Hi Readers
We are going to create a SharePoint web application that supports Windows and forms-based authentication, working against users in a SQL database through Membership providers.
What is required for a claim based authentication web application?
When a claims based authentication web application is created, we should provide the details of Membership and role provider.
How do we make SharePoint aware of the Membership and role providers?
We can do this by modifying the web.config file of the SharePoint Central Administration site. How do we do that? It is simple:
1. Go to IIS -> Sites -> SharePoint Central Administration v4
2. Open web.config (take a backup of the web.config before you do any modification)
3. Find the <system.web> section in the web.config and replace the Role Manager and Membership provider entries. Keep the same order: first Role Manager, then Membership provider.

<!-- Role Manager -->
<roleManager>
  <providers>
    <add connectionStringName="2008SVRCredentialStore" applicationName="/"
         name="BIJU2008SVRRoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<!-- Membership Provider -->
<membership>
  <providers>
    <add name="BIJU2008SVRMemberShipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="2008SVRCredentialStore"
         enablePasswordRetrieval="false" enablePasswordReset="true"
         requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"
         passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>
  </providers>
</membership>
4. Replace the connectionStrings section:

<connectionStrings>
  <add connectionString="data source=BIJU2008SVR;initial catalog=BIJU2008SVRCredentialStore;Integrated Security=SSPI;"
       name="2008SVRCredentialStore"
       providerName="System.Data.SqlClient"/>
</connectionStrings>
Having done this, SharePoint is aware of the Membership and role providers you have created.
Now let us start creating a web application with claims authentication.
1. Select authentication mode as “Claims Based Authentication”
2. Provide the membership details in Claims Authentication Types section as what you have configured in web.config
3. Select default/custom Sign in page. If you have a custom page, go for that.
4. Click Ok to create the web application.
5. Next thing is to create a Site Collection in the new web application.
6. Select the Primary Site Collection Administrator and the Secondary Site Collection Administrator. The Primary Site Collection Administrator is a domain user and the Secondary Site Collection Administrator is one of the SQL users. SharePoint is able to resolve both users.
7. Click OK to create the top-level site collection; the site collection is ready to use.
8. Let us log in to the new site collection. SharePoint will present the default log-in screen instead of logging you in automatically with Windows authentication. The default log-in screen contains a control that talks to the Security Token Service to get authenticated. The SharePoint site no longer authenticates the users itself; this is a trust-based authentication mode. The Security Token Service trusts the users, and SharePoint trusts the Security Token Service.
Where is the Security Token Service?
How does the Security Token Service understand our providers?
Security Token Service can be found in
We need to configure the Security Token Service's web.config with the provider details to make it aware of the SQL users.
8.1. Explore the Security Token Service application, which is a WCF service, and update its web.config file:

<system.web>
  <roleManager>
    <providers>
      <add connectionStringName="2008SVRCredentialStore" applicationName="/"
           name="BIJU2008SVRRoleManager"
           type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
  </roleManager>
  <membership>
    <providers>
      <add name="BIJU2008SVRMemberShipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="2008SVRCredentialStore" enablePasswordRetrieval="false"
           enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/"
           requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"
           passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>
    </providers>
  </membership>
</system.web>
8.2. Update the connectionStrings section as well:

<connectionStrings>
  <add connectionString="data source=BIJU2008SVR;initial catalog=BIJU2008SVRCredentialStore;Integrated Security=SSPI;"
       name="2008SVRCredentialStore"
       providerName="System.Data.SqlClient"/>
</connectionStrings>
9. Select Windows authentication and you are there!
10. Open the site in another browser and select forms authentication. A custom log in page is presented to you by SharePoint.
11. Enter your credentials and you are there!
12. Try to add SQL users to SharePoint user groups. You will see that SQL users are not resolved in SharePoint by default. This is because the site does not know anything about the SQL users. We can let the site know about them by adding the providers to the web.config of the site.
Web.config file:

<membership defaultProvider="i">
  <providers>
    <add name="i"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="BIJU2008SVRMemberShipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="2008SVRCredentialStore"
         enablePasswordRetrieval="false" enablePasswordReset="true"
         requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"
         passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10" passwordStrengthRegularExpression=""></add>
  </providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c"
         type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="2008SVRCredentialStore" applicationName="/"
         name="BIJU2008SVRRoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
ConnectionStrings
Having done the above changes, SQL users are resolved in SharePoint.
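As an added example (not code from the original post), here is a small Python checker for the provider entries this walkthrough places in the Central Administration, Security Token Service and web application web.config files: it confirms the roleManager-before-membership order, that every provider's connectionStringName resolves to a declared connection string, and that the SQL membership provider keeps passwords hashed and non-retrievable. SAMPLE_CONFIG is a constructed fragment that mirrors the post's settings; against real files you would read the XML from disk.

```python
# Added example, not code from the original post: checks the membership and role
# provider entries the walkthrough puts into three web.config files. SAMPLE_CONFIG
# is constructed here to mirror the post's settings; real files are read from disk.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="2008SVRCredentialStore" providerName="System.Data.SqlClient" connectionString="data source=BIJU2008SVR;initial catalog=BIJU2008SVRCredentialStore;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <roleManager><providers>
      <add name="BIJU2008SVRRoleManager" connectionStringName="2008SVRCredentialStore" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web" />
    </providers></roleManager>
    <membership><providers>
      <add name="BIJU2008SVRMemberShipProvider" connectionStringName="2008SVRCredentialStore" applicationName="/" type="System.Web.Security.SqlMembershipProvider, System.Web" enablePasswordRetrieval="false" passwordFormat="Hashed" />
    </providers></membership>
  </system.web>
</configuration>"""

def check_web_config(xml_text):
    """Return a list of findings; an empty list means the config passed."""
    root = ET.fromstring(xml_text)
    system_web = root.find("./system.web")
    if system_web is None:
        return ["missing <system.web> section"]
    findings = []
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    # The post stresses the order: roleManager first, then membership.
    order = [c.tag for c in system_web if c.tag in ("roleManager", "membership")]
    if order != ["roleManager", "membership"]:
        findings.append(f"provider order is {order}, expected roleManager then membership")
    for section in ("roleManager", "membership"):
        for add in system_web.findall(f"./{section}/providers/add"):
            name, cs = add.get("name"), add.get("connectionStringName")
            # Every SQL provider must name a connection string that actually exists.
            if cs is not None and cs not in conn_names:
                findings.append(f"{section} provider {name!r} uses unknown connection string {cs!r}")
            if "SqlMembershipProvider" in add.get("type", ""):
                # Hashed storage with retrieval disabled is what the post configures.
                if add.get("passwordFormat") != "Hashed":
                    findings.append(f"membership provider {name!r} stores passwords as {add.get('passwordFormat')!r}")
                if add.get("enablePasswordRetrieval", "false").lower() != "false":
                    findings.append(f"membership provider {name!r} allows password retrieval")
    return findings

def sql_provider_names(xml_text):
    """SQL provider names a config declares, so the three files can be compared."""
    return {a.get("name") for a in ET.fromstring(xml_text).findall("./system.web/*/providers/add")
            if "System.Web.Security.Sql" in a.get("type", "")}
```

Run check_web_config over each of the three files and compare sql_provider_names across them: a provider name that is missing from one file is the usual reason SQL users fail to resolve.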
This is how we can implement forms based authentication in
SharePoint for SQL users using providers. If you find it useful, don’t
forget to add your comments.
Happy Reading!
Biju Joseph