configuring sharepoint 2013 forms-based authentication with sqlmembershipprovider - partner...

Upload: fabio-carvalho

Post on 02-Jun-2018


  • 8/10/2019 Configuring SharePoint 2013 Forms-Based Authentication With SQLMemberShipProvider - Partner Technical Service

    1/9

    20/6/2014 Configuring SharePoint 2013 Forms-Based Authentication with SQLMemberShipProvider - Partner Technical Services Blog - Site Home - TechNet

    http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx 1/9

    Configuring SharePoint 2013 Forms-Based Authentication with SQLMemberShipProvider

    Sean Earp [MSFT] 20 Sep 2013 11:01 AM

    Post courtesy Partner Solution Consultant Priyo Lahiri

    Background

    With SharePoint 2013, a lot of partners and customers are opening up their on-premises deployments to their vendors and customers. While the way you would configure this is very similar to SharePoint 2010, things get a little tricky when you perform a real-world deployment that spans multiple servers. This post is an end-to-end walkthrough of setting up Forms-Based Authentication with SQLMemberShipProvider in a 3-tier SharePoint 2013 deployment.

    Environment

    It would be a whole lot easier if I had a single-server environment with the same account running everything and that account were also a Domain Admin. However, I chose a different approach, since this is most likely how your real-world deployment will be set up, and the steps are a little different when your farm spans 3 servers. Here is my environment:

    WFE01 - Web Server running Microsoft SharePoint Foundation Web Application. I am connecting to the SQL instance using an Alias. It's a very smart move. If you have ever had to move your SharePoint databases across SQL Servers or decommission an aging SQL Server, you know that having a SQL Alias will save you from a lot of nightmares. If you are looking for a step by step, see "How to create SQL Alias for SharePoint" in the Appendix.

    APP01 - Central Admin Server. Note: this is NOT running Microsoft SharePoint Foundation Web Application and is configured to be a true application server. This also means that the Web Application that we create will not reside on this server.

    SQL01 - SQL Server running SQL Server 2012 with SP1

    SharePoint 2013 server RTM and Windows Server 2012 RTM are used for this setup.

    Tools to use

    While the steps documented below can be done without these tools, they do make your life a whole lot easier.

    1. FBA Configuration Manager for SharePoint 2013 (http://blogs.technet.com/b/speschka/archive/2012/07/28/fba-configuration-manager-for-sharepoint-2013.aspx) - Author and credit goes to Steve Peschka. The download comes with a ReadMe file. Please read it, since you need to register the WSP that comes with it.

    2. SharePoint 2013 FBA Pack (http://sharepoint2013fba.codeplex.com/) - Author and credit goes to Chris Coulson. The documentation (http://sharepoint2013fba.codeplex.com/documentation) will tell you how to install/activate/work with it. Not only will this make user management a breeze, it has some very useful features like password reset and self-service account management.

    NOTE: I have only tested the user management portion of the FBA Pack and didn't have time to play with the rest of the features.

    How it's done

    Step 1 - Create the Web Application

    In this step we will create the web application with Windows Authentication (Claims) and Forms-Based Authentication (FBA) on the same Zone. In SharePoint 2013, you can have multiple authentication providers without extending the web application. Having said that, at times you might have to extend the web application, depending on your scenario. More on that in a different post, where I will show you how to use LDAPMemberShipProvider to talk to your AD.

    From Central Administration, we will create a Web Application, call it Extranet.waterfall.net, and enable both Windows Auth and FBA. Note the names I am using: ASP.NET Membership Provider Name = SQL_Membership and ASP.NET Role manager name = SQL_Role. You can call them whatever you want, just ensure you use the same names everywhere.

    We will create a new App Pool and use the Web App Pool account. Make a note of this account, since you will need to give it permission on the ASPNET database in Step 3.


    Create the Web App and then the Site Collection; it doesn't matter what template you choose. Once the Site Collection is created, visiting it will take you to the default sign-in page, where you will be asked to choose an Authentication Provider to sign in with. If you want your external users to have only the FBA option, set this default zone to Windows Auth, extend it, and put FBA on the extended web app. Obviously, the URLs will then be different.

    Your sign-in page should look like this (make sure your DNS record (CNAME) points to WFE01)

    Do you want to see a custom sign-in page with your company brand on it? Well, let's defer that to a different post.

    Step 2 - Verify Tools

    Now that the web app is created, we will make sure the FBA Pack and FBA Configuration Manager are deployed as they should be. Go to Central Administration >> System Settings >> Manage Farm Solutions. Make sure fbaConfigFeature.wsp is globally deployed and visigo.sharepoint.formsbasedauthentication.wsp is deployed to http://extranet.yourdomain.com. See screenshot below. If visigo.sharepoint.formsbasedauthentication.wsp is not deployed, click on the WSP and deploy it to your web application.

    Login to the site collection created in the above step and activate the following feature:

    Site Settings >> Site Collection Administration >> Site Collection Features >> Form based Authentication Management

    Once the feature is activated, it should add the following to your Site Settings under User and Permissions

    Step 3 - Creating the SQL Database for User Management

    The first step is to create the SQL database that will hold the extranet users:

    Browse to C:\Windows\Microsoft.NET\Framework64\v4.0.30319

    Run aspnet_regsql.exe

    Click Next

    Choose Configure SQL Server for Application Services >> Click Next

    Enter your SQL Server Name, choose Windows Authentication and type in a Database Name


    Click Next twice to provision the database

    Now we need to add the application pool account that runs the web application to the database and give it the required permissions. In this case, the application pool account name is waterfall\spweb. Perform the following steps:

    Open up SQL Management Studio, Expand the database we created and expand Security

    Right click Users and add a new User

    User Type = Windows User

    User name = choose

    Login name = browse and choose the login name (should be same as the app pool name above)

    Click Owned Schemas and choose the following:

    aspnet_Membership_FullAccess

    aspnet_Personalization_FullAccess

    aspnet_Profile_FullAccess

    aspnet_Roles_FullAccess

    aspnet_WebEvent_FullAccess

    Step 4 - Editing the web.config files

    We need to edit the following web.config files:

    Web Application web.config - WFE server

    STS Application web.config - WFE server and Application Server

    Central Admin web.config - CA Server

    If you have more WFEs and App Servers, you need to edit them as well. A lot of people put these in their machine.config file as well, so that they are inherited by the web.config files. I am not too keen on editing the machine.config file.

    Let's log in to our WFE server and fire up FBAConfigMgr.exe. While you can get the code you need from here and edit web.config yourself, if you just let the tool run its course, it will create a Timer Job and do the task for you. In FBAConfigMgr, type in your application URL and from the sample configuration choose the following:

    People Picker Wildcard

    Connection String

    Membership Provider


    Role Provider

    Here is what the screen looks like when default values are chosen:

    We will modify the default values to reflect the following (highlighted items need modification per your environment):

    Web Application URL - http://extranet.waterfall.net

    People Picker Wildcard -

    Connection String -

    Membership Provider -

    Role Provider -

    The screen should now look like this:

    It's time to hit Apply Config. This will create a timer job to update your web.config files. Though it creates a backup, you should be proactive and take a backup of your web application web.config and STS web.config files. The Appendix covers how to back up the web.config file and how to find the STS web.config file.

    Once you click Apply Config, the tool will tell you when it's done. It might take a few minutes before you see any changes, so wait for it (you should see a new backup file created for your web.config file, with a time stamp and _FBAConfigMgr at the end of the file name). To verify that the job is done, open up the web.config for your web application and search for


    Open up the STS Web.Config and you should see the following:

    The connectionStrings section gets added to the end of the file as well, just like in the web.config of the web application.

    If you go back to the application server and open up the web.config file for the Central Admin site, you will see there are no

    changes made there. So we will make that change manually. Create a backup of the file then open up the file and find

    2. Under paste the following

    The screen should now look like this:

    3. Scroll to the end of the document and paste the following right before

    Just like the Central Admin web.config, make the same changes on this web.config as well. Just make sure you are pasting the information from RoleManager Providers and Membership Providers in the right place. Here is what the code looks like (you can use the code below and make changes to the highlighted areas to suit your environment):


    Here is a screenshot
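
    A check for the web.config edits made in Step 4, as an added example that is not part of the original post or of FBAConfigMgr. It confirms that the provider names match the ones chosen in Step 1, that each provider points at a connection string defined in the same file, and (going beyond the post) flags clear-text credential settings. The function name Test-FbaWebConfig and the sample values FBAConn, SQLALIAS and aspnetdb are assumptions.

```powershell
# Added example, not from the original post. Provider names default to the
# post's SQL_Membership / SQL_Role; the sample config below is constructed.
function Test-FbaWebConfig {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [string] $MembershipName = 'SQL_Membership',
        [string] $RoleName = 'SQL_Role'
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)
    $findings = @()
    $appNames = @{}
    $targets = [ordered]@{ membership = $MembershipName; roleManager = $RoleName }
    foreach ($section in $targets.Keys) {
        $name = $targets[$section]
        $nodes = @($xml.SelectNodes("/configuration/system.web/$section/providers/add[@name='$name']"))
        if ($nodes.Count -ne 1) {
            # Zero means a missing or misspelled name; more than one is a duplicate entry.
            $findings += "${section}: expected one provider named '$name', found $($nodes.Count)"
            continue
        }
        $provider = $nodes[0]
        $appNames[$section] = $provider.GetAttribute('applicationName')
        # The provider must reference a connection string defined in this same file.
        $csName = $provider.GetAttribute('connectionStringName')
        $cs = $xml.SelectSingleNode("/configuration/connectionStrings/add[@name='$csName']")
        if ($null -eq $cs) {
            $findings += "${section}: connection string '$csName' is not defined in this file"
        }
        elseif ($cs.GetAttribute('connectionString') -match '(^|;)\s*(password|pwd)\s*=') {
            $findings += "connection string '$csName' embeds a SQL password; use Windows authentication"
        }
        # Membership settings that weaken password storage.
        if ($section -eq 'membership') {
            if ($provider.GetAttribute('passwordFormat') -eq 'Clear') {
                $findings += 'membership: passwordFormat is Clear (passwords stored unhashed)'
            }
            if ($provider.GetAttribute('enablePasswordRetrieval') -eq 'true') {
                $findings += 'membership: enablePasswordRetrieval is true'
            }
        }
    }
    # Users and roles are scoped by applicationName, so both providers must agree.
    if ($appNames.Count -eq 2 -and $appNames['membership'] -ne $appNames['roleManager']) {
        $findings += 'applicationName differs between the membership and role providers'
    }
    $findings
}

# Constructed sample input (type attributes omitted): the role provider name is
# misspelled and the membership provider stores passwords in clear text.
$sample = @'
<configuration>
  <system.web>
    <membership><providers>
      <add name="SQL_Membership" connectionStringName="FBAConn" applicationName="/" passwordFormat="Clear" />
    </providers></membership>
    <roleManager><providers>
      <add name="SQL_Roles" connectionStringName="FBAConn" applicationName="/" />
    </providers></roleManager>
  </system.web>
  <connectionStrings><add name="FBAConn" connectionString="Data Source=SQLALIAS;Initial Catalog=aspnetdb;Integrated Security=SSPI" /></connectionStrings>
</configuration>
'@
$tmp = Join-Path $env:TEMP 'fba-sample-web.config'
Set-Content -LiteralPath $tmp -Value $sample
Test-FbaWebConfig -Path $tmp
Remove-Item -LiteralPath $tmp
```

    Run it against the web application, STS and Central Admin web.config files on every server in the farm; an empty result means the entries line up in that file.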

    Step 5 - Use FBA Pack to add and manage users

    Our configuration is done. We will now go to our site collection and use the FBA Pack to add / manage users and roles.

    Go to Site Settings and click on FBA User Management >> Click New User, create a dummy user and add him to the contributor group

    Step 6 - Verify Forms user

    Now open up IE in InPrivate mode, visit your site collection, and this time choose Forms Authentication and enter the account information you just created to log in. You're done!

    Click on the user name and My Settings, you will see the account information coming from SQL Membership Provider

    If you go to a document library and try and add the user there, you will see it resolves from your SQL database


    Appendix

    How to create SQL Alias for SharePoint

    Follow the steps below to create a SQL Alias on all your SharePoint Servers:

    TechNet Reference: http://technet.microsoft.com/en-us/library/ff607733.aspx#clientalias

    1. Perform this on the Application Server that is hosting Central Administration

    a. Stop all SharePoint Services

    b. Open cliconfg.exe from C:\Windows\System32\cliconfg.exe (the 64-bit version of cliconfg.exe)

    c. Enable TCP/IP under general tab

    d. Click on Alias Tab

    e. Type Current SQL Server Name in the Alias Name field

    f. Type Current SQL Server Name in the Server field (see screenshot below; in your case the SQL Alias and SQL Server name are the same)

    g. Validate SQL Alias

    i. Create a new text file on SharePoint Server and name it TestDBConnection.udl

    ii. Double click to open the file and enter your SQL Server Alias name

    iii. Use Windows Integrated Security

    iv. You should be able to see all your SharePoint databases when you click on Select the database on the Server

    h. Start all services for SharePoint Server / Reboot SharePoint Server

    i. Perform the steps above on all other SharePoint servers

    How to back up web.config file

    To back up the web.config file, perform the following:

    From IIS Manager (Start >> Run >> inetmgr)

    Right click on the web site and click Explore

    Copy the web.config file somewhere else, or in the same location with a different name


    Where is the STS web.config file?

    On your WFE open up IIS Manager and expand SharePoint Web Services

    Right click on SecurityTokenServiceApplication and click Explore

    Comments

    Durval Ramos 15 Oct 2013 3:24 PM

    Good job. Thanks for sharing

    Deepak Solanki 12 Dec 2013 2:23 AM

    Nice post, I am able to configure FBA following this. Thanks

    Shawn Miller 17 Jan 2014 1:45 AM

    Great walkthrough! I for some reason also had to add the app pool user (windows service account) to SQL Server's

    Logins (under Security) and grant the user db_owner membership under the User Mappings of the user to get the

    FBA Pack to work right so I could add in new users.

    Tom 4 Feb 2014 11:29 PM

    Still can't get it working right... I am able to manage users in iis 7 via a "blank website" running on appPool 2.0 so I can

    manage users.. I have FBAPACK installed and deployed globally. When in Site Settings > Manage Forms Based

    Authentication Users: I still have the error "membership provider has not been config correctly.. all my configs are

    setup correctly, and are able to be read via iis "feature view". Not sure what else is left..? All accts are same for install,

    SQL, and web app. Please help..

    Muzaffar 21 Feb 2014 4:16 PM

    I am getting an error 'A Membership Provider has not been configured correctly. Check the web.config setttings for

    this web application.'

    I did double check but couldn't find any difference.

    Please help.

    Kent 28 Mar 2014 4:15 AM

    THANKS SO MUCH! I have been trying to do this for over a week - your blog is the only one that got me through to

    completion.

    Jason 2 Apr 2014 3:52 PM

    I am having this same issue with the 'A Membership Provider has not been configured correctly. Check the web.config

    setttings for this web application.' error when I click on FBA User Mgmt or FBA Role Mgmt under site settings.

    Everything else seems to work correctly including FBA authentication itself.


    Amjad Majeed 12 May 2014 2:23 PM

    @Jason!

    Please check that database user has correct "User Mapping", it seems it is due to mapping.

    Kunu 17 Jun 2014 2:45 PM

    Under Step 3, "User name = choose ", do I get yourAppPoolAccountName from my network admin? Sorry, but I'm

    very new to this.