Step-by-step Forms-Based Authentication (FBA) on SharePoint 2010

This is an A-Z guide that helps you set up a web application with Forms-Based Authentication (FBA) in SharePoint Foundation 2010, using Claims-Based authentication. It uses MS SQL Server to store users. The SharePoint server is running on Windows Server 2008 R2. Although this guide uses SharePoint Foundation 2010, the same steps apply to SharePoint Server 2010.

In this guide, you’ll create a SQL Server database to hold users and roles, create a SharePoint Web Application that uses FBA, configure IIS and the web.config files for the Web App, Central Admin and the Security Token Service, create a test user in the database and test your setup.

Setting up the ASP.NET Membership Provider database

Before we make any changes to SharePoint, let’s first create the database to store our users and groups.

Log on to your SharePoint server with a SharePoint admin account. Make sure this account has the DB creator server role on the SQL server that’ll hold the FBA users DB.

Navigate to the .NET v2 folder. The default location is: C:\Windows\Microsoft.NET\Framework\v2.0.50727

Here, locate the file aspnet_regsql.exe and run it.

You’ll be presented with the ASP.NET SQL Server Setup Wizard.

Click Next to continue to the Select a Setup Option step.

Select Configure SQL Server for application services. This is the default option.

Click Next to advance to the Select the Server and Database step.

Specify the SQL Server name and instance where you want to create the database. Also specify the database name.

Click Next to advance to the Confirm Your Settings step.

Check if you’ve specified the correct SQL Server name and instance and DB name. Click Next to create the database.

If all went well, you’ll see the success screen displayed above. Let’s check if the database was created as intended.

Start Microsoft SQL Server Management Studio and connect to the database server instance. If all went well, you’ll find your new database has been created, along with a bunch of tables to hold our users:

If you’re using Integrated Security, you’ll need to provide access to the database for the following service accounts in SharePoint:

  • Service Account that’ll be used for the application pool for the SharePoint Web Application using FBA.
  • Service Account used for the Security Token Service.
  • Service Account used for the Application Pool of SharePoint Central Administration.

In this case, we’ll be using SQL Server authentication. So create a new Login on the SQL Server. From SQL Server Management Studio, use the Object Explorer to navigate to the Security → Logins folder. Right click on the Logins folder to open the context menu and choose the menu item New Login…

This will open the Login – New dialog. Here, you specify a Login name, i.e. FBAService and a SQL Server authentication password, i.e. pwd. You can set your membership provider database as the Default database. Click OK to add the user. It will now show up in the list of logins.

To give the login access to the database, locate the database in the Object Explorer, under the Databases folder and expand the folder Security. Open the context menu from the Users folder and choose the option New User…

This opens the Database User – New dialog.

In this dialog, specify a name for the user and insert the login name that you created earlier (i.e. FBAService) in the Login name text field.

Assign the following Database roles to the user:

  • aspnet_Membership_FullAccess
  • aspnet_Roles_FullAccess

Click the OK button to add the user to the database.

Creating the Web Application

Now that the DB has been created, we’ll create a new Web Application on the SharePoint 2010 server.

Open Central Administration as a SharePoint Farm administrator user.

Under Application Management, select Manage Web Applications.

You’ll see a list of current Web Applications. Click the New button in the Contribute section of the Ribbon to create a new Web Application.

After a few seconds, you’ll see the Create New Web Application Modal window.

First, change the authentication mode to Claims Based Authentication.

Next, specify the Name, Port and Host Header of your new IIS web site.

Leave the Security Configuration settings as default (no anonymous and no SSL).

Under Claims Authentication Types, leave the default settings for now (Enable Windows Authentication, using Integrated Windows Authentication via NTLM). We’ll modify these settings for FBA later.

Set the remaining settings for the new Web Application as you see fit.

Click the OK button to create the new Web Application. Wait a few moments until the Application Created dialog is shown, and click the OK button to close it (don’t create a site collection just yet). The new Web Application will now show up in the list of Web Applications.

Modify IIS settings

In your SharePoint 2010 Foundation server, start Internet Information Services (IIS) Manager.

Under your Web Server, navigate to the IIS site that we created in the previous step and double click on Connection Strings.

You’ll see a list of Connection Strings. In the Actions Pane, click Add… This opens the Add Connection String dialog.

Here, specify a name for the connection string and give the SQL Server name and instance, and database name of the DB that we created earlier. Use the Set… button to specify the SQL Server authentication credentials for the SQL Server user that will access the database.

Click the OK button to add the connection string.

Go back to the IIS site screen and double click Providers.

Under Feature:, select .NET Users and in the Actions Pane, click Add…

The Add Provider window opens…

Here, we’ll modify a few settings:

  • First of all, select SqlMembershipProvider from the Type dropdown listbox.
  • Next, specify a name for the Provider, i.e. “FBA”.
  • Under the Behaviour section, specify the desired behaviour for the SqlMembershipProvider.
  • Under Data, select the Connectionstring we created in an earlier step.
  • For the ApplicationName, enter “/”.

Click the OK button to add the provider. The new .NET Users provider will be visible in the list of Providers.

Now, change the feature to .NET Roles and in the Actions pane, click Add…

The Add Provider window opens…

Here, set the following items:

  • Under Type, select SqlRoleProvider
  • Specify a name for the SqlRoleProvider, i.e. “FBARoles”
  • Under Data, select the Connectionstring we created in an earlier step.
  • For the ApplicationName, enter “/”.

Click the OK button to add the provider. The new .NET Roles provider will be visible in the list of Providers.

The changes we’ve made to the IIS settings so far have actually been written to the ASP.NET web.config file of the Web Application.

In the IIS Manager, switch to Content View, open the context menu by right-clicking below the list of files and folders and choose Explore to open Windows Explorer.

From the new Windows Explorer window, open the web.config file in Notepad to view the changes.

The highlighted rows were added with our previous actions:

<configuration>
  [...]
  <system.web>
    [...]
    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBA" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ontw-spf2010 FBA DB" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" applicationName="/" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ontw-spf2010 FBA DB" applicationName="/" />
      </providers>
    </roleManager>
    [...]
  </system.web>
  [...]
  <connectionStrings>
    <add connectionString="Server=ontw-sql2010\test;Database=FBA-ontw-spf2010;User ID=FBAService;Password=pwd" name="ontw-spf2010 FBA DB" />
  </connectionStrings>
  [...]
</configuration>

As you can see, there are also other providers there, named “i” and “c”. These are there by default and required for Claims Based Authentication. Be sure not to modify them!

The membershipprovider also supports additional settings, such as the minimum required password length and number of non-alphanumeric characters required in a password. For a full list of properties that can be set, see http://msdn.microsoft.com/en-us/library/9x1zytyd(v=VS.90).aspx

Add ConnectionString and Providers to STS and Central Admin.

In order for FBA to work, the ConnectionString, .NET Roles provider and .NET Users provider also need to be added to the web.config files of the Security Token Service and the web.config file of the Central Administration Web Application.

We could do this using the dialogs we used from the previous steps, but we can also make the changes in the web.config files directly.

First up: the Security Token Service.

From the IIS Manager, locate the web.config file location by following these steps:

Under the SharePoint Web Services IIS site, Select SecurityTokenServiceApplication, open the context menu by right-clicking the SecurityTokenServiceApplication node and choose Explore.

This will open a Windows Explorer dialog with the location of the STS web.config file. The default location is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.

Open the web.config in a text editor, like Notepad and make the following changes:

In the <configuration> section, see if there is a <connectionStrings> element present. If not, add a <connectionStrings> element. Next, add the element containing the connection string to the FBA database as highlighted in the Web App’s web.config file above, i.e.:

  <connectionStrings>
    <add connectionString="Server=ontw-sql2010\test;Database=FBA-ontw-spf2010;User ID=FBAService;Password=pwd" name="ontw-spf2010 FBA DB" />
  </connectionStrings>

Next, check if there is a <system.web> element with <membership> and <roleManager> elements present in the web.config, and add them if not. Now add the membership and role manager providers, as highlighted in the Web App’s web.config snippet, i.e.

  <system.web>
    <membership defaultProvider="FBA">
      <providers>
        <add name="FBA"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="ontw-spf2010 FBA DB"
              enablePasswordReset="true"
              enablePasswordRetrieval="false"
              passwordFormat="Hashed"
              requiresQuestionAndAnswer="false"
              requiresUniqueEmail="true"
              applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FBARoles">
      <providers>
        <add name="FBARoles"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="ontw-spf2010 FBA DB"
              applicationName="/" />
      </providers>
    </roleManager>
  </system.web>

Save your changes to the web.config file.

Return to IIS Manager and locate the web.config file for Central Administration:

Select the SharePoint Central Administration v4 IIS site from the list of sites, open the context menu for this site and choose Explore.

From the Windows Explorer window, open the web.config file in a text editor like Notepad.

Here, also add the ConnectionString snippet to the <configuration> section and add the .NET Users and .NET Roles providers, just like you did for the STS site.

Note: the Central Admin’s web.config should already contain the <roleManager> and <membership> elements in <system.web>. Be sure not to modify any existing providers.

Important: the default provider for the roleManager must be set to “AspNetWindowsTokenRoleProvider”. (also see the highlighted row below)

    <membership defaultProvider="FBA">
      <providers>
        <add name="FBA"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="ontw-spf2010 FBA DB"
              enablePasswordReset="true"
              enablePasswordRetrieval="false"
              passwordFormat="Hashed"
              requiresQuestionAndAnswer="false"
              requiresUniqueEmail="true"
              applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="FBARoles"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="ontw-spf2010 FBA DB"
              applicationName="/" />
      </providers>
    </roleManager>

To enable wildcards in the people picker, locate the <PeoplePickerWildcards> element (inside the <SharePoint> element), and add a key with the name of your Membership provider and value “%”. It will look like this (the highlighted line is the key we added):

    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="FBA" value="%" />
    </PeoplePickerWildcards>
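The same connection string and SQL providers must be reproduced in the Web App, STS and Central Admin web.config files, each with different defaultProvider values, so a mistake in one file is easy to miss. The following Python script is an added example, not part of this guide: it parses a web.config and reports deviations from the settings described above (the untouched “i”/“c” claims providers in the Web App, the AspNetWindowsTokenRoleProvider default in Central Admin, the PeoplePickerWildcards entry, the connection string reference and the clear-text SQL password). The provider names FBA and FBARoles and the sample Central Admin fragment are taken from the guide’s snippets; the checker and its “webapp”/“sts”/“centraladmin” labels are assumptions of this example.

```python
"""Offline consistency check for the three web.config files an FBA setup touches.

Added example (not part of the guide): feed it the text of the Web App,
STS and Central Admin web.config and it reports the mistakes the guide
warns about. Names FBA, FBARoles and the expected defaults follow the guide;
the sample XML below is constructed from the guide's snippets.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the Central Admin web.config reduced to the elements
# this checker looks at (connection string, providers, people picker).
SAMPLE_CENTRAL_ADMIN = r"""<configuration>
  <connectionStrings>
    <add connectionString="Server=ontw-sql2010\test;Database=FBA-ontw-spf2010;User ID=FBAService;Password=pwd" name="ontw-spf2010 FBA DB" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FBA">
      <providers>
        <add name="FBA" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ontw-spf2010 FBA DB" passwordFormat="Hashed" applicationName="/" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ontw-spf2010 FBA DB" applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="FBA" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
</configuration>"""


def check_webconfig(xml_text, site, membership_name="FBA", roles_name="FBARoles"):
    """Return a list of findings for one web.config; an empty list means it passes.

    site is "webapp", "sts" or "centraladmin" (hypothetical labels), because
    the guide expects different defaultProvider values in each file.
    """
    root = ET.fromstring(xml_text)
    findings = []

    conn = {a.get("name"): a.get("connectionString", "")
            for a in root.findall("./connectionStrings/add")}
    membership = root.find("./system.web/membership")
    role_manager = root.find("./system.web/roleManager")
    if membership is None or role_manager is None:
        return ["<membership> or <roleManager> missing under <system.web>"]

    m_prov = {a.get("name"): a for a in membership.findall("./providers/add")}
    r_prov = {a.get("name"): a for a in role_manager.findall("./providers/add")}

    # Both SQL providers must exist, point at a defined connection string and use "/".
    for label, name, table in (("membership", membership_name, m_prov),
                               ("role", roles_name, r_prov)):
        entry = table.get(name)
        if entry is None:
            findings.append(f"{label} provider '{name}' is not defined")
            continue
        csn = entry.get("connectionStringName")
        if csn not in conn:
            findings.append(f"{label} provider '{name}' references unknown "
                            f"connection string '{csn}'")
        if entry.get("applicationName") != "/":
            findings.append(f"{label} provider '{name}' should use applicationName='/'")

    # SqlMembershipProvider defaults to Hashed; anything else weakens stored credentials.
    fba = m_prov.get(membership_name)
    if fba is not None and fba.get("passwordFormat", "Hashed") != "Hashed":
        findings.append("membership provider does not store hashed passwords")

    if site == "webapp":
        # The claims providers "i" and "c" must stay defined and stay the defaults.
        if "i" not in m_prov or membership.get("defaultProvider") != "i":
            findings.append("claims membership provider 'i' missing or no longer default")
        if "c" not in r_prov or role_manager.get("defaultProvider") != "c":
            findings.append("claims role provider 'c' missing or no longer default")
    elif site == "centraladmin":
        if role_manager.get("defaultProvider") != "AspNetWindowsTokenRoleProvider":
            findings.append("Central Admin roleManager defaultProvider must be "
                            "AspNetWindowsTokenRoleProvider")
        keys = {a.get("key") for a in root.findall("./SharePoint/PeoplePickerWildcards/add")}
        if membership_name not in keys:
            findings.append(f"PeoplePickerWildcards has no entry for '{membership_name}'")
    elif site != "sts":
        raise ValueError("site must be 'webapp', 'sts' or 'centraladmin'")

    # A SQL password in clear text is readable by anyone who can read the file;
    # aspnet_regiis -pef can encrypt the connectionStrings section in place.
    for name, value in conn.items():
        if "password=" in value.lower():
            findings.append(f"connection string '{name}' contains a clear-text password")
    return findings


if __name__ == "__main__":
    for finding in check_webconfig(SAMPLE_CENTRAL_ADMIN, "centraladmin"):
        print("-", finding)
```

Run it against each of the three files on the server with the matching site label; on the guide’s own Central Admin fragment the only finding is the clear-text SQL password in the connection string.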

Creating a test user

It’s hard to test FBA if you don’t have any users, so we’ll add a test user first. One way of doing this is via the IIS manager.

First, we add a role to assign to the users. In IIS Manager, select the Web Application that will use FBA and from the Features View, double click on .NET Roles.

You’ll receive an error message saying that the feature cannot be used, because the default provider is not a trusted provider. The default provider is “c”, which is the SPClaimsAuthRoleProvider. Click on the OK button to close the dialog.

We’ll temporarily set the default provider to our FBARoles provider. Click Set Default Provider… in the Actions pane and select the RoleProvider you created earlier (i.e. FBARoles). Click the OK button.

Click the Add… link in the Actions pane. In the Add .NET Role dialog, enter a name for a role, i.e. FBAUsers. Click the OK button to add the role. The new role is now visible, with 0 users.

We’ll leave the default roles provider this way for now, otherwise we’d not be able to add a .NET user via IIS Manager.

Now, let’s add a user. Go back in IIS Manager to the Features View for your Web Application and double click on .NET Users.

You’ll receive a similar error message, because the default provider (“i”) is not trusted. Click the OK button to ignore.

Now click the Set Default Provider… link in the Actions pane and change the default provider to the Membership Provider you created earlier (i.e. FBA).

Click the Add… link in the actions Pane, to add a new user.

The Add .NET User wizard appears. Enter the credentials for your test user (i.e. a User Name FBAtest). Click Next to advance to the next step.

Now assign a role to the new user by clicking the checkbox(es) for the role(s). Click Finish to add the user.

Important: Return the Default Provider for the .NET users to “i”  and for the .NET Roles to “c”.

Test in Central Administration

Now that we have the membership and roles provider set up in the Web Application, Central Admin and STS, we can test if it works.

In Central Administration, go to Application Management → Manage web applications.

Select the Web Application you created earlier by clicking on it in the list. Its row will highlight. Now click the Authentication Providers button.

The Authentication Providers modal dialog will open. Click on the Default zone.

Scroll down to the Claims Authentication Types section. Here, deselect Enable Windows Authentication and select Enable Forms Based Authentication (FBA).

Fill the ASP.NET Membership provider and ASP.NET Role manager names text boxes, with the names you defined earlier (i.e. FBA and FBARoles).

Note: you can also use both Windows Authentication and FBA simultaneously, should you want to.

Leave the other settings and scroll down to click the Save button.

After a few seconds, you’ll see the Authentication Providers modal dialog again. Close the dialog. You’ll return to the Web Applications list.

With the FBA Web Application still selected, click the User Policy button in the ribbon.

The Policy for Web Application modal dialog opens. Click on the Add Users link.

The Add Users wizard opens, click Next >.

In the next page, the cursor will show up in the people picker field. Click the Browse button to open the Select People and Groups dialog.

In the Select People and Groups dialog, type (a part of) the name of the FBA test user you added from IIS Manager in the Find text box and press the search button. You should find the user in the Forms Auth search results.

This verifies that the FBA membership provider works from Central Admin. As we don’t want to add this user, press the Cancel button and Close the Add Users dialog.

Create Site Collection and test

So far, we only created and configured the Web Application. To test FBA in the SharePoint site, we need to create a site collection.

In Central Administration, go to Application Management → Create site collections.

Make sure you select the right Web Application, and specify a Title and Template for the top-level site.

Select a Primary Site Collection Administrator, i.e. the FBA user you created earlier.

Click the OK button to create the site collection.

Now navigate to the newly created Site Collection. You’ll see a login page for the FBA credentials.

Note: if you chose to use multiple authentication methods for the Web Application’s Authentication Providers, you’ll be asked to select an authentication method from a dropdown listbox first.

Sign in as the FBA user you declared as the Site Collection Administrator.

If all went well, you’ll see the name of the FBA user in the upper right corner!


60 thoughts on “Step-by-step Forms-Based Authentication (FBA) on SharePoint 2010”

  1. Hi,
    your post was very helpful..

    However, i need to access the FBA thought web service, and i try

    WS_L.Authentication objAuthentication = new WS_L.Authentication();
    objAuthentication.Url = "[sitecollectionserver]/_vti_bin/authentication.asmx";

    objAuthentication.CookieContainer = new System.Net.CookieContainer();
    objAuthentication.AllowAutoRedirect = true;

    WS_L.LoginResult lr = objAuthentication.Login("FBATest", "teste@123");

    if (lr.ErrorCode == WS_L.LoginErrorCode.NoError)
    {
        // Now we can talk to the Lists Web services
        ....
    }

    When the user and password are wrong, the code runs without problems; when the user and password are right, I receive a SoapException: object reference not set to an instance of an object. Can you help me?

    Cheers

  2. I don’t have any experience using the authentication.asmx web service for a FBA site.

    Perhaps these links can help you out?

    http://www.tonytestasworld.com/post/2009/06/04/How-To-Authenticate-and-Use-SharePoint-Web-Services-in-an-FBA-SharePoint-site.aspx (based on MOSS, but should still work)

    http://sharepointbuild.blogspot.com/2011/04/access-fba-sharepoint-site-using-web.html

    http://snahta.blogspot.com/2009/04/using-sharepoint-web-services-using.html

    If these don’t help, I suggest you ask the wonderful people at the MSDN forums:
    http://social.msdn.microsoft.com/Forums/en/sharepoint2010programming/threads

  3. Hello again,

    Morgan, I follow the suggest that you make, and I ask to wonderful people at the MSDN forums..

    They said:

    Hello,

    This is a generic error, but I’ve sometimes seen it occur when the user doesn’t have sufficient permissions. Try making sure of the following:
    1.The user account is an Administrator on the computer (Windows).
    2.The user account is in the Farm Administrator group for the SharePoint server.
    If not, in SharePoint Central Administration, click the Manage the farm administrators group link.
    On the Farm Administrators page, click the New button on the menu.
    3.The user account is a member of the WSS_ADMIN_WPG group.

    Now, the problem is:
    FBA Users are not found on SharePoint Central Administration.. Any suggestions?

    • For FBA to work, the Roles and Membership providers need to be defined in web.config files at three locations:

      1. the sharepoint web application
      2. the STS (which translates FBA identities and roles to claims)
      3. the Central Admin web application i.e. for defining FBA users as site collection administrators

      If you’re able to find FBA users from the SharePoint web application, but not from Central Administration, you’ve most likely made a mistake in the Central Admin web.config and should be meticulous when checking the connection string and providers.

        • I don’t know if you’re able to add FBA users as farm administrators, but I’d advise against doing this any way. Farm administrators are highly privileged and are best used as Domain users in an LDAP like AD.

          I also think the response you received on the MSDN forum is not sufficient, as you should be able to access a SP Web Service from identities besides administrators. Testing your code under different identities can help in identifying the cause of the problem, but using the Web Services is not restricted to (farm) admins.

          If you’re confident you’ve setup the FBA settings correctly, I’d look into the code using the Web Services (and environment from which you access it). Alternatively, you can try using different SharePoint data technologies, like the Client Object Model. This model is much easier to work with than the Web Services, IMO. If possible, ask another SharePoint developer to help you out.

          Good luck!

  4. Hi Morgan,

    Thanks for this great detailed, easy to follow guide. Especially that Microsoft literature does not give details when it comes to setting up FBA with SQL Server as a provider.

    I faced a challenge at the step where we add the FBA parameters into the web.config file of the Central Administration website. By default, the Central Administration website does not have FBA enabled, but rather Windows Authentication, so the input we made to the web.config file was met with an error in IIS: when I click on .NET Roles under the Central Administration website, the error says:
    – Roles have been disabled.
    – The user roles that are configured on this page cannot be accepted and authenticated, because Forms authentication is not enabled for this URL.

    However, if I try to enable Forms authentication on the website, it doesn’t work, because either Windows or Forms authentication should be enabled at any time.

    Could you please add your thoughts on how to go about this?

    Thanks,
    K.

    This post as well as many others only outlines the steps. I have followed each instruction here and on other posts available on the net (which are almost exactly the same), however I do not get the user to show up when trying to add. Further, it would be nice to mention that Central Admin doesn’t have any membership/providers in the config file, so simply adding my custom providers resulted in a username/password prompt appearing every time I click on any of the links in CA, and it wouldn’t even validate the user that is actually logged in. Removing membership/providers from the CA config file stabilizes this. The question remains: why am I not able to add the user?

    I don’t usually comment on anything to spread across the internet but I just wanted to thank you for this guide. It’s extremely well written and although certain steps didn’t happen my end as shown, with the help of some background knowledge and ‘Google’ I managed to pull it off.

  7. Pingback: FBA SharePoint 2010 « venkateshprogramer

  8. Hey,
    I have one problem.
    When I add a new user from Site Settings → FBA User Management, after creating the new user I logged in successfully. But after this user signs out I can’t log in with the site collection administrator user, please help….

  9. Thanks for such a nice article, I followed it step by step. Everything works fine, in the end when I tried to login using FBA credentials, it takes me back to sign in page after authentication.

    Could you please advise the solution.

    Thanks for reading.

    • Are you combining FBA with Windows Auth, and does it do the same thing after you login using a Windows account?

      Usually, when you are returned to the sign in page, it’d mean that the credentials are incorrect.

  10. Hi,

    In User Policy, why does SharePoint search within the role provider? We are using membership for OpenLDAP; we can search users but SharePoint doesn’t search in groups?

    I added the data in all web.config files (central, application, security token). I want to give access to groups from LDAP.
    thanks in advance,

  11. Hello Morgan,
    Thanks for a useful article, I have followed each and every step and everything works fine, but when I try to add a new user in the site it doesn’t show any user. I am stuck in this step only, can you please guide.
    Thanks a lot in advance.
    regards
    ruchi

  12. After all is up and running, I’m using both FBA and AD on my site, and access control works as expected, I find that I cannot assign FBA users to resources unless I am logged in with an FBA account.

    Is there a setting I missed, or can set, that will allow AD accounts the ability to add FBA accounts to resources?

    • Hmm, normally you’d be able to assign users from any user store, regardless of which type of user you’re logged in with. Are you able to search for users from the FBA DB when you’re logged in with the AD account in the people picker, and is the problem occurring when you want to add them to a group, or can you not access the FBA users in the people picker at all?

      • The name resolves correctly, but it is then underlined in red and a message displays that says, “no exact match can be found.”

        It happens for any attempts to add FBA users to a group or give direct permissions to a site or resource while logged in under AD.

        FBA users can add AD users to permissions and groups.

  13. Sounds like a permission issue, where the SharePoint service account has insufficient permissions on the FBA Database. This is probably the service account used as application pool identity, but the farm account might also need permissions for timer jobs. I’d advise you to check these permissions and expand them where necessary.

  14. Excellent article, could you post an article on how to implement windows and FBA on same web application on different zone

  15. Hello Morgan,
    Thanks for such a nice article, I followed it step by step. Everything works fine, in the end when I tried to login using FBA credentials, it takes me back to sign in page after authentication.

    Could you please advise the solution.

    Thanks for reading.

    • Kumar,

      Are you sure you’ve set the proper permissions for this FBA user? Being sent back to a login dialog is usually the result of not being authorized to perform an action.

  16. Hi,
    I followed everything as mentioned but after signing in into the website its giving me a runtime error with the error message as “Server Error in ‘/’ Application”. Please help me out in the issue.

    Thanks

  17. Hi, I have followed the step by step procedure to make the FBA as per your site but when I am logging into the site using FBA authentication we have created its throwing a runtime error, with error message as- “Server Error in ‘/’ Application”. What can be the possible reason and solution behind the issue.
    Thanks

    • That is a generic error message. The problem is probably somewhere on ASP.net level, not necessarily on SharePoint level. You should check the Windows event log and the SharePoint ULS for further hints on what’s going wrong.

  18. Pingback: Claim Based Authentication in Sharepoint 2013 | Question and Answer

  19. Thanks for this well written guide. I have now twice been through the steps with two separate Web Applications. For some as yet unknown reason, the users do not show up in the People Picker. Users and Roles have been created correctly, I made the necessary changes to the web.config files of the CA, STS and my own Web Application. Is there something that I am missing? I’m on SharePoint Server 2010, SQL 2008R2 on Windows Server 2008R2.

    • John,

      If you have the chance, you could try this on a clean install of Windows, SQL Server and SharePoint. There might be something from a previous modification to the web server that’s causing this problem. In the people picker, is the Forms Auth store showing up in the left pane, as shown in http://morg.nl/wp-content/uploads/2011/08/25-found-fba-user.jpg? If it’s not visible, there is a problem in the configuration. If it is visible, there might be an authentication problem in SQL Server. Also please check if CA and your Web App behave the same.

  20. Morgan,

    Good article, thank you! I know I’m a little late here, but have you tried adding a password reset feature to this? If so, would you mind sharing your results?

    Thanks,

    Jason

  21. This is the third online tutorial I have tried. The first two failed miserably. This one was spot on. Beautiful description and steps. The only thing I would change is to add what permissions the accounts get in the DB. STS and Central Administration (according to Microsoft) should be using the Farm Account). I did not know what permissions to assign, so I gave it “db_owner”. The domain account for the web application pool; its permissions were described perfectly!

  22. Pingback: SharePoint Claims Authentication problems with Active Directory | Lionadi's Tunking Blog :)

  23. Hi Morgan
    Your blog is very nice .
    i have small problem,
    my server(sharepoint foundation 2010, sql server 2008r2)
    I have followed the steps, but I am not able to assign the user (i.e. FBAtest). I have verified the web.config of the web app, STS and CA. I could not access Central Admin, so after I followed this link CA opens but I still cannot assign the user. Please reply: http://social.technet.microsoft.com/Forums/sharepoint/en-US/6a72a075-2d4a-43dd-98da-94f829793b41/central-administration-coming-up-as-an-http500-internal-server-error

  24. This is very helpful and DETAIL information. I’m amazed with the amount of effort you put in this to help SharePoint community.
    Thank you very much.

  25. Pingback: FBA Error and/or Access Denied when upgrading SharePoint Internet Site 2007 to 2010 | Le's Workspace

  26. Hey this is kind of of off topic but I was wondering if blogs use WYSIWYG editors or if you have to manually code with HTML. I’m starting a blog soon but have no coding know-how so I wanted to get guidance from someone with experience. Any help would be enormously appreciated!

  27. http://s17.postimg.org/kdk4636q7/Untitled.jpg

    After adding connection string and providers to STS and Central Admin
    – while creating the test user, by clicking the .NET Roles icon of my new application to set FBARoles as Default Provider, I’m getting an error stating that
    “Error Details: A connection was successfully established with the server, but then an error occurred during the login process. (Provider: Shared Memory Provider, error: 0 – No process is on the other end of the pipe.)”
    I did everything as you said in the above process, but I’m unable to do it.

  28. Hi! Just curious…is it possible to add FBA to a SharePoint Application that is already set up? I didn’t add it during setup, and now I would like to go back and add it.

  29. If you are using encryption and the above does not work and you happen to encounter the 8603 error: “The security token username and password could not be validated”, make sure you are using the same machineKey (validationKey + decryptionKey) in the Security Token Service and application web.config.
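
    The check the commenter describes, as an added example that is not part of the original post or the comment: read the <machineKey> element from the Security Token Service web.config and from the FBA web application's web.config and report whether validationKey and decryptionKey agree. The STS path is the default location in a SharePoint 2010 install; the web application path is an assumption for a web app on port 80 and must be adjusted for your farm.

    ```powershell
    # Added example (not from the original post or the commenter): compare the
    # <machineKey> of the STS web.config with that of an FBA web application.
    # $stsConfig is the SharePoint 2010 default; $appConfig is an assumed path.
    $stsConfig = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
    $appConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'

    function Get-MachineKey([string]$Path) {
        [xml]$cfg = Get-Content -Path $Path -Raw
        $mk = $cfg.configuration.'system.web'.machineKey
        if ($null -eq $mk) {
            # No explicit <machineKey>: ASP.NET auto-generates keys per application,
            # so two sites cannot validate each other's tokens/tickets.
            return $null
        }
        return [pscustomobject]@{
            Source        = $Path
            ValidationKey = $mk.validationKey
            DecryptionKey = $mk.decryptionKey
            Validation    = $mk.validation
            Decryption    = $mk.decryption
        }
    }

    $sts = Get-MachineKey $stsConfig
    $app = Get-MachineKey $appConfig

    if ($null -eq $sts -or $null -eq $app) {
        Write-Warning 'At least one web.config has no explicit <machineKey>; define the same keys in both before testing FBA login.'
    } elseif ($sts.ValidationKey -ne $app.ValidationKey -or $sts.DecryptionKey -ne $app.DecryptionKey) {
        Write-Warning 'machineKey mismatch between STS and web application:'
        $sts, $app | Format-List
    } else {
        Write-Output 'validationKey and decryptionKey match between STS and web application.'
    }
    ```

    Run it in an elevated SharePoint 2010 Management Shell on the web front end. The keys it prints on a mismatch are secrets; do not paste the output into a forum post or ticket without redacting them.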

  30. Hi Morgan, very nice article, but I am facing one issue, following are the details.

    Need your help in the following issue.

    1. Intranet Portal e.g. http://intranetsite
    • For internal / AD users.
    Central Admin > Application Management > Manage web applications > Web Application > Authentication Providers > Default > Claim Authentication Type >
    Checked – Enable Windows Authentication
    Checked – Integrated Windows Authentication (NTLM from drop down)
    Checked – Basic Authentication

    2. Extranet Portal e.g. http://extranetsite
    • For vendors / external users (extended web application of above intranet portal)
    Central Admin > Application Management > Manage web applications > Web Application > Authentication Providers > Extranet > Claim Authentication Type >
    Checked – Enable Form Based Authentication
    Note: FBA configured successfully and working fine, I have followed http://morg.nl/2011/08/step-by-step-forms-based-authentication-fba-on-sharepoint-2010/ to configure FBA.

    If an AD / intranet user wants to assign a task to an external user or vendor from the internal site (http://intranetsite), he can’t; similarly, if a vendor wants to assign a task from the external site (http://extranetsite) to an AD user, he can’t.
    That is, in the people picker FBA users are not working on the intranet site, and similarly AD users are not showing up in the people picker of the FBA site / extranet portal.

    Note: AD users are working on Intranet site and FBA users are working on extranet site in people picker. I don’t want to enable both (Windows and FBA) authentication on default provider.

  31. Hi,
    I have successfully implemented an FBA site, but I have used a custom login page,
    and I have one WCF service that needs to access this site’s users and groups using the Client Object Model.
    How can I access the users and groups of this custom-login-page FBA site using the Client Object Model?

    Please help!

    Thanks

  32. Pingback: Classic Mode Vs Claims Based Authentication in SharePoint 2010 | dotnetblogspot

  33. Pingback: Step-by-step Forms-Based Authentication (FBA) on SharePoint 2010

  34. Great set of instructions… I have a bit of an issue though. It seems that when my IIS was set up they set the trust settings too high. Now, when I get to this part
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    We’ll temporarily set the default provider to our FBARoles provider. Click Set Default Provider… from in the actions pane and select the RoleProvider you created earlier (i.e. FBARoles). Click the OK button.

    Click the Add… link in the Actions pane. In the Add .NET Role dialog, enter a name for a role, i.e. FBAUsers. Click the OK button to add the role. The new role is now visible, with 0 users.

    We’ll leave the default roles provider this way for now, otherwise we’d not be able to add a .NET user via IIS Manager.

    Now, let’s add a user. Go back in IIS Manager to the Features View for your Web Application and double click on .NET Users.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    I’m told my provider is not trusted and it will not let me add users. To cap things off even more, I am not seeing any of the users I created within SQL. The only way I can add users is through the CA user policy. Not how I was imagining this working… Any help here?

  35. Hi Morgan

    Fantastic walk through on how to setup the FBA on SharePoint.
    Sadly I haven’t got the option to select the .Net Users I added in SharePoint.
    I think the problem is the connection string or the added .Net Roles and .Net User under the web.config file I have missed.

    I specified the credentials for the connection string, and this didn’t work for me and I instead used the “Use Windows Integrated Security” option. This made it work and I have had no problems, only that I can’t choose the users under my claim based authentication sharepoint web application.

    If I specify the credentials in the connection string, Central Administration returns a 500 error.

    Hope you or other maybe can help. Thanks

  36. I am facing an issue when creating a site collection and giving the FBAtest user as site collection administrator.
    It is able to find the user, but when I try to add it as site collection administrator

    I am getting an unexpected error.
    Can anyone help?
