Home > SharePoint > Configuring Forms Based Authentication for SharePoint 2007 using IIS 7.

Configuring Forms Based Authentication for SharePoint 2007 using IIS 7.

Enabling Forms based authentication is much easier with IIS 7.  With IIS 6, you were required to create your membership store (database), then modify the config.xml file to add connection strings, membership, and role details.  Once you had everything configured, you then needed to populate the store; the typical approach was to use the web site administration web application through Visual Studio.  Not ideal if you’re on a production farm!

With IIS7, you still need to create the membership store, but you no longer need to edit the xml config file manually, or whip up an ASP.NET app just for the purpose of managing the users.  Everything is handled through the IIS Management console.

The new IIS Management page offers many options.  You will notice four that we will use for configuring FBA:

  • Connection Strings
  • Providers
  • .NET Roles
  • .NET Users

image

The Membership Store

The membership store is still created using the ASP.NET SQL Server Setup Wizard.  This is launched from the .NET 2.0 Framework folder on the server at:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe

This wizard will take you thorough the steps and will build out the SQL database for you.

Once you select to Configure SQL Server for application services, you will be prompted for the SQL Server name and database name.  You can choose an existing database to add the membership elements to, or you can type in a new name and the database will be created for you.

Once the database is created, we need to configure IIS to use it.  Switch to IIS Manager, and select the web site that we want to enable FBA on (in this case it’s SharePoint – Extranet), we then need to configure the connection string, the provider, roles, and users.

The Connection String

From the ASP.NET section in IIS Manger, open the Connection Strings page.  Add a new string for the membership database.

image

NOTE: We are using a sql account, so mixed-mode is in use.

Make sure to spell the database name correctly, as you do not get to pick it from a list.

The Provider

We need to add a role provider and a membership provider.  To do this, open the Providers window and click Add while in each feature:

.NET Roles

image

.NET Users

image

The .NET Roles

Once we have defined the providers for our Roles and Members, we can define the roles we want to use.

Open the .NET Roles page.  Set the default provider to FormsAuthRoles.

Click add to add roles for:

  • StandardUser
  • SuperUser

image

The .NET Users

Switching to the .NET Users page, we set the default provider:

image

Then we can add users.

image

At this point we have configure everything we need for FBA using ASP.NET.  We now need to enable the authentication methods for the web site in IIS, by enabling FBA, and disabling Windows Authentication.  For the SharePoint – Extranet web site, open the Authentication page under IIS.

image

On this page, disable Windows Authentication and enable FBA.

image

Now we are set for SharePoint – Extranet.

Before we leave the IIS Management console, we need to setup the connection string, roles and membership providers for the Central admin site.  We do this so we can reference the membership database when managing users through Central Admin.

So for the SharePoint Central Administration site repeat the steps above for:

  • Create connection string
  • Add .NET roles provider
  • Add .NET users provider Use all the same settings as you did previously.
    Once this is done, we can launch Central Admin web site to make the switch out SharePoint – Extranet site to Forms Authentication.
    Central Administration
    Under the Central Admin Applications Page, click Authentication Providers under Application Security.

image

Making sure you are on the correct web application, click ‘Default’ to edit the provider details.

image

Here we can set the authentication type to Forms, and then provide the details for the Membership and Role providers.

We also disable Client integration.

Were we to test the application now, it would not authenticate us, as we have not added any members.  So we first need to define our site collection administrator.

Back under Central Admin > Applications > SharePoint Site Management section, click Site collection administrators.

Now when you add a user, you will be selecting from the FormsAuthMembers provider!

image

A quick test of the site will now display the default FBA form login.aspx

Next we need to throw some style on that login page!

Advertisements
Categories: SharePoint Tags:
  1. Robert Ireland
    January 6, 2010 at 7:51 am

    Nice work, exactly what I needed.

  2. oman
    January 13, 2010 at 9:54 am

    how about sharepoint 2010 (using claim based) ???

    si it still same step???

    thanks in advance…

    • January 13, 2010 at 10:29 am

      Claims based authentication is not the same as FBA. The majority of the steps will still apply in SharePoint 2010 for FBA. I will post an update soon on FBA in SharePoint 2010, and eventually one on claims-based auth (although it’s not certain how well this will be supported in RTM).

  3. Darren Jorgensen
    February 11, 2010 at 2:26 am

    I’m following your guide on a Windows 2008 R2 server w/- IIS7 and WSS 3.0.

    Adding the connection string is no problem, but when I go to add the .NET Role in providers, the connection string doesn’t show up in the drop down list. Only connection string listed in “LocalSqlServer”.

    Any ideas on what I am missing?

    • February 18, 2010 at 2:31 pm

      Not sure why your connection string is not showing up. I just did same on a Windows Server R2 box and the connection string showed up fine.
      Check your connecting string is ok, db name, credentials, etc.

  4. Sohaib Khan
    March 29, 2010 at 8:54 am

    Hi Donal,

    I’ve created membership and role provider with users and roles in the SharePoint site but i’ve only mentioned role provider and membership provider in Central Admin site. If i configure role and membership provider in Central Admin then Central Admin web app starts generating error ‘Unknown Error’.

    Also, it is not adding the user in the Site Collection Administrators.

    Please let me know where i am going wrong.

    Thanks.

  5. James Shidell
    May 6, 2010 at 11:04 am

    Mr. Conlon –

    Thanks for sharing. My scenario is a little different but not by much. I had to extend an existing web application first and then place it inside the extranet zone. I couldn’t update the Site Collection Administrators because that account runs all my other Web Apps so I didn’t want me mess anything up. I ended up edited the Policy for Web Application and selected the Extranet zone and added a new user and selected the user from the membership store and gave it full control

    Everything seems to be working fine. I can browse to my extranet site, click login and i’m presented with the default login.aspx page. I can login with the account just fine and it authenticates I have no permissions. Only thing i’m able to do is read.

    Any idea on what I might be missing. Any help on this would be of great help. Thank you.

  6. James Shidell
    May 6, 2010 at 11:15 am

    Mr. Conlon –

    I found out the issue. I had to change the default Role and User providers and then I was able to login with the correct permissions.

    Thanks for your help.

    v/r
    JShidell

  7. May 7, 2010 at 3:47 am

    I had the same trouble with the connection string, i got it fixed by just doing a IISRESET then restarting the serverManager/IIS 🙂

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: