? How does the error manifest? Is it when you open the .NET roles page in IIS?

      • Sergio
        July 29, 2010 at 2:51 am | #28

        Yes when i open the .Net Roles it tries to connect to the Default Provider which i set as per your instructions, at that point, i get the error
        .NET Roles
        There was an error while performing this operation
        Details:
        Login failed for user ‘FormsAuthUser’.

      • Sergio
        July 29, 2010 at 3:33 am | #29

        Hi Donal

        I have fixed this by restarting the SQL server, i guess when you change the authentication mode from Windows to Mixed you need to restart the server for it to take affect.

        I have done all the steps now though and am at the final part which i cant get to work, ive set the .NET users up and set one of them as Site Collection Administrator and as your post says, when i try to login i get the Access Denied message, however the Caveat that you mentioned isnt working for me as IIS wont allow me to change the .NET Users Default Provider back to the ‘i’ provider.

        I get an error message telling me that this feature cannot be used as the default provider is not a trusted provider.

        Do you know how to fix this?

      • Sergio
        July 29, 2010 at 4:04 am | #30

        Could the error be becuase the

        Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider

        is not in my C;\Windows\Assembly folder?

        There is a Microsoft.SharePoint.Administration.Client and a whole lot of other Micorosft.SharePoint.*****’s in there all with the same Public Key Token.

      • Sergio
        July 29, 2010 at 6:26 am | #31

        So i have added the line:

        into my C:\Windows\System32\inetsrv\config\administration.config file and now i get a different error which is

        There was an error while performing this operation

        Details:

        Object Reference not set to an instance of an object.

        Any ideas?

      • Sergio
        July 29, 2010 at 6:30 am | #32

        for some reason it wont post the line, im not sure why.

        It is the add ‘i’ type=sharepoint line from the config file you have in your post, with the public key token

      • Sergio
        July 29, 2010 at 6:33 am | #33

        I also get the same object refernece not set error if i remove the line from the administration.config file and set the allowuntrustedproviders to true.

      • July 29, 2010 at 5:15 pm | #34

        Not sure why you are going into administration.config, you should not need to at all. I haven’t set this up in a while, so will have to go back and redo, to see.

  16. Neel
    July 30, 2010 at 4:43 pm | #35

    Donal,

    I tried your solution from scratch, I am not able to see any Forms users through sharepoint, but i can see them in IIS 7, if change to FBArole and FBA member.

    I checked everything again and again, it is exactly the same steps mentioned above, could you provide me some clues.

    thank you
    Neel

  17. Pritam Hinger
    May 25, 2011 at 3:38 am | #36

    Nice post. Very descriptive and useful. Thank you very much for coming up with such a nice post.

  18. Randy
    May 26, 2011 at 1:19 pm | #37

    I’m with Neel. It’s too bad this doesn’t work. The FBA users don’t show up in the people picker and I can’t log in as them. There is no error to look into. For me this is an epic fail.

  19. May 27, 2011 at 2:25 pm | #38

    Hi Donal,

    Firstly thanks for the step by step guide! Very helpful…I am having a similar issue to Neel. Have set up the .NET Users in IIS7 but they don’t seem to be listed in Sharepoint when I try to resolve a user. I am trying to set this up on my local Windows 7 machine to test out the scenario. Any ideas…have I missed something? Are the users supposed to show up in the FBADB created as I don’t seem to see them there?

    Thanks

    • May 31, 2011 at 7:21 am | #39

      Please ignore my previous comment. Seems I have got it working now. Thanks.

  20. June 21, 2011 at 7:05 pm | #40

    This has to be the best write up on SharePoint 2010 FBA out there, and ive looked. Save my behind today mate. Great Job.

  21. June 25, 2011 at 4:54 am | #41

    Thanks! Best guide I read so far which help me get my SharePoint 2010 test bed to work with FBA :)

  22. Dan
    June 28, 2011 at 3:30 am | #42

    Thanks for the tip about naming the application in the providers, wish I’d found it last Friday but.

  23. July 9, 2011 at 8:10 pm | #43

    Thanks for the excellent walk though! It was perfect!

    Note: I also got the / error in application but if you look at the event viewer it was because I hadnt setup up my alternate access mappings yet.

    Thanks again for the work!!

    -Jason

  24. Jason
    July 21, 2011 at 11:41 am | #44

    Got it working. I was using a local account as the application pool identity, which apparently doesn’t work when finding the domain accounts. Switched to network service (or you could put in a domain account) and now it works!

  25. July 28, 2011 at 2:33 am | #45

    Great post … I followed the given steps and it works like a charm ..

    Thanks

  26. MIcky Mouse
    September 6, 2011 at 12:45 pm | #46

    Thank you for the detailed explanation. It’s easy to follow and very well explained. And it works!!!! This is the best FBA post I found so far.

  27. September 23, 2011 at 9:44 pm | #47

    Just added this link to my session for tomorrow.. remembered just in time!

  28. October 19, 2011 at 6:21 am | #48

    really help me and save a day.
    Thanks

  29. October 19, 2011 at 6:31 am | #49
  30. Bruno James
    October 28, 2011 at 3:17 pm | #50

    Thank you very much for this tutorial!!! Excelent work!!! :)

  31. November 10, 2011 at 5:07 pm | #51

    Great documentation! Works great for me.

    Thanks

  32. 44kora44
    November 30, 2011 at 6:59 pm | #52

    Hello
    First thank you for this great post. It has gotten me way farther than the WROX publication “SharePoint 2010 Admin”
    I have followed your instructions – with only changing the name of the DB to be something else.
    To change the default provider caveat as mentioned above I had to edit the web.config file for my FBA website to change the default provider as i. When editing this web.config file I noticed that under and the FBA ones that we created were not there. These are listed in IIS as Inherited. Is this an issue?

    Then my website crashed and would not open at all. I did not see any errors about this crash in the event viewer.
    I do have a AD user and FBA user listed as administrators for the website.

    This is the error that I get when I try to even access the log in page
    Error
    Error
    An unexpected error has occurred.

    Troubleshoot issues with Microsoft SharePoint Foundation.

    with Id .. blah

    Date and Time: 11/30/2011 2:34:23 PM
    Using ULS here is what I see:

    System.InvalidOperationException: Operation is not valid due to the current state of the object.
    at Microsoft.SharePoint.SPUserToken.GetClaimsUserLoginName()
    at Microsoft.SharePoint.SPSite.CopyUserToken(SPUserToken userToken)
    at Microsoft.SharePoint.SPSite.SPSiteConstructor(SPFarm farm, Guid applicationId, Guid contentDatabaseId, Guid siteId, Guid siteSubscriptionId, SPUrlZone zone, Uri requestUri, String serverRelativeUrl, Boolean hostHeaderIsSiteName, SPUserToken userToken)
    at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone, SPUserToken userToken)
    at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone)
    at Microsoft.SharePoint.SPFeatureManager.EnsureSiteAndWeb(SPUrlZone zone, Guid databaseid, Guid siteid, Guid webid, SPSite& site, SPWeb& web)
    at Microsoft.SharePoint.SPFeatureManager.c__DisplayClass19.b__18()
    at Microsoft.SharePoint.SPSecurity.RunAsUser(SPUserToken userToken, Boolean bResetContext, WaitCallback code, Object param)
    at Microsoft.SharePoint.SPFeatureManager.GetFeatureRootAndListSchemaPaths(Byte[]& userToken, Guid& tranLockerId, Int32 nZone, Guid databaseid, Guid siteid, Guid webid, Guid featid, Int32 ltid, String& sPathToFeatureRoot, String& sPathToSchemaXml)
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetListItemDataWithCallback2(IListItemSqlClient pSqlClient, String bstrUrl, String bstrListName, String bstrViewName, String bstrViewXml, SAFEARRAYFLAGS fSafeArrayFlags, ISP2DSafeArrayWriter pSACallback, ISPDataCallback pPagingCallback, ISPDataCallback pPagingPrevCallback, ISPDataCallback pFilterLinkCallback, ISPDataCallback pSchemaCallback, ISPDataCallback pRowCountCallback, Boolean& pbMaximalView)
    at Microsoft.SharePoint.Library.SPRequest.GetListItemDataWithCallback2(IListItemSqlClient pSqlClient, String bstrUrl, String bstrListName, String bstrViewName, String bstrViewXml, SAFEARRAYFLAGS fSafeArrayFlags, ISP2DSafeArrayWriter pSACallback, ISPDataCallback pPagingCallback, ISPDataCallback pPagingPrevCallback, ISPDataCallback pFilterLinkCallback, ISPDataCallback pSchemaCallback, ISPDataCallback pRowCountCallback, Boolean& pbMaximalView)
    at Microsoft.SharePoint.SPListItemCollection.EnsureListItemsData()
    at Microsoft.SharePoint.SPListItemCollection.get_Count()
    at Microsoft.SharePoint.SPList.GetItemById(String strId, Int32 id, String strRootFolder, Boolean cacheRowsetAndId, String strViewFields, Boolean bDatesInUtc)
    at Microsoft.SharePoint.SPContext.get_Item()
    at Microsoft.SharePoint.SPContext.get_Fields()
    at Microsoft.SharePoint.WebControls.FieldMetadata.get_Field()
    at Microsoft.SharePoint.WebControls.FormField.CreateChildControls()
    at System.Web.UI.Control.EnsureChildControls()
    at Microsoft.SharePoint.WebPartPages.WikiEditPage.OnLoad(EventArgs e)
    at System.Web.UI.Control.LoadRecursive()
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

    Any Ideas??
    Hugs
    Kora

  33. 44kora44
    November 30, 2011 at 7:13 pm | #53

    Its me again..
    So I changed back the web.config file to the back up I made before I made the change for the default to be I and now I am getting the caveat message.

  34. Jack
    December 1, 2011 at 5:45 pm | #55

    WOWWWW!!!…Thanks a ton for the documentation….works like a piece of cake..

  35. Edson Augusto Silva Catugy
    June 16, 2012 at 2:45 pm | #56

    Your article is very simple to understand, congratulations, the information was very useful!

  36. August 7, 2012 at 5:28 pm | #57

    Dear Donal Conlon
    Thank you very much for this post. My Sharepoint is singing because of this! And so is my boss!

    • August 7, 2012 at 7:20 pm | #58

      Spoke too soon. So I am able to add users to my sql db using IIS .net Users.
      I add this user to a role that I created.
      I switch my default provider back to “i” so I am able to log in using Windows Auth.
      But when I go to log in my FBA user – nothing happen. It says user name and password is not correct. I did re add my user and added in another password for them.

  1. February 23, 2010 at 5:14 pm | #1
  2. May 17, 2010 at 4:40 am | #2
  3. July 12, 2010 at 6:10 am | #3
  4. May 20, 2011 at 7:31 am | #4
  5. June 23, 2011 at 8:59 am | #5
  6. June 23, 2011 at 12:57 pm | #6
  7. August 30, 2011 at 11:03 pm | #7
  8. February 10, 2012 at 12:13 am | #8

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 38 other followers

%d bloggers like this: