Configure forms-based authentication (Windows SharePoint Services)
Applies To: Windows SharePoint Services 3.0
Topic Last Modified: 2009-08-05
In this article:
About forms-based authentication
Configure forms-based authentication across multiple zones
Windows SharePoint Services 3.0 authentication is performed by an authentication mechanism that is supported by one of the available authentication providers. Providers are modules that contain the code necessary to authenticate the credentials of a requestor. Authentication for Windows SharePoint Services 3.0 is built on the ASP.NET authentication model and includes three authentication providers:
Windows authentication provider
Forms-based authentication provider
Web Single Sign-On (SSO) authentication provider
In addition, ASP.NET supports the use of pluggable authentication providers, which means that you can write an authentication provider to support any credential store that you want to use.
About forms-based authentication
The forms-based authentication provider supports authentication against credentials stored in Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms-based authentication enables user authentication based on validation of credential input from a logon form. Unauthenticated requests are redirected to a logon page, where the user must provide valid credentials and submit the form. If the request can be authenticated, the system issues a cookie that contains a key for reestablishing the identity for subsequent requests.
The forms-based authentication provider supports authentication against credentials stored in one of the following:
The Active Directory directory service
A database
An LDAP data store
To enable forms-based authentication for a Windows SharePoint Services 3.0 Web site and add users to the user account database, perform the following procedures.
Create a new site
On the home page of the SharePoint Central Administration Web site, click Application Management.
On the Application Management page, in the SharePoint Web Application Management section, click Create or extend Web application.
On the Create or Extend Web Application page, click Create a new Web application.
On the Create New Web Application page, in the Security Configuration section, make sure NTLM is selected under Authentication provider. Also, select Yes under Allow Anonymous.
Use the default entries to complete the new Web application creation procedure and click OK.
At this point, you have created a new site placeholder. Use the following procedure to create a site collection.
Create a site collection
On the top link bar, click Application Management.
On the Application Management page, in the SharePoint Site Management section, click Create site collection.
On the Create Site Collection page, in the Web Application section, verify that the Web application in which you want to create the site collection is selected.
If it is not, click Change Web Application on the Web Application menu. Then, on the Select Web Application page, click the Web application in which you want to create the site collection.
In the Title and Description section, type the title and description for the site collection.
In the Web Site Address section, under URL, select the path to use for your URL.
Note
If you select a wildcard inclusion path, you must also type the site name to use in the URL of your site. The paths available for the URL option are taken from the list of managed paths that have been defined as wildcard inclusions.
In the Template Selection section, in the Select a template list, select the template that you want to use for the top-level site in the site collection.
In the Primary Site Collection Administrator section, enter the user name (in the form domain\username) for the user who will be the site collection administrator.
If you want to identify a user as the secondary owner of the new top-level Web site (recommended), in the Secondary Site Collection Administrator section, enter the user name for the secondary administrator of the site collection.
If you are using quotas to limit resource use for site collections, in the Quota Template section, click a template in the Select a quota template list.
Click OK.
At this point, you have created a site collection. Use the following procedure to configure a forms-based authentication provider.
Configure a forms-based authentication provider
On the home page of the SharePoint Central Administration Web site, click Application Management.
On the Application Management page, in the SharePoint Web Application Management section, click Web application list.
On the Web Application List page, double-click the new Web application that you created in the previous procedure.
On the Application Management page, in the Application Security section, click Authentication providers.
On the Authentication Providers page, click the zone name for the authentication provider whose settings you want to configure.
On the Edit Authentication page, in the Authentication Type section, select Forms.
If you need to explicitly grant anonymous access to a site collection, in the Anonymous Access section, select the Enable anonymous access check box for all sites within the Web application. To disable anonymous access for all sites within the Web application, clear the Enable anonymous access check box.
Note
If you enable anonymous access here, anonymous access can still be denied at the site collection level or at the site level. However, if you disable anonymous access here, it is disabled at all levels within the Web application.
In the Membership Provider Name section, in the Membership provider name box, type the name of the membership provider that you want to use.
Note
If the Web application is going to support forms-based authentication, the membership provider must be correctly configured in the Web.config file for the IIS Web application that hosts SharePoint content on each Web server. The membership provider must also be added to the Web.config file for the IIS Web application that hosts Central Administration.
In the Client Integration section, under Enable Client Integration, make sure No is selected, and then click Save.
If you select Yes, features that start client applications according to document types will be enabled. This option will not work correctly with some types of forms-based authentication.
If you select No, features that start client applications according to document types will be disabled. Users will have to download documents and then upload them after they make changes.
If you have not installed Windows SharePoint Services 3.0 with Service Pack 2 (SP2), client integration is disabled by default when you use forms-based authentication. This is because client integration does not natively support forms-based authentication prior to Windows SharePoint Services 3.0 with SP2. When client integration is disabled, links to client applications are not visible and documents cannot be opened in client applications; documents can only be opened in a Web browser. However, users can download documents, edit them in client applications locally, and then upload them to the site.
If you have installed Windows SharePoint Services 3.0 with SP2, client integration is supported for Word, Excel, PowerPoint, and SharePoint Designer authoring.
After a user provides credentials, the system issues a cookie that identifies the user. On subsequent requests, the system first checks the cookie to see whether the user has already been authenticated, so the user does not have to supply credentials again.
If the user has not selected the Remember me? box on the logon page, the credential information is not cached on the client computer, and is valid only during the current session. This is especially important in a scenario where users are connecting from public computers or kiosks, where you would not want user credentials to be cached. Users are required to reauthenticate if they close the browser, log off from a session, or navigate to another Web site. Also, you can configure a maximum idle session time-out value to force reauthentication if a user is idle for a prolonged period of time during a session.
Configure forms-based authentication across multiple zones
Implementing forms-based authentication can interfere with search functionality. To enable search across content authenticated using a custom authentication mechanism, you must have the Default zone configured to support NTLM authentication. The Windows SharePoint Services 3.0 crawler polls zones in the following order:
Default zone
Intranet zone
Internet zone
Custom zone
Extranet zone
Note
If you use forms-based authentication and the Windows SharePoint Services 3.0 crawler polls a zone that is configured to support Kerberos authentication, the Windows SharePoint Services 3.0 crawler will fail.
Windows SharePoint Services 3.0 does not allow a Web application to work with the same provider name across multiple zones. You can configure the Web.config file to use the same provider for each zone; however, the name of the provider has to be unique for each zone.
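As an added example (not part of the original article), the following Web.config fragment shows how the membership provider named in the Membership provider name box is declared for a SQL Server credential store, and how two entries can share one provider type and one database while carrying unique names so that each zone uses its own. The server, database, connection string and provider names are placeholders, and the password-policy attribute values are choices made for this example.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example: server and database names are placeholders.
         The application pool identity must be able to read the membership tables. -->
    <add name="FbaUserStore"
         connectionString="Server=SQLSERVER01;Database=FbaUsers;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <!-- This <membership> section is added to the Web.config of the IIS Web application
         that hosts SharePoint content and to the Web.config of Central Administration. -->
    <membership>
      <providers>
        <!-- Provider for the Intranet zone. The name attribute is the value typed in the
             Membership provider name box for that zone in Central Administration. -->
        <add name="FbaMembersIntranet"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaUserStore"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
        <!-- Same credential store and same provider type, but a unique name for the
             Extranet zone, because one provider name cannot be shared across zones.
             passwordFormat="Hashed" requires enablePasswordRetrieval="false";
             storing passwords in clear text (passwordFormat="Clear") is not used here. -->
        <add name="FbaMembersExtranet"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaUserStore"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because each zone is a separate IIS Web application with its own Web.config, each zone's content Web.config needs only its own entry, while the Central Administration Web.config needs every provider name that any zone uses.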
For additional information on authentication mechanisms and samples for configuring forms-based authentication with multiple providers, see Plan for authentication (Windows SharePoint Services).