This is Part 1 in a 3 Part Series regarding the setup of SharePoint zones:


Why another tutorial on Forms Based Authentication Setup?

You can never have too many tutorials, right? But seriously, all of the setups I’ve seen online have the following challenges:

  • Assume default setup of the ASP.NET membership store
  • Were pre-IIS 7.0 and thus required a lot of hacks to the web.config files
  • Demonstrate creating a user account with the only moderately useful tool available: a Visual Studio web project, of all things!

So what’s different in this series?

  • *Mostly* GUI based setup with SharePoint and IIS 7 Manager
  • Setup with only minimal manual touch to the web.config (and even that part is optional)
  • No need for the wacky ASP.NET web site for user setup
  • Demonstrate usage of the CodePlex FBA User Management module to, guess what? Manage users from within SharePoint
  • Adds Anonymous site access procedures and considerations

Why use Forms Based Authentication?

There are several reasons to use FBA for SharePoint. For one, your external users might not exist in Windows AD, or might have no reason to be included there; or perhaps you’d like to enable anonymous access to certain resources of your SharePoint site. Note that if you only use SQL Server to provide FBA authentication of users, there is no need to hold Windows CALs.

Setup your SharePoint site

  1. In Central Admin, we created a site on port 500. 500 will be the future FBA site and 501 will be the Windows site.
  2. Since we haven’t setup FBA yet, we need to setup the Web Application first as a Windows site.
  3. Create the Web Application
  4. Create a default Site Collection, and make a Windows user (below we’ve used the Administrator account) a Site Administrator.
    [screenshot: sitecol]

Setup your User Database

  1. Set up the ASP.NET Membership Database. Note: You can use custom membership stores, DotNetNuke, even Live! credentials, but the .NET membership database is very simple to set up. This requires a SQL Server database. You can use the integrated version that is supplied with SharePoint, Express, or a fully featured SQL Server (Standard or Enterprise) Edition.
  2. Find the setup file aspnet_regsql.exe, located at either of the following locations depending upon your OS:
    %windir%\Microsoft.NET\Framework\v2.0.50727
    %windir%\Microsoft.NET\Framework64\v2.0.50727
  3. When the ASP.NET SQL Server Setup Wizard appears, select “Configure SQL Server for application services”, then click Next
  4. Enter the SQL Server and Database name.
    [screenshot: aspnetsetup]
  5. Above, I have named the database FBADB
  6. Click Next and Finish

Provide Access to the Membership Database

As an administrator, you’ll be able to add and modify user accounts. But from the SharePoint runtime, we’ll have to provide access to the membership store. This can be done in two ways. If using SSPI (Integrated Security) for the connection string from SharePoint, you’ll need to determine the service account that runs the Application Pool. Then you’ll grant that Windows (or service) account access to the FBADB database in SQL Server. Or, if you don’t want to use SSPI, or don’t want to take the time to figure out the service account for SharePoint, you can simply create a SQL login for the FBADB database. Following are the steps for the second approach.

  1. Open SQL Server Management Studio (SSMS 2008) and select Security, then Logins
  2. Right Click Logins and Select “New Login”
  3. Create a SQL Server account. Below, we’ve created the account FBAService with password pw
    [screenshot: sqluser2]
  4. Select “User Mapping”
  5. Mark the checkbox next to FBADB, and select the row.
  6. In “Database role membership”, make the user a db_owner.
    [screenshot: rolemember]
  7. Click OK to save the new user.

Setup IIS 7.0 Defaults

  1. Open up Internet Information Services Manager 
  2. Select the Web Server, then double click Connection Strings
    [screenshot: Cstring]
  3. Click Add...
  4. Enter the Server (.), Database (FBADB) and the Credentials for the user FBAService (by clicking the Set button). If you want to use SSPI, simply select “Use Windows Integrated Security” instead.
    [screenshot: cstring2]
  5. Click OK to save
  6. Click to Select the Server from the Connections pane again, and double click Providers.
  7. On the Feature dropdown, select .NET Users. Your machine may take a while to respond while the configuration is read.
  8. On the Actions menu, click Add...
  9. On the Add Provider form, select SqlMembershipProvider as the Type
  10. Provide a name: FBA.
  11. Drop down ConnectionStringName and select FBADB
  12. Set any other parameters you’d like. I set some Password related options for user interaction later.
    [screenshot: provider]
  13. Click OK to save
  14. From the Feature dropdown, select .NET Roles, then click Add...
  15. Provide a name: FBARole, and select Type: SqlRoleProvider
  16. Select the ConnectionStringName: FBADB
    [screenshot: roleprovider]
  17. Click OK to save the .NET role.
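For readers who prefer to see what the IIS 7 Manager steps above actually write (or who need to check it later), here is the resulting web.config fragment as an added example; it is not from the original post or the CKS project. The names FBADB, FBAService, FBA and FBARole come from the steps above; the password, the provider options and the machineKey values are assumptions or placeholders, and the machineKey element is the one the Final Note at the end of this article refers to.

```xml
<!-- Added example, not from the original post: what the IIS 7 Manager steps write.
     Server-level entries go to the .NET 2.0 root web.config; the site-level
     default-provider settings go to the SharePoint site's own web.config. -->
<configuration>
  <connectionStrings>
    <!-- SQL login created in "Provide Access to the Membership Database" -->
    <add name="FBADB"
         connectionString="Data Source=.;Initial Catalog=FBADB;User ID=FBAService;Password=REPLACE_WITH_PASSWORD" />
    <!-- SSPI alternative: "Data Source=.;Initial Catalog=FBADB;Integrated Security=SSPI" -->
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FBA">
      <providers>
        <!-- applicationName is assumed: set it explicitly so Central Admin and the
             port 500 site resolve the same users instead of defaulting to each
             site's own virtual path. -->
        <add name="FBA"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FBARole">
      <providers>
        <add name="FBARole"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB"
             applicationName="/" />
      </providers>
    </roleManager>
    <!-- Final Note: decryptionKey is what matters for passwordFormat="Encrypted";
         the validation attribute also selects the hash algorithm for "Hashed".
         Every site sharing FBADB must carry identical values, so do not let IIS
         auto-generate or make them unique per site. Values are placeholders. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

The password options shown match the SqlMembershipProvider defaults that produce the “password is invalid” message mentioned later in this article (7 characters, at least one non-alphanumeric).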

Last Prep – Install the CKS FBA Solution

As you’ll see later, we can administer users in IIS 7.0 in a very rudimentary fashion. By using the Community Kit for SharePoint, available on CodePlex, you’ll be able to maintain users from within the SharePoint site as well as provide some self-service user control (password reset, etc.).

  1. Download the bits from here. (* Disclaimer: It’s codeplex, and it’s beta *)
  2. After unpacking, deploy via command line to your web application with the following syntax:
    deploy [site]
    e.g.: c:\temp\deploy http://scdev01:400

Setup the FBA Zone in SharePoint

  1. Browse to SharePoint Central Admin, select Application Management
  2. In Application Security, select Authentication Providers
  3. Select the Web Application.
  4. Click the Default Zone.
    [screenshot: defaltzone]
  5. Ensure the Web Application is the correct one on the next page!
  6. Change Authentication Type to Forms
  7. Check Enable Anonymous (* note that this does not immediately enable Anonymous access; it merely makes the option available on the front-end web application *)
    [screenshot: fbasetup]
  8. Click Save.
  9. When the process is finished, the membership provider should now display FBA.

What SharePoint has done behind the scenes is make the necessary changes to the IIS website to support Forms based authentication. But we still have a little problem. If we browse to the site right now, we won’t be prompted for Windows credentials anymore. Not only do we NOT have a user in the .NET membership database, but we have no FBA based administrators. Let’s tackle that next.

IIS Web Site Configuration

  1. In IIS Manager, select the SharePoint site. Earlier we called it FBA Demo- FBA – 500
  2. Double click the .NET Users icon
  3. Click Set Default Provider and select FBA
    [screenshot: dftuser]
  4. Click OK to save.
  5. While we’re here, let’s add our first user. This will be used as an administrative account on the FBA site. Click Add...
    [screenshot: newuser]
  6. Select a User, Email and Password. Depending upon parameters you defined earlier you may be prompted with challenge/response questions.
    ** The password may require some strength by default. If you receive an error message that states the “password is invalid”, simply add a number or non-alpha character.
  7. Next, select the SharePoint Central Administration web site from the Connections pane.
  8. Click .NET Users, then in the Actions menu select “Set Default Provider” and set that to FBA.

Set the User as Site Administrator on the Web Site

  1. In SharePoint Central Admin, go to Application Management
  2. In SharePoint Site Management, select “Site Collection Administrators”
  3. On the next page, select the Site Collection we’ve been using.
  4. You’ll note that the primary site collection administrator has a little red squiggly. Why? We don’t have Windows Authentication enabled for this site and therefore no way to resolve it. Delete the Administrator account.
  5. In the field type the user created above (we used fbaadmin), then click the Check Names button. You should see a black underline noting that the name was resolved.
    [screenshot: newsiteadmin]


Test the site

  1. In a Web Browser, when you access the site http://localhost:500 (if that’s what you used), you’ll be presented with the SharePoint login screen, not a Windows login pop-up.
    [screenshot: loginprompt]
  2. Log in with the fbaadmin credentials and you should be able to access the site.
    [screenshot: fbalogin]


Add the reference to the user friendly people picker

You know the picker…so you can easily find those needles in the haystack. For that to work in Central Admin and this site against your .NET membership database, you need to add a reference to the provider.

  1. In IIS Manager, browse to the Central Admin web application. Explore the folder and find the web.config file. Open in Notepad.
  2. Find the <PeoplePickerWildcards> node and use the following:


    <PeoplePickerWildcards>
      <clear />
      <add key="FBA" value="%" />
    </PeoplePickerWildcards>

User Management

You could manage .NET users from within IIS 7.0, but it’s really rudimentary. Instead, I prefer the CKS solution that we installed earlier.
    [screenshot: fbamanage]

In the SharePoint site that has been converted to FBA, select Site Settings. You’ll notice some new options under Users and Permissions for FBA. FBA User Management is a simple utility to create and manage users from within the SharePoint site. For more information on what this feature has to offer, visit the CodePlex site that hosts the application.

Final Note

If you plan to use the same membership database for multiple SharePoint sites AND you choose to encrypt the passwords, you’ll need to add one final step. In IIS 7, on the first site, select the Machine Key icon. Copy those keys. In the next site that you create, you’ll need to use the same machine keys and disable “Automatically Generate” and disable “Generate Unique Key”. This is crucial, as the machine key is used to produce the encrypted password that is passed back to the .NET membership database.

In the next article, we’ll add a second zone to allow local Windows users to access the resources of this site.