I had worked with form based authentication in SharePoint 2007. However, in SharePoint 2010, there’s few changes in the way form based authentication works. In my another post “Form-Based Authentication with ADAM”, I had described how to implement ADAM form based authentication in SharePoint 2007. Today I’ll show you how you can implement Form Based authentication using Active Directory Lightweight Directory Service. From windows server 2008, ADAM is replaced by Active Directory Lightweight Directory Service and both are LDAP based.
FBA works for only for Claims based authentication sites
In SharePoint 2010 to use FBA, you need to create a web application with Claims based authentication as shown below. Form based authentication will not work for web application created with classical authentication.
Figure 1: Create web application in claims based authentication
If you don’t create the web application with Claims Based Authentication then you’ll find the Forms Authentication type disabled in Authentication Provider settings window as shown below:
Figure 2: Forms authentication is disabled for web application created with “Classic Mode Authentication”
Step 1: Create a web application with Claims Based Authentication
Since form based authentication doesn’t work with “Classical Mode Authentication”, you can’t configure form based authentication with web application created with “classic mode authentication”. So to configure Form based authentication you need to have an web application created with Claims based authentication. (If you want to use windows authentication now and have plan to use forms based authentication later, then the best will be to create the web application with Claims based authentication). FYI,
- Creating a Claims based authentication will allow you to use both windows and form authentication.
- Creating a site with classic authentication mode will not allow you to configure the site to use form authentication easily.
Summary: In this step we’ll create an web application using Claims Based Authentication but use windows authentication as shown below. Later we’ll configure the site to use form authentication.
Figure 3: Create Claims based authentication web application with only windows authentication enabled
Step 2: Add membership provider entries in web.config files
In this example I’m considering you have the member provider configured already. I’ve been used “Active Directory Lightweight Directory Service” to test this form authentication. You need to modify three different web.config files (your web application, central admin and STS config file). Modifications to the three files are adding two entries (providers, connectionstring) to web.config file which are described below for three different places:
Web Application’s web.config:
You need to put the following entries in the web.config file of your web application under Configuration node:
<connectionStrings> <add name="MyProviderConnectionString" connectionString="LDAP://myserver/O=a,OU=b,C=c" /> </connectionStrings>
Code Snippet 1: Connection String to LDAP
Then find the <membership> node under <system.web> and add an entry for your provider (There should be an entry with name i, added by SharePoint already). As shown below I’ve added a provider “MyProvider” in the providers list. The provider with name “i" was already in the web.config file which is added by SharePoint when you create an web application with claims based authentication.
<membership defaultProvider="i"> <providers> <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=184.108.40.206, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> <add name="MyProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web,Version=220.127.116.11,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="MyProviderConnectionString" connectionUsername="CN=aa,CN=Admins,O=a,OU=b,C=c" connectionPassword="***" enableSearchMethods="true" connectionProtection="None" /> </providers> </membership>
Code Snippet 2: My custom provider (MyProvider) added alongside the default SharePoint provider (i).
SharePoint by default add the provider with name ‘i’. I’ve defined my provider with name MyProvider and the provider is using MyProviderConnectionString. so your web.config file will look like as shown below:
Figure 4: ConnectionString and Provider defined in web.config.
Security Token Service’s web.config file
You need to add the same entries for two other web.config files. One is central admin web.config file. Another one is Security Token Service (STS). You can find the STS web config file as shown below. The default location is “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\Web.config”.
Figure 5: Security Token Service (STS) web.cofig from IIS (Content View)
After opening the config file, add the two entries as shown in code snippet 1 and code snippet 2.
Central Admin’s web.config file
Finally you need to open the web.config file of central administration and add the two entries shown in code snippet 1 and 2.
Step 3: Change the web application’s security settings to use Form Authentication
So in Step 2, you have added the provider information (connection string, provider name, username etc) in three different web.config files. Now you need to tell the web application to use Form based authentication by connecting through your provider defined in web.config file. To do so follow the steps below:
- Login to central administration site and click “Application Management” from left side navigation.
- Select your web application from web application list and click “Authentication Providers” from ribbon as shown below:
Figure 6: Configure Authentication Provider from Central Administration
- From the “Authentication providers” dialog click on the zone (Default, internet etc) you want to configure the form authentication and then you will be redirected to “Edit Authentication” page.
- In the Edit Authentication page, Put your provider name as shown below. You can enable both form and windows authentication if you want. As shown in the read in the image below, if you don’t configure windows authentication in any zone of the web application then crawling will be disabled. If you want you can enable anonymous login from this “Edit Authentication” page.
Figure 7: Enable Form authetication
Step 4: Assign/change site collection administrators for the site collections
As soon you change the authentication type to form, you will have to assign an user (from your provider defined in web config file) to the site collection administrators.
- Click Application Management ==> Change Site Collection Administrators
- Then add the users from your providers in site collection administrator's group as shown below:
Figure 8: Add/Edit Site collection administrators
If you enable both windows and form authentication then it’ll be better to use one site collection administrator from windows and another from your form based authentication’s provider.
You are done!
And if you have followed the steps, you are done. If you try to access the site, you will be prompted for form login page. However, if you enabled both form and windows authentication then you will prompted for authentication type first and based on the authentication type either you will be prompted for form or windows authentication.
For Your Information
Few points to notice here:
- Form based authentication only works for web application created with Claims Based Authentication mode.
- You need to modify three web.config files (your web application, central web app and Security Token Service) to add your provider settings.
- Recommendation is to create an web application with Claims based Authentication mode but using windows authentication. Once you modify those three web.config files, switch the web app to form based.
- You can enable both windows and form authentication in a web application. In that case try to add one site collection administrator from form authentication provider and another from windows.
- If you want the site data to be crawled, then you need to make sure at lease one zone in the web application uses windows authentication.