page 1 of 1
Comments: 4 | Views: 18481
leeappdalecom
.nettter
OK, after spending a few weeks at Microsoft working with MOSS 2007 and trying to get a site working with both Integrated and FBA security, I thought I might as well post up a quick "how to", because it seems apparent that this is something that is not very well documented, but a lot of companies are going to want this type of scenario.

I also sat with a Microsoft guy who specialised in SharePoint who had never even seen FBA working with the SSP profile database before.

Anyway, here goes. First of all I'll show how to get the actual site working so FBA users can log in to the site by browsing to an external URL. For example, browsing to http://localhost/ will authenticate using integrated security and browsing to http://localhostexternal/ will authenticate using FBA.

SQL Server Setup

 
Create new database to hold membership data
 
Run aspnet_regsql.exe from the Visual Studio 2005 command prompt to create database schema

Web.config changes

    Add connectionStrings entry to web.config file of both web application and central admin site; this is the connection string that points to your membership database.

    Add membership provider section to web.config file of both web application and central admin site

    Add role provider section to web.config file of both web application and central admin site

    Change default RoleManager provider to AspNetWindowsTokenProvider for web.config

SharePoint Administration

Extend Web Application
       
        Open Central Admin Site
        Open Application Management
        Click Create or Extend Web Application
        Click Extend Web Application
        Enter details for external site access and click OK
        Go back to Application Management
 
Setup Authentication Providers

        Click Authentication Providers
        Select correct zone from dropdown (the external FBA zone
        created earlier when application was extended)
        Change Authentication Type to Forms
        Check Anonymous Access
        Enter Membership and Role provider names into respective boxes
        Click Save

Setup FBA Administrator

        Open IIS Web Admin Tool from Visual Studio 2005
        Add new user to application
        Open Central Admin site
        Open Application Management
        Click Policy For Web Application
        Click Add Users
        Select External zone created earlier from dropdown list
        Enter username of the FBA administrator and click the Resolve button
        Check Full Control then click Finish

Setup FBA for Shared Service Provider

Web.config changes

        Add connectionStrings entry to web.config file for both MySite and SSP Admin site
        Add membership provider section to web.config file for both MySite and SSP Admin site
        Add role provider section to web.config file for both MySite and SSP Admin site

Add FBA user personalisation services permissions

        Open SSP Admin
        Click Personalisation service permissions
        Click Add user
        Enter FBA username and click resolve button
        Check all boxes
        Click Save

Setup Authentication Providers

        Open Central Admin Site
        Open Application Management
        Click Authentication Providers
        Select SSP Admin from Web Application dropdown
        Select default zone from dropdown
        Change Authentication Type to Forms
        Enter Membership and Role provider names into respective boxes
        Click Save
        Repeat for MySite Web Application

Setup FBA Administrator for SSP Admin & MySite
       
        Open Central Admin site
        Open Application Management
        Click Policy For Web Application
        Select SSP Admin Web Application from dropdown
        Click Add Users
        Select default zone
        Enter username of the FBA administrator and click the Resolve button
        Check Full Control then click Finish
        Repeat for MySite Web Application

Setup Site Collection Administrators for SSP Admin & MySite
       
        Open Central Admin site
        Open Application Management
        Click Site Collection Administrators
        Select SSP Admin site from web application dropdown
        Enter FBA user into Primary Administrator box and click Resolve button
        Click Ok
        Repeat for MySite web application

Ensure Self service site management is turned on
       
        Open Central Admin site
        Open Application management
        Click Self Service Site Management
        Turn on for all web applications

Assign My Site Host Permissions to FBA group
       
        Open SSP Admin
        Click My Site Settings
        Click My Site Host Permissions
        Click Site Permissions
        Click Add Users
        Enter FBA group for everyone e.g. User
        Grant Permissions
        Click OK

Grant personalisation service permissions
       
        Open SSP Admin site
        Click Personalization service permissions
        Click Add Users
        Enter FBA User group and click resolve button
        Click Save


Anyway, I know this is a very high level explanation, so if anyone wants my help drop me a line at leedale@athousandthreads.com

Cheers
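
Added example, not part of the original post: a sketch of the three web.config pieces the post lists (connection string, membership provider, role provider), using the stock ASP.NET 2.0 SQL providers. The names FbaMembershipDb, FbaMembershipProvider and FbaRoleProvider, the server name and the database name are placeholders; the elements are meant to be merged into the existing sections of each web.config, not pasted as a whole file.

```xml
<!-- Added example. All name values, the server and the database are hypothetical placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Points at the membership database created with aspnet_regsql.exe.
         Integrated Security keeps a SQL password out of web.config; the
         application pool account then needs access to this database. -->
    <add name="FbaMembershipDb"
         connectionString="Data Source=SQLSERVER01;Initial Catalog=FbaMembership;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <membership>
      <providers>
        <!-- Hashed storage with retrieval disabled: passwords cannot be read
             back out of the database. Lockout limits online guessing against
             the forms login page. -->
        <add name="FbaMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>

    <!-- defaultProvider follows the post's last Web.config step. The Windows
         token role provider registered in the .NET 2.0 machine.config is
         named AspNetWindowsTokenRoleProvider. -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="FbaRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The provider name values have to be identical in every web.config the post lists and match what is typed into the Membership and Role provider boxes on the Authentication Providers page. The same applicationName must be used everywhere, because the SQL providers scope users and roles by it.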



Very good information - thank you.

Has anyone experimented (yet) with CardSpace and SharePoint?  I am surprised I have not seen many sites (Channel9? Ahem, ahem) supporting this yet.  From the demos I saw early on, it seemed enabling CardSpace was literally a few lines of code in a server.config file.  Seems anyone who supports forms and/or MS Passport should be able to support CardSpace fairly easily.  And, it seems the sites that drink the MS Kool Aid (Channel9?) should be among the first to support...

 

blowdart
Peek-a-boo
HBEaker wrote:


From the demos I saw early on, it seemed enabling CardSpace was literally a few lines of code in a server.config file.  Seems anyone who supports forms and/or MS Passport should be able to support CardSpace fairly easily.



It's a bit more work than that, depending on what you want to do. If all you want to do is accept cards, you need a way to hook them into your existing user account setup, saving a unique reference for each card against the user (usually a unique claim (PPID for self issued cards), whatever you can get for managed cards and the thumbprint or public key of the IP), then roll your own login code which authenticates and drops the cookie.

Hi,
I am unable to resolve user names in the "Setup FBA Administrator" step.
Any help?