Configuring Forms Based Authentication for SharePoint 2007 using IIS 7.
Enabling Forms based authentication is much easier with IIS 7. With IIS 6, you were required to create your membership store (database), then modify the config.xml file to add connection strings, membership, and role details. Once you had everything configured, you then needed to populate the store; the typical approach was to use the web site administration web application through Visual Studio. Not ideal if you’re on a production farm!
With IIS7, you still need to create the membership store, but you no longer need to edit the xml config file manually, or whip up an ASP.NET app just for the purpose of managing the users. Everything is handled through the IIS Management console.
The new IIS Management page offers many options. You will notice four that we will use for configuring FBA:
- Connection Strings
- .NET Roles
- .NET Users
The Membership Store
The membership store is still created using the ASP.NET SQL Server Setup Wizard. This is launched from the .NET 2.0 Framework folder on the server at:
This wizard will take you through the steps and will build out the SQL database for you.
Once you select to Configure SQL Server for application services, you will be prompted for the SQL Server name and database name. You can choose an existing database to add the membership elements to, or you can type in a new name and the database will be created for you.
Once the database is created, we need to configure IIS to use it. Switch to IIS Manager and select the web site that we want to enable FBA on (in this case it’s SharePoint – Extranet). We then need to configure the connection string, the provider, roles, and users.
The Connection String
From the ASP.NET section in IIS Manager, open the Connection Strings page. Add a new string for the membership database.
NOTE: We are using a SQL account, so mixed-mode is in use.
Make sure to spell the database name correctly, as you do not get to pick it from a list.
We need to add a role provider and a membership provider. To do this, open the Providers window and click Add while in each feature:
The .NET Roles
Once we have defined the providers for our Roles and Members, we can define the roles we want to use.
Open the .NET Roles page. Set the default provider to FormsAuthRoles.
Click add to add roles for:
The .NET Users
Switching to the .NET Users page, we set the default provider:
Then we can add users.
At this point we have configured everything we need for FBA using ASP.NET. We now need to enable the authentication methods for the web site in IIS, by enabling FBA and disabling Windows Authentication. For the SharePoint – Extranet web site, open the Authentication page under IIS.
On this page, disable Windows Authentication and enable FBA.
Now we are set for SharePoint – Extranet.
Before we leave the IIS Management console, we need to set up the connection string, roles and membership providers for the Central Admin site. We do this so we can reference the membership database when managing users through Central Admin.
So for the SharePoint Central Administration site repeat the steps above for:
- Create connection string
- Add .NET roles provider
- Add .NET users provider
Use all the same settings as you did previously.
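The steps above leave the same connection string and providers in two places: the web.config of the SharePoint – Extranet site and that of Central Administration. The following check is an added example, not part of the original post, that compares the two files and reports mismatches such as a misspelled database name. FormsAuthMembers and FormsAuthRoles are the provider names this post uses; the connection string name FBADB, the server SQL01, the account fba_svc and the database names are constructed sample values.

```python
import xml.etree.ElementTree as ET
# Constructed web.config; FBADB, SQL01, fba_svc and the database name are made-up values.
TEMPLATE = """<configuration>
  <connectionStrings>
    <add name="FBADB" connectionString="Server=SQL01;Database={db};User ID=fba_svc;Password=EXAMPLE"/>
  </connectionStrings>
  <system.web>
    <authentication mode="{mode}"/>
    <membership><providers>
      <add name="FormsAuthMembers" type="System.Web.Security.SqlMembershipProvider" connectionStringName="FBADB"/>
    </providers></membership>
    <roleManager enabled="true"><providers>
      <add name="FormsAuthRoles" type="System.Web.Security.SqlRoleProvider" connectionStringName="{cs}"/>
    </providers></roleManager>
  </system.web>
</configuration>"""

def summarize(xml_text):
    """Return the auth mode, parsed connection strings, and provider -> connection string name."""
    root = ET.fromstring(xml_text)
    conns = {}
    for add in root.findall("./connectionStrings/add"):
        pairs = (p.split("=", 1) for p in add.get("connectionString", "").split(";") if "=" in p)
        # Treat "Initial Catalog" as a synonym for "Database" so both spellings compare equal.
        conns[add.get("name")] = {k.strip().lower().replace("initial catalog", "database"): v.strip()
                                  for k, v in pairs}
    providers = {a.get("name"): a.get("connectionStringName") for sec in ("membership", "roleManager")
                 for a in root.findall(f"./system.web/{sec}/providers/add")}
    auth = root.find("./system.web/authentication")
    return (auth.get("mode") if auth is not None else None), conns, providers

def audit(site_xml, admin_xml):
    """Compare the FBA web application's config with Central Administration's."""
    (mode, s_conns, s_prov), (_, a_conns, a_prov) = summarize(site_xml), summarize(admin_xml)
    findings = [] if mode == "Forms" else [f"site: authentication mode is {mode}, not Forms"]
    for label, conns, prov in (("site", s_conns, s_prov), ("admin", a_conns, a_prov)):
        findings += [f"{label}: {p} uses undefined connection string {c}"
                     for p, c in prov.items() if c not in conns]
        findings += [f"{label}: {n} stores a SQL password in clear text"
                     for n, kv in conns.items() if "password" in kv or "pwd" in kv]
    for p, c in s_prov.items():
        if p not in a_prov:
            findings.append(f"admin: provider {p} is not defined")
        elif s_conns.get(c, {}).get("database") != a_conns.get(a_prov[p], {}).get("database"):
            findings.append(f"admin: {p} points at a different database than the site")
    return findings
```

The clear-text password finding follows from the SQL account noted earlier; ASP.NET's `aspnet_regiis -pe` can encrypt the connectionStrings section so the password is not readable in the file.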
Once this is done, we can launch the Central Admin web site to switch our SharePoint – Extranet site to Forms Authentication.
Central Administration
Under the Central Admin Applications Page, click Authentication Providers under Application Security.
Making sure you are on the correct web application, click ‘Default’ to edit the provider details.
Here we can set the authentication type to Forms, and then provide the details for the Membership and Role providers.
We also disable Client integration.
Were we to test the application now, it would not authenticate us, as we have not added any members. So we first need to define our site collection administrator.
Back under Central Admin > Applications > SharePoint Site Management section, click Site collection administrators.
Now when you add a user, you will be selecting from the FormsAuthMembers provider!
A quick test of the site will now display the default FBA form, login.aspx.
Next we need to throw some style on that login page!