Thursday, January 13, 2011

SharePoint 2010: Configure Form Based Authentication (FBA)

I had worked with form based authentication in SharePoint 2007. In SharePoint 2010, however, there are a few changes in the way form based authentication works. In another post, "Form-Based Authentication with ADAM", I described how to implement ADAM-backed form based authentication in SharePoint 2007. Today I'll show you how to implement form based authentication using Active Directory Lightweight Directory Services (AD LDS). Starting with Windows Server 2008, ADAM is replaced by AD LDS; both are LDAP based.

FBA works only for claims based authentication sites

In SharePoint 2010, to use FBA you need to create the web application with claims based authentication, as shown below. Form based authentication will not work for a web application created with classic mode authentication.

Figure 1: Create web application in claims based authentication

If you don't create the web application with claims based authentication, you'll find the Forms Authentication option disabled in the Authentication Provider settings window, as shown below:

Figure 2: Forms authentication is disabled for web application created with "Classic Mode Authentication"

Step 1: Create a web application with Claims Based Authentication

Since form based authentication doesn't work with "Classic Mode Authentication", you can't configure it on a web application created in that mode. To configure form based authentication you need a web application created with claims based authentication. (If you want to use Windows authentication now and plan to use forms based authentication later, the best option is to create the web application with claims based authentication from the start.) FYI,

  • Creating a web application with claims based authentication allows you to use both Windows and forms authentication.
  • Creating a web application with classic authentication mode will not allow you to configure forms authentication easily.

Summary: In this step we'll create a web application using claims based authentication but with only Windows authentication enabled, as shown below. Later we'll configure the web application to use forms authentication.

Figure 3: Create claims based authentication web application with only Windows authentication enabled

Step 2: Add membership provider entries in web.config files

In this example I'm assuming you already have the membership provider configured; I used "Active Directory Lightweight Directory Services" to test this forms authentication. You need to modify three different web.config files (your web application, Central Administration and the STS config file). The modification is the same in all three places: add two entries (a connection string and a provider) to the web.config file, as described below.

Web Application’s web.config:

You need to put the following entries in the web.config file of your web application under the <configuration> node:

<connectionStrings>
    <add name="MyProviderConnectionString" 
         connectionString="LDAP://myserver/O=a,OU=b,C=c" />
</connectionStrings>

Code Snippet 1: Connection String to LDAP

Then find the <membership> node under <system.web> and add an entry for your provider (there should already be an entry named "i", added by SharePoint). As shown below, I've added a provider "MyProvider" to the providers list. The provider named "i" was already in the web.config file; SharePoint adds it when you create a web application with claims based authentication.

<membership defaultProvider="i">
  <providers>
    <!-- Added by SharePoint for claims based web applications; leave it in place -->
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <!-- Custom LDAP provider. connectionProtection="None" means an unsigned, unencrypted
         LDAP bind, and connectionPassword is stored in clear text in this file, so restrict
         who can read web.config. -->
    <add name="MyProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="MyProviderConnectionString"
         connectionUsername="CN=aa,CN=Admins,O=a,OU=b,C=c"
         connectionPassword="***"
         enableSearchMethods="true"
         connectionProtection="None" />
  </providers>
</membership>

Code Snippet 2: My custom provider (MyProvider) added alongside the default SharePoint provider (i).

SharePoint adds the provider named 'i' by default. I've defined my provider with the name MyProvider, and it uses MyProviderConnectionString. So your web.config file will look as shown below:

Figure 4: ConnectionString and Provider defined in web.config.

Security Token Service’s web.config file

You need to add the same entries to two other web.config files: the Central Administration web.config and the Security Token Service (STS) web.config. You can find the STS web.config as shown below; the default location is "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\Web.config".

Figure 5: Security Token Service (STS) web.config from IIS (Content View)

After opening the config file, add the two entries shown in Code Snippet 1 and Code Snippet 2.

Central Admin’s web.config file

Finally, open the web.config file of Central Administration and add the two entries shown in Code Snippets 1 and 2.
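The edit is identical in all three files, so it lends itself to a script. The following PowerShell is an added example and not part of the original post: it resolves the web application, Central Administration and STS web.config paths, takes a backup of each, and inserts the entries from Code Snippet 1 and Code Snippet 2 only if they are not already present. The URL, DN and provider values are placeholders copied from the snippets and must be replaced; the LDAP service account password is prompted for rather than written into the script.

```powershell
# Added example (not from the original post): apply Code Snippet 1 and 2 to the
# web application, Central Administration and STS web.config files.
# Run from the SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://myserver"                 # placeholder
$providerName = "MyProvider"
$connName     = "MyProviderConnectionString"
$connString   = "LDAP://myserver/O=a,OU=b,C=c"   # placeholder, from Code Snippet 1
$connUser     = "CN=aa,CN=Admins,O=a,OU=b,C=c"   # placeholder, from Code Snippet 2
$connPassword = Read-Host "Password for $connUser"  # prompted, never hard-coded here

# Resolve the three web.config paths named in the post
$zone    = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa      = Get-SPWebApplication $webAppUrl
$ca      = Get-SPWebApplication -IncludeCentralAdministration |
           Where-Object { $_.IsAdministrationWebApplication }
$stsPath = Join-Path $env:CommonProgramFiles `
           "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config"
$configs = @(
    (Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"),
    (Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"),
    $stsPath
)

function Add-FbaProvider([string]$path) {
    # Backup first; a malformed web.config takes the whole site down
    Copy-Item $path "${path}.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    [xml]$xml = Get-Content $path
    $cfg = $xml.configuration

    # <connectionStrings> sits directly under <configuration> (Code Snippet 1)
    $cs = $cfg.SelectSingleNode("connectionStrings")
    if (-not $cs) { $cs = $cfg.AppendChild($xml.CreateElement("connectionStrings")) }
    if (-not $cs.SelectSingleNode("add[@name='$connName']")) {
        $add = $xml.CreateElement("add")
        $add.SetAttribute("name", $connName)
        $add.SetAttribute("connectionString", $connString)
        [void]$cs.AppendChild($add)
    }

    # <membership><providers> under <system.web> (Code Snippet 2); create the
    # chain if a file (the STS one, for instance) does not have it yet
    $sw = $cfg.SelectSingleNode("system.web")
    if (-not $sw) { $sw = $cfg.AppendChild($xml.CreateElement("system.web")) }
    $m = $sw.SelectSingleNode("membership")
    if (-not $m) { $m = $sw.AppendChild($xml.CreateElement("membership")) }
    $p = $m.SelectSingleNode("providers")
    if (-not $p) { $p = $m.AppendChild($xml.CreateElement("providers")) }
    if (-not $p.SelectSingleNode("add[@name='$providerName']")) {
        $add = $xml.CreateElement("add")
        $add.SetAttribute("name", $providerName)
        $add.SetAttribute("type", "System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")
        $add.SetAttribute("connectionStringName", $connName)
        $add.SetAttribute("connectionUsername", $connUser)
        $add.SetAttribute("connectionPassword", $connPassword)
        $add.SetAttribute("enableSearchMethods", "true")
        # Same value as Code Snippet 2: a plain LDAP bind. "Secure" needs SSL or
        # signing on the directory side; change both ends together.
        $add.SetAttribute("connectionProtection", "None")
        [void]$p.AppendChild($add)
    }
    $xml.Save($path)
    Write-Host "Updated $path"
}

$configs | ForEach-Object { Add-FbaProvider $_ }
```

Because the script checks for an existing entry by name before adding one, it can be rerun safely; the entry named "i" that SharePoint added is left untouched.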

Step 3: Change the web application’s security settings to use Form Authentication

In Step 2 you added the provider information (connection string, provider name, username etc.) to three different web.config files. Now you need to tell the web application to use form based authentication through the provider defined in web.config. To do so, follow the steps below:

  1. Log in to the Central Administration site and click "Application Management" in the left navigation.
  2. Select your web application from the web application list and click "Authentication Providers" on the ribbon, as shown below:

    Figure 6: Configure Authentication Provider from Central Administration

  3. From the "Authentication Providers" dialog, click the zone (Default, Internet etc.) for which you want to configure forms authentication; you will be taken to the "Edit Authentication" page.
  4. On the Edit Authentication page, enter your provider name as shown below. You can enable both forms and Windows authentication if you want. As the note in red in the image below says, if you don't configure Windows authentication in any zone of the web application then crawling will be disabled. You can also enable anonymous access from this "Edit Authentication" page.

Figure 7: Enable forms authentication

Step 4: Assign/change site collection administrators for the site collections

As soon as you change the authentication type to forms, you must add a user from the provider defined in web.config to the site collection administrators.

  1. Click Application Management ==> Change Site Collection Administrators
  2. Then add users from your provider as site collection administrators, as shown below:

Figure 8: Add/Edit Site collection administrators

If you enable both Windows and forms authentication, it is better to have one site collection administrator from Windows and another from your forms authentication provider.

You are done!

If you have followed the steps, you are done. When you access the site you will be presented with the forms login page. If you enabled both forms and Windows authentication, you will first be asked to choose the authentication type, and then prompted for forms or Windows authentication accordingly.

For Your Information

A few points to note:

  • Form based authentication only works for web applications created with claims based authentication mode.
  • You need to modify three web.config files (your web application, Central Administration and the Security Token Service) to add your provider settings.
  • The recommendation is to create the web application with claims based authentication mode but using Windows authentication. Once you have modified those three web.config files, switch the web application to forms based authentication.
  • You can enable both Windows and forms authentication in a web application. In that case, add one site collection administrator from the forms authentication provider and another from Windows.
  • If you want the site data to be crawled, make sure at least one zone in the web application uses Windows authentication.
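Most failures with these settings come down to a wrong search base DN, a wrong port, or bind credentials the directory rejects, and the error SharePoint shows ("The security token username and password could not be validated") does not say which. The following PowerShell is an added example, not part of the original post: it binds to the directory with the same connection string and service credentials the provider will use, then runs the kind of search the provider performs when you browse for users. The connection string, bind DN and test user are placeholders taken from Code Snippet 1 and 2; the $LoginAttribute parameter is an assumption you adjust (sAMAccountName for AD and AD LDS, uid on many other LDAP servers), and a non-default port goes in the ADsPath as LDAP://host:port/DN.

```powershell
# Added example (not from the original post): check the LDAP values before
# putting them into the three web.config files.
param(
    [string]$ConnectionString = "LDAP://myserver/O=a,OU=b,C=c",  # placeholder (Code Snippet 1)
    [string]$BindUser         = "CN=aa,CN=Admins,O=a,OU=b,C=c",  # placeholder (Code Snippet 2)
    [string]$TestUser         = "someuser",                      # placeholder: an account you expect to find
    [string]$LoginAttribute   = "sAMAccountName"                 # assumption; "uid" on many non-AD servers
)
Add-Type -AssemblyName System.DirectoryServices

$bindPassword = Read-Host "Password for $BindUser"

# AuthenticationTypes.None is a simple bind, matching connectionProtection="None"
# in the provider. Use SecureSocketsLayer (or Secure) once the directory offers
# LDAPS, and change the provider's connectionProtection to match.
$authType = [System.DirectoryServices.AuthenticationTypes]::None

try {
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $ConnectionString, $BindUser, $bindPassword, $authType)
    # Reading NativeObject forces the bind; a bad host, port, DN or credential throws here
    [void]$root.NativeObject
    Write-Host "Bind OK as $BindUser to $ConnectionString"
} catch {
    Write-Host "Bind FAILED: $($_.Exception.Message)"
    return
}

# The provider's user lookup (enableSearchMethods="true") is a subtree search
# under the DN in the connection string, so the same search must succeed here.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)($LoginAttribute=$TestUser))"   # objectClass may differ on non-AD servers
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
$hit = $searcher.FindOne()

if ($hit) {
    Write-Host "Found $TestUser at $($hit.Properties['distinguishedname'][0])"
} else {
    Write-Host "Bind worked, but $TestUser was not found under the search base."
    Write-Host "Check the DN in the connection string, the login attribute, or the object class."
}
```

A bind failure points at the connection string or the service account; a successful bind with no search result points at the search base or the attribute the provider is matching the login name against. Either way the problem is found before the web.config edit and the STS are involved.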

19 comments:

  1. Awesome. i was reading Claims based authentication and this post helped me through
  2. Thanks for the awesome post on how to do this. I cannot get my forms-based authentication to work. when I try to login, I get 'The security token username and password could not be validated' followed by an ASP.NET error. Could this mean my LDAP settings are incorrect?
  3. Can you please check the log files in '14\logs' for more details errors? The log file may dump more error description that might be helpful.
  4. Nice Article !!
    For sharepoint 2007...

    http://kalashnikovtechnoblogs.blogspot.com/2011/04/change-windows-authentication-to-form.html
  5. Awesome post - this was very helpful to me in accomplishing this important activity. I found myself referring to this post along with this one:

    http://www.c-sharpcorner.com/UploadFile/nipuntomar/5105/

    Your post was more helpful in completing the web.config edits - the other post provided missing pieces in getting the sites running.

    Thank you for the effort - I'm sure this will save lots of folks time going forward.
  6. You can convert an existing web application to use Claims Based Authentication from PowerShell and afterwards you can enable FBA on that one. I already tested it. It works!
  7. @Morshed, it's good to know. What PowerShell command did you use?
  8. What is the meaning of o and c here? LDAP://myserver/O=a,OU=b,C=c
  9. If you are familiar with Active Directory, then it's easy to understand. You can get details of object naming here: http://technet.microsoft.com/en-us/library/cc977992.aspx
  10. Will you provide a PowerShell script for the same steps?
  11. Which tool did you use for editing the code? Looks really nice.
  12. Superb... you have explained it so easily!!! :) Thanks a lot, as you saved me tons of time without worry!!

    One addition to your steps: after following the first 3 steps, add "Membership provider name" as a group in the Owners group using Windows authentication in the site collection, then log off and log in with the forms authentication users created before.
  13. Hello

    You can change the authentication methods used by a web application after its creation.
    This works only from Classic to Claims Based.
    See http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=305

    Don't forget to change the site admin and all other user policies at the Central Admin level, as after the change 'classic' user accounts are unknown and you may get Access Denied.
  14. Sohel, could you please also share how to do this but to a Redhat Directory 7.1 LDAP server instead of AD LDAP?
    My LDAP info:
    EntryDN="uid=XXYYYYYY,ou=XX,o=HKSARG,c=HK"
    server host: test.try.hksarg

    thanks
  15. @LionCat, You got me :-((
    I'm not sure about Linux as I have never tried the settings with Linux, but do you have any specific problem in Linux based LDAP configuration? I think the LDAP connection details provided in this post should work, but I'm not sure.
  16. I'm so happy to have your reply Sohel!
    I tried your solution,
    but still cannot look up any users while "browse for users"; it shows "No users found",
    and I need an urgent solution from a guru like you.

    Let me clarify my problem:
    - I don't have the LDAP root or any superuser account, only an ordinary test account due to the security control design (should I simply omit the connectionUsername and connectionPassword?)

    - LDAP server port: 401 (instead of default 389), but the code you posted doesn't seem to address a port change

    - How should I replace the EntryDN parameter in connectionString and connectionUsername?
    My LDAP admin gave me this:
    . EntryDN="uid=XXYYYYYY,ou=XX,o=HKSARG,c=HK"
    . server host: test.asl.hksarg
    . LDAP guest account:
    . -LDAP Username: 00asl009
    . -User Password: password

    - When the user lookup fails, how could I troubleshoot whether it's a connection failure or an LDAP lookup parameter misconfiguration?

    Looking forward to your precious reply
  17. @LionCat, I think you should try to use the LDAP with the ASP.NET membership provider. Basically what you are doing in the web.config file is using the ASP.NET membership provider. Also, when you are getting the user not found error, you might find a related error message in the SharePoint log, or the Windows Event Viewer, or maybe the Linux log (if it exists).
  18. It's my pleasure to have your timely reply ^_^
    Now I'm able to look up users on LDAP using the config here:
    http://www.advantive.nl/advantive/blog/Pages/SharePoint2010withOpenLDAPnotsosmooth.aspx

    But then I cannot log in using FBA; it keeps saying:
    "The server could not sign you in. Make sure your user name and password are correct, and then try again. "

    The SharePoint 2010 logs show the following related messages; please suggest what I should do next:

    12/17/2012 10:57:26.63 w3wp.exe (0x0E48) 0x0E10 SharePoint Foundation Claims Authentication 0000 Unexpected Password check on '00api009' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.

    12/17/2012 10:57:26.63 w3wp.exe (0x0E48) 0x0E10 SharePoint Foundation Claims Authentication fo1t Monitorable SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).

    12/17/2012 10:57:26.63 w3wp.exe (0x13E8) 0x1A6C SharePoint Foundation Claims Authentication fsq7 High Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo) 46b8c1b7-b81b-40d7-a294-c4652167e02f

    12/17/2012 10:57:26.63 w3wp.exe (0x13E8) 0x1A6C SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: The security token username and password could not be validated.. 46b8c1b7-b81b-40d7-a294-c4652167e02f
  19. Followed all the steps here. When I try to add a forms auth user to the site I get the ever popular "Unexpected Error". Any thoughts?