Tuesday, November 18, 2014

Configure Forms Based Authentication (FBA) in SharePoint 2013

SharePoint is mostly used for intranet portals in organizations. People in the organization have their own LAN ID and password (set up in Active Directory) through which they access the SharePoint portals. By default a SharePoint site uses Windows authentication to authenticate users, which means any user from the organization's Active Directory can access the SharePoint sites once a Site Collection Administrator grants them permission.

If the organization would like to provide access to external business users who do not have an account in Active Directory, you can configure Forms Based Authentication (FBA) with the SQL Membership Provider to give them access to the SharePoint portals.

A few years back, I implemented this in MOSS 2007. Now I have configured the same in SharePoint 2013. It's almost the same.

Let's go through the steps below to configure FBA with the SQL Membership Provider for a SharePoint portal.
  • First you need to create a new database that will store the information of external users as an ASP.NET membership database. On any SharePoint server, open the directory C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
  • Run aspnet_regsql.exe and click Next.
  • Select 'Configure SQL Server for application services' and click Next.
  • Provide the SQL Server name where you would like to create this database, then provide the database name and click Next.
  • Verify the SQL Server name and the new database name, and click Next.
  • The new database is now created in SQL Server. Click Finish to close the window.
  • Now open SQL Server Management Studio and connect to the SQL Server to verify the new database and its tables.
  • Expand the new database -> Expand Security -> Right-click Users to create a new user -> Add the application pool account of the web application as the login name and select all the _FullAccess schemas in the Owned Schemas section. See the screenshot below for reference.
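The same database setup done from the command line on a SharePoint server, as an added example that is not part of the original post. It runs aspnet_regsql.exe with the same options the wizard uses, then grants the application pool account only the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles that aspnet_regsql creates (role membership rather than the Owned Schemas tab shown in the screenshot), which is the least privilege FBA needs. The server and database names are taken from the post; the account name is an assumption.

```powershell
# Added example (not from the post): aspnet_regsql wizard and user mapping from PowerShell.
# Server/database names come from the post; the pool account is an assumed placeholder.
$sqlServer   = 'WIN-5KDVOHD7F4P\SHAREPOINT'
$database    = 'FBA_ExternalUsers'
$appPoolAcct = 'CONTOSO\sp_webapp'   # assumed web application pool identity

# 1. Create the ASP.NET application-services database, as the wizard does:
#    -E = connect with the current Windows login, -A all = install every feature.
$regsql = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe'
& $regsql -S $sqlServer -E -A all -d $database
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql failed with exit code $LASTEXITCODE" }

# 2. Map the pool account into the database and add it only to the membership and
#    role feature roles; no db_owner, no access to the other aspnet_* features.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$appPoolAcct')
    CREATE LOGIN [$appPoolAcct] FROM WINDOWS;
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$appPoolAcct')
    CREATE USER [$appPoolAcct] FOR LOGIN [$appPoolAcct];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$appPoolAcct';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$appPoolAcct';
"@
$sqlFile = Join-Path $env:TEMP 'fba-grant.sql'
Set-Content -Path $sqlFile -Value $tsql
& sqlcmd.exe -S $sqlServer -E -b -i $sqlFile     # -b: non-zero exit code on any T-SQL error
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }

# 3. Verify the tables the post checks in Management Studio were created.
& sqlcmd.exe -S $sqlServer -E -d $database -Q "SELECT name FROM sys.tables WHERE name LIKE 'aspnet_%' ORDER BY name"
```

Run it once per farm from an account that is sysadmin on the SQL instance; every process identity that will later use the connection string with Trusted_Connection needs the same role membership.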

The membership database is now configured to store external users' information, so next we need to register external users, which will be stored in this database.

At this point no external user has been created yet in the ASP.NET membership database above. CodePlex provides a solution for registering users, changing passwords and password recovery in the ASP.NET membership database. Download the SharePoint 2013 FBA Pack and deploy the WSP file to the web application where your site collection resides.

SharePoint 2013 FBA Pack link: https://sharepoint2013fba.codeplex.com/

Step 1: Download the package and find the WSP file (visigo.sharepoint.formsbasedauthentication.wsp).
Step 2: Add the solution file using the PowerShell command below.

Add-SPSolution -LiteralPath e:\downloads\visigo.sharepoint.formsbasedauthentication.wsp

Step 3: Go to Central Administration -> System Settings -> Solutions Management -> select the solution file and deploy it to the web application where your site collection resides.

Once the solution is deployed you will be able to see it in Solutions Management as below.

Once the solution is deployed, the Site Collection Administrator needs to activate the Forms Based Authentication Management feature on the Site Collection Features page.

Then the Site Collection Administrator can see the links below on the Site Settings page to manage users.
Note: These features are only available to Site Collection Administrators.

Now the Site Collection Administrator can register external users. To do that, click FBA User Management -> Create User -> provide the user's details with a user ID and password.

Once the user is created successfully, the Site Collection Administrator can see the user details as below.

You can also verify in the membership database that one row has been added to the aspnet_Users table, as below.

Now go to Central Administration -> Manage Web Applications -> select the web application where your site collection resides -> click Authentication Providers -> click Default zone -> enter "FBA_SQL_MembershipProvider" as the ASP.NET Membership provider name and "FBA_SQL_RoleProvider" as the ASP.NET Role manager name. See the screenshot below for reference.

  • Now you need to add the SQL connection string, People Picker Wildcards entry, ASP.NET Membership Provider entry and ASP.NET Role Manager entry to the three web.config files below. Follow the screenshots below, which show the entries of each part in the web.config files.
  1. Web application web.config file (on the WFE servers)
  2. Central Administration web application web.config file (on the server hosting CA)
  3. Security Token Service web.config file (located in the 15 hive folder\WebServices\SecurityToken\web.config) - on both the WFE servers and the application servers
  • SQL Connection String Entry:
    <add name="fbaSQLConnection" connectionString="server=WIN-5KDVOHD7F4P\SHAREPOINT;database=FBA_ExternalUsers;Trusted_Connection=true" />

Screenshot for reference:

  • People Picker Wildcards Entry:
    <clear />
    <add key="FBA_SQL_MembershipProvider" value="%" />
  • ASP.Net Membership Provider Entry:
    <add connectionStringName="fbaSQLConnection" applicationName="/" name="FBA_SQL_MembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0,
         Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

  • ASP.Net Role Manager Entry:
    <add connectionStringName="fbaSQLConnection" applicationName="/" name="FBA_SQL_RoleProvider"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0,
         Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Screenshot for reference:
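The web.config edits above applied by script, as an added example that is not code from the post or from the FBA Pack. It backs the file up, adds each entry only if it is not already present, and can be run against the web application, Central Administration and Security Token Service files in turn. The web.config path is an assumption; the provider names and connection string are the ones the post uses. Because the connection string uses Trusted_Connection, each of those three process identities needs the database access granted in the earlier step.

```powershell
# Added example (not from the post): add the FBA entries to one web.config via XML.
# The default path is an assumption; edit it or pass -WebConfig for each file.
param([string]$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config')

$sysWeb = 'System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
$conn   = 'server=WIN-5KDVOHD7F4P\SHAREPOINT;database=FBA_ExternalUsers;Trusted_Connection=true'

Copy-Item $WebConfig "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"   # keep a rollback copy
[xml]$xml = Get-Content $WebConfig -Raw
$root = $xml.DocumentElement

# Return the child element $name of $parent, creating it when it is missing.
function Get-OrAdd([System.Xml.XmlNode]$parent, [string]$name) {
    $node = $parent.SelectSingleNode($name)
    if (-not $node) { $node = $parent.AppendChild($xml.CreateElement($name)) }
    return $node
}
# Append <add .../> unless an entry with the same identifying attribute already exists,
# so running the script twice on the same file does not create duplicate entries.
function Add-Once([System.Xml.XmlNode]$parent, [string]$idAttr, [hashtable]$attrs) {
    if ($parent.SelectSingleNode("add[@$idAttr='$($attrs[$idAttr])']")) { return }
    $e = $xml.CreateElement('add')
    foreach ($k in $attrs.Keys) { $e.SetAttribute($k, $attrs[$k]) }
    [void]$parent.AppendChild($e)
}

# 1. SQL connection string
Add-Once (Get-OrAdd $root 'connectionStrings') 'name' @{ name = 'fbaSQLConnection'; connectionString = $conn }

# 2. People Picker wildcard, only where the file already declares a <SharePoint> section
#    (web application and Central Administration); an undeclared section would stop the
#    Security Token Service web.config from loading.
$sp = $root.SelectSingleNode('SharePoint')
if ($sp) {
    $ppw = Get-OrAdd $sp 'PeoplePickerWildcards'
    if (-not $ppw.SelectSingleNode('clear')) { [void]$ppw.AppendChild($xml.CreateElement('clear')) }
    Add-Once $ppw 'key' @{ key = 'FBA_SQL_MembershipProvider'; value = '%' }
}

# 3. ASP.NET membership provider and 4. ASP.NET role manager provider
$sysWebNode = Get-OrAdd $root 'system.web'
$mp = Get-OrAdd (Get-OrAdd $sysWebNode 'membership') 'providers'
Add-Once $mp 'name' @{ name = 'FBA_SQL_MembershipProvider'; connectionStringName = 'fbaSQLConnection';
    applicationName = '/'; type = "System.Web.Security.SqlMembershipProvider, $sysWeb" }
$rp = Get-OrAdd (Get-OrAdd $sysWebNode 'roleManager') 'providers'
Add-Once $rp 'name' @{ name = 'FBA_SQL_RoleProvider'; connectionStringName = 'fbaSQLConnection';
    applicationName = '/'; type = "System.Web.Security.SqlRoleProvider, $sysWeb" }

$xml.Save($WebConfig)
```

Run it from an elevated PowerShell on each server that holds one of the three files, and compare the saved file against the .bak copy before recycling the application pools.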

Now the administrator can inform the external business user and provide her with the user ID and password to log in to the SharePoint portal. Later on the external user can change her password.

The external user can browse to the portal, where she will find two options; she needs to select Forms Authentication to log in to the portal.

Select Forms Authentication and enter the user ID and password.

Now you can see the portal with the external user logged in.

If you open My Settings for the logged-in user, you will find the account information as below. You can also find this user in the People Picker control when granting permission on any SharePoint list, library or group.

That's all :) 
