Configuring Forms Based Authentication in SharePoint 2010
Hopefully folks are starting to get some use out of the multitude of SharePoint 2010 postings I’ve been tossing up here. This is a new one that I was a little hesitant to put together…given my history in SharePoint 2007 I don’t want to become typecast but…in this post I’ll give a quick walk through on creating a forms based authentication site in SharePoint 2010.
For those of you who’ve read my various blogs (https://blogs.msdn.com/sharepoint/archive/2006/08/16/702010.aspx being the most popular) and three-part series on FBA for SharePoint 2010 (part 1 starts here: https://msdn.microsoft.com/en-us/library/bb975136.aspx), most of this should look pretty familiar. We’re going to follow a very similar process to what we did in SharePoint 2007, with a couple of twists. At a high level, we’re going to:
1. Create a new web application
2. Configure support for FBA in central admin, our new web app, and a new thing in SharePoint 2010 called the STS web service
3. Add a User Policy to our web app that will grant an FBA user rights to the site
4. Login to the site and start using it!
For our example we’ll use the LDAP provider that ships in SharePoint 2010 for our directory. Let’s look at each of these steps in more detail now.
Step 1 – Create a New Web Application
Start by going to the Central Administration web site. Click on Manage Web Applications, then click on the New button in the ribbon to create a new web application. In the new web application dialog we’re going to select the following settings:
· Authentication: Claims Based Authentication
· Identity Providers
  o Check the Enable Windows Authentication box or you won’t be able to crawl the site
  o Check the Enable ASP.NET Membership and Role Provider checkbox
    § In the Membership provider name edit box, type LdapMember
    § In the Role provider name edit box, type LdapRole
· I won’t cover all of the other sections in the new web app dialog because they aren’t specific to using FBA, so just fill them in with whatever values are appropriate for your implementation
When you’re all done click the OK button to create the new web application. Now that the web app is created, I Highly Recommend That You Create A New Site Collection In It Now! I’ll move forward assuming you have done as I’ve suggested. Now…okay – step 1 is done, let’s keep moving.
Step 2 – Configure FBA Support
This step is where we go through that same process as 2007, where we need to add some entries to the web.config file for our web application, and we need to do it on each web front end in the farm. The basic chunk of Xml we’re going to work with for the LDAP provider looks like this; the parts you will want to change for your implementation are the environment-specific values (the server, port, useSSL setting and the user and group containers, shown here with my sample values):
<membership>
  <providers>
    <add name="LdapMember"
      type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
      server="stevedc.steve.local"
      port="389"
      useSSL="false"
      userDNAttribute="distinguishedName"
      userNameAttribute="sAMAccountName"
      userContainer="CN=Users,DC=steve,DC=local"
      userObjectClass="person"
      userFilter="(ObjectClass=person)"
      scope="Subtree"
      otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" >
  <providers>
    <add name="LdapRole"
      type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
      server="stevedc.steve.local"
      port="389"
      useSSL="false"
      groupContainer="CN=Users,DC=steve,DC=local"
      groupNameAttribute="cn"
      groupNameAlternateSearchAttribute="samAccountName"
      groupMemberAttribute="member"
      userNameAttribute="sAMAccountName"
      dnAttribute="distinguishedName"
      groupFilter="(ObjectClass=group)"
      userFilter="(ObjectClass=person)"
      scope="Subtree" />
  </providers>
</roleManager>
Copy this chunk of Xml into something like notepad and change the environment-specific values (server, port, useSSL and the containers) to values that will work in your environment. Now you can copy from there into each of the config files we need to change. Unfortunately we’ll need to use a slightly different version of this in each web.config file. Let’s start with the easy one first – central admin. Find the web.config file for central admin and open it up in your favorite editor, like notepad. Scroll down to the <system.web> entry, and paste the entire chunk of Xml directly below it. Save your changes and the first one’s done.
The next one we’re gonna hit is the web.config for the Security Token Service (STS) virtual directory. Explaining what the STS does, what claims based auth is, etc. is all way beyond the scope of this posting, but we’ll get to those things in time. For now, we need to find the directory where its web.config file is, and the easiest way to do that is to open the IIS Manager. Expand the plus sign next to the server name. Expand the plus sign next to the Sites object. Expand the plus sign next to the SharePoint Web Services virtual directory. Beneath it, find the SecurityTokenServiceApplication virtual directory. Click on it, then click on the Content View button in the bottom of the middle part of the screen. That will cause the Explore link to appear in the Actions pane on the right hand side of the screen (it’s the third link down from the top). Click the Explore link and Windows Explorer will open up and you will see the web.config file you need to work with. Open up the web.config file in a text editor and scroll all the way down to the bottom. Directly under the </system.net> entry, do the following:
1. Add a <system.web> entry and press enter.
2. Copy and paste in the chunk of Xml shown above.
3. Add a </system.web> closing tag directly below the stuff you pasted in.
4. Find the <roleManager> element in the chunk of Xml you pasted in, and delete the defaultProvider attribute. That leaves your roleManager element looking like this: <roleManager enabled="true">
Save your changes and the second one’s done. Now, go find the web.config file for the new FBA web application you created and open it up in notepad. When you configured the web application to support claims based authentication, it automatically added in some Membership and Role provider information that points to a custom set of providers SharePoint 2010 adds out of the box. So all we need to do is to just add our provider into the correct section in the web.config. IMPORTANT: For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing. The Role provider is listed first, and the Membership provider is listed second. Scroll down the web.config file until you find the roleManager element (it’s a ways down there). Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> sections. So you will paste in just this part (with your site specific info replacing the server and container values):
<add name="LdapRole"
  type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="stevedc.steve.local"
  port="389"
  useSSL="false"
  groupContainer="CN=Users,DC=steve,DC=local"
  groupNameAttribute="cn"
  groupNameAlternateSearchAttribute="samAccountName"
  groupMemberAttribute="member"
  userNameAttribute="sAMAccountName"
  dnAttribute="distinguishedName"
  groupFilter="(ObjectClass=group)"
  userFilter="(ObjectClass=person)"
  scope="Subtree" />
Now scroll down a little more and do the same thing to add in your Membership provider. Find the <membership><providers> element and right below it paste in the membership provider stuff from the chunk of Xml above (with your site specific info replacing the server and container values):
<add name="LdapMember"
  type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
  server="stevedc.steve.local"
  port="389"
  useSSL="false"
  userDNAttribute="distinguishedName"
  userNameAttribute="sAMAccountName"
  userContainer="CN=Users,DC=steve,DC=local"
  userObjectClass="person"
  userFilter="(ObjectClass=person)"
  scope="Subtree"
  otherRequiredUserAttributes="sn,givenname,cn" />
Okay, good – now you’ve finished step 2. The hardest part is done.
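The three edits in this step differ only in where the chunk lands and whether the defaultProvider attribute survives, which makes them easy to script and, more usefully, easy to check. The following is an added Python example of my own, not code from the post or from SharePoint. It applies each placement rule with the standard library's ElementTree to small constructed web.config fragments, and it audits the chunk for the setting a reviewer would question first: useSSL="false" on port 389 means the LDAP traffic between the web front end and the directory, including the simple-bind credentials used when a forms user signs in, crosses the network unencrypted. The function names, the three SAMPLE_* fragments, the provider names "c" and "i" and the placeholder type strings in the web-app sample are all my stand-ins for what SharePoint actually writes.

```python
# Added example, not code from the post or from SharePoint: applies the Step 2
# placement rules to constructed web.config fragments and audits the chunk.
import copy
import xml.etree.ElementTree as ET

# The post's provider chunk (with its sample server and containers), wrapped in a
# throwaway <chunk> root so the two top-level elements parse as one document.
PROVIDER_CHUNK = """<chunk>
<membership><providers>
  <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="stevedc.steve.local" port="389" useSSL="false" userDNAttribute="distinguishedName"
    userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=steve,DC=local" userObjectClass="person"
    userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
</providers></membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"><providers>
  <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    server="stevedc.steve.local" port="389" useSSL="false" groupContainer="CN=Users,DC=steve,DC=local"
    groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member"
    userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)"
    userFilter="(ObjectClass=person)" scope="Subtree" />
</providers></roleManager>
</chunk>"""

# Constructed stand-ins for the three real web.config files; "c"/"i" and the
# placeholder type strings only mimic the claims providers SharePoint writes.
SAMPLE_CA = '<configuration><system.web><httpRuntime maxRequestLength="51200" /></system.web></configuration>'
SAMPLE_STS = '<configuration><system.net><connectionManagement /></system.net></configuration>'
SAMPLE_WEBAPP = """<configuration><system.web>
<roleManager enabled="true" defaultProvider="c"><providers><add name="c" type="placeholder-role-provider" /></providers></roleManager>
<membership defaultProvider="i"><providers><add name="i" type="placeholder-membership-provider" /></providers></membership>
</system.web></configuration>"""


def _child(parent, tag):
    """First direct child with this tag; iterating sidesteps ElementPath and dotted tag names."""
    for elem in parent:
        if elem.tag == tag:
            return elem
    raise KeyError(f"<{tag}> not found under <{parent.tag}>")


def load_chunk(chunk_xml=PROVIDER_CHUNK):
    """Fresh copies of <membership> and <roleManager>, so each config gets its own."""
    root = ET.fromstring(chunk_xml)
    return copy.deepcopy(_child(root, "membership")), copy.deepcopy(_child(root, "roleManager"))


def patch_central_admin(config_xml):
    """Central admin: the whole chunk goes directly below <system.web>."""
    root = ET.fromstring(config_xml)
    membership, role_manager = load_chunk()
    system_web = _child(root, "system.web")
    system_web.insert(0, membership)
    system_web.insert(1, role_manager)
    return ET.tostring(root, encoding="unicode")


def patch_sts(config_xml):
    """STS: new <system.web> right after </system.net>, chunk inside, and the
    defaultProvider attribute removed from <roleManager>."""
    root = ET.fromstring(config_xml)
    membership, role_manager = load_chunk()
    role_manager.attrib.pop("defaultProvider", None)
    system_web = ET.Element("system.web")
    system_web.extend([membership, role_manager])
    root.insert(list(root).index(_child(root, "system.net")) + 1, system_web)
    return ET.tostring(root, encoding="unicode")


def patch_web_app(config_xml):
    """FBA web app: only the two <add> entries, each pasted as the first child of
    the <providers> element SharePoint already created (roleManager sits above membership)."""
    root = ET.fromstring(config_xml)
    membership, role_manager = load_chunk()
    system_web = _child(root, "system.web")
    for section, chunk in (("roleManager", role_manager), ("membership", membership)):
        providers = _child(_child(system_web, section), "providers")
        new_add = _child(chunk, "providers")[0]
        if not any(a.get("name") == new_add.get("name") for a in providers):  # idempotent
            providers.insert(0, new_add)
    return ET.tostring(root, encoding="unicode")


def provider_names(config_xml, section):
    """Provider names under <system.web>/<section>/<providers>, in file order."""
    providers = _child(_child(_child(ET.fromstring(config_xml), "system.web"), section), "providers")
    return [add.get("name") for add in providers]


def role_default_provider(config_xml):
    """Value of <roleManager defaultProvider=...>, or None once it has been removed."""
    return _child(_child(ET.fromstring(config_xml), "system.web"), "roleManager").get("defaultProvider")


def audit_chunk(chunk_xml=PROVIDER_CHUNK):
    """Flag providers whose LDAP traffic (including simple-bind passwords) would be cleartext."""
    return [f'{add.get("name")}: useSSL is not "true", so binds to {add.get("server")}:{add.get("port")} are unencrypted'
            for add in ET.fromstring(chunk_xml).iter("add") if add.get("useSSL", "").lower() != "true"]


if __name__ == "__main__":
    for finding in audit_chunk():
        print("WARNING", finding)
    print(patch_sts(SAMPLE_STS))
```

ElementTree drops XML comments and does not preserve the original whitespace, and real web.config files are large and heavily commented, so treat the patch functions as an executable statement of the placement rules and the audit as something you can run against your own chunk before pasting it in; if you do write a real file with it, back the file up first.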
Step 3 – Add A User Policy
This part is basically exactly the same as you did in SharePoint 2007, with a couple of very minor differences. Go to the central admin site and click on Manage web applications. Click on your new FBA web application, then click on the User Policy button in the ribbon; this brings up the User Policy dialog. Now do the following steps:
1. Click on the Add Users link.
2. In the Zones drop down, select the Default zone and click the Next button.
3. Click the Address Book icon. This will bring up the people picker and will let you know real quickly whether everything is configured correctly or not. The first thing you should notice is that you see a new interface. I think it’s going to be called the Principal Picker or some other equally nerdy name, but you get the point – it allows you to search in one dialog and show matches from all of the directories you have configured. It’s pretty slick. So go ahead and type in the NT login name or account name (use whatever nomenclature you prefer here) and click the search button. If it’s working correctly you should see at least two entries for the account – one that is for the user’s Active Directory account, and one that is for that same account but which was found using the LDAP provider.
4. Select the account in the User section and click the Add button.
5. Click the OK button.
6. Check the Full Control checkbox, then click the Finish button.
That’s it – everything should be all configured now for you to log into your new FBA site.
Step 4 – Login
Go ahead now and navigate to the site in your FBA web application. You should get an initial prompt where it asks you what kind of authentication you want to use to access the site – Windows Authentication or Forms Authentication. Select Forms Authentication from the drop down and the page posts back with a standard forms login page. Enter the credentials of the user to which you granted the Full Control user policy and you should log into the site. Now you can start adding other FBA members and roles into SharePoint groups so they can access the site too.
All Done!
Well, that’s all there is to it. If you’ve never done it before it probably seems kind of complicated, just like the first time folks did it in SharePoint 2007. If you have set it up before in SharePoint 2007 though, the process probably seems pretty straightforward. Hopefully this post will get everyone moving in the right direction and able to start using FBA with their new SharePoint 2010 sites. Good luck!
Comments
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Hi Tajeshwar, I will try and answer your questions here:
- For all scenarios where you need multiple authentication providers but don't need or want different Urls. This is definitely a smaller case than the typical use of FBA in SharePoint 2007, where you would create a different zone and auth for external users. I've already seen one case in one of the SharePoint 2010 pre-release programs where this is exactly what the customer wanted. This is really just a value add; it doesn't preclude you from creating additional zones as you did in SharePoint 2007.
- You need to configure providers in the STS web.config because all FBA auth in 2010 uses the claims infrastructure, and the SharePoint STS is like our "claims processing engine" in SharePoint 2010.
- I'm not aware of any detailed documentation on this yet. Steve
Anonymous
January 01, 2003
Hi, I have implemented the form authentication in sharepoint. The users are coming nice and authenticating too, but the problem is after authenticating the user, the user is not redirected to the home page of the site; instead it redirects to the signin page. Please provide any solution to redirect to the home page. I am using the default login page. kamlesh
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Thanks Steve. I managed to get the PeoplePicker working ok. FBA flat out refuses to work though, with no insight in the logs. My next move is to use the credentials of an LDAP account, and not use the SharePoint app pool account.
Anonymous
January 01, 2003
Hi Steve, This is a really great article. Please can you let me know which default claims are available on user authentication using Forms based authentication to SharePoint 2010. Can custom claims about the authenticated user be retrieved? How is it achieved? Thanks.
Anonymous
January 01, 2003
Good stuff. I just tried this with an ADLDS directory (single machine - SP2010, AD, SQL). I cannot get it to work for me. I configured the web.configs as described above for all 3 web apps. When I do a peoplepicker in central admin, it cannot find my ADLDS users. Any thoughts?
Anonymous
January 01, 2003
Steve, Very nicely written article. Few questions
- We have now options for multiple auth methods in same zone. Could you describe some scenarios where this will be applicable.
- Why do we need to configure providers in the STS service app web.config?
- Do we have some detailed documentation on this new architecture for claims and multiple auth methods in same zone. Thanks Taj
Anonymous
January 01, 2003
This process is working for me but I have recently run into a problem with Visual Studio 2010 in that I am unable to add a new Content Type item or Event Receiver to a project that utilizes a site that has been configured for claims-based authentication. It works if I use classic authentication but I would prefer the approach taken here. By any chance, do you receive the error "Attempted to perform an unauthorized operation" if you create an empty project for an existing SharePoint site using claims based authentication and attempt to add a new Content Type item to the empty project? Thanks, Leo
Anonymous
January 01, 2003
In case someone comes here and is looking for a similar guide on how to setup an ASPNET SQL provider: http://blogs.msdn.com/sridhara/archive/2010/01/15/setup-claims-using-aspnetsqlmembershipprovider.aspx Also - and it may not be helpful in all cases - but in my case I wanted the custom provider available to ALL sites... So, following this tip: http://blog.sharepointengine.com/2009/01/iis-70-cannot-get-membership-provider.html, I just setup the providers using IIS 7 (connection string, role, and members) Cheers, Rich
Anonymous
January 01, 2003
I've had pretty good luck configuring this so far, but some problems: When I search on my name in the address book, I come up twice, both listed under AD. Could this be because I have pointed the LDAP provider settings in all the XML above to the same server that is our Active Directory server? My goal here is to be able to have users sign in with an SSL-secured form using their AD credentials when they are accessing from the outside, and just use IWA when they are on the LAN. IWA is working fine. I was hoping that I would not have to authorize people twice to the site, but it looks like that might be the case.
Anonymous
June 12, 2010
Hi Steve, Did you do this with IIS 6 or IIS 7? I have a custom membership / role provider and have followed everything correctly. The authentication fails with error "failed to validate user name and password". I can see that my custom provider is not being hit using profiler. It is a provider I have been using in 2007 without any problem. Now, I can see these providers in IIS 7 but when I try to set the default it says it's not trusted. The config sections are locked for me, maybe a permissions issue but I can try it later. Do you think this would be the problem, i.e. not having it as a trusted provider in IIS 7.0 although it's listed? I think if I just switch to classic mode in IIS it will isolate it to just sharepoint and asp.net. Any thoughts? Regards Yogesh Pawar
Anonymous
July 06, 2010
Hi Steve, Great article, thank you! We are purchasing the external connector and I was wondering if I could use FBA. For example, I am Lynne Internet-User and I want this user to read my blog, but register to add content. How do I get Lynne Internet-User as a user in SharePoint? Thanks, Lynne
Anonymous
July 23, 2010
The comment has been removed
Anonymous
July 26, 2010
If you want to use ready-made solutions for the management of FBA users, you should take a look here: www.devit.eu/.../121-fba-manager-sp2010-forms-based-authentication.aspx
Anonymous
August 04, 2010
Hi Steve, Nice article!!! I am working on a MOSS2010 site to enable FBA with LdapMembershipProvider. Completed all changes in the corresponding web.config files and reached step #4 - Login mentioned above. In this stage I am getting the form login, but as I provide user credentials, it isn't able to validate them. Getting error: The server could not sign you in. Make sure your user name and password are correct, and then try again. (user added successfully under user policy for the MOSS2010 site) Could you please provide some hints on this issue. Thanks.
Anonymous
August 09, 2010
Hi Steve, Thanks for a nice article, I have followed it to the letter, but my peoplepicker is empty - can't get any of my users from my LDAP. Is there any way I can test if I have set up my connection to the LDAP correctly? Or do you have any other hints? br. Lars
Anonymous
August 19, 2010
Having same issue as nikky. Did you get any results nikky?
Anonymous
August 26, 2010
Steve, The article was very clear and helpful--thanks. Question (for Steve or anyone else, for that matter): I'm able to see entries in Active Directory and Forms Auth in the People Picker, which I assume means the connection to Active Directory is configured correctly. When I navigate to the site collection, however, I get a "server error in '/' application" page. It says that the farm is unavailable (invalidoperationexception). If it's helpful, I can post the Stack Trace. Any ideas or suggestions for what I should try? Thanks, Steven
Anonymous
August 28, 2010
Very comprehensive walk through on configuring FBA. Thanks a lot!
Anonymous
August 30, 2010
Hi, I'm trying to do the same, but for Search Server Express 2010. The XML code above doesn't work, because "Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" doesn't exist on SharePoint Foundation and Search Server Express 2010. Does someone have an idea or a site that shows how to do it? Regards
Anonymous
October 18, 2010
Thanks for the great post. I've given this a go but am seeing HTTP 500 Internal Server Error when I try visiting the web application set up for forms based auth. Any ideas? I've gone through and reread your post probably five times trying to figure out where I went wrong
Anonymous
November 03, 2010
So I resolved the HTTP 500 error message. It is an issue with alternate access mappings. Once I fixed this, all was well.
Anonymous
November 10, 2010
Tim, can you please provide details of what the issue with alternate access mapping was and how you resolved it? I am getting the same error as well.
Anonymous
November 26, 2010
Hello, I set it up as you said, and I'm not getting any errors, but when I log in with a FBA user, I get a SharePoint Access denied, even though the user has full control on the web app. Anyone know what I can do about that? Thanks!
Anonymous
December 01, 2010
The comment has been removed
Anonymous
December 16, 2010
Do your configurations above allow us to have forms authentication and Windows Authentication within the same farm? I am looking to go forms auth only on a few web applications.
Anonymous
February 17, 2011
Hi Steve Peschka, Could you please give me the full path of the three web.config files? I cannot see the path of web.config in the central admin part & the path of web.config in the FBA part. Thank You & Best Regards, NVSang
Anonymous
April 01, 2011
Everything works as expected following your post but now I've got weird account names like 'i:0#.f|ldapmember|administrator'. I guess this comes from the membership provider but it looks really ugly. Is there a way to specify an account name format other than changing the full name of every member from the central admin? Thanks.
Anonymous
May 31, 2011
I'm having the same issue as Nikky and Joe. It looks like I've set up everything correctly, I'm able to find users in the CA and add them to the User Policy. But when they try to log in it says "The server could not sign you in". The logs show Event ID 8306 and the message: "The security token username and password could not be validated". Google/Bing results are actually quite limited and not much help at all! Anyone?
Anonymous
June 01, 2011
People who are looking for FBA authentication without LDAP may find this post useful: http://www.mroffice365.com
Anonymous
July 08, 2011
I have the same problem as TJ. Users can be added to the site in central admin and in the webapp. But logging in fails! Anyone with a solution for this?
Anonymous
July 14, 2011
The <membership> and <rolemember> tags already exist in the central admin web.config file just above the </system.web> tag. Also, this portion is incorrect, at least it was for me, for the RTM version: "IMPORTANT: For those of you who are used to doing this for SharePoint 2007, please note that the providers are in the opposite order of what you are used to seeing. The Role provider is listed first, and the Membership provider is listed second. Scroll down the web.config file until you find the roleManager element (it’s a ways down there). Copy out just the role provider definition from the chunk of Xml above and paste it below the <roleManager><providers> sections." These tags are in the reverse order that you state. Also, in my case the people picker didn't work if I didn't add the following to the peoplepickerwildcards entry in central admin and in the web app: <clear /> <add key="AspNetSqlMembershipProvider" value="%" /> <add key="LdapMember" value=""/> <add key="LdapRole" value=""/>
Anonymous
July 21, 2011
Hi, I had exactly this problem and it turned out to be the ms-DS-UserAccountAutoLocked and sDS-UserAccountDisabled attributes for the users in ADAM which would not login. In particular the sDS-UserAccountDisabled was set to TRUE. Changing this to false resolved the problem. Worth checking out.... Cheers, Brian.
Anonymous
October 14, 2011
How to add a user in web.config? Please give me any idea, thanks. (http://j2me-aspnet.blogspot.com)
Anonymous
November 29, 2011
Nice Article. Thanks for sharing. Best Regards, Amalaraja Fernando Technical Architect - Mphasis Limited
Anonymous
March 07, 2012
Where is it that you specify a connection string?
Anonymous
April 09, 2012
Here is the Article which walks through with step by step instructions on how to configure AD LDS with SharePoint 2010: salaudeen.blogspot.in/.../configuring-ad-lds-with-sharepoint-2010.html
Anonymous
August 02, 2012
Nice post. Also read how to setup FBA using IIS: csharpdotnetfreak.blogspot.com/.../sharepoint2010-forms-based-authentication-fba-claims.html
Anonymous
November 22, 2012
Hello Steve, Thanks for the nice article! It's working fine for me. Now I have one more scenario. I have done form based authentication from active directory in a sharepoint foundation 2010 intranet application. And I have one more application, Sharepoint 2007, which is windows authentication. Now I have to give a link from the sharepoint 2010 site which redirects to the Sharepoint 2007 site, and I don't want to authenticate the user already logged in to the sharepoint 2010 site again in the sharepoint 2007 site. One more scenario is we have one system and more than one user. Is there any way to authenticate users in the scenario I have? Thanks in Advance
Anonymous
September 16, 2014
Configuring Forms Based Authentication in SharePoint 2010 - Share-n-dipity - Site Home - TechNet Blogs
Anonymous
September 18, 2014
The comment has been removed