Tuesday 29 October 2013

Configure forms based authentication in SharePoint 2013

How to configure forms based authentication in 2013

·        This is a step by step approach on how to configure claim/form based authentication in SharePoint 2013. If you have configured Forms based authentication in earlier versions of SharePoint like 2010, the process to configure OOB forms based authentication in SharePoint 2013 is not much different. One major difference between SharePoint 2010 and the 2013 beta is that Claims Authentication is the only authentication method available in the User Interface (UI) within Central Administration. If necessary, we can still use PowerShell to create a Web App in “classic” mode. We are using the SharePoint 2013 beta version to show the configuration process here. Similar to earlier versions of SharePoint we need to perform the following steps :
1.       Create the Asp.net DB user/role repository
2.       Create a web application that uses Forms based authentication
3.       Update web.config file of Central Admin.      
4.       Update web.config file of the web application
5.       Update web.config file of the STS (Secure Token Service) Application
6.       Add some users in the database (can use ASP.net configuration wizard).
7.       Create a site collection
8.       Test the connection to the site collection with SQL users using FBA.

Step 1: Create the Asp.net DB user/role repository using SQL database
·        Go to the location: C:\Windows\Microsoft.NET\Framework\v4.0.30319 and find aspnet_regsql.exe and double click on it.

As an alternative you can go to visual studio tools -> developer command prompt for VS -> and type aspnet_regdsql.exe
·        The Asp.Net SQL server setup wizard will open up. Click next and then select “Configure SQL server for application services” as shown below.

·       Provide the server name, select Widows authentication and keep database as default.

·       Click next in the following screens to finish configuration.
·       Make sure that aspnetdb is created in SQL Management Studio on the SQL server and the login user has dbo rights in the aspnetdb database. On server explorer expand security -> logins -> double click on the user -> Select user mapping -> ckeck db_owner rights for the user.


·        Also perform the same steps for the SharePoint service account that you will use to create your web application.
·        Now we are done with our SQL database for Forms users. We will add users to this database in step 6.
Step 2: Create a web application that uses Forms based authentication
      
·        Go to central administration website -> click on application management -> Click new on the top ribbon -> fill all the details as expected.  For Forms based authentication under Claims Authentication Types select “Enable Forms Based Authentication (FBA)”. In our case as we have chosen default configuration, in the “ASP.NET membership provider name” enter “AspNetSqlMembers” and in the “ASP.NET Role manager name” enter “AspSqlRoles”.


Step3: Update web.config file of Central Admin.     
·        Easy way to locate the web.config file is to use IIS Manager and choose Explore after selecting the web site.
·        Before modifying the file please keep a backup of the original file.
·       We will need to update the central admin web.config to add our key to PeoplePicker entry
o   Find the </SafeControls> tag and add the following entry below it :

<PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembers" value="%" />
 </PeoplePickerWildcards>

Refer to the below image


Step 4: Update web.config file of the web application
·        Locate the web.config in a similar way as mentioned in step 3 and please keep a backup of the file before modifying
·        Find the <PeoplePickerWildcards> entry and add our key. It should look like
<PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembers" value="%" />
      <add key="AspNetSqlMembershipProvider" value="%" />
    </PeoplePickerWildcards>
·        Refer to the image below:


·        Next find the “<machineKey validationKey” entry and add the below entry after “<machineKey>” tag ends

<membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="sqlconn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="sqlconn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

Please refer to the image below:

·        Next find the tag “</microsoft.identityModel>” and add the below connection string entry :
<connectionStrings>
    <add name="sqlconn" connectionString="data source=INSPS02;User Id=sa;Password=pass@word1;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
  </connectionStrings>

Please refer to the image below:


Step 5: Update web.config file of the STS (Secure Token Service) Application

·        Here we will add the membership and role provider entries and the connection string entry
·        Find the web.config file same way as done in previous steps and keep a backup of the same.
·        Find <system.web> entry and add the below entry within it. If the system.web entry is not there, please create one.
<membership defaultProvider="AspNetSqlMembers">
      <providers>
        <add connectionStringName="sqlconn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="/" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

      </providers>
    </membership>
    <roleManager defaultProvider="AspNetSqlRoles" enabled="true">
      <providers>
        <add connectionStringName="sqlconn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

·        Please refer to the image below


·        Below the <stsyem.web> entry add the connection string entry as mentioned below:
<connectionStrings>
    <add name="sqlconn"
   connectionString="data source=INSPS02;User Id=sa;Password=pass@word1;Initial Catalog=aspnetdb"
   providerName="System.Data.SqlClient" />
  </connectionStrings>

·        Please refer to the image below:



Step 6: Add some users to the database:

We will use aspnet configuration wizard to add users the SQL database
·        Create an empty asp.net website in visual studio
·        Modify the web.config by adding the following connection string entry (modify the datasource with your datasource name):
<connectionStrings>
    <remove name="LocalSqlServer"/>
    <add name="LocalSqlServer" connectionString="Data Source=INSPS02;Initial Catalog=aspnetdb;Integrated Security=True" providerName="System.Data.SqlClient"/>
  </connectionStrings>
·        Please refer to the image below:

·        Build the application
·        Navigate to website-> asp.net configuration


·        Navigate to security -> create user and create the desired users.

Step 7: Create a site collection to test the FBA configuration

·        Go to central admin and create a site collection using the web application configured above.

Step 8:  Test the connection to the site collection with SQL users using FBA

·        Navigate to the website url -> choose windows authentication
·        Navigate to users and groups and add the user created in step 6 to the read only user group, then logout from the website.
·        Login the application using forms authentication -> provide the user details of the user created in step 6.
·        Navigate the website as a forms user.