Friday, March 14, 2008

Form Based Authentication in MOSS

Introduction:
Forms Based Authentication (FBA) is a feature introduced in Microsoft Office SharePoint Server (MOSS) 2007. It lets a SharePoint web application (site) be used from outside your firewall: the same web application can be used by company employees over the intranet with their Windows accounts, and by partners or customers over the Internet with accounts held in a custom user store. That store can be a SQL Server database or an LDAP directory.
Description and Implementation:
This section describes the implementation of FBA in a real-world scenario. It is divided into four sections: database setup, FBA for the web application, creating users for FBA, and FBA for My Site. In this article I use a SQL Server database; the same can be done with LDAP.
Section 1: Prepare the database.
You can set up your own database for authentication, but it must use the predefined schema of the ASP.NET membership and role providers, because that is the schema SharePoint's SqlMembershipProvider and SqlRoleProvider understand. Microsoft ships a utility that creates this schema. Follow the steps below to create the database:
1. Open a command prompt and CD (change directory) to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727.
2. Type aspnet_regsql.exe and press Enter. This opens the ASP.NET SQL Server Setup Wizard.
3. Click Next and choose Configure SQL Server for application services.
4. Enter the SQL Server name and a database name; if you have no specific requirement, name the database 'aspnetdb'.
NOTE: The account under which the web application you create below runs (its application pool identity) must have access to this database, because the connection string used later relies on Integrated Security rather than a SQL login.

Section 2: Configure your web application to use Forms authentication
This section explains how to switch a web application's authentication from Windows to Forms. Here I convert my application to Forms authentication. If you want separate entry points for Windows authentication and Forms Based Authentication, extend the application into another zone (for example Intranet) and keep that zone in Windows mode, which AD users in your domain will use, and change the Default zone to Forms Based Authentication as explained below.
NOTE: If you also want WSS or MOSS Search to crawl your Forms Based Authenticated site, you have to extend the FBA site into a zone (for example Intranet) that uses Windows authentication, so that the crawler can log in with your crawl account. You also need to add that account under Policy for Web Application in Application Management with at least Full Read access (see the references for more).
1. Open SharePoint Central administration site.
2. Create a web application (ex: - http://124378m4) with required site collection.
3. Open web.config of your web application in a text editor (Notepad, or Visual Studio 2005).
4. Add a connection string that points to the aspnetdb database. Put it inside the <connectionStrings> element (create the element directly under <configuration> if it is not already there):

<connectionStrings>
  <add name="AspNetDbFBAConnectionString"
       connectionString="Data Source=124378M1;Initial Catalog=aspnetdb;Integrated Security=True" />
</connectionStrings>

NOTE: Change the Data Source value to your own SQL Server instance name. Because the string uses Integrated Security, the application pool identity of the web application is the account that must have access to aspnetdb (see the note in Section 1).
5. Add the membership provider and the role provider inside <system.web>. The provider names (FBADemoMember and FBADemoRole) are the names you will select in Central Administration in step 8. If web.config already contains a <roleManager> element, edit it rather than adding a second one:

<membership defaultProvider="FBADemoMember">
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="mcc"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         name="FBADemoMember" type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="FBADemoRole">
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         applicationName="mcc"
         name="FBADemoRole" type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

NOTE: applicationName scopes the users and roles: two sites that share the same aspnetdb but use different applicationName values see different sets of users. If you have only one FBA site you can simply write applicationName="/". Also note that the password settings above are demo values: minRequiredPasswordLength="1", minRequiredNonalphanumericCharacters="0" and an empty passwordStrengthRegularExpression accept a one-character password. Keep passwordFormat="Hashed" and enablePasswordRetrieval="false" (a hashed password cannot be retrieved, only reset) and raise the length and complexity requirements before exposing the site to the Internet. maxInvalidPasswordAttempts="5" with passwordAttemptWindow="10" locks an account after five failed logins within ten minutes; a locked account stays locked until it is unlocked through the provider (MembershipUser.UnlockUser).

6. Go to the Application Management tab and click Authentication Providers (under Application Security).
7. Make sure the currently selected web application is the one you want to change to Forms authentication, then click Default (under Zone). If you extended the site into the Intranet zone you will see a second zone; leave the Intranet zone on Windows and change the Default zone as below.

8. Select Forms as the authentication type and set the Membership provider name (FBADemoMember) and Role manager name (FBADemoRole) as below:
You can verify these names in the web.config of your application; they must match the name attributes of the providers exactly.
9. Click OK to save the changes.

Change the Central Administration web.config:
After changing the web application we also need to change the Central Administration web.config. This step is required because the first FBA user has to be added through Central Administration, and the People Picker there can only resolve FBA users if Central Administration can reach the same membership and role providers.
NOTE: Take a backup of web.config before editing it.
10. Open the web.config of your SharePoint Central Administration site in a text editor and add the same connection string inside <connectionStrings>:

<connectionStrings>
  <add name="AspNetDbFBAConnectionString"
       connectionString="Data Source=124378M1;Initial Catalog=aspnetdb;Integrated Security=True" />
</connectionStrings>

11. Add the membership provider and the role provider inside <system.web>:

<membership>
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="mcc"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         name="FBADemoMember" type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         applicationName="mcc"
         name="FBADemoRole" type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

NOTE: The one thing to watch here is that the defaultProvider of roleManager in Central Administration must remain AspNetWindowsTokenRoleProvider, and membership must keep its default provider: the FBA providers are added so that Central Administration can resolve FBA users and roles, not so that administrators log in with them. applicationName has the same significance as in the web application and must match it exactly, otherwise the People Picker will not find the users you create.
12. Save the changes.
12. Save the changes.





Section 3: Creating users and roles in the database (aspnetdb)

Here you define your custom database users and, optionally, roles; SharePoint recognises both through the providers configured above. You do not have to create every user this way, but you must create at least one so that you can log in to the FBA site for the first time. The remaining users can be entered later, either directly in SQL Server or with a small console application that calls the provider API (which takes care of hashing and salting the passwords for you). Roles are a very useful facility: you can create roles that match your requirements, assign particular users to them, and then use the roles when granting permissions in SharePoint.
Here are the steps:
1. Open Visual Studio 2005.
2. Click File -> Open -> Web Site...
3. Click File System, browse to the folder where your web application's web.config (created above) resides, and click Open. My application is on port 81, so...
4. Click the Website menu -> ASP.NET Configuration. This launches the Web Site Administration Tool in Internet Explorer.
5. Click Security and add roles and users as needed.

6. You can check the membership provider and role provider by clicking the Provider tab; both should show the providers named in web.config (FBADemoMember and FBADemoRole), not the default AspNetSqlMembershipProvider.
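For the "console application" route mentioned above, here is an added example (not code from the original article): a .NET 2.0 console tool that creates FBA users and roles through the same SqlMembershipProvider and SqlRoleProvider that SharePoint uses, so the passwords are hashed by the provider instead of being written to the tables by hand. It assumes the console application's App.config carries the same <connectionStrings>, <membership> and <roleManager> entries as the web application's web.config, with the same provider names and, above all, the same applicationName="mcc"; otherwise the accounts land in a different application scope of aspnetdb and SharePoint will not see them. The tool name FbaUserAdmin and its arguments are my own choices.

```csharp
// Added example, not from the original article.
// Assumption: App.config contains the same <connectionStrings>, <membership>
// and <roleManager> sections as the SharePoint web.config (same provider
// names, same applicationName="mcc"). Reference System.Web.dll and
// System.Configuration.dll when compiling.
using System;
using System.Web.Security;

static class FbaUserAdmin
{
    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: FbaUserAdmin <username> <email> [role]");
            return 2;
        }
        string user = args[0];
        string email = args[1];
        string role = args.Length > 2 ? args[2] : null;

        // Read the password from the console rather than the command line, so it
        // does not end up in the shell history or in the process list.
        string password = ReadPassword("Password for " + user + ": ");

        // CreateUser runs the provider's password policy (minRequiredPasswordLength,
        // minRequiredNonalphanumericCharacters, passwordStrengthRegularExpression),
        // so a weak password is rejected here with a descriptive status.
        MembershipCreateStatus status;
        MembershipUser created = Membership.CreateUser(user, password, email, null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
        {
            Console.Error.WriteLine("CreateUser failed: " + status);
            return 1;
        }
        Console.WriteLine("Created user '{0}' (provider: {1}, applicationName: {2})",
            created.UserName, Membership.Provider.Name, Membership.ApplicationName);

        if (role != null)
        {
            if (!Roles.RoleExists(role))
            {
                Roles.CreateRole(role);
                Console.WriteLine("Created role '{0}'", role);
            }
            Roles.AddUserToRole(user, role);
            Console.WriteLine("Added '{0}' to role '{1}'", user, role);
        }

        // Round-trip check: this is the same call a custom login page makes.
        Console.WriteLine("ValidateUser: " + Membership.ValidateUser(user, password));
        return 0;
    }

    // Masked console input; Backspace removes the last character.
    static string ReadPassword(string prompt)
    {
        Console.Write(prompt);
        string pw = "";
        for (;;)
        {
            ConsoleKeyInfo key = Console.ReadKey(true);
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (pw.Length > 0) pw = pw.Substring(0, pw.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                pw += key.KeyChar;
            }
        }
        Console.WriteLine();
        return pw;
    }
}
```

Run it as the account that owns the aspnetdb connection (the connection string uses Integrated Security), for example FbaUserAdmin partner1 partner1@example.com Partners. The printed applicationName is the quickest way to confirm that the tool and SharePoint are writing to the same scope.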

Add the first user to your Forms auth web application:
1. Open the SharePoint Central Administration site.
2. Go to the Application Management tab. Under SharePoint Site Management, click Site collection administrators.
3. In the Site Collection list, make sure you have selected the site collection you want to change.
4. In Primary / Secondary site collection administrator, type in a Forms auth user and click the Check Names icon.
5. Once the name resolves, click OK.
6. The first Forms auth user is now added and you can log in with it. As an alternative, you can click Policy for Web Application (under Application Security) and define a Full Control policy on the web application for your Forms auth user; then you do not have to set a site collection administrator individually for each site collection in the web application. Keep in mind that a web application policy applies to every site collection in that web application, so grant it only to the few accounts that really need it.


Section 4: Enable My Site for your Forms auth user
Step 1: Create a mapped web application for SSP admin site
1. Open SharePoint Central administration site.
2. Go to Application Management tab and click Create or extend Web application (under SharePoint Web Application Management).
3. Choose Extend an existing Web application.
4. From web application list, choose the web application hosting SSP admin site.
5. Set other parameters (i.e. port, zone etc.) as you feel needed, and click OK.
6. After you create the mapped web application, click Application Management -> Authentication Providers (under Application Security).
7. Choose the web application hosting SSP admin site from the web application list.
8. Select the zone (set in step 5) which is for the mapped web app.
9. Select Forms and set the same Membership provider name and Role manager name, then click OK.
10. Open the web.config of the mapped (extended) web application in a text editor and add the same connection string, membership provider and role provider as in Section 2:

<connectionStrings>
  <add name="AspNetDbFBAConnectionString"
       connectionString="Data Source=124378M1;Initial Catalog=aspnetdb;Integrated Security=True" />
</connectionStrings>

<membership defaultProvider="FBADemoMember">
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="mcc"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="1"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         name="FBADemoMember" type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="FBADemoRole">
  <providers>
    <add connectionStringName="AspNetDbFBAConnectionString"
         applicationName="mcc"
         name="FBADemoRole" type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

11. Save the changes.

Step 2: Grant "Create My Site" permission to your Forms auth users.
1. Open your SSP Admin site through the web application that uses Windows authentication.
2. Click Personalization services permissions (under User Profiles and My Sites).
3. Choose Add Users/Groups.
4. Type in the Forms auth user and click Check Names.
5. Check "Create personal site", "Use personal features" and whichever other rights you see fit, and click Save.
6. The Forms auth user should now see the My Site link after logging in.







Additional features in a Forms Based Authenticated web application:

1. After changing the authentication to Forms, users who access the site are sent to the default login.aspx page to log in. You may not want this default SharePoint screen in your application. I found a workaround to show a custom login page instead.
a. Change the location of the login page in the web application's web.config. After the switch to Forms, the <authentication> element points at the SharePoint page:

<authentication mode="Forms">
  <forms loginUrl="/_layouts/login.aspx" />
</authentication>

Instead of this login page you can give the URL of your custom page, together with a session timeout (in minutes), like:

<authentication mode="Forms">
  <forms loginUrl="/_layouts/CustomLogin.aspx" timeout="30" />
</authentication>

Here /_layouts/CustomLogin.aspx and the 30-minute timeout are only illustrations; use your own page and the timeout your policy requires.

b. After changing the login page, the next question is how to validate the user against SharePoint from your custom page. The solution I found:
if (Membership.ValidateUser(_username, _password))
{
    // second argument: true issues a persistent cookie that outlives the browser session
    FormsAuthentication.RedirectFromLoginPage(_username, true);
}
You can use this code in the sign-in button's click handler; pass the user name and password from your custom database. Membership.ValidateUser checks them against the membership provider selected in Central Administration, and RedirectFromLoginPage issues the forms authentication cookie and sends the user back to the page that redirected them to the login form.
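A fuller version of that sign-in handler, as an added example that is not the article's own code: it keeps the same Membership.ValidateUser call but issues the persistent cookie only when the user asks for it, shows one generic failure message so the form does not reveal which accounts exist or are locked out, and only honours ReturnUrl when it is a path on this site, so the login page cannot be used as an open redirector. The class name CustomLogin, the control names (txtUser, txtPassword, chkRemember, lblMessage) and the page being the one named in <forms loginUrl> are assumptions. The example uses FormsAuthentication.SetAuthCookie plus an explicit redirect in place of RedirectFromLoginPage, because the latter redirects to whatever ReturnUrl says.

```csharp
// Added example, not from the original article.
// Assumed .aspx controls: txtUser, txtPassword, chkRemember, lblMessage.
// The page is the one referenced by <forms loginUrl="..."> in web.config.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CustomLogin : Page
{
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected CheckBox chkRemember;
    protected Label lblMessage;

    protected void btnSignIn_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // ValidateUser goes to the membership provider selected in Central
        // Administration (FBADemoMember), exactly as the default login page does.
        // It also counts failed attempts towards maxInvalidPasswordAttempts.
        if (!Membership.ValidateUser(user, password))
        {
            // One message for "no such user", "wrong password" and "locked out",
            // so the form does not disclose which accounts exist.
            lblMessage.Text = "The user name or password is incorrect.";
            return;
        }

        // A persistent cookie outlives the browser session; issue one only when the
        // user opted in, never unconditionally.
        bool persistent = chkRemember.Checked;
        FormsAuthentication.SetAuthCookie(user, persistent);

        // Return the user to the page that sent them here, but only if ReturnUrl is
        // a local path; an absolute URL would make this page an open redirector.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
        {
            // "default.aspx" unless defaultUrl is set on the <forms> element.
            returnUrl = FormsAuthentication.DefaultUrl;
        }
        Response.Redirect(returnUrl);
    }

    // A URL counts as local only when it is a single-slash relative path.
    // "//evil.example" and "/\evil.example" are protocol-relative and are rejected.
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.Length == 1) return url == "/";
        return url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

Wire btnSignIn_Click to the sign-in button's OnClick in the .aspx. The lockout behaviour comes from the provider settings in web.config (maxInvalidPasswordAttempts and passwordAttemptWindow), not from this page, which is why the handler does not need its own attempt counter.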

Business applicability:
This functionality is very useful in real-world business scenarios such as:
1. Building a SharePoint portal that must give access to external users, meaning users who are not present in Active Directory or who are not employees of the organisation.
2. Providing a My Site for external users; FBA resolves this case as well. One interesting point is that you can retain the same URL of your web application for My Site, whereas by default the web application URL and the My Site URL are different.



Conclusion:
FBA functionality in MOSS takes us to another level of development. With it we can effectively handle the requirement of giving access to outside users.
Compared with the SPS 2003 approach, Forms Based Authentication has several advantages:
1. No ISA Server is needed in the architecture to present a login form, because MOSS 2007 authenticates forms users natively against the membership provider.
2. External users are authenticated against a separate store (here the aspnetdb database), not the employees' Active Directory, so external accounts never exist in the corporate directory and a compromised external account yields no domain credentials.
3. No dummy AD user IDs need to be created for external users, as was required in SPS 2003.
4. Clear separation of Internet and Intranet traffic through separate zones.
5. The latest features offered by MOSS 2007, including My Sites, wikis, blogs, workflows etc., can be leveraged by external users.