Sunday, 23 June 2013

Claims Based Authentication in SharePoint 2010

Hi Readers

We are going to create a SharePoint web application that supports windows and forms based authentication that works against users in the SQL database using Membership providers.

What is required for a claim based authentication web application? 

When a claims based authentication web application is created, we should provide the details of Membership and role provider.
How to make SharePoint aware of the Membership and role providers? We can do this by modifying the web.config file of the SharePoint central administration site. How do we do that? It is simple
1. Go to -- > IIS à sites –> SharePoint Central Administration v4

2. Open web.config (take a backup of the web.config before you do any modification)
3. Find <system.web> section in the web.config and replace Role manager and Membership provider. Keep the order same, first Role manger then Membership provider.
  1. <!-- Role Manager-->  
  2.     <roleManager>  
  3.       <providers>  
  4.         <add connectionStringName="2008SVRCredentialStore" applicationName="/"  
  5.            name="BIJU2008SVRRoleManager"   
  6.              type="System.Web.Security.SqlRoleProvider, System.Web, 
  7.              Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />  
  8.       </providers>  
  9.     </roleManager>      
  10.     <!-- MemberShip Provider -->  
  11.     <membership>  
  12.       <providers>  
  13.         <add name="BIJU2008SVRMemberShipProvider"   
  14.              type="System.Web.Security.SqlMembershipProvider, 
  15.              System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"   
  16.              connectionStringName="2008SVRCredentialStore"   
  17.              enablePasswordRetrieval="false" enablePasswordReset="true"   
  18.              requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"   
  19.              passwordFormat="Hashed" maxInvalidPasswordAttempts="5"   
  20.              minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"   
  21.              passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>  
  22.       </providers>  
  23.     </membership>      
 3. Replace ConnectionStrings section  
  1. <connectionStrings>  
  2.     <add connectionString="data source=BIJU2008SVR;initial 
  3.          catalog=BIJU2008SVRCredentialStore;Integrated Security=SSPI;"   
  4.          name="2008SVRCredentialStore"   
  5.          providerName="System.Data.SqlClient"/>  
  6.   </connectionStrings>  
Having done this, SharePoint is aware of the Membership and role managers you have created.
Now Let us start creating a web application with claims authentication.
1. Select authentication mode as “Claims Based Authentication”
2. Provide the membership details in Claims Authentication Types section as what you have configured in web.config
3. Select default/custom Sign in page. If you have a custom page, go for that.
4. Click Ok to create the web application. 
5. Next thing is to create a Site Collection in the new web application.
6. Select Primary Site Collection Administrator and Secondary Site Collection. Primary Site Collection Administrator is the domain user and Secondary Site Collection Admin is from SQL users. SharePoint is able to resolve both users.
7. Click OK to create top level site collection and site collection is ready to use.
8. Let us log in to the new site collection. SharePoint will provide you with the default Log in screen instead of automatic log in using windows authentication. In the default log in screen, there is a control that talks to Security Taken Service to get authenticated. SharePoint Site no longer authenticates the users. It is a trust based authentication mode. Security Token Service trust the users and SharePoint truest Security Token Services.
Where is Security Token Service?
How Security Token Service understands our providers?
Security Token Service can be found in
We need to configure Security Token Service's web.config with provider details to make it aware of SQL users.
8. 1. Explore Security Token Service application which is a WCF Service  and update its web.config file
  1. <system.web>  
  2.    <roleManager>  
  3.        <providers>  
  4.           <add connectionStringName="2008SVRCredentialStore" applicationName="/"  
  5.              name="BIJU2008SVRRoleManager" type="System.Web.Security.SqlRoleProvider, 
  6.              System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />  
  7.        </providers>  
  8.     </roleManager>  
  10.         <membership>  
  11.             <providers>  
  12.                 <add name="BIJU2008SVRMemberShipProvider" type="System.Web.Security.SqlMembershipProvider,                System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
  13.                connectionStringName="2008SVRCredentialStore" enablePasswordRetrieval="false" 
  14.                enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" 
  15.                requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" 
  16.                minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" 
  17.                passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>  
  18.             </providers>  
  19.         </membership>  
  20. </system.web>  
8.2. Update connectionStrings as well
  1. <connectionStrings>  
  2.         <add connectionString="data source=BIJU2008SVR;initial catalog=BIJU2008SVRCredentialStore;
  3.         Integrated Security=SSPI;" name="2008SVRCredentialStore" 
  4.          providerName="System.Data.SqlClient"/>  
  5.     </connectionStrings>  
9. Select windows authentication and you are there!
10. Open the site in another browser and select forms authentication. A custom log in page is presented to you by SharePoint.
11. Enter your credentials and you are there! 
12. Try to add SQL users to SharePoint user groups. You will see that SQL users are not resolved in SharePoint by default.
It is because the site does not know anything about SQL users. We can let the site know about SQL users by adding providers in web.config of the site.
Web.config file 
  1. <membership defaultProvider="i">  
  2.       <providers>  
  3.         <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, 
  4.          Microsoft.SharePoint, Version=, Culture=neutral, 
  5.         PublicKeyToken=71e9bce111e9429c" />  
  6.     <add name="BIJU2008SVRMemberShipProvider"   
  7.              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=, 
  8.         Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"   
  9.              connectionStringName="2008SVRCredentialStore"   
  10.              enablePasswordRetrieval="false" enablePasswordReset="true"   
  11.              requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"   
  12.              passwordFormat="Hashed" maxInvalidPasswordAttempts="5"   
  13.              minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"   
  14.              passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>  
  15.       </providers>  
  16.     </membership>  
  17.     <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">  
  18.       <providers>  
  19.         <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, 
  20.         Microsoft.SharePoint, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />  
  21.         <add connectionStringName="2008SVRCredentialStore" applicationName="/" 
  22.       name="BIJU2008SVRRoleManager" type="System.Web.Security.SqlRoleProvider, 
  23.       System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />  
  24.       </providers>  
  25.     </roleManager>  
Having done the above changes, SQL users are resolved in SharePoint. 
This is how we can implement forms based authentication in SharePoint for SQL users using providers. If you find it useful, don’t forget to add your comments.

Happy Reading!
Biju Joseph

No comments:

Post a Comment