Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

A while back a client asked me to set up Forms Based Authentication (FBA) for them.  I said sure (of course) and started to research the steps required to accomplish this.  In my oodles and oodles of research I had found many useful but somewhat partial posts.  What I mean by this is that not one of the posts I have encountered in my research had ALL of the steps required to get this to work, so I was left to aggregate steps from different areas.  Most posts assumed you were running as an administrator, maybe even that your SharePoint application pools were running as system accounts with unlimited privileges (on both the operating system and in the database), no "real world" scenarios if you will.  Also, none of the posts made mention of Office SharePoint Server; they all centered around Windows SharePoint Services (more on that later).  My aim here is to provide a series of posts that include the following:

  1. Each and every step required to set up FBA using the built-in Asp.Net Membership and Role providers (Part 1).  I will demonstrate one way to accomplish this.  There are others and they will be mentioned, but not looked at in any detail.
  2. How to enable MySites and the Personalization features included with Office Server and have them actually work with a site using (FBA).
  3. A natural extension of 1 and 2 that will demonstrate how to hook into the ADAM membership provider, and get it functioning with MySites and the Personalization features as well.

Initially, after setting FBA up successfully (Part 1), my client then asked me to enable MySites.  That's when all hell broke loose.  Not only did this not work right away, but after 3 unsuccessful calls to Microsoft support (they could not get it to work and kept parading me in circles, and still are for that matter, maybe they will read this and call me back), and quotes from Microsoft employees saying "it's not supposed to work" or "it does not work", I am pleased to say that it does in fact work and I will show you how (Part 2).

Before we begin I have to say that since I have been told that "it's not supposed to work" or "it does not work", and since I have not found any reliable documentation indicating how to do this, I must add a disclaimer that if it does not work for you, something is different between our environments, or to please call Microsoft <shrug>.  I will do my best to be as detailed as possible about my environment and all of the steps involved.  If anything is unclear, please leave a comment and I will do my best to make it a little clearer.  One last thing I would like to mention is that I have successfully implemented MySite functionality as well as the other Personalization features of Office SharePoint Server 2007 with Forms Authentication using both the built in Asp.Net Membership and Role providers as well as with an ADAM Membership provider.  I have recently received an ADAM Role provider from Adam Buenz and plan on testing that soon but fully expect it to integrate seamlessly (with his help if needed, I hope).

So here we go, this is going to be a long one so bear with me.  In the end of the series you will have MySite and the Personalization features working seamlessly with Forms Authentication in your Office SharePoint Server 2007 environment!  Good Luck!

One assumption I have made in this process is that you have already created a Shared Services Provider and started the Office SharePoint Server Search service.  Also, I am logged on to the development machine as a domain administrator.  The term browser in this series means Internet Explorer 7.  All of the below steps are to be performed on the Guest machine.

Environment

My environment is as follows.  Keep in mind that any variation from this could produce different results.  Again, if I forget to mention something obvious, please let me know and I will update the list.

Host Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 2.00 GB of RAM
  3. Microsoft Windows XP Professional, Version 2002, Service Pack 2
  4. VMWare Workstation, Version 5.5.3 build-34685

 

Guest Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz 1.86GHz
  2. 1.00 GB of RAM
  3. Microsoft Windows Server 2003, Standard Edition, Service Pack 1
  4. Active Directory (Domain Controller)
  5. Microsoft SQL Server 2005, Service Pack 1
  6. Microsoft Visual Studio 2005
  7. Microsoft Office Server 2007, Version 12.0.0.4518

 

FBA User & Role Store

Database Creation

We need a place to put our users.  The Asp.Net 2.0 Membership and Role providers include a database.  The steps to install the database are as follows:

  1. Open up a command prompt by clicking Start...Run, then typing cmd and pressing Enter.
  2. Switch to the Asp.Net 2.0 Framework directory by typing
      cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    and pressing Enter.
  3. Type aspnet_regsql to launch the ASP.NET SQL Server Setup Wizard.


  4. Click Next.
  5. Choose Configure SQL Server for application services (the default choice) on the Select a Setup Option screen and click Next.

     
  6. Specify the SQL Server name (your machine name), database name to create (I used AspNetDb_FBADemo), and the credentials to use for this process (database creation).  I generally prefix my Membership and Role provider databases with AspNetDb_ such that they appear together in Microsoft SQL Server Management Studio and are easily identifiable should I need to access them, such as to update Security (Step 10).  Click Next.


  7. Confirm your settings on the Confirm Your Settings screen and click Next.


  8. The process takes a few seconds and then The database has been created or modified screen appears.  Click Finish to close the wizard.


  9. Open Microsoft SQL Server Management Studio and confirm that the database was successfully created.
  10. One step that I have not seen mentioned ANYWHERE is to make sure that the account that is running the application pool that will be used by the sites you create below has access to the database we just created.  This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.
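
One way to carry out step 10 with least privilege, as an added example that is not part of the original post: the T-SQL below maps the application pool identity into AspNetDb_FBADemo and adds it to database roles that aspnet_regsql creates, instead of making it db_owner.  The account name DOMAIN\svc_sharepoint_pool is a placeholder, and the choice of the BasicAccess and ReportingAccess roles is an assumption about what sign-in and user lookup need.

```sql
-- Added example, not from the original post.
-- Run in SQL Server Management Studio as a login that may create logins and users.
-- ASSUMPTION: DOMAIN\svc_sharepoint_pool is a placeholder for the Windows account
-- your SharePoint application pool runs as. The connection string in this post uses
-- Integrated Security=True, so the database sees the application pool identity, not
-- the person browsing the site. Repeat for every distinct pool account whose
-- web.config receives the connection string (the web application and Central Administration).

USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\svc_sharepoint_pool')
    CREATE LOGIN [DOMAIN\svc_sharepoint_pool] FROM WINDOWS;
GO

USE [AspNetDb_FBADemo];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\svc_sharepoint_pool')
    CREATE USER [DOMAIN\svc_sharepoint_pool] FOR LOGIN [DOMAIN\svc_sharepoint_pool];
GO

-- Roles installed by aspnet_regsql:
--   *_BasicAccess     : validate a password, fetch a user, check role membership
--   *_ReportingAccess : search and list users and roles
--   *_FullAccess      : also create, change and delete users and roles
-- ASSUMPTION: Basic + Reporting is enough for SharePoint to sign users in and
-- resolve names. Only a site that manages users needs the FullAccess roles.
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess',     N'DOMAIN\svc_sharepoint_pool';
EXEC sp_addrolemember N'aspnet_Membership_ReportingAccess', N'DOMAIN\svc_sharepoint_pool';
EXEC sp_addrolemember N'aspnet_Roles_BasicAccess',          N'DOMAIN\svc_sharepoint_pool';
EXEC sp_addrolemember N'aspnet_Roles_ReportingAccess',      N'DOMAIN\svc_sharepoint_pool';
GO

-- Verify: list every database role the pool account now holds.
-- db_owner or db_datareader/db_datawriter showing up here means the account
-- has more access than the providers need.
SELECT r.name AS database_role,
       m.name AS member
FROM sys.database_role_members AS drm
JOIN sys.database_principals  AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'DOMAIN\svc_sharepoint_pool'
ORDER BY r.name;
```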

 

User and Role Creation

Microsoft has given us a great database schema to use as a membership and role provider data store but has not really supplied a "good" tool to manage its contents.  When you think about it, this actually makes sense.  The providers are intended to be used by other applications so maybe one of the assumptions made was that the tools to maintain the users and roles will be provided by the applications that consume them.

Thankfully, the Microsoft Visual Studio 2005 team had the foresight to create a somewhat rudimentary web application to help us manage the membership and role provider data store.  The caveat is that the tool must be launched from Microsoft Visual Studio 2005.  You can immediately see that this is not a very good option for those that will be managing the users and roles, i.e.: real users of your application.

I will now walk you thru a set of steps to create a few users and roles that we will be using later.

  1. Create a folder on your desktop called FBA Management Site.
  2. Open Microsoft Visual Studio 2005.
  3. Select File...Open...Web Site.
  4. In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.


  5. Click Open.
  6. In the Solution Explorer, right-click on the web site and select Add New Item.
  7. Select Web Configuration File and click Add.  There is no need to rename the file, web.config is fine.
  8. Replace the empty <connectionStrings/> element with the following snippet.  Be sure to replace both <server name> and <database name> with their appropriate values.

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=<server name>;Initial Catalog=<database name>;Integrated Security=True" />
    </connectionStrings>

    My connection string element looks like this:

    <connectionStrings>
      <add
        name="AspNetDbFBADemoConnectionString"
        connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

  9. Just below the <system.web> element, add the following membership and roleManager elements.  Be sure to update the connectionStringName attributes of each of the two providers to the name of the connection string name you created in step 8.  Also be sure to give both providers meaningful names, in my case, I used FBADemoMember and FBADemoRole.  Remember these names, we will need them later.  Save and close the web.config file.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

  10. Click ASP.NET Configuration under Website.  The ASP.NET Web Site Administration Tool opens in a browser.  If the tool does not appear, or cannot connect, verify the connection string and provider information entered above.


  11. Click on the Security tab.  You are presented with the following.  From here we will create our users and roles.


  12. Click on the Select authentication type link in the Users box on the left.
  13. Select the From the internet radio button then click the Done button in the bottom right hand corner of the window.
  14. Create an Administrator, Manager and Employee role.  This step and the next three are intuitive enough that I am not going to spell them out.
  15. Create a single Administrator user, spadmin.  Be sure to assign the user to the Administrator role as you create it.
  16. Create two Manager users, Manager1 and Manager2.  Be sure to assign these users to the Manager role as you create them.
  17. Create 4 Employee users, Employee1, Employee2, Employee3 and Employee4.  Be sure to assign these users to the Employee role as you create them.
  18. When you are done you should have seven users and three roles defined.  This can be verified by clicking on the Security tab.  Your user and role counts may differ depending on if you followed my instructions to the letter.  It is not critical.  What is important is that you create some roles and users and assign some users to the roles.  This is what my Security screen looks like.

     
  19. Close the ASP.NET Web Site Administration Tool.
  20. Close Microsoft Visual Studio 2005.
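
A way to check the result of steps 14 to 18 directly in the database, as an added example that is not part of the original post: the queries below list each user with its role, the stored password format and the lockout flag, and show which applicationName the users were created under.  The database name and the applicationName "/" are the ones used above; the tables and columns are those of the schema aspnet_regsql installs.

```sql
-- Added example, not from the original post.
USE [AspNetDb_FBADemo];
GO

-- 1. Users per applicationName. The providers only see users stored under the
--    applicationName configured in web.config ("/" in this post), so users
--    created under a different name are invisible to the SharePoint site.
SELECT a.ApplicationName,
       COUNT(u.UserId) AS user_count
FROM dbo.aspnet_Applications AS a
LEFT JOIN dbo.aspnet_Users   AS u ON u.ApplicationId = a.ApplicationId
GROUP BY a.ApplicationName;

-- 2. Each user under "/" with role, password storage format and account state.
--    PasswordFormat: 0 = Clear, 1 = Hashed, 2 = Encrypted.
--    With passwordFormat="Hashed" as configured above, every row should show Hashed.
SELECT u.UserName,
       r.RoleName,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
       END AS password_format,
       m.IsApproved,
       m.IsLockedOut
FROM dbo.aspnet_Applications      AS a
JOIN dbo.aspnet_Users             AS u  ON u.ApplicationId = a.ApplicationId
JOIN dbo.aspnet_Membership        AS m  ON m.UserId = u.UserId
LEFT JOIN dbo.aspnet_UsersInRoles AS ur ON ur.UserId = u.UserId
LEFT JOIN dbo.aspnet_Roles        AS r  ON r.RoleId = ur.RoleId
WHERE a.LoweredApplicationName = N'/'
ORDER BY r.RoleName, u.UserName;

-- 3. Rows that need attention: password not hashed, account locked out or
--    not approved, or user in no role. An empty result is the expected outcome.
SELECT u.UserName,
       m.PasswordFormat,
       m.IsApproved,
       m.IsLockedOut,
       COUNT(ur.RoleId) AS role_count
FROM dbo.aspnet_Applications      AS a
JOIN dbo.aspnet_Users             AS u  ON u.ApplicationId = a.ApplicationId
JOIN dbo.aspnet_Membership        AS m  ON m.UserId = u.UserId
LEFT JOIN dbo.aspnet_UsersInRoles AS ur ON ur.UserId = u.UserId
WHERE a.LoweredApplicationName = N'/'
GROUP BY u.UserName, m.PasswordFormat, m.IsApproved, m.IsLockedOut
HAVING m.PasswordFormat <> 1
    OR m.IsLockedOut = 1
    OR m.IsApproved = 0
    OR COUNT(ur.RoleId) = 0;
```

If you followed the steps to the letter, the second query returns seven rows: spadmin, Manager1, Manager2 and Employee1 through Employee4, each with its role.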

 

SharePoint Setup

We cannot implement FBA without a SharePoint site.  The first thing we need to do is decide upon some url's.  For the sake of this example, I will be demonstrating how to expose the same site (content database(s)) to users with NT accounts thru one url and to our FBA users thru another url.  This setup is typical in an extranet scenario where we may want to expose some content to our customers but they may not have Active Directory accounts and their user information is either stored elsewhere (and custom Membership and Role providers written, which is well beyond the scope of this post), or stored in a SQL Database created using the steps earlier in this post and populated either thru your own interface or using the above steps.  I am choosing to create an internal site to be accessed via http://FBAextranet and an external site for my customers to be accessed via http://FBAextranet.attis.org.

 

Update hosts file

To make these url's accessible on our development machine, we need to add some hosts file entries.  Here are the steps.

  1. Open up Windows Explorer.
  2. Type C:\WINDOWS\system32\drivers\etc into the address bar and press Enter.
  3. Double click on the hosts file.
  4. Select Notepad and click OK.
  5. Add the following two lines to the bottom of the file, right below the localhost entry.

    127.0.0.1       FBAextranet
    127.0.0.1       FBAextranet.attis.org

  6. Save and close the hosts file.
  7. Close Windows Explorer.
  8. Opening up a browser and browsing to either of the above two entries should bring up the Under Construction page as shown below.

     

Create FBAextranet.attis.org

Try to keep the primary purpose of your content in mind.  I say this because it may make your life a little easier when making decisions later, primarily in Part 2 of this series when we set up MySites and Personalization.  In our case, the primary purpose of my site is to serve my customers.  With that said, we should create our external site first, http://FBAextranet.attis.org.  Here are the steps.

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Create a new Web application.
  5. Choose to Create a new IIS web site.
  6. Enter 80 in the Port textbox.
  7. Enter FBAextranet.attis.org in the Host Header textbox.
  8. Do not make any changes in the Security Configuration section or the Load Balanced URL section.
  9. Depending on your environment, either create a new application pool or use an existing one.  In my case, I have one that I reuse for all sites on my development machine.
  10. Choose to Restart IIS Automatically.
  11. Ensure that the value in the Database server textbox is accurate.
  12. Enter a meaningful name for the content database.  I generally suffix the default name with an underscore (_) and the name of the primary url for my content (FBAextranet.attis.org), in this case, WSS_Content_FBAextranet.attis.org.
  13. Click OK.
  14. From the Application Created screen, click on the Create Site Collection link.
  15. Enter FBA Extranet in the Title textbox.
  16. Choose the Blank Site template.
  17. I mentioned at the beginning of this post that I was logged on to the development machine as a domain administrator.  Assuming you are as well, make this user the Primary Site Collection Administrator, otherwise, choose an appropriate user.
  18. Click OK.
  19. From the Top-Level Site Successfully Created page, click OK.
  20. Open a browser and browse to http://FBAextranet.attis.org.
  21. You will be prompted for your NT credentials, remember, we have yet to change the site's authentication mode to forms.

 

Update FBAextranet.attis.org web.config

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint - FBAextranet.attis.org80 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://FBAextranet.attis.org web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file.
  9. Save and close the web.config file.

 

Create FBAextranet

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Create or extend Web application under SharePoint Web Application Management.
  4. Click Extend an existing Web application.
  5. In the Web Application section choose to extend http://FBAextranet.attis.org.
  6. Choose to Create a new IIS web site.
  7. Enter 80 in the Port textbox.
  8. Enter FBAextranet in the Host Header textbox.
  9. Do not make any changes in the Security Configuration section.
  10. In Load Balanced URL section, be sure the Zone is set to Intranet.
  11. Click OK.
  12. Open a browser and browse to http://FBAextranet.
  13. You will not be prompted for your credentials because the above url automatically falls into the Local Intranet security zone of your browser (unless you have changed your browser's default settings) and your NT credentials are simply passed thru to the site by Windows (Integrated Windows authentication).  This is the behavior we want at this url.

 

Update Central Administration web.config

We need to make Central Administration aware of our new membership and role provider.  Here are the steps.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the SharePoint Central Administration v3 website.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the Central Administration web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.
  8. Copy the connection string and the membership and roleManager elements as described earlier in this post to the appropriate locations in the web.config file of the Central Administration site.
  9. Update the roleManager element from

    <roleManager enabled="true" defaultProvider="FBADemoRole">

    to this

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  10. Save and close the web.config file.

Enable FBA on FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Authentication providers in the Application Security section.
  4. Be sure to select the http://fbaextranet.attis.org Web Application in the top right hand corner of the screen.
  5. You should see two zones listed, a Default zone and an Intranet zone.  Click on the Default zone.  Remember, earlier we decided that serving our customers was the primary (default) purpose of this site.
  6. Select Forms in the Authentication Type section.  After the page posts back, Membership Provider Name and Role Manager Name textboxes appear.
  7. Enter the appropriate values from the previous sections into both the Membership Provider Name (in my case FBADemoMember) textbox and the Role Manager Name (in  my case FBADemoRole) textbox and click Save.
  8. Open a browser and browse to http://FBAextranet.attis.org.
  9. You will be presented with the stock FBA login form.

 

Add secondary Site Collection Administrator to FBAextranet.attis.org

  1. Open Central Administration.
  2. Click on the Application Management tab.
  3. Click on Site collection administrators in the SharePoint Site Management section.
  4. Make sure http://fbaextranet.attis.org is selected in the Site Collection dropdown at the top right corner of the screen.
  5. Type spadmin (the admin user we created earlier in this post) into the Secondary site collection administrator textbox, then click the person icon to resolve the user.  It will resolve to your FBA user.
  6. Click OK.

 

Browse http://FBAextranet.attis.org

  1. Open a browser and browse to http://FBAextranet.attis.org.
  2. On the FBA login screen, logon as spadmin.
  3. You can now secure your securables using the users and roles stored in SQL Server!  Congratulations.
  4. Notice that MySites are not available.  Be on the lookout for Part 2 to walk you thru the steps to do that!  It's a doozie and apparently shouldn't work :)


 

I hope this post is useful.  It's an aggregation of many sources, coupled with my own experience, all into one, with many of the lessons I have learned.  There are a couple of variations to this process, some involve policy.  I am of the thought that one should only use policy when it is absolutely necessary.  I finished writing this at 1 AM so there may be some errors, please let me know if you find any!

Published Friday, February 23, 2007 4:52 AM by Dan Attis

Comments

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

This looks to be very helpful.  Thx!
Friday, February 23, 2007 5:35 AM by John West

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Great job!
Friday, February 23, 2007 10:50 AM by Stacy Draper

# Office SharePoint Server 2007 - Forms Based Authentication (FBA) w/MySites Walk-through - Part 2

As promised, here is part 2 of my series on hooking up Forms based authentication on a SharePoint 2007...
Thursday, March 01, 2007 10:09 PM by Dan Attis

# The Detailed Forms Based Authentication Steps!

Dan Attis has written down the steps to have Forms Based Authentication (FBA) for SharePoint...
Friday, March 02, 2007 1:25 PM by Stacy Draper

# WSS FAQ - additions and corrections - XXXXIV 26thFebruary - 4th March 2007

Saturday, March 03, 2007 11:48 PM by Mike Walsh's WSS and more

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

this is the coolest thing I have ever seen
Monday, March 05, 2007 11:06 AM by Keith "Chuck Norris" Rome

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hi Dan,

I've spent a while fiddling around with WSS v3.0 FBA (no MOSS2007). The biggest problem that I found with this guide and many others is that Visual Studio appears to be a requirement to be able to access the ASP .Net Site Administration tool. I couldn't settle for a solution that involved the reliant use of Visual Studio - knowing that it would not be available on a production web front end.

So I thought it might be worth noting that it is possible to work around the Visual Studio requirement. How? Simply create your own web interface and use ASP .Net 2.0 controls on a series of pages for the user administration. The CreateUserWizard is particularly useful.

I thought it might also be worth mentioning that there absolutely must be a way of referencing the ASP .Net Site Administration files (found in C:\Windows\Microsoft.Net\Framework\v2.0xxx\ASP.NetWebAdminFiles) using a Virtual Directory and administrating your application that way. That's something I'm still investigating.
Thursday, March 08, 2007 9:26 AM by Jason Dunbar

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Great article!
I worked on FBA for a couple of days, but didn't make it work.  This article helps me a lot. However, I still have trouble with signing in the site.  After I enter the username and password, the sign in page pops up again and again. Would someone give me some help on it?
Earlier reply would be really appreciated!

Tracy
Monday, March 12, 2007 9:22 AM by Tracy

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hi

Regarding User Name and password pls go to the Database and check the connection have u give it properly or not Ex sharepoints sp_workerprocess this will be in security process where it should recognise the users once it recognise the user u can easily work on it

Monday, March 12, 2007 10:36 PM by shiva

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Shiva, thank you for answering my question.  But I get a little confused what you said, can you please give me more detailed information, or give me an example? Thanks again!
Tuesday, March 13, 2007 7:51 AM by Tracy

# SharePoint Links 220307

Setting up forms-based authentication (also with MySites) Office SharePoint Server 2007 - Forms
Thursday, March 22, 2007 4:42 AM by SharePoint, SharePoint and stuff

# SharePoint Kaffeetasse 01

The SharePoint Kaffeetasse - links that caught my eye while combing through the SharePoint news in the morning
Thursday, March 22, 2007 4:51 AM by SharePoint, SharePoint and stuff

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

I followed the same steps but got stuck with the Sign-in page. The sign in page either pops up again or gives an unknown error. The database has records of the usernames stored by the asp.net configuration tool but it is not being fetched by sharepoint.
The error captured in the event viewer is that -- There is no administration site associated with the Shared Services Provider SharedServices1.
Thursday, March 29, 2007 1:49 AM by Prateet Sinha

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

The problem with me is that even though I added 127.0.0.1 FBAextranet.attis.org line after the localhost line and save the file and try and access http://FBAextranet.attis.org, it does not show under construction but rather shows me a page cannot be displayed page!! please help
Sunday, April 01, 2007 6:55 AM by Manav

# SharePoint Connections - Session Follow Up: Create an Internet-Facing SharePoint Site

During the Create an Internet-Facing SharePoint Site session I covered the following topics. Setting
Thursday, April 12, 2007 3:25 PM by Todd Baginski's SharePoint 2003 and MOSS 2007 Blog

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Dan:
Thanks for such thorough documentation. I did run into a couple of problems and I'm hoping you can demystify them for me.

First - in Part 1 where you say:

*****

Create a folder on your desktop called FBA Management Site.
Open Microsoft Visual Studio 2005.
Select File...Open...Web Site.
In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.

*****
I could not find the ...Open...Web Site at all. I had Projects and Solutions, but no website.

Also, after I completed this step: "Create FBAextranet.attis.org" (using my own host header of course), I suddenly could not get into my Central Administration screen - the system kept telling me it "could not connect to the configuration database".

Any idea why that would happen?

Any assistance would be appreciated.
Thursday, April 19, 2007 4:51 PM by Joe Caiola

# MOSS 2007 Forms Based Authentication

Friday, April 20, 2007 4:03 PM by Biztalk + Sharepoint = stefan @ decatec

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

I am able to add site collection administrators for my FBA site only if my users db is in same SQLServer instance as MOSS Application's default database server. Is this a limitation or anything wrong on my part?
To be more elaborative: Database server for MOSS application is [myMachine]\Officeservers and I can't add site collection administrators if users db is at [myMachine]\SQL2005.
But it works fine if I put users db at [myMachine]\Officeservers.

Second question is about custom authentication provider. [it is optional on this blog :)] Is it possible to authenticate a user based on three things UserID, Password, CompanyName.
Thanks in advance for any help.
Monday, May 07, 2007 5:52 AM by fijaz

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hi Dan,

great post, thanks for making the effort!

I've linked to it from my summary on SP security: http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx

best
jennifer
Wednesday, May 09, 2007 2:17 AM by Jennifer

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

You mention the step:

One step that I have not seen mentioned ANYWHERE is to make sure that the account that is running the application pool that will be used by the sites you create below have access to the database we just created.  This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them.  This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret.  You will thank me later.

as very important. However, I do not see any place in your article where you ensure that this is being done.

Can you elaborate, please?
Sunday, May 13, 2007 4:16 PM by Nik Ivancic

# Is there a step missing?

In addition to updating the web.config files for FBAextranet.attis.org and Central Administration (with connection string, the membership and roleManager elements), I needed to do the same for the FBAextranet site as well (in order to be able to add the users to the FBAextranet.attis.org).
Sunday, May 13, 2007 4:25 PM by Nik Ivancic

# A typo in the Create FBAextranet step?

The sub-step 10 states:

10. In Load Balanced URL section, be sure the Zone is set to Intranet.

I was presented with three alternatives in this case:

Internet (not Intranet)
Extranet
Custom

I selected the first (Intranet) and everything works as it should. Is your spelling for the desired zone (Intranet) a typo?
Sunday, May 13, 2007 4:29 PM by Nik Ivancic

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hey, everything went smoothly until the last section: "Add secondary Site Collection Administrator to FBAextranet.attis.org". At point 5 I typed spadmin into the "Secondary site collection administrator"-textbox, but when I click the person icon to resolve the user, it will not resolve to the FBA user?! What am I possibly doing wrong? Every step before this point went as described in this excellent tutorial.
Friday, May 18, 2007 9:37 PM by Sjur

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Thank you for your magic step.  I followed Baginski's steps and could not get the Central Admin to 'see' my users. (Red squigglies under my users...) I checked the app pool and noticed that it was set to 'network service'.  I went ahead and gave it access to my membership/role db and now everything works.  
Sunday, May 20, 2007 11:19 PM by ykurtz

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Just awesome!
You saved my day dude!!!
Thank you very much.
Email: mani@solutionsdevelopers.com
Monday, May 28, 2007 9:41 PM by Manikandan Sachidanandan

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Sjur:  I am having the same issue.  Please let me know if you found any lead on this.
-Thanks
Tuesday, May 29, 2007 2:38 PM by Ramesh

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Sorry, it is the same issue as Sjur's - I am copying/pasting the same question.  Everything went smoothly until the last section: "Add secondary Site Collection Administrator to FBAextranet.attis.org". At point 5 I typed spadmin into the "Secondary site collection administrator"-textbox, but when I click the person icon to resolve the user, it will not resolve to the FBA user?! What am I possibly doing wrong? Every step before this point went as described in this excellent tutorial.
Tuesday, May 29, 2007 2:51 PM by Ramesh

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

This has worked great, at least up to the "Update Central Administration web.config" section.  I copied connectionStrings, membership, and roleManager into the system.web element as I had done for the other web.configs, and I modified the defaultProvider to read "AspNetWindowsTokenRoleProvider".  But after saving the web.config, I was not able to use the Central Administration site anymore... any link that I clicked on returned a blank page.  So I could not go on to the next step.

Any idea what might cause this, and what I can do to fix it?

Thanks,
davidh
Tuesday, June 05, 2007 6:43 AM by David Henderson

# SharePoint Connections - Session Follow Up: Create an Internet-Facing SharePoint Site

During the Create an Internet-Facing SharePoint Site session I covered the following topics. Setting
Wednesday, June 27, 2007 11:37 PM by Todd Baginski's SharePoint 2003 and MOSS 2007 Blog

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Great article, but if you want to use SharePoint Designer 2007 on a web server that doesn't have access to Active Directory, create the Default zone using NTLM and create the extended site with FBA using the Internet zone.
Sunday, July 29, 2007 8:00 PM by Ray DeBiase

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hello, I have followed this to the letter.  It took about two weeks to get everything working properly.  Now it appears to be fine.  I get to the last step of trying to sign in as one of the people I have created and I get the following error:

Unknown Error
Troubleshoot issues with Windows SharePoint Services.


I really am going to tear my hair out!  Please help! I don't even know where to start troubleshooting an error like that....THANKS!
Monday, July 30, 2007 5:04 PM by Karen

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Do you know how to perform Passport integration support  with MOSS 2007? Do you have any sample code?

Kindly help.

Thanks,
Birendra
Tuesday, August 21, 2007 11:19 PM by BIrendra

# MOSS and Forms-Based Authentication: the Tricks

There are three great guides to configuring FBA: Andrew Connell had the best article first. Dan Attis
Friday, September 07, 2007 12:55 PM by Eli Robillard's World of Blog.

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Great article!  As Nik Ivancic noted, you leave out the details of granting the AppPool identity access to the aspnetdb database.  I've seen this same thing mentioned elsewhere, but again, no one says exactly what permissions it needs.  I suppose I can walk through the errors, granting execute permissions on each object that errors out, but is there a particular role or set of permissions that would do it?

For example, I can run this query:

USE aspnetdb
GO
sp_addrolemember 'aspnet_Membership_FullAccess', 'DOMAIN\WSS_Service'

and forms auth works.  But is that the *minimum* access?  I'd rather not grant full access unless I have to.

Thanks,
Mike Sharp
Wednesday, September 12, 2007 11:15 PM by Mike Sharp
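
Added example (not part of Mike Sharp's comment or of the original article): a T-SQL sketch of granting the app pool identity the narrower built-in roles that aspnet_regsql creates instead of aspnet_Membership_FullAccess. DOMAIN\WSS_Service and aspnetdb are taken from the comment above; that the Basic and Reporting tiers are enough for FBA sign-in and user lookup in a given farm is an assumption to test, not something the page confirms.

```sql
-- Assumes the membership and role manager features were installed in
-- aspnetdb, so the aspnet_* database roles below already exist.
USE master;
GO
-- The app pool identity needs a server login before it can be a database user.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\WSS_Service')
    CREATE LOGIN [DOMAIN\WSS_Service] FROM WINDOWS;
GO
USE aspnetdb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\WSS_Service')
    CREATE USER [DOMAIN\WSS_Service] FOR LOGIN [DOMAIN\WSS_Service];
GO
-- BasicAccess: credential validation, single-user lookup, role checks.
EXEC sp_addrolemember N'aspnet_Membership_BasicAccess', N'DOMAIN\WSS_Service';
EXEC sp_addrolemember N'aspnet_Roles_BasicAccess',      N'DOMAIN\WSS_Service';
-- ReportingAccess: searching and listing users and roles
-- (assumption: this is what resolving a typed user name relies on).
EXEC sp_addrolemember N'aspnet_Membership_ReportingAccess', N'DOMAIN\WSS_Service';
EXEC sp_addrolemember N'aspnet_Roles_ReportingAccess',      N'DOMAIN\WSS_Service';
GO
-- Remove the broad grant if it was added earlier while troubleshooting.
IF EXISTS (SELECT 1
           FROM sys.database_role_members AS rm
           JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'aspnet_Membership_FullAccess'
             AND m.name = N'DOMAIN\WSS_Service')
    EXEC sp_droprolemember N'aspnet_Membership_FullAccess', N'DOMAIN\WSS_Service';
GO
-- Audit: list every role the identity now holds and flag any FullAccess role.
SELECT m.name AS member_name,
       r.name AS role_name,
       CASE WHEN r.name LIKE N'aspnet[_]%[_]FullAccess'
            THEN 'review: write access' ELSE 'ok' END AS note
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'DOMAIN\WSS_Service'
ORDER BY r.name;
```

If sign-in or user resolution fails with these grants, add back only the specific role the failing operation needs and re-run the audit query. Repeat the grants for each distinct app pool identity (the web application and Central Administration may run under different accounts).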

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Hi all,
Just browse the link and you will get all the information about how to configure Forms based authentication in MOSS 2007 and a lot more relating to forms authentication.
http://www.lots-with-sharepoint.blogspot.com

Feel free to contact me for any type of queries in SharePoint
Wednesday, September 19, 2007 10:10 PM by srikanth sapelly

# re: Unknown Error message when logging in

For those of you who follow these instructions to the letter and still get an "Unknown Error" when trying to login (last step) using forms authentication. Check this... If you initially set up multiple users for your Sharepoint farm, check the application pool users for both Central Administration and YourSite. In IIS look at the properties of each of these app pools, then look at Identity tab. In my case, they were using two different users. One had access to reach SQL server and the other didn't. They both (if different) need to be logins in SQL server, with the proper sql server role permissions in order to reach the aspnetdb database. Hope this helps you!
Monday, October 15, 2007 12:02 PM by Jay

# Asking to login twice before it opens the site

I followed the steps properly and also gave the database access rights to the app pool user. But when I open the extranet site, it pops up the Windows username/password box and once I enter the Windows local administrator account credentials, it opens up the Forms sign in page. Then I am able to log in with the username/password in the Aspnet_db database. Is this how it is supposed to work? Or am I missing something?
Wednesday, October 17, 2007 11:36 PM by Srinivas

# I am sorry for multiple posts and I have another issue

While I was submitting my comment, it took me to an error page, so I tried to re-submit, and you see the result.

Other issue I want to talk about is the change we are making in the Central Administration web.config file. Is it a good practice to edit the Central Admin's config file? Doesn't it affect other web applications provisioned on the same farm using the same Central Administration? Any thoughts on it? Also, please provide a tiny explanation for doing those changes.
Thursday, October 18, 2007 6:16 AM by Srinivas

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Great article! This is exactly what my client requested. After juggling with the web.config files I managed to have both Windows Tokens and FBA for ssp and mysite (depending on the zone). Now I need to create the FBA management tool in Visual Studio :)

Thanks for this article. Couldn't have done it without it.
Wednesday, November 14, 2007 11:43 AM by Ryan Lee

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Oh My God!!!

I have read so many articles, none of them mentioned the database permission detail, which I also missed! I lost hours on this issue. Thank you so much!!!
Sunday, November 25, 2007 2:28 AM by Hristo Yankov

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Thanks for the post, very useful info!
www.sharepoint2007.co.cc
Monday, November 26, 2007 9:54 AM by Hinsua

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

After spending a lot of hours, I have finally successfully created a SharePoint site with FBA authentication. Thanks for the useful article.
Thursday, November 29, 2007 8:30 AM by Vinothkumar

# re: Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

Good, very good.

But I always have a problem... Users of the SQL database are not recognized in WSS.

Need help.

Thanks.

Monday, December 03, 2007 8:26 AM by Lili
