Forms Authentication

If you come across a project that requires you to set up forms-based authentication on a SharePoint site, it's actually fairly simple. This post will walk you through creating a new database that will handle storing user information like usernames, passwords, and roles. The steps that we're going to take are:

  1. Create a database to store user info
  2. Extend a site
  3. Create the necessary web.config entries
  4. Create users and roles
  5. Configure the extended site for forms based authentication
  6. Grant the new users and roles permissions on the extended site

Creating the Database

Luckily, we don't have to do a lot to get a database up and running. You can run the Aspnet_regsql.exe tool to start a wizard that will create this database for you. The exe is found in \WINDOWS\Microsoft.NET\Framework\v2.0.50727. Double-click the file and let's begin.



Once you run that tool, the ASP.NET SQL Server Setup Wizard will open. Click Next to get started.



Make sure the "Configure SQL Server for application services" radio button is selected and click Next.



Next, you'll need to specify the server that will store the database and the database name. For the database name, you have three options. You can leave it blank, like I do for this demo, and the wizard will create a database with the generic name "aspnetdb". You can select an existing database from the dropdown, in which case the wizard adds the necessary tables and stored procedures without affecting your existing database's content. Or you can type in a new database name and the wizard will create that database with the appropriate tables and stored procedures.



The next page will display the selections you made on the previous page. Confirm that everything is OK, and click Next.



Click Finish.



Once your database is created, you can go view it and inspect the tables and stored procedures provided. Below is an image of the tables created.



Extend a Site

In Central Admin, go to the Application Management tab and click on the Create or extend Web application link. This will take you to the following page. On this page, you'll need to select the site that you want to extend. This part is pretty straightforward. Just select the Create a new IIS web site radio button, assign an unused port, provide a host header if needed and select a zone from the available items in the dropdown.



Configure the Web.Config

The next thing that we'll need to do is set up the web.config by adding a connectionStrings element, a membership element and a roleManager element. We're going to want to test the connection before we start to modify the SharePoint web.config. In order to do this, you'll want to use Visual Studio to create a new website. Open the site's web.config file and before the section, add your connection string information. Inside add your membership and roleManager.

A few things to pay attention to: In the connectionStrings' add element, the name attribute's value is whatever you want it to be. The same goes for the membership's and roleManager's defaultProvider.

Go ahead and copy the data, with your particular modifications to the connection string. For additional help, you can visit MSDN to learn more on the connectionStrings element, the membership element and the roleManager element.



Note: Do not edit the web.config used by your site without creating a backup. If you make a mistake either in the sections that we're going to add or even if you accidentally add/remove a character from some random line in the file, you can break your site.

Create Users and Roles

Now that your web.config is set up in your test website, we'll need to go to the ASP.NET Configuration. In the image below, it is located under the Project menu item. This will open the ASP.NET Web Site Administration Tool.



When the tool loads, you'll see 3 sections at the bottom. We're going to worry about the first two (Users and Roles).



First, click on the Select authentication type link under the Users section. Make sure From the Internet is selected. Go back to the previous page, and in the Users section, you'll see a new link to create users. Click on the link, and create a couple of users. Then click Create or Manage Roles under the Roles section to create roles and assign users to each role. This part is simple, so I'll leave that to you.



Enable Forms Authentication on the Extended Site

Now we go back to Central Admin. Go to Application Management > Authentication Providers (found under the application security section) and select your extended site. If you don't see it, make sure that the original web application (the one that you extended) is in the dropdown on the page. When you select your extended site, you'll see the following page. I've highlighted the important sections. You'll see that the zone that appears is the zone that I selected when I extended the site. You'll have to select Forms under the authentication type and then you'll have to provide the Membership Provider and the Role Manager information. This information comes from your web.config file under the provider sections for each.



Once you click the save button, go back to the Application Management page and click the Site collection administrators link under the SharePoint Site Management section.


Make sure the correct web application appears in the dropdown, then add one of the accounts created earlier in the Secondary site collection administrator section. If you use the Check Names button, it should find the account in your database. I created an admin user and admin group earlier and I'll add the admin here.



Now you can log into the site as the administrator and add the other users from the database to your site.

Best Practice: In my opinion, and I'm sure most will agree with me, it is best to do everything through groups. You'll want to create a SharePoint group and add users to the group instead of adding them directly to a site or list.

Note: The roles that we created earlier behave like domain groups and you should think of them as such. When you created your roles in the ASP.NET Web Site Administration Tool, you associated individual accounts to each role. Now you can go to a SharePoint group and add the role that you created. This will bring in all the users assigned to that role without you having to add them one by one.

When users attempt to access your new forms-authenticated site, they will be greeted with the following page asking for credentials. The system will handle validating the credentials against the database that we created in the beginning without you having to write any code.
