configuring sharepoint 2013 forms-based authentication with sqlmembershipprovider - partner...

8/10/2019 Configuring SharePoint 2013 Forms-Based Authentication With SQLMemberShipProvider - Partner Technical Service

1/9

20/6/2014 Configuring SharePoint 2013 Forms-Based Authentication with SQLMemberShipProvider - Partner Technical Services Blog - Site Home - TechNet

http://blogs.technet.com/b/ptsblog/archive/2013/09/20/configuring-sharepoint-2013-forms-based-authentication-with-sqlmembershipprovider.aspx 1/9

Configuring SharePoint 2013 Forms-Based Authentication with

SQLMemberShipProvider

11Sean Earp [MSFT] 20 Sep 2013 11:01 AM

Post courtesy Partner Solution Consultant Priyo Lahiri

Background

WithSharePoint 2013, a lot of partners and customers are opening up their on premise deployment to their vendors and

customers. While the way you would configure this is very similar to SharePoint 2010, things get a little tricky when you perform a

real-world deployment spanned across multiple servers. This post is an end-to-end walkthrough of setting up Forms Based

Authentication with SQLMemberShipProvider in a 3 tier SharePoint 2013 Deployment.

Environment

It would be whole lot easier if I had a single server environment with the same account running everything and that account is also

a Domain Admin. However, I chose a different approach since most likely this is how your real-world deployment will be setup and

the steps are little different when your farm is spanned across 3 servers. Here is my environment:

WFE01 Web Server running Microsoft SharePoint Foundation Web Application. I am connecting to the SQL instance using an

Alias. Its a very smart move. If you have ever had to move your SharePoint databases across SQL Servers or decommission an

agingSQL Server, you know thathaving a SQL Alias will save you from a lot of nightmares. If you are looking for a step by step,

click here.

APP01 Central Admin Server. Note: this is NOT running Microsoft SharePoint Foundation Web Application and is configured tobe a True application server. This also means that the Web Application that we create will not reside on this server.

SQL01 SQL Server running SQL Server 2012 with SP1

SharePoint 2013 server RTM and Windows Server 2012 RTM are used for this set up.

Tools to use

While the steps documented below can be done without these tools, they do make your life a whole lot easier.

1. FBA Configuration Manager for SharePoint 2013 Author and Credit goes to Steve Peschka. The download comes with a

ReadMe file. Please read it, since you need to register the WSP that comes with it.

2. SharePoint 2013 FBA Pack Author and Credit goes to Chris Coulson. Here is the documentation that will tell you how to

install/activate/work with it. This not only will this make usonly tested the user management er management a breeze, it has some

very useful features like passwordreset and self-service account management.

NOTE: I have portion of the FBA Pack and didnt have time to play with the rest of the features.

How its done

Step 1 Create the Web Application

In this step we will be creating the web application with Windows Authentication (Claims) and Forms Based Authentication (FBA) on

the same Zone. In SharePoint 2013, you can have multiple authentication providers without extending the web application. Having

said that, at times, you might have to extend the web application depending on your scenario. More on that on a different post

where I will show you how to use LDAPMemberShipProvider to talk to your AD.

From Central Administration, we will create a Web Application and call it Extranet.waterfall.net and enable both Windows Auth and

FBA. Note the names I am using: ASP.NET Membership Provider Name = SQL_Membershipand ASP.NET Role manager name =

SQL_Role. You can ca ll them whatever you want, just ensure you use the same names everywhere.

We will create a new App Pool and use the Web App Pool account. Make a note of this since you would need to give this account

permission in the next step in the ASPNET database.
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4353.clip_5F00_image002_5F00_599AD83F.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4353.clip_5F00_image002_5F00_599AD83F.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4353.clip_5F00_image002_5F00_599AD83F.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4353.clip_5F00_image002_5F00_599AD83F.jpghttp://sharepoint2013fba.codeplex.com/http://www.codeplex.com/site/users/view/ccoulsonhttp://sharepoint2013fba.codeplex.com/documentationhttp://blogs.technet.com/b/speschka/archive/2012/07/28/fba-configuration-manager-for-sharepoint-2013.aspxhttp://social.technet.microsoft.com/profile/steve%20peschka/http://-/?-http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4353.clip_5F00_image002_5F00_599AD83F.jpghttp://sharepoint2013fba.codeplex.com/documentationhttp://www.codeplex.com/site/users/view/ccoulsonhttp://sharepoint2013fba.codeplex.com/http://social.technet.microsoft.com/profile/steve%20peschka/http://blogs.technet.com/b/speschka/archive/2012/07/28/fba-configuration-manager-for-sharepoint-2013.aspxhttp://technet.microsoft.com/en-us/library/ff607733.aspx#proc4http://social.technet.microsoft.com/profile/Sean%20Earp%20[MSFT]http://-/?-


2/9



Create the Web App and then the Site Collection, it doesnt matter what template you choose. Once the Site Collection is created,visiting the site collection will take you to our default sign in page where you will be asked to choose an Authentication Provider to

Sign In with. If you want your External Users only to have the option of FBA, you would want to set this default zone with Windows

Auth and extend it and have the FBA on the extended web app. Obviously, the URLs will then be different.

Your sign in page should look like this (make sure your DNS record (CNAME) point to the WFE01)

Do you want to see a custom sign in page with your company brand on it? Well, lets defer that to a different post.

Step 2 Verify Tools

Now that the web app is created, we will make sure FBA Pack and FBA Configuration manager is deployed as it should be. Go to

Central Administration >> System Settings >> Manage Farm Solutions. Make sure fbaConfigFeature.wsp is globally deployed and

visigo.sharepoint.formsbasedauthentication.wsp is deployed to http://extranet.yourdomain.com. See screenshot below. If the

visigo.sharepoint.formsbasedauthentication.wsp is not deployed, click on the WSP and deploy it to your web application.

Login to the site collection created in the above step and activate the following feature:

Site Settings >> Site Collection Administration >> Site Collection Features >> Form based Authentication Management

Once the feature is activated, it should add the following to your Site Settings under User and Permissions

Step 3 Creating the SQL Database for User Management

The first step is to create the SQL Database that would hold the Extranet Users

Browse to c:\Windows\Microsoft .NET\Framwork64\v4.0.30319

Run aspnet_regsql.exe

Click NextChoose Configure SQL Server for Application Services >> Click Next

Enter your SQL Server Name , choose Windows Authentication and type in a Database Name
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/7345.clip_5F00_image011_5F00_1D056A53.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/8507.clip_5F00_image009_5F00_76A38707.pnghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/1134.clip_5F00_image008_5F00_3430E4D1.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/7180.clip_5F00_image006_5F00_349D17C6.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/0640.clip_5F00_image004_5F00_071BF803.jpg


3/9



Click Next twice to provision the database

Now we need to add the Application Pool that runs the web application and give it required permission. In this case, the

application pool name is waterfall\spweb. Perform the following steps:

Open up SQL Management Studio, Expand the database we created and expand Security

Right click Users and add a new User

User Type = Windows User

User name = choose

Login name = browse and choose the login name (should be same as the app pool name above)

Click Owned Schemas and choose the following:

aspnet_Membership_FullAccess

aspnet_Persolalization_FullAccess

aspnet_Profile_FullAccess

aspnet_Roles_FullAccess

aspnet_WebEvent_FullAccess

Step 4 Editing the web.config files

We need edit the following web.config files:

Web Application Web.config WFE server

STS Application web.config WFE server and Application Server

Central Admin web.config CA Server

If you have more WFEs and App Servers, you need to edit them as well. A lot of people puts these in there machine.config

file as well so that it gets inherited to the web.config file. I am not too keen on editing the machine.config file.

Lets login to our WFE server and fire up FBAConfigMgr.exe. While you can get the code you need from here and edit web.config

yourself, if you just let the tool run its course, it will create a Timer Job and do the task for you. In the FBAConfigMgr type in your

application URL and from the sample configuration choose the following:

People Picker Wildcard

Connection String

Membership Provider
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/3108.clip_5F00_image017_5F00_6384EB0C.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/5635.clip_5F00_image015_5F00_4F6BCE83.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/8053.clip_5F00_image013_5F00_141868C5.jpg


4/9



Role Provider

Here is what the screen looks like when default values are chosen:

We will modify the default values to reflect the following (highlighted items need modification per your environment):

Web Application URL - http://extranet.waterfall.net

People Picker Wildcard -

Connection String -

Membership Provider -

Role Provider -

The screen should now look like this:

Its time to hit Apply Config. This will create a timer job to update your web.config files. Though it creates a backup, you should be

proactive and take a backup of your web application web.config and sts web.config file. Here is how to back up the web.config file

and here is how to find the STS web.config file.

Once you click Apply Config, the tool will tell you when its done. It might take a few mins before you see any changes, so wait for it

(you should see a new backup file created for your web.config file with time stamp and _FBAConfigMgr in the end of the file). To

verify that the job is done, open up the web.config for your web application and search for


5/9



Open up the STS Web.Config and you should see the following:

The ConnectionStrings gets added to the end of the file as well just like web.config of the web application.

If you go back to the application server and open up the web.config file for the Central Admin site, you will see there are no

changes made there. So we will make that change manually. Create a backup of the file then open up the file and find

2. Under paste the following

The screen should now look like this:

3. Scroll to the end of the document and paste the following right before

Just like the Central Admin web.config make the same changes on this web.config as well. Just make sure you are pasting the

information from RoleManager Providers and Membership Providers in the right place. Here is what the code looks like (you can

use the code below are make changes to the highlighted areas to suit your environment):
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/8267.clip_5F00_image033_5F00_31B1F5D7.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/6012.clip_5F00_image031_5F00_1D98D94E.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/7144.clip_5F00_image029_5F00_5B263717.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/1362.clip_5F00_image027_5F00_6DDB30CE.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/7612.clip_5F00_image025_5F00_3287CB10.jpg


6/9



Here is a screenshot

Step 5 - Use FBA Pack to add and manage users

Our configurations are done. We will now go to our site collection and use the FBA Pack to add / manage users and Roles

Go to Site Settings and click on FBA User Management >> Click New User and create a dummy user and add him to the

contributor group

Step 6 Verify Forms user

Now open up IE in InPrivate mode and visit your s ite collection and this time choose Forms Authentication and enter the account

information you just created to log in. Youre done!

Click on the user name and My Settings, you will see the account information coming from SQL Membership Provider

If you go to a document library and try and add the user there, you will see it resolves from your SQL database
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/7043.clip_5F00_image041_5F00_23760D98.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4314.clip_5F00_image039_5F00_0EF0BE1A.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4478.clip_5F00_image037_5F00_4C7E1BE3.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/8686.clip_5F00_image035_5F00_0D206853.jpg


7/9



Appendix

How to create SQL Alias for SharePoint

Follow the steps below to create a SQL Alias on all your SharePoint Servers:

TechNet Reference: http://technet.microsoft.com/en-us/library/ff607733.aspx#clientalias

1. Perform this on the Application Server that is hosting Central Administration

a. Stop all SharePoint Services

b. Open CLICONFIG.exe from C:\Windows\System32\cliconfg.exe (64 bit version of cliconfig.exe)

c. Enable TCP/IP under general tab

d. Click on Alias Tab

e. Type Current SQL Server Name in the Alias Name field

f. Type Current SQL Server Name in the Server field (see screenshot below. In your case SQL Alias and SQL Server name is the

same)

g. Validate SQL Alias

i. Create a new text file on SharePoint Server and name it TestDBConnection.udl

ii. Double click to open the file and enter your SQL Server Alias name

iii. Use Windows Integrated Security

iv. You should be able to see all your SharePoint databases when you click on Select the database on the Server

h. Start all services for SharePoint Server / Reboot SharePoint Server

i. Perform the steps above on all other SharePoint servers

How to backup web.config file

To back up web.config file, perform the following:

From IIS Manager (start >> Run > inetmgr)

Right click on the web site and click Explore

Copy the web.config file somewhere else, or the in the same location with a different name
http://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/6835.clip_5F00_image047_5F00_79959962.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4331.clip_5F00_image045_5F00_6C2F865C.jpghttp://technet.microsoft.com/en-us/library/ff607733.aspx#clientaliashttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/4010.clip_5F00_image043_5F00_77C5439B.jpg


8/9



Where is the STS web.config file?

On your WFE open up IIS Manager and expand SharePoint Web Services

Right click on SecurityTockenServiceApplication and click Explore

Comments

Durval Ramos15 Oct 2013 3:24 PM

Good job. Thanks for sharing

Deepak Solanki 12 Dec 2013 2:23 AM

Nice post, i am able to configure FBA following this. Thanks

Shawn Miller 17 Jan 2014 1:45 AM

Great walkthrough! I for some reason also had to add the app pool user (windows service account) to SQL Server's

Logins (under Security) and grant the user db_owner membership under the User Mappings of the user to get the

FBA Pack to work right so I could add in new users.

Tom 4 Feb 2014 11:29 PM

Still cant get it working right... I am able to manage users in iis 7 via a "blank website" running on appPool 2.0 so I can

manage users.. I have FBAPACK installed and deployed globally. When in Site Settinges > Manage Forms Based

Authentication Users: I still have the error "membership provider has not been config correctly.. all my configs are

setup correctly, and are able to be read via iis "feature view". Not sure what else is left..? All accts are same for install,

SQL, and web app. Please help..

Muzaffar 21 Feb 2014 4:16 PM

I am getting an error 'A Membership Provider has not been configured correctly. Check the web.config setttings for

this web application.'

I did double check but couldn't find any difference.

Please help.

Kent 28 Mar 2014 4:15 AM

THANKS SO MUCH! I have been trying to do this for over a week - your blog is the only one that got me through to

completion.

Jason 2 Apr 2014 3:52 PM

I am having this same is sue with the 'A Membership Provider has not been configured correctly. Check the web.config

setttings for this web application.' error when I click on FBA User Mgmt or FBA Role Mgmt under site settings.

Everything else seems to work correctly including FBA authentication itself.
http://social.technet.microsoft.com/profile/Durval%20Ramoshttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/8400.clip_5F00_image051_5F00_30727E5A.jpghttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-86-44-metablogapi/1541.clip_5F00_image049_5F00_2716B926.jpg


9/9


http://blogs technet com/b/ptsblog/archive/2013/09/20/configuring sharepoint 2013 forms based authentication with sqlmembershipprovider aspx 9/9

Amjad Majeed 12 May 2014 2:23 PM

@Jason!

Please check that database user has correct "User Mapping", it seems it is due to mapping.

Amjad Majeed 12 May 2014 2:23 PM

@Jason!

Please check that database user has correct "User Mapping", it seems it is due to mapping.

Kunu 17 Jun 2014 2:45 PM

Under Step 3, "User name = choose ", do I get yourAppPoolAccountName from my network admin? Sorry, but I'm

very new to this.

configuring sharepoint 2013 forms-based authentication with sqlmembershipprovider - partner...

Documents