SharePoint 2013 Forms Based Authentication (FBA)

Here are the instructions for setting up FBA on SharePoint 2013.

Install FBA and Setup SharePoint to use FBA

The site users and roles will be stored in a SQL database, and the web site will use the FBA provider to authenticate the users against that database.

Create Users/Roles Database

The first step is to create the database using the ASP.net SQL server setup wizard. Install the new database on the database server hosting the other SharePoint databases for this app. The wizard can be accessed from the following command from the run menu.

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

This wizard will guide you through the creation of the new SQL database.

· A welcome screen will appear. Click Next.

· Select “Configure SQL Server for application services” and click Next.

· Enter the name of your server and your authentication information. In this case SQL Server is installed on the same server as SharePoint 2013 and I am logged in as an administrator with full access to SQL Server, so I choose Windows Authentication. For the database name, I leave it as <default>, which creates a database called “aspnetdb”, unless you want a specific name for your FBA database.

· A Confirm Your Settings screen will appear. Click Next.

· A “database has been created or modified” screen will appear. Click finish and the wizard will close.

Set up database permissions

· Now that the database has been created, we’ll have to give SharePoint permissions to read and write to it. We’re going to connect to the database with Windows Authentication, so we’re going to have to give those permissions to the service account that is being used to run SharePoint. First, let’s find out the service account that’s being used to run SharePoint. Open IIS and go to “Application Pools”. Take a look at the “Identity” that is being used to run the SharePoint application pools. On my test VM it happens to be Network Service, but it will probably be different on your machine. Make note of the identity used.

· Now that we know what account is being used to run SharePoint, we can assign it the appropriate permissions to the membership database we created.  Open up SQL Server Management Studio and log in as an administrator.

· Under Security/Logins find the user that SharePoint runs as. Assuming this is the same database server that SharePoint was installed on, the user should already exist. Right click on the user and click ‘Properties’.

· Go to the “User Mapping” Page. Check the “Map” checkbox for the aspnetdb database. With the aspnetdb database selected, check the “db_owner” role membership and click OK. This user should now have full permissions to read and write to the aspnetdb membership database.
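The user mapping above can also be scripted. The following is an added example, not part of the original post: it maps the application pool identity noted in IIS into the membership database and, going a step beyond the db_owner role used above, grants only the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles that aspnet_regsql creates, which is all the SqlMembershipProvider and SqlRoleProvider need. The server name and identity are assumed placeholders.

```powershell
# Added example, not part of the original post. Grants the SharePoint application
# pool identity access to the membership database using the aspnet_* roles that
# aspnet_regsql creates, instead of db_owner. Values below are assumed placeholders.
param(
    [string]$SqlServer = 'SQLSERVER01',                   # assumed: your SQL Server name
    [string]$Database  = 'aspnetdb',                      # database created by aspnet_regsql
    [string]$Identity  = 'NT AUTHORITY\NETWORK SERVICE'   # app pool identity noted in IIS
)
# When SQL Server runs on a different machine than SharePoint, a Network Service
# app pool authenticates to it as the computer account, i.e. 'DOMAIN\SPSERVER$'.

# Same kind of connection string the providers will use: Windows authentication.
$connectionString = "Server=$SqlServer;Database=$Database;Integrated Security=true"

# DDL cannot take parameters, so the login name is spliced in with QUOTENAME.
$grantSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
    EXEC('CREATE LOGIN ' + QUOTENAME(@login) + ' FROM WINDOWS');
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
    EXEC('CREATE USER ' + QUOTENAME(@login) + ' FOR LOGIN ' + QUOTENAME(@login));
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', @login;
EXEC sp_addrolemember 'aspnet_Roles_FullAccess', @login;
"@

# Lists the database roles the identity now holds so the result can be verified.
$verifySql = @"
SELECT r.name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = @login;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
try {
    $conn.Open()
    foreach ($text in @($grantSql, $verifySql)) {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $text
        [void]$cmd.Parameters.AddWithValue('@login', $Identity)
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { "$Identity is a member of $($reader.GetString(0))" }
        $reader.Close()
    }
} finally {
    $conn.Close()
}
```

Run it as a SQL Server administrator; the last lines list the roles the identity ended up with, so a leftover db_owner mapping from the manual step would show up here too.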

Set up the SharePoint membership provider

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider.  A membership provider is an interface from the program to the credential store.  This allows the same program to work against many different methods of storing credentials.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. Most tutorials have you adding the membership provider settings over and over again in each web config (as well as every time you setup a new SharePoint web application).  I prefer to add the membership provider settings directly to the machine.config. By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don’t have to remember to make the changes every time you create a new SharePoint web application.

If you don’t have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

· SharePoint Central Administration

· SecurityTokenServiceApplication

· Every SharePoint web application you create that you would like to access via FBA.

· Navigate to “C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config” and open “machine.config”.


· In the <connectionStrings> section, add the following line:

    <add connectionString="Server=<SERVER>;Database=aspnetdb;Integrated Security=true" name="FBADB" />

  Be sure to replace <SERVER> with the name of your SQL Server.

· In the <membership><providers> section add the following:

    <add name="FBAMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBADB"
         enablePasswordRetrieval="false" enablePasswordReset="true"
         requiresQuestionAndAnswer="false" applicationName="/"
         requiresUniqueEmail="true" passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />

You can customize the authentication by modifying each of these options.

· In the <roleManager><providers> section add the following:

    <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

· Save and close the machine.config file.

· The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService. First we need to find the web.config for the SecurityTokenService.

· Open up IIS. Under Sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click Explore. Edit the web.config in the folder that opens.

· Add the following to the web.config, just before the closing </configuration> tag:

    <system.web>
      <membership>
        <providers>
          <add name="FBAMembershipProvider"
               type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="FBADB"
               enablePasswordRetrieval="false" enablePasswordReset="true"
               requiresQuestionAndAnswer="false" applicationName="/"
               requiresUniqueEmail="true" passwordFormat="Hashed"
               maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10"
               passwordStrengthRegularExpression="" />
        </providers>
      </membership>
      <roleManager>
        <providers>
          <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
               type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </roleManager>
    </system.web>
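A single bad character in either file (a curly quote pasted from a web page, a stray character, an unreplaced <SERVER> placeholder) leaves the config not well-formed and takes the application pools down. The following is an added example, not part of the original post or the FBA Pack: it loads machine.config and the SecurityTokenServiceApplication web.config as XML and checks that the FBADB connection string and both providers are present with the settings given above. Both paths are assumed and may differ on your server.

```powershell
# Added example, not part of the original post. Checks that machine.config and the
# SecurityTokenServiceApplication web.config parse as XML and carry the FBADB
# connection string and both providers with the expected settings. Paths are assumed.
$machineConfig = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
$stsWebConfig  = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\WebServices\SecurityToken\web.config"

function Test-FbaProviderConfig {
    param(
        [string]$Path,
        [switch]$RequireConnectionString   # machine.config holds it; web.config inherits it
    )
    $problems = @()
    try {
        # A curly quote or an unreplaced <SERVER> placeholder makes the whole file fail here.
        [xml]$xml = Get-Content -Path $Path -Raw -ErrorAction Stop
    } catch {
        return "not well-formed XML: $($_.Exception.Message)"
    }
    $cs   = $xml.SelectSingleNode("//connectionStrings/add[@name='FBADB']")
    $mem  = $xml.SelectSingleNode("//membership/providers/add[@name='FBAMembershipProvider']")
    $role = $xml.SelectSingleNode("//roleManager/providers/add[@name='FBARoleProvider']")

    if ($RequireConnectionString) {
        if (-not $cs) { $problems += "connection string FBADB is missing" }
        elseif ($cs.connectionString -notmatch 'Integrated Security=(true|SSPI)') {
            $problems += "FBADB does not use Windows authentication (is a password stored in the config?)"
        }
    }
    if (-not $mem) { $problems += "FBAMembershipProvider is missing" }
    else {
        if ($mem.connectionStringName -ne 'FBADB') { $problems += "membership provider does not point at FBADB" }
        if ($mem.passwordFormat -ne 'Hashed') { $problems += "passwordFormat is '$($mem.passwordFormat)', expected Hashed" }
        if ($mem.enablePasswordRetrieval -ne 'false') { $problems += "enablePasswordRetrieval should be false" }
    }
    if (-not $role) { $problems += "FBARoleProvider is missing" }
    elseif ($role.connectionStringName -ne 'FBADB') { $problems += "role provider does not point at FBADB" }
    return $problems
}

# machine.config must carry the connection string; the STS web.config inherits it.
foreach ($entry in @(@{ Path = $machineConfig; Cs = $true }, @{ Path = $stsWebConfig; Cs = $false })) {
    $found = @(Test-FbaProviderConfig -Path $entry.Path -RequireConnectionString:$entry.Cs)
    if ($found.Count -eq 0) { "OK: $($entry.Path)" }
    else { $found | ForEach-Object { "PROBLEM in $($entry.Path): $_" } }
}
```

If you chose to edit every web.config instead of machine.config, run the check with -RequireConnectionString against each of those files as well.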

Now that the membership and role provider have been configured, we can configure SharePoint to use them.

Configure SharePoint to use new membership provider

· Open SharePoint Central Administration -> Application Management -> Manage Web Applications.

· Click the Web Application whose authentication model you want to change.

· Click the Authentication Providers button.

· Click the Zone for which you want to change the membership provider.

· Check “Enable Forms Based Authentication (FBA)”. Enter the ASP.NET Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config. For this example we used “FBAMembershipProvider” and “FBARoleProvider” (without the quotation marks). Also, for this example we left “Enable Windows Authentication” checked. This allows us to log in either via Windows Authentication or Forms Based Authentication (SharePoint will prompt you when you log in for which method you’d like to use). Click OK.

Install FBA Pack

Now that an empty membership database has been created, users need to be added. Install the SharePoint 2013 FBA Pack so that all user management can be done in SharePoint.

Deploy FBA Pack
Download and unzip Sharepoint2013FBAPack.X.X.X.zip to the SharePoint server.
Open PowerShell and navigate to the folder the files were unzipped to.
Run the following command:
.\deploy [Site Collection URL]
(e.g. .\deploy http://cbarba-vmsp/)

The FBA Pack will be deployed to SharePoint and activated on the specified site collection. If the site collection URL is omitted, you will need to manually activate the ‘Forms Based Authentication Management’ feature in each site collection in which you wish to use it.

Notes:

Ensure that the SharePoint 2013 Administration service is running prior to running the deployment scripts, or the deployment will fail.

Depending on your PowerShell execution policy, the deployment scripts may be blocked from running because they are not signed. To change the setting to allow unsigned scripts to run, run the following command:

Set-ExecutionPolicy Unrestricted

Adding Users
The configuration and management pages can be opened from the Site Settings page:

Select ‘FBA Site Configuration’ to open the configuration page:

Click Enable Roles.
Click Review Membership Requests (so new logins have to be approved).

You can review all the settings here: http://sharepoint2013fba.codeplex.com/documentation?referringTitle=Home

Click the FBA Role Management link.
Add two roles:
· Admin
· Users

Click the FBA User Management link to add users.
Add a new user (like fbaadmin) and give them the role of Admin.

Note: If you get an error about the membership provider not being set up correctly, verify your connection string in the machine.config.

In Central Admin, click Application Management -> Change Site Collection Administrators.

In the Secondary site collection administrator enter the admin user you setup earlier (fbaadmin).
This way you can manage the site externally as the admin user (fbaadmin) or internally as a Windows user.

Login

· When you go to your website, if you enabled both Windows Authentication and Forms Based Authentication, you’ll be prompted for which method you’d like to use to authenticate.
(If you want to have only forms based authentication, go to Authentication Providers in Central Admin (Manage Web Applications) and uncheck Enable Windows Authentication.)

· You’ll be prompted for a username and password. Enter the username and password that we created earlier.

· You’re now logged in.

Now you’re ready to use Forms Based Authentication on your SharePoint site.


26 thoughts on “SharePoint 2013 Forms Based Authentication (FBA)”

  1. Hello,
    This is great info. I am currently extending our internal website to the internet with FBA so that we can interact and share data with our customers. This article is really helpful for me.
    Thank you for sharing.

  2. Newbie here, you comment “I prefer to add the membership provider settings directly to the machine.config”. At the moment we only have an intranet deployed, however, would that present a problem if you defined an extranet or internet pool later on since the xml is at the machine level?

      • minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />

        **********|*********

        <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Ve

        I don't think the Pipe's supposed to be there.

  3. Hi Chris,
    Thank you very very much for taking the time to write this detailed article. I followed the steps down to the teeth and was very successful. As FYI for everyone, I had to make the changes to the config files on both my SharePoint App servers and the Web Front End (WFE) servers for this to work successfully.

    Chris, if you don’t mind, i’d like to add this site as a link to my personal site.

  4. Hi Chris,
    For some reason I am not able to log into my Web App with forms based authentication today. I logged in with Windows Authentication, went to site settings and FBA User Management. Now I see ‘A Membership provider has not been configured correctly. Check the web.config settings for this web application.’
    No changes have been made on the farm. I did do an iisreset on all the web app and web front end servers but that didn’t help.
    I see that the aspnetdb is there on the SQL server.
    Any ideas what caused this and is there a way to fix it without rebuilding it?
    Thanks

    • Have you checked your machine.config (or web.config) to make sure the Membership or Role sections are still correct? Also check that permissions didn’t change on whatever database you set in the connectionString.
      I would suggest reading through the steps again to make sure everything is setup correctly.
      Does anyone else work on your SharePoint farm (i.e., check that no one else made any changes)?
      Did you run the SharePoint configuration wizard again (I think that makes changes to the web.configs)?
      Did you apply a service pack or anything?

      • Hi Chris,
        Thanks for your quick reply!
        I checked the machine.config and the web.config of the SecurityTokenServiceApplication (of both my Web Front End (WFE) and SharePoint app servers). No changes made. I haven’t made any updates to this server and haven’t run the configuration wizard. Currently I am the only farm and site collection admin and the only one who has access to the servers.
        Do I need to make the same changes to the web.config file of the web application I am working on?

  5. Thanks Chris for the write up. Very useful. Been looking for something like this the last few months. I am running into an issue that I can’t explain if it’s something i’m doing. I just did a fresh install of Sharepoint 2013 Foundation and ran through your instruction from above.

    Before I installed the FBAPack and right after entering the FBA credentials – my Sharepoint – 80 is not coming up. Noticed that the Sharepoint Web Services was shut off so I restarted all services through IIS – this did not help.

    Could you provide some instructions?

    • That’s a bummer. I hate it when SharePoint does that.
      Most of the time I have experienced that problem it was the config files not being set up again.

      So before you enabled Forms Based Authentication your site comes up?
      I would double check the config files. Make sure there are no special characters and make sure the keys added copied in correctly (like > instead of >). (I usually copy keys to Notepad before I copy into the config file to make sure nothing gets jacked with when copying from an HTML page.)
      You could also double check your SQL permissions.
      Also check your logs to see if any errors are being thrown.

      I have never tried these instructions on SharePoint Foundation, but I would expect them to work.
      I would also suggest going through the steps one more time to make sure nothing was missed.
      I have missed small steps before that caused SharePoint to stop working.

      Hopefully this helps.

      • I actually reverted back 4x to the snapshot that worked. On this last one, I finally was able to get an error code to come up on Event Log.

        The problem is sharepoint – 80 will not start up due to:

        The worker process for application pool ‘SharePoint – 80’ encountered an error ‘Configuration file is not well-formed XML
        ‘ trying to read configuration data from file ‘\\?\C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CONFIG\machine.config’, line number ‘165’. The data field contains the error code.

        That particular line of code is this:

        One other thing I noticed, which I’m not sure is correct – but before doing modifications to the Machine.Config – the Sharepoint – 80’s identity was “NetworkService” – after the web.config changes, it changed to LocalService.

      • Weird… it didn’t include the code for line 165:

        OPEN-TAGadd connectionString=”Server=INTRANET;Database=aspnetdb;Integrated Security=true” name=”FBADB” /CLOSE-TAG

      • EDIT…

        “One other thing I noticed, which I’m not sure is correct – but before doing modifications to the Machine.Config – the Sharepoint – 80’s identity was “NetworkService” – after the web.config changes, it changed to LocalService.”

        Should state:

        One other thing I noticed, which I’m not sure is correct – but before doing modifications to the Machine.Config – the SecurityTokenServiceApplicationPool’s identity was “NetworkService” – after the web.config changes, it changed to LocalService.

  6. After following your config (loosely, I added the strings to web.config at the following paths, NOT machine.config) I can no longer create any SharePoint sites through the GUI. If I create the IIS website first, and then click NEW in Central Administration, and pick the site I created from the dropdown, it works. If not, it gives me an error like “there is already a website created at this path”.
    So it seems like some file I changed breaks the IIS install portion of “create a new web application” from Central Admin. I edited two files, but when I edited the web.config for Central Admin to put the role providers in, Central Admin stopped working. I thought I reverted my changes, but had no backup. So I am not sure if that is why, or if it’s the security token file.

    “%programfiles%\common files\Microsoft Shared\web server extensions\15\WebServices\SecurityToken\web.config”

    “c:\inetpub\wwwroot\wss\VirtualDirectories\5468\web.config” (central Admin)

    Care to comment? can you still make new websites through the GUI with the config files edited for FBA enabled as you have done in this tutorial?

    FBA works fine. I just cannot create any new websites unless I create them in IIS first. It just errors out.

  7. Great stuff!!
    To Sam Harrison who can’t access public url – it is most likely your firewall. I set up Office Web Apps and had to make certain that I could ping the public url and then follow up with some firewall rules to ensure the public url pointed to the correct web app. In the end it didn’t matter to me if people authenticated internally or externally, so I deleted the internal sp site and only use the external one. But it was a real battle with the Sonic firewall.

  8. Sorry, my question was trimmed in the previous post. Here it is again. Don't we need to add ‘ConnectionString’ to the Security Token Service Application’s web.config file?

    • If I remember correctly you only need to if you don’t have access to the machine.config (so then you need to update all config files) or if you are using claims based authentication.

      It’s been a few minutes since I’ve had to setup SharePoint with FBA.

  9. Hello,
    I have deployed the FBA pack for one year now and have been running into the same issue since then. All functionalities are working well but every action related to user management is very slow. For example, accessing the “FBA User Management” page takes almost 5 mins. Have you ever experienced this?

    Thanks.

  10. Hello Sir,
    Nice example. Can you tell me which public key token we have to pass in the configuration?
    Like you mention- “PublicKeyToken=b03f5f7f11d50a3a”
