Project Server 2010 - SQL+Claims Authentication
1 Introduction
Purpose
This document describes how to configure the Forms Based authentication using ASP NET SQL Membership provider to authenticate users for a Project Server 2010 instance.
This configuration is done for SharePoint 2010, and Project Server 2010 can then use this configuration to authenticate users.
Summary of Steps
The following steps need to be done:
1. Create the AspNet DB user/role repository: SQL database
2. Create a web application that uses claim based authentication
3. Update web.config file of Central Admin
4. Add some users in the database using IIS Manager
5. Update web.config file of the web application
6. Update web.config file of the STS (Secure Token Service) Application
7. Create a site collection specifying a Windows users as a primary admin and a user from SQL membership as the secondary admin
8. Test the connection to the root of the site collection as the secondary admin using FBA
9. Create the PWA instance
10. Test the connection to this PWA instance as the admin user
11. Create FBA users in PWA
The following examples values are used in these steps.
Variables |
Values |
SQL Server Instance Name |
SQLServer\instance1 |
Aspnet Database name |
aspnetDB |
Role Provider name |
AspNetSqlRoles |
Membership Provider Name |
AspNetSqlMembers |
Login as contoso\administrator.
a. Open c:\Windows\Microsoft.NET\Framework64\v2.0.50727, and find the aspnet_regsql.exe and double-click to launch.
b. Choose ‘Configure SQL Server for Application Services’ and click Next.
c. Click Next and enter the name of the SQL Server, in this case the server name will be SQL.
d. Confirm that we have our aspnetdb created in SQL Management Studio on the SQL server.
Create the AspNet DB user/role SQL repository in command prompt:
To create the SQL server database that will store the users and the roles, we can use the following tool from the .Net Framework: “aspnet_regsql”.
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql /? Lists the parameters
To create the SQL authentication store
1. Log on to any Windows Server on the farm running ASP.NET as a user with the DBCreate and SecurityAdmin permissions for the computer running SQL Server that will be used.
2. At a command prompt, run %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe -S <InsertSQLServerName> -d <InsertDBName> -E –A mr to create the authentication store database on the computer running SQL Server.
3. Add all farm accounts to the DBO role for this newly created database.
For the following steps we assume that the database name is called aspnetdb and the SQL instance is SQLServer\sqlInstance1
aspnet_regsql.exe -S SQLServer\Instance1 -d aspnetDB -E –A mr
OPTION 1: Create Users with Visual Studio 2010. Switch to your Client machine that has Visual Studio installed.
Important: |
Only use Option 1 if you have already installed Visual Studio 2010 in a previous Lab. |
2.
a. Launch the application. When you do you may see a prompt asking what environmental variables to use. Choose Visual C# Development Settings.
b. Click New Project on the Quick Launch bar.
c. Create an ASP.NET Web Application.
d. In Solution Explorer open up the web.config. We will need to change the connection string (see the Code entry below).
<connectionStrings>
<add name="ApplicationServices"
connectionString="Data Source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb;" providerName="System.Data.SqlClient" />
</connectionStrings>
e. Click Build and then Build Solution in the Visual Studio menu. After the solution builds, click Project and ASP.NET Configuration.
f. Click the Security tab on the Web Site Administration tool that launches. You will see headings for Users, Roles, and Access Rules.
g. Click the Enable Roles link in the middle pane and Create or Manage Roles.
h. Create new Roles:
i. Click Create User and create users.
We now have Roles and Users in the aspnetdb database for use in the rest of this lab.
Important: |
You may be prompted for which coding interface to use. If so, choose Visual C#. |
OPTION 2: Create Users in IIS 7.x. Using IIS to Populate Data for ASPNETDB We Created in Step Before.
a. Open IIS Manger on MSF1 Server
b. Select Default Web Site and Make Sure you are in Features View
c. Open Connection Strings Option under ASP.NET Section.
d. Click on LocalSqlServer Connection Sting & Provide SQL Server Name where you Created aspnetdb in Earlier Step also Provide name of Database Created.
e. Click ok
f. Once again Select Default Web Site & from Features View Click on .net Roles
g. Click on enable from Actions
h. Now Click on Add and Add .net Role to Database
i. Create few more Roles.
j. Now Go back to Features View for Default Web Site and Click on .NET Users
k. Click on Add and Create New user in aspnetdb
Create a web application that uses claim based authentication
1. Create a new Web application in Claims mode.
2. Go to the SharePoint Central Administration Web site.
3. Click Application Management.
4. On the ribbon, click New. A pop-up window appears.
5. In the pop-up window, select the Claims Based Authentication option.
6. In the pop-up window, in the IIS Web Site section, select a unique name and port number.
7. In the pop-up window, in the Security Configuration section, set Allow Anonymous = No and set User SSL to Yes or No, depending on whether the site you are extending will be SSL-enabled.
8. In the pop-up window, in the Identity Providers section, select Enable ASP.NET Membership and Role Provider and specify a provider name and role manager. For this example AspNetSqlRoles and AspNetSqlMembers and used respectively.
9. In the pop-up window, keep the default setting for Public URL.
10. In the pop-up window, in the Application Pool section, choose to create a new pool with a pool name and the account that will be used.
11. In the pop-up window, after Database Name set the value for the SQL server and database names for the content database.
12. Click OK to close the window. A new Web App will be created.
13. A Site Collection will be created later
Update web.config file of Central Admin
The web.config file of the Central administration needs to be updated in three places.
· PeoplePicker
· Add the membershitp/Role tags
· Add the SQL connection String
Before modifying the file do a backup of the original file.
To locate the web.config file, use IIS Manager and choose Explore after selecting the web site.
The parts in bold need to be added in the XML file.
And the grayed parts are the part where the values of the chosen variables need to be updated.
</SafeControls>
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembers" value="%" />
</PeoplePickerWildcards>
(…)
<sessionState mode="InProc" timeout="20" cookieless="UseCookies" />
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"
defaultProvider="AspNetWindowsTokenRoleProvider" createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear />
<add connectionStringName="SqlConn"
applicationName="/"
name="AspNetSqlRoles"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add applicationName="/"
name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="AspNetSqlMembers" userIsOnlineTimeWindow="15" hashAlgorithmType="">
<providers>
<clear />
<add connectionStringName="SqlConn"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
applicationName="/"
requiresUniqueEmail="false" passwordFormat="Hashed"
name="AspNetSqlMembers"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
(…)
</appSettings>
<connectionStrings>
<clear />
<!-- FBA Claims Auth-->
<add name="SqlConn" connectionString="data source= SQLServer\instance1;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
<!-- FBA Claims Auth-->
</connectionStrings>
</configuration>
Add some users in the database using IIS Manager:
Using IIS Manager Select the Central Admin web site and .Net Users command and add Users
Update web.config file of the web application
The web.config file of the new web application (the one you’ve setup with the claims authentication type) needs to be updated in three places.
· PeoplePicker
· Add/update the membership/Role tags (AspNetSqlRoles, AspNetSqlMembers)
· Add the SQL connection String
Caution: Some values are different then in the Central Admin configuration file
Before modifying the file do a backup of the original file.
To locate the web.config file, use IIS Manager and choose Explore after selecting the web site.
</SafeControls>
<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembers" value="%" />
</PeoplePickerWildcards>
(…)
<machineKey validationKey (…)/>
<roleManager cacheRolesInCookie="false" cookieName=".ASPXROLES" cookiePath="/" cookieProtection="All" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieTimeout="30" createPersistentCookie="false" defaultProvider="c" enabled="true" maxCachedResults="25">
<providers>
<clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i" hashAlgorithmType="" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
(…)
</microsoft.identityModel>
<connectionStrings>
<clear />
<!-- FBA Claims Auth-->
<add name="SqlConn" connectionString="data source=SQLServer\instance1;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
<!-- FBA Claims Auth-->
</connectionStrings>
</configuration>
Update web.config file of the STS (Secure Token Service) Application
The web.config file of the new STS web application (the one you’ve setup with the claims authentication type) needs to be updated in two places.
· Add the membershitp/Role tags (AspNetSqlRoles, AspNetSqlMembers)
· Add the SQL connection String
This web.config file should be located at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.
Before modifying the file do a backup of the original file.
The original file:
</system.serviceModel>
<system.webServer>
<security>
To update the file add this section:
</system.serviceModel>
<connectionStrings>
<clear />
<!-- FBA Claims Auth-->
<add name="SqlConn" connectionString="data source=SQLServer\instance1;Integrated Security=SSPI;Initial Catalog=aspnetdb"
providerName="System.Data.SqlClient" />
<!-- FBA Claims Auth-->
</connectionStrings>
<system.web>
<membership defaultProvider="AspNetSqlMembers">
<providers>
<add connectionStringName="SqlConn"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10"
requiresUniqueEmail="false" passwordFormat="Hashed"
applicationName="/"
name="AspNetSqlMembers"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add connectionStringName="SqlConn"
applicationName="/"
name="AspNetSqlRoles"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<system.webServer>
<security>
Create a site collection specifying a Windows users as a primary admin and a user from SQL membership as the secondary admin
We will now create a site collection on this web application.
1. Go to Central Administration site
2. Create site collections (under Application Management)
3. Ensure the web application with claims authentication enabled is selected in the web application drop-down.
4. Provide a title and description for the site collection
5. Select a template.
6. Specify a normal Windows user as primary site collection administrator
7. For the secondary site collection administration, specify the administrator user from the AspNetSqlMembers provider.
Test the connection to the root of the site collection as the secondary admin using FBA
Enter your FBA admin account username and password
Create the PWA instance
Create a new Project Web App instance using the Web application created in step 2.
Specify as the admin account either a Windows account or a membership user.
Test the connection to this PWA instance as the admin user
Create FBA users in PWA
To create FBA users in PWA go to Manager Users.
Use the following syntax “membershipname|username” ,for example AspNetSqlMembers|Jason