Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

A while back a client asked me to set up Forms Based Authentication (FBA) for them.  I said sure (of course) and started to research the steps required to accomplish this.  In my oodles and oodles of research I had found many useful but somewhat partial posts.  What I mean by this is that not one of the posts I have encountered in my research had ALL of the steps required to get this to work; I was left to aggregate steps from different areas.  Most posts assumed you were running as an administrator, maybe even that your SharePoint application pools were running as system accounts with unlimited privileges (on both the operating system and in the database); no "real world" scenarios, if you will.  Also, none of the posts made mention of Office SharePoint Server; they all centered around Windows SharePoint Services (more on that later).  My aim here is to provide a series of posts that include the following:

  1. Each and every step required to set up FBA using the built-in Asp.Net Membership and Role providers (Part 1).  I will demonstrate one way to accomplish this.  There are others and they will be mentioned, but not looked at in any detail.
  2. How to enable MySites and the Personalization features included with Office Server and have them actually work with a site using FBA.
  3. A natural extension of 1 and 2 that will demonstrate how to hook into the ADAM membership provider, and get it functioning with MySites and the Personalization features as well.

Initially, after setting FBA up successfully (Part 1), my client then asked me to enable MySites.  That's when all hell broke loose.  Not only did this not work right away, but after 3 unsuccessful calls to Microsoft support (they could not get it to work and kept parading me in circles, and still are for that matter, maybe they will read this and call me back), and quotes from Microsoft employees saying "it's not supposed to work" or "it does not work", I am pleased to say that it does in fact work and I will show you how (Part 2).

Before we begin I have to say that since I have been told that "it's not supposed to work" or "it does not work", and since I have not found any reliable documentation indicating how to do this, I must add a disclaimer that if it does not work for you, something is different between our environments, or to please call Microsoft <shrug>.  I will do my best to be as detailed as possible about my environment and all of the steps involved.  If anything is unclear, please leave a comment and I will do my best to make it a little clearer.  One last thing I would like to mention is that I have successfully implemented MySite functionality as well as the other Personalization features of Office SharePoint Server 2007 with Forms Authentication using both the built in Asp.Net Membership and Role providers as well as with an ADAM Membership provider.  I have recently received an ADAM Role provider from Adam Buenz and plan on testing that soon but fully expect it to integrate seamlessly (with his help if needed, I hope).

So here we go, this is going to be a long one so bear with me.  By the end of the series you will have MySite and the Personalization features working seamlessly with Forms Authentication in your Office SharePoint Server 2007 environment!  Good Luck!

One assumption I have made in this process is that you have already created a Shared Services Provider and started the Office SharePoint Server Search service.  Also, I am logged on to the development machine as a domain administrator.  The term browser in this series means Internet Explorer 7.  All of the below steps are to be performed on the Guest machine.

Environment

My environment is as follows.  Keep in mind that any variation from this could produce different results.  Again, if I forget to mention something obvious, please let me know and I will update the list.

Host Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 2.00 GB of RAM
  3. Microsoft Windows XP Professional, Version 2002, Service Pack 2
  4. VMWare Workstation, Version 5.5.3 build-34685

 

Guest Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 1.00 GB of RAM
  3. Microsoft Windows Server 2003, Standard Edition, Service Pack 1
  4. Active Directory (Domain Controller)
  5. Microsoft SQL Server 2005, Service Pack 1
  6. Microsoft Visual Studio 2005
  7. Microsoft Office Server 2007, Version 12.0.0.4518

 

FBA User & Role Store

Database Creation

We need a place to put our users.  The Asp.Net 2.0 Membership and Role providers include a database.  The steps to install the database are as follows:

  1. Open up a command prompt by clicking Start...Run, then typing cmd and pressing Enter.
  2. Switch to the Asp.Net 2.0 Framework directory by typing
      cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    and pressing Enter.
  3. Type aspnet_regsql to launch the ASP.NET SQL Server Setup Wizard.


  4. Click Next.
  5. Choose Configure SQL Server for application services (the default choice) on the Select a Setup Option screen and click Next.

     
  6. Specify the SQL Server name (your machine name), database name to create (I used AspNetDb_FBADemo), and the credentials to use for this process (database creation).  I generally prefix my Membership and Role provider databases with AspNetDb_ such that they appear together in Microsoft SQL Server Management Studio and are easily identifiable should I need to access them, such as to update Security (Step 10).  Click Next.


  7. Confirm your settings on the Confirm Your Settings screen and click Next.


  8. The process takes a few seconds and then The database has been created or modified screen appears.  Click Finish to close the wizard.


  9. Open Microsoft SQL Server Management Studio and confirm that the database was successfully created.
  10. One step that I have not seen mentioned ANYWHERE is to make sure that the account that is running the application pool that will be used by the sites you create below has access to the database we just created.  This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.
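
One way to carry out step 10 in T-SQL, as an added example that is not part of the original post: it maps the application pool account to a user in AspNetDb_FBADemo and adds it to the Basic and Reporting roles that aspnet_regsql creates, rather than the FullAccess roles or db_owner. `DOMAIN\AppPoolAccount` is a placeholder, and the choice of Basic plus Reporting as sufficient for SharePoint sign-in and user lookup is an assumption to confirm in your environment.

```sql
-- Added example: give the application pool identity access to the
-- membership/role database created by aspnet_regsql.
-- ASSUMPTION: DOMAIN\AppPoolAccount is a placeholder. Use the account shown on the
-- Identity tab of the application pool in IIS Manager, and repeat the script for
-- every distinct identity (site application pool and Central Administration pool).

USE [master];
GO

-- 1. Server login for the Windows account (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\AppPoolAccount')
    CREATE LOGIN [DOMAIN\AppPoolAccount] FROM WINDOWS;
GO

USE [AspNetDb_FBADemo];
GO

-- 2. Database user mapped to that login (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\AppPoolAccount')
    CREATE USER [DOMAIN\AppPoolAccount] FOR LOGIN [DOMAIN\AppPoolAccount];
GO

-- 3. Role membership. aspnet_regsql creates three tiers per feature:
--      *_BasicAccess      validate credentials / check a user's roles
--      *_ReportingAccess  list and search users and roles
--      *_FullAccess       create, change and delete users and roles
--    ASSUMPTION: SharePoint only needs to validate and look up users, so the
--    FullAccess roles are left to whatever tool manages the accounts.
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess',     N'DOMAIN\AppPoolAccount';
EXEC sp_addrolemember N'aspnet_Membership_ReportingAccess', N'DOMAIN\AppPoolAccount';
EXEC sp_addrolemember N'aspnet_Roles_BasicAccess',          N'DOMAIN\AppPoolAccount';
EXEC sp_addrolemember N'aspnet_Roles_ReportingAccess',      N'DOMAIN\AppPoolAccount';
GO

-- 4. Verify: list every database role the account now holds. Anything beyond the
--    four roles above (db_owner, *_FullAccess) is more than this script granted.
SELECT r.name AS role_name,
       m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals  AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'DOMAIN\AppPoolAccount'
ORDER BY r.name;
GO
```

If sign-in or user resolution fails with only these roles, add the specific FullAccess role that is needed rather than db_owner, and re-run the verification query to record what was granted.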

 

User and Role Creation

Microsoft has given us a great database schema to use as a membership and role provider data store but has not really supplied a "good" tool to manage its contents.  When you think about it, this actually makes sense.  The providers are intended to be used by other applications so maybe one of the assumptions made was that the tools to maintain the users and roles will be provided by the applications that consume them.

Thankfully, the Microsoft Visual Studio 2005 team had the foresight to create a somewhat rudimentary web application to help us manage the membership and role provider data store.  The caveat is that the tool must be launched from Microsoft Visual Studio 2005.  You can immediately see that this is not a very good option for those that will be managing the users and roles, i.e., real users of your application.

I will now walk you thru a set of steps to create a few users and roles that we will be using later.

  1. Create a folder on your desktop called FBA Management Site.
  2. Open Microsoft Visual Studio 2005.
  3. Select File...Open...Web Site.
  4. In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.


  5. Click Open.
  6. In the Solution Explorer, right-click on the web site and select Add New Item.
  7. Select Web Configuration File and click Add.  There is no need to rename the file, web.config is fine.
  8. Replace the empty <connectionStrings/> element with the following snippet.  Be sure to replace both <server name> and <database name> with their appropriate values.

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=<server name>;Initial Catalog=<database name>;Integrated Security=True" />
    </connectionStrings>

    My connection string element looks like this:

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

  9. Just below the <system.web> element, add the following membership and roleManager elements.  Be sure to update the connectionStringName attributes of each of the two providers to the name of the connection string you created in step 8.  Also be sure to give both providers meaningful names; in my case, I used FBADemoMember and FBADemoRole.  Remember these names, we will need them later.  Save and close the web.config file.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

  10. Click ASP.NET Configuration under Website.  The ASP.NET Web Site Administration Tool opens in a browser.  If the tool does not appear, or cannot connect, verify the connection string and provider information entered above.


  11. Click on the Security tab.  You are presented with the following.  From here we will create our users and roles.


  12. Click on the Select authentication type link in the Users box on the left.
  13. Select the From the internet radio button then click the Done button in the bottom right hand corner of the window.
  14. Create an Administrator, Manager and Employee role.  This step and the next three are intuitive enough that I am not going to spell them out.
  15. Create a single Administrator user, spadmin.  Be sure to assign the user to the Administrator role as you create it.
  16. Create two Manager users, Manager1 and Manager2.  Be sure to assign these users to the Manager role as you create them.
  17. Create 4 Employee users, Employee1, Employee2, Employee3 and Employee4.  Be sure to assign these users to the Employee role as you create them.
  18. When you are done you should have seven users and three roles defined.  This can be verified by clicking on the Security tab.  Your user and role counts may differ depending on if you followed my instructions to the letter.  It is not critical.  What is important is that you create some roles and users and assign some users to the roles.  This is what my Security screen looks like.

     
  19. Close the ASP.NET Web Site Administration Tool.
  20. Close Microsoft Visual Studio 2005.
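
A read-only check of what the steps above wrote to the database, as an added example that is not part of the original post. It assumes the AspNetDb_FBADemo database name and the applicationName="/" value used in this walk-through, and queries the standard tables that aspnet_regsql creates.

```sql
-- Added example: confirm the users, roles and password storage format that the
-- ASP.NET Web Site Administration Tool wrote to the membership database.
USE [AspNetDb_FBADemo];
GO

-- 1. Every user under application "/", how the password is stored, account state,
--    and role membership (one row per user/role pair; RoleName is NULL if none).
SELECT  a.ApplicationName,
        u.UserName,
        CASE m.PasswordFormat
             WHEN 0 THEN 'Clear'
             WHEN 1 THEN 'Hashed'
             WHEN 2 THEN 'Encrypted'
             ELSE 'Unknown'
        END AS PasswordStorage,
        m.IsApproved,
        m.IsLockedOut,
        r.RoleName
FROM dbo.aspnet_Applications      AS a
JOIN dbo.aspnet_Users             AS u  ON u.ApplicationId = a.ApplicationId
JOIN dbo.aspnet_Membership        AS m  ON m.UserId        = u.UserId
LEFT JOIN dbo.aspnet_UsersInRoles AS ur ON ur.UserId       = u.UserId
LEFT JOIN dbo.aspnet_Roles        AS r  ON r.RoleId        = ur.RoleId
WHERE a.LoweredApplicationName = N'/'
ORDER BY u.UserName, r.RoleName;

-- 2. User count per application name. The providers only see users stored under
--    their own applicationName, so users that landed under any name other than "/"
--    will not be found by a provider configured with applicationName="/".
SELECT  a.ApplicationName,
        COUNT(u.UserId) AS UserCount
FROM dbo.aspnet_Applications AS a
LEFT JOIN dbo.aspnet_Users   AS u ON u.ApplicationId = a.ApplicationId
GROUP BY a.ApplicationName
ORDER BY a.ApplicationName;

-- 3. Accounts that need attention: password not stored hashed (the provider above
--    is configured with passwordFormat="Hashed"), or account locked or unapproved.
SELECT  u.UserName,
        m.PasswordFormat,
        m.IsApproved,
        m.IsLockedOut
FROM dbo.aspnet_Users      AS u
JOIN dbo.aspnet_Membership AS m ON m.UserId = u.UserId
WHERE m.PasswordFormat <> 1
   OR m.IsApproved   = 0
   OR m.IsLockedOut  = 1;
GO
```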

 

SharePoint Setup

We cannot implement FBA without a SharePoint site.  The first thing we need to do is decide upon some URLs.  For the sake of this example, I will be demonstrating how to expose the same site (content database(s)) to users with NT accounts thru one URL and to our FBA users thru another URL.  This setup is typical in an extranet scenario where we may want to expose some content to our customers but they may not have Active Directory accounts and their user information is either stored elsewhere (and custom Membership and Role providers written, which is well beyond the scope of this post), or stored in a SQL Database created using the steps earlier in this post and populated either thru your own interface or using the above steps.  I am choosing to create an internal site to be accessed via http://FBAextranet and an external site for my customers to be accessed via http://FBAextranet.attis.org.

 

Update hosts file

To make these URLs accessible on our development machine, we need to add some hosts file entries.  Here are the steps.

 

  1. Open up Windows Explorer.
  2. Type C:\WINDOWS\system32\drivers\etc into the address bar and press Enter.
  3. Double click on the hosts file.
  4. Select Notepad and click OK.
  5. Add the following two lines to the bottom of the file, right below the localhost entry.

    127.0.0.1       FBAextranet
    127.0.0.1       FBAextranet.attis.org

  6. Save and close the hosts file.
  7. Close Windows Explorer.
  8. Opening up a browser and browsing to either of the above two entries should bring up the Under Construction page as shown below.

     

Create FBAextranet.attis.org

Try to keep the primary purpose of your content in mind.  I say this because it may make your life a little easier when making decisions later, primarily in Part 2 of this series when we set up MySites and Personalization.  In our case, the primary purpose of my site is to serve my customers.  With that said, we should create our external site first, http://FBAextranet.attis.org.  Here are the steps.

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Create a new Web application.
  5. Choose to Create a new IIS web site.
  6. Enter 80 in the Port textbox.
  7. Enter FBAextranet.attis.org in the Host Header textbox.
  8. Do not make any changes in the Security Configuration section or the Load Balanced URL section.
  9. Depending on your environment, either create a new application pool or use an existing one.  In my case, I have one that I reuse for all sites on my development machine.
  10. Choose to Restart IIS Automatically.
  11. Ensure that the value in the Database server textbox is accurate.
  12. Enter a meaningful name for the content database.  I generally suffix the default name with an underscore (_) and the name of the primary url for my content (FBAextranet.attis.org), in this case, WSS_Content_FBAextranet.attis.org.
  13. Click OK.
  14. From the Application Created screen, click on the Create Site Collection link.
  15. Enter FBA Extranet in the Title textbox.
  16. Choose the Blank Site template.
  17. I mentioned at the beginning of this post that I was logged on to the development machine as a domain administrator.  Assuming you are as well, make this user the Primary Site Collection Administrator, otherwise, choose an appropriate user.
  18. Click OK.
  19. From the Top-Level Site Successfully Created page, click OK.
  20. Open a browser and browse to http://FBAextranet.attis.org.
  21. You will be prompted for your NT credentials, remember, we have yet to change the site's authentication mode to forms.

 

Update FBAextranet.attis.org web.config

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint - FBAextranet.attis.org80 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://FBAextranet.attis.org web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file.
  9. Save and close the web.config file.

 

Create FBAextranet

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Extend an existing Web application.
  5. In the Web Application section choose to extend http://FBAextranet.attis.org.
  6. Choose to Create a new IIS web site.
  7. Enter 80 in the Port textbox.
  8. Enter FBAextranet in the Host Header textbox.
  9. Do not make any changes in the Security Configuration section.
  10. In Load Balanced URL section, be sure the Zone is set to Intranet.
  11. Click OK.
  12. Open a browser and browse to http://FBAextranet.
  13. You will not be prompted for your credentials because the above url automatically falls into the Local Intranet security zone of your browser (unless you have changed your browser's default settings) and your NT credentials are simply passed thru to the site by Windows (Integrated Windows authentication).  This is the behavior we want at this url.

 

Update Central Administration web.config

We need to make Central Administration aware of our new membership and role provider.  Here are the steps.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint Central Administration v3 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the Central Administration web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file of the Central Administration site.
  9. Update the roleManager element from

    <roleManager enabled="true" defaultProvider="FBADemoRole">

    to this

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

  10. Save and close the web.config file.

Enable FBA on FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Authentication providers in the Application Security section.
  4. Be sure to select the http://fbaextranet.attis.org Web Application in the top right hand corner of the screen.
  5. You should see two zones listed, a Default zone and an Intranet zone.  Click on the Default zone.  Remember, earlier we decided that serving our customers was the primary (default) purpose of this site.
  6. Select Forms in the Authentication Type section.  After the page posts back, Membership Provider Name and Role Manager Name textboxes appear.
  7. Enter the appropriate values from the previous sections into both the Membership Provider Name (in my case FBADemoMember) textbox and the Role Manager Name (in my case FBADemoRole) textbox and click Save.
  8. Open a browser and browse to http://FBAextranet.attis.org.
  9. You will be presented with the stock FBA login form.

 

Add secondary Site Collection Administrator to FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Site collection administrators in the SharePoint Site Management section.
  4. Make sure http://fbaextranet.attis.org is selected in the Site Collection dropdown at the top right corner of the screen.
  5. Type spadmin (the admin user we created earlier in this post) into the Secondary site collection administrator textbox, then click the person icon to resolve the user.  It will resolve to your FBA user.
  6. Click OK.

 

Browse http://FBAextranet.attis.org

  1. Open a browser and browse to http://FBAextranet.attis.org.
  2. On the FBA login screen, logon as spadmin.
  3. You can now secure your securables using the users and roles stored in SQL Server!  Congratulations.
  4. Notice that MySites are not available.  Be on the lookout for Part 2 to walk you thru the steps to do that!  It's a doozie and apparently shouldn't work :)


 

I hope this post is useful.  It's an aggregation of many sources, coupled with my own experience, all into one, with many of the lessons I have learned.  There are a couple of variations to this process, some involve policy.  I am of the thought that one should only use policy when it is absolutely necessary.  I finished writing this at 1 AM so there may be some errors, please let me know if you find any!

Published 23 February 2007 04:52 AM by Dan Attis

Comments

# John West said on 23 February, 2007 05:35 AM
This looks to be very helpful.  Thx!
# Stacy Draper said on 23 February, 2007 10:50 AM
Great job!
# Dan Attis said on 01 March, 2007 10:09 PM
As promised, here is part 2 of my series on hooking up Forms based authentication on a SharePoint 2007...
# Stacy Draper said on 02 March, 2007 01:25 PM
Dan Attis has written down the steps to have Forms Based Authentication (FBA) for SharePoint...
# Keith "Chuck Norris" Rome said on 05 March, 2007 11:06 AM
this is the coolest thing I have ever seen
# Jason Dunbar said on 08 March, 2007 09:26 AM
Hi Dan,

I've spent a while fiddling around with WSS v3.0 FBA (no MOSS2007). The biggest problem that I found with this guide and many others is that Visual Studio appears to be a requirement to be able to access the ASP .Net Site Administration tool. I couldn't settle for a solution that involved the reliant use of Visual Studio - knowing that it would not be available on a production web front end.

So I thought it might be worth noting that it is possible to work around the Visual Studio requirement. How? Simply create your own web interface and use ASP .Net 2.0 controls on a series of pages for the user administration. The CreateUserWizard is particularly useful.

I thought it might also be worth mentioning that there absolutely must be a way of referencing the ASP .Net Site Administration files (found in C:\Windows\Microsoft.Net\Framework\v2.0xxx\ASP.NetWebAdminFiles) using a Virtual Directory and administrating your application that way. That's something I'm still investigating.
# Tracy said on 12 March, 2007 09:22 AM
Great article!
I worked on FBA for a couple of days, but didn't make it work.  This article helps me a lot. However, I still have trouble with signing in the site.  After I enter the username and password, the sign in page pops up again and again. Would someone give me some help on it?
Earlier reply would be really appreciated!

Tracy
# shiva said on 12 March, 2007 10:36 PM
Hi

Regarding User Name and password, pls go to the Database and check the connection, have u given it properly or not. Ex sharepoints sp_workerprocess, this will be in security process where it should recognise the users; once it recognises the user u can easily work on it

# Tracy said on 13 March, 2007 07:51 AM
Shiva, thank you for answering my question.  But I got a little confused by what you said, can you please give me more detailed information, or give me an example? Thanks again!
# SharePoint, SharePoint and stuff said on 22 March, 2007 04:42 AM
Setting up forms-based authentication (including with MySites) Office SharePoint Server 2007 - Forms
# SharePoint, SharePoint and stuff said on 22 March, 2007 04:51 AM
The SharePoint Coffee Cup - links that caught my attention while combing through the SharePoint news in the morning
# Prateet Sinha said on 29 March, 2007 01:49 AM
I followed the same steps but got stuck with the Sign-in page. The sign in page either pops up again or gives an unknown error. The database has records of the usernames stored by the asp.net configuration tool but it is not being fetched by sharepoint.
The error captured in the event viewer is that -- There is no administration site associated with the Shared Services Provider SharedServices1.
# Manav said on 01 April, 2007 06:55 AM
The problem with me is that even though I added the 127.0.0.1 FBAextranet.attis.org line after the localhost line, saved the file and tried to access http://FBAextranet.attis.org, it does not show Under Construction but rather shows me a page cannot be displayed page!! Please help
# Todd Baginski's SharePoint 2003 and MOSS 2007 Blog said on 12 April, 2007 03:25 PM
During the Create an Internet-Facing SharePoint Site session I covered the following topics. Setting
# Joe Caiola said on 19 April, 2007 04:51 PM
Dan:
Thanks for such thorough documentation. I did run into a couple of problems and I'm hoping you can demystify them for me.

First - in Part 1 where you say:

*****

Create a folder on your desktop called FBA Management Site.
Open Microsoft Visual Studio 2005.
Select File...Open...Web Site.
In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.

*****
I could not find the ...Open...Web Site at all. I had Projects and Solutions, but no website.

Also, after I completed this step: "Create FBAextranet.attis.org" (using my own host header of course), I suddenly could not get into my Central Administration screen - the system kept telling me it "could not connect to the configuration database".

Any idea why that would happen?

Any assistance would be appreciated.
# fijaz said on 07 May, 2007 05:52 AM
I am able to add site collection administrators for my FBA site only if my users db is in the same SQL Server instance as the MOSS application's default database server. Is this a limitation or anything wrong on my part?
To be more elaborate: Database server for MOSS application is [myMachine]\Officeservers and I can't add site collection administrators if users db is at [myMachine]\SQL2005.
But it works fine if I put users db at [myMachine]\Officeservers.

Second question is about custom authentication provider. [it is optional on this blog :)] Is it possible to authenticate a user based on three things: UserID, Password, CompanyName?
Thanks in advance for any help.
# Jennifer said on 09 May, 2007 02:17 AM
Hi Dan,

great post, thanks for making the effort!

I've linked to it from my summary on SP security: http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx

best
jennifer
# Nik Ivancic said on 13 May, 2007 04:16 PM
You mention the step:

One step that I have not seen mentioned ANYWHERE is to make sure that the account that is running the application pool that will be used by the sites you create below have access to the database we just created.  This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.

as very important. However, I do not see any place in your article where you ensure that this is being done.

Can you elaborate, please?
# Nik Ivancic said on 13 May, 2007 04:25 PM
In addition to updating the web.config files for FBAextranet.attis.org and Central Administration (with connection string, the membership and roleManager elements), I needed to do the same for the FBAextranet site as well (in order to be able to add the users to the FBAextranet.attis.org).
# Nik Ivancic said on 13 May, 2007 04:29 PM
The sub-step 10 states:

10. In Load Balanced URL section, be sure the Zone is set to Intranet.

I was presented with three alternatives in this case:

Internet (not Intranet)
Extranet
Custom

I selected the first (Intranet) and everything works as it should. Is your spelling for the desired zone (Intranet) a typo?
# Sjur said on 18 May, 2007 09:37 PM
Hey, everything went smoothly until the last section: "Add secondary Site Collection Administrator to FBAextranet.attis.org". At point 5 I typed spadmin into the "Secondary site collection administrator"-textbox, but when I click the person icon to resolve the user, it will not resolve to the FBA user?! What am I possibly doing wrong? Every step before this point went as described in this excellent tutorial.
# ykurtz said on 20 May, 2007 11:19 PM
Thank you for your magic step.  I followed Baginski's steps and could not get the Central Admin to 'see' my users. (Red squigglies under my users...) I checked the app pool and noticed that it was set to 'network service'.  I went ahead and gave it access to my membership/role db and now everything works.  
# Manikandan Sachidanandan said on 28 May, 2007 09:41 PM
Just awesome!
You saved my day dude!!!
Thank you very much.
Email: mani@solutionsdevelopers.com
# Ramesh said on 29 May, 2007 02:38 PM
Sjur:  I am having the same issue.  Please let me know if you found any lead on this.
-Thanks
# Ramesh said on 29 May, 2007 02:51 PM
Sorry, it is the same issue as Sjur's - I am copying/pasting the same question.  Everything went smoothly until the last section: "Add secondary Site Collection Administrator to FBAextranet.attis.org". At point 5 I typed spadmin into the "Secondary site collection administrator"-textbox, but when I click the person icon to resolve the user, it will not resolve to the FBA user?! What am I possibly doing wrong? Every step before this point went as described in this excellent tutorial.
# David Henderson said on 05 June, 2007 06:43 AM
This has worked great, at least up to the "Update Central Administration web.config" section.  I copied connectionStrings, membership, and roleManager into the system.web element as I had done for the other web.configs, and I modified the defaultProvider to read "AspNetWindowsTokenRoleProvider".  But after saving the web.config, I was not able to use the Central Administration site anymore... any link that I clicked on returned a blank page.  So I could not go on to the next step.

Any idea what might cause this, and what I can do to fix it?

Thanks,
davidh
# Ray DeBiase said on 29 July, 2007 08:00 PM
Great article, but if you want to use SharePoint Designer 2007 on a web server that doesn't have access to Active Directory, create the Default zone using NTLM and create the extended site with FBA using the Internet zone.
# Karen said on 30 July, 2007 05:04 PM
Hello, I have followed this to the letter.  It took about two weeks to get everything working properly.  Now it appears to be fine.  I get to the last step of trying to sign in as one of the people I have created and I get the following error:

Unknown Error
Troubleshoot issues with Windows SharePoint Services.


I really am going to tear my hair out!  Please help! I don't even know where to start troubleshooting an error like that....THANKS!
# BIrendra said on 21 August, 2007 11:19 PM
Do you know how to perform Passport integration support  with MOSS 2007? Do you have any sample code?

Kindly help.

Thanks,
Birendra
# Eli Robillard's World of Blog. said on 07 September, 2007 12:55 PM
There are three great guides to configuring FBA: Andrew Connell had the best article first. Dan Attis
# Mike Sharp said on 12 September, 2007 11:15 PM
Great article!  As Nik Ivancic noted, you leave out the details of granting the AppPool identity access to the aspnetdb database.  I've seen this same thing mentioned elsewhere, but again, no one says exactly what permissions it needs.  I suppose I can walk through the errors, granting execute permissions on each object that errors out, but is there a particular role or set of permissions that would do it?

For example, I can run this query:

USE aspnetdb
GO
sp_addrolemember 'aspnet_Membership_FullAccess', 'DOMAIN\WSS_Service'

and forms auth works.  But is that the *minimum* access?  I'd rather not grant full access unless I have to.

Thanks,
Mike Sharp
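An added example, not part of Mike Sharp's comment or the original post: a T-SQL sketch of granting the app pool identity narrower aspnetdb roles than `aspnet_Membership_FullAccess`, then listing what those roles can execute. The role names are the ones `aspnet_regsql` creates; that this subset is enough for sign-in and the people picker in a given farm is an assumption to verify, and `DOMAIN\WSS_Service` is the account name from the comment.

```sql
-- Added example (not the post's own script). Assumes aspnetdb was built with
-- aspnet_regsql, which creates the aspnet_* database roles used below.
USE master;
GO
-- Windows login for the application pool identity.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\WSS_Service')
    CREATE LOGIN [DOMAIN\WSS_Service] FROM WINDOWS;
GO
USE aspnetdb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'DOMAIN\WSS_Service')
    CREATE USER [DOMAIN\WSS_Service] FOR LOGIN [DOMAIN\WSS_Service];
GO
-- If FullAccess was granted while troubleshooting, take it back first.
IF IS_ROLEMEMBER(N'aspnet_Membership_FullAccess', N'DOMAIN\WSS_Service') = 1
    EXEC sp_droprolemember N'aspnet_Membership_FullAccess', N'DOMAIN\WSS_Service';
GO
-- BasicAccess: credential validation at sign-in (reads the password hash,
-- updates last-login and lockout counters). No create/delete/reset of users.
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess', N'DOMAIN\WSS_Service';
-- ReportingAccess: user lookup/search procedures (assumed here to be what
-- resolving names in the people picker relies on).
EXEC sp_addrolemember N'aspnet_Membership_ReportingAccess', N'DOMAIN\WSS_Service';
-- Only needed when a roleManager provider is configured in web.config.
EXEC sp_addrolemember N'aspnet_Roles_BasicAccess', N'DOMAIN\WSS_Service';
GO
-- Audit: direct role memberships of the account and the object-level
-- permissions each of those roles carries (class 1 = object or column).
SELECT r.name            AS role_name,
       o.name            AS object_name,
       p.permission_name,
       p.state_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.database_permissions AS p
       ON p.grantee_principal_id = r.principal_id AND p.class = 1
LEFT JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE m.name = N'DOMAIN\WSS_Service'
ORDER BY r.name, o.name;
```

If the audit output shows procedures such as user creation or password reset, the account still holds a FullAccess role; user management can run under a separate, more privileged account instead.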
# srikanth sapelly said on 19 September, 2007 10:10 PM
hi all,
       just browse the link you will get all the information about how to configure the Forms based authentication in Moss 2007 and a lot more relating forms authentication.
http://www.lots-with-sharepoint.blogspot.com

Feel free to contact me for any type of queries in share point
# Jay said on 15 October, 2007 12:02 PM
For those of you who follow these instructions to the letter and still get an "Unknown Error" when trying to login (last step) using forms authentication. Check this... If you initially set up multiple users for your Sharepoint farm, check the application pool users for both Central Administration and YourSite. In IIS look at the properties of each of these app pools, then look at Identity tab. In my case, they were using two different users. One had access to reach SQL server and the other didn't. They both (if different) need to be logins in SQL server, with the proper sql server role permissions in order to reach the aspnetdb database. Hope this helps you!
# Srinivas said on 17 October, 2007 11:38 PM
I followed the steps properly and also gave the database access rights to the app pool user. But when I open the extranet site, it pops up the windows username/password box and once I enter the windows local administrator account credentials, it opens up the Forms sign in page. Then I am able to login with the username/passwd in the Aspnet_db database. Is this how it is supposed to work? or Am I missing something?
# Srinivas said on 18 October, 2007 06:16 AM
While I am submitting my connect, it took me to an error page so I tried to re-submit and use the result.

Other issue I want to talk about is the change we are making in the Central Administration web.config file. Is it a good practise to edit the Central Admin's config file? Doesn't it affect other webapplications provisioned on the same farm using the same central administration? Any thoughts on it? Also, please provide a tiny explanation for doing those changes.
# Ryan Lee said on 14 November, 2007 11:43 AM
Great article! This is exactly what my client requested. After juggling with the web.config files I managed to have both Windows Tokens and FBA for ssp and mysite (depending on the zone). Now I need to create the FBA management tool in Visual Studio :)

Thanks for this article. Couldn't have done it without it.
# Hristo Yankov said on 25 November, 2007 02:28 AM
Oh My God!!!

I have read so many articles, none of them mentioned the database permission detail, which I also missed! I lost hours on this issue. Thank you so much!!!
# Hinsua said on 26 November, 2007 09:54 AM
Thanks for the post, very useful info!
www.sharepoint2007.co.cc
# Prajyot said on 17 December, 2007 03:50 AM

I'm trying to use FBA. I have done all the things as per your blog, but after sign in I am getting Unknown error..... I haven't added Role Manager in Web.config as it's optional. Is it necessary to add this one?

Also  Plz tell me How to check the magic step !!!!!

# Pradeep said on 23 December, 2007 11:23 AM

hi! this is an excellent page !! Thanks a lot to you and all the others who have contributed.

i have a bug, the people picker is not picking up the users in central administration website -> policy for webapplications , can you please tell me what changes have to be done in the web.config of administration site to enable people picker work?

# Pradeep said on 23 December, 2007 12:48 PM

My Form Based thing is all done !! thanks a lot ppl !! :)

# blog.ekegren said on 02 January, 2008 09:36 AM
# Atlanta .NET Regular Guys said on 02 January, 2008 02:18 PM

When you setup a SharePoint 2007 site with Forms Based Authentication (FBA) you have multiple options

# Blunderdog said on 05 February, 2008 12:36 AM

After struggling with other tutorials for several days I started this one this morning. I'm further than ever before. The spadmin account can now be found and underlined when adding the secondary site collection administrator. However, no other user can be found and I cannot log into the site with the spadmin account. I've verified that I'm using the correct password. I'm getting application log errors saying "Membership credential verification failed" for spadmin. Any help would be greatly appreciated here or in my email at kelleyathccanetdotorg.

# Nick CHapman said on 08 February, 2008 02:46 PM

Thanks for this it works a treat.

Just a couple of questions :-

1. Does it work using ssl on port 443 (you quote standard port 80 in the above steps)

2. Is there a procedure for the user to change their passwords once I have created the account?

Thanks

Nick

# Tony Testa's World said on 09 February, 2008 09:05 AM

Roll your own custom MembershipProvider and use it with SharePoint for Forms Based Authentication

# Mina Shawky said on 11 February, 2008 02:49 AM

I've been following the steps described exactly, and just when I try to add my new user to the Secondary Site Collection Administrator, the user was found nowhere...

I changed the connection string in both the Central Administrator, and the Web App, by removing the Trusted Connection Attribute and adding a new User ID and Password attributes (A new Login to the Database)... Thankfully the site worked perfectly...

# Nick Chapman said on 11 February, 2008 06:19 AM

1. Does it work using ssl on port 443 (you quote standard port 80 in the above steps)

# erinc arikan said on 03 March, 2008 09:48 AM

Hi, this article was a perfect explanation, Thanks a lot for that. I followed all of the steps, but since I don't want an intranet page, I skipped that part. Except extending the web application, I configured everything like you have told us to do.

# erinc arikan said on 03 March, 2008 09:50 AM

But I have a problem that I can not solve after 3 days of struggle.

When I try to change site collection administrators, I had no luck of resolving the usernames.

If I don't do that when I try to login with the form, I keep getting a unknown error, when I hit login.

# erinc arikan said on 03 March, 2008 09:51 AM

Clearly I am getting problems accessing the database,

so I checked If I had the access to the database. Firstly;

IIS->Application Pools->Sharepoint Central Administration v3->right click->Properties

From there I went to the identity tab. It tells me that Identity of the pool is Network Service.

So I went into the SQL Server->Security->Logins->NT AUTHORITY\NETWORK SERVICE->right click->properties

and after that I clicked user mapping, I checked the aspnetdbFBADemo database checkbox.

and under database role membership for the aspNetDemo part public checkbox is checked.

What else might I do to prevent this error?

Did anybody run into similar issue?

Thanks in advance

# Andy Burns said on 05 March, 2008 01:40 PM

Thanks, good instructions.

I've nearly got it working, except that the Sign In page always just posts back to itself. I can the spadmin user I created in the site owners group, and it does resolve it okay to "FBAUsers:spadmin", so I'm figuring that the db connection is right. It looks like everything is correct - except that when I type in 'spadmin' and 'password' I just get returned to the Sign In page.

All in all, I'd rather get an error - no problems but no access is annoying.

Any ideas anyone?

# Form Authentication: The missing part « Amir Mehrani’s Tech Blog said on 08 March, 2008 02:50 PM

Pingback from  Form Authentication: The missing part « Amir Mehrani’s Tech Blog

# novolocus.com » Using the ASP.NET Web Site Administration Tool to test SQL connections said on 11 March, 2008 05:39 AM

Pingback from  novolocus.com » Using the ASP.NET Web Site Administration Tool to test SQL connections

# novolocus.com » Forms Based Authentication in SharePoint said on 18 March, 2008 07:35 AM

Pingback from  novolocus.com » Forms Based Authentication in SharePoint

# Tony Testa's World said on 02 April, 2008 03:58 AM

SharePoint MySite Forms Based Authentication Missing Steps That Might Come In Handy

# sunny said on 08 April, 2008 01:13 PM

can we hide sub sites using FBA, for site collection, i want a user x not able to see site A1 subsites using FBA.

the site collection using FBA does not care the inheritance broken model. how can we restrict a user from accessing a site A.

# Forms Based Authentication Links « Sanket Shah’s Weblog said on 08 May, 2008 11:18 PM

Pingback from  Forms Based Authentication Links « Sanket Shah’s Weblog

# Anthony Casillas said on 20 May, 2008 03:56 PM

Just a thought here if you have not already figured out why you are being looped right back to your login form.  Have you verified that your IIS Site that the FBA is living on, has Integrated Auth enabled on it. Mine was only set for Anonymous, and it would loop me back as well.

# duc_clo said on 22 May, 2008 10:15 PM

I can't sign in to http://FBAextranet.attis.org

I completed all steps but I can't access when I am using user: spadmin

When I type the user and password and then submit, it returns no err but I still can't connect to the site. I have checked SQL database, IIS identity, please help me duc_clo@yahoo.com thank you very much

# dukkichst said on 22 May, 2008 11:59 PM

Re-post :

Thanks, good instructions.

I've nearly got it working, except that the Sign In page always just posts back to itself. I can the spadmin user I created in the site owners group, and it does resolve it okay to "FBAUsers:spadmin", so I'm figuring that the db connection is right. It looks like everything is correct - except that when I type in 'spadmin' and 'password' I just get returned to the Sign In page.

All in all, I'd rather get an error - no problems but no access is annoying.

Any ideas anyone?

Please

# Nick Swan's SharePoint Blog said on 28 May, 2008 03:19 AM
# Digital Strawberry Girl said on 29 May, 2008 07:07 AM

SharePoint Content Deployment Walkthrough

# SharePoint without AD and clean database names and FBA | abortretryfail.net said on 02 June, 2008 03:45 PM

Pingback from  SharePoint without AD and clean database names and FBA | abortretryfail.net

# Rob King said on 05 June, 2008 08:03 AM

You need to make the magic step (the step about granting  the application pool user database access) a large blinking banner or something.  I struggled for almost 2 days trying and retrying setting up FBA to the letter and still it wouldn't work.  Then I stumbled across another blog post that mentioned it and said it was vital.  I made the change and lo it all magically worked!

# Thomas said on 18 June, 2008 09:56 AM

Hello,

thanks to this article and another one I finally got it working, partially.

One thing I couldn't use from this article was the Visual Studio one so I had to create all users and roles manually with MS SQL Manager 2005.

So the users are created, form login shows up, but when I would like to add my user in the Central Administration I can't find it anywhere, even if I try to login with the username and password I've inserted into the database it pops an error, that I can't log in, bla bla bla...

So I think my connection with the Database is not ok in what way.

If you need my configuration from web.config say so and I will upload it to a pastebin or something.

Thank you!

Regards,

xfirestorm

# AM21 said on 19 June, 2008 02:17 AM

hi,

After following exact step mentioned,I am getting continuous pop for the login page even though i typed correct user name and password.

can u please help me on this matter.

# bsg said on 06 July, 2008 09:09 AM

SharePoint treat as two different identities when authenticated using windows and Form based authentication for Microsoft Active Directory user. How to solve this problem.

# Charles said on 06 July, 2008 05:11 PM

I get the same issue.  The sign in page keeps posting back to itself.  No error, just keeps asking me to log in again and again. Did someone find out what is going on?

# Ashwin said on 09 July, 2008 05:20 AM

Hi,

Thanks for the valuable information. I tried the whole thing but when I'm on login page and try to log in, I'm not able to do it. Can please tell me what's wrong?

# Tim said on 10 July, 2008 11:33 AM

Man, what a nightmare.  But I finally got it.  Very good post.  I was searching all over for this and like you said, MOST were incomplete.  This worked perfectly!!  Thanks!

# The hoops of Internet-enabling a SharePoint site - Part 2 | blog.jesskim.com said on 13 July, 2008 08:34 AM

Pingback from  The hoops of Internet-enabling a SharePoint site - Part 2 | blog.jesskim.com

# Mike Sharp said on 15 July, 2008 09:39 AM

A lot of water has run under this bridge, but in case anyone is still wondering, in step 10 of Database Creation, the application pool identity needs to have Data Reader and Data Writer permissions in the aspnetdb database.

Regards,

Mike Sharp

# Ben said on 20 July, 2008 11:48 PM

Great instructions.  It brought all my research together in one place.  

Note to folks having trouble logging in using forms auth:

Ensure that you have given the users that you are trying to log in as permission to the SharePoint SiteCollection for which you are attempting to log them in.

# Ricardo Caldas said on 21 July, 2008 10:44 AM

Hi Dan,

Nice job with the article.

I have one problem with my FBA and I would like to know if you have any idea to solve it.

I have implemented a PWA in the company, and I'm trying to publish it in the internet with SSL. The published site with authentication through AD is working just fine. But with FBA I have a problem with the links. When I click in a link the page is redirected to the respective link, but using an internal URL, and logically the user can't open the folder, or the workspace.

Do you have any idea of what could be the problem?

Thank you very much.

# Mirrored Blogs said on 22 July, 2008 08:47 AM

Body: A quick tip today about forms authentication in SharePoint

# Ricardo Caldas said on 23 July, 2008 04:59 AM

Hi Dan,

Nice work with the article.

I have a problem with my FBA access.

My PWA working with FBA (SQL server DB) is not working properly. The user can access to the page of PWA normally, but when they try to use the shortcuts for folder or workspaces it redirects the user for an internal page, using the AD and logically they don't have access and gives them a blank page.

Do you have any idea of what could be the problem?

Thank you very much.

# Sharepointer said on 24 July, 2008 05:06 AM

BIG NOTE FOR ALL WHO GET POSTED BACK ON LOGIN

------------------------------------------------------------

Assuming the spadmin user CAN be resolved in Central Admin but you get posted back to login form when trying to log in through FBA.

Anthony Casillas mentioned in the comments here, that you should turn on "Integrated Authentication" on the FBA SharePoint website. It worked for me as well - THANKS!

It would be good to update the blog post to reflect this solution so that not everybody has to read all the comments.

How to do this fix:

-----------------------

- go to IIS, right click on the FBA website: "Properties"

- click the tab "Directory Security"

- click on the top "Edit" button (Authentication and access control)

- in the bottom part check "Integrated Windows authentication"

Now it may work for you! Did for me thanks to Anthony Casillas posting the hint.

# Nick Swan's SharePoint Blog said on 25 July, 2008 06:06 AM
# Larry said on 26 July, 2008 10:15 AM

I followed the instructions and seem to almost have things working. My problem is I cannot login to the FBA site.  I can use the people picker in the default and central admin sites to find users in my FBA provider, but cannot login with any of those users. Also, if I run a trace on the SQL server, I do not see any activity when trying to login to the FBA site, but do when using the people picker on the other two sites. Do you have any ideas as to what might be the problem? It seems strange to me -- I keep checking the obvious connection strings etc but find no difference.

# justguy's said on 01 August, 2008 01:20 AM

Hi, Recently I’ve had an interesting challenge (yes, challenge): building a MOSS portal based on Form

# AM21 said on 01 August, 2008 10:55 AM

hi

here is the solution for the problem i faced..

we need to check the integrated windows solution from:

iis Manager > Properties > Directory security > Authentication and security control..

and things will work for sure

# Aaron Stillwell said on 01 August, 2008 11:41 AM

We offer a COTS solution for extranet management and reporting. In our next release, we will have office integration using FBA.  My email is astillwell@epok.net . Our site is www.epok.net .

# DT blogi said on 21 August, 2008 04:36 PM

To save on buying Windows licenses, ASP.NET forms-based authentication (FBA - Form Based Authentication) can also be used as the SharePoint user store. Although this later places some restrictions on the use of SharePoint, it is ...
