Wednesday 23 May 2012

step-by-step configuration of Forms authentication in SharePoint 2007

Following are the steps for setting up Forms Authentication in SharePoint 2007: 

1. Setup the Membership database
2. Add a new user to the membership database
3. Configure SharePoint Central Administration web.config
4. Configure the SharePoint site's web.config
5. Enable Forms authentication on the SharePoint site
6. Give the rights to the Forms-based user to access the site
7. Login

In this article, we will be using the SQL Server membership provider to authenticate users. I'm also assuming that you've already installed SharePoint and created the SharePoint site on which you're trying to enable forms authentication.

Step 1: Setup the Membership database

Before using the SQL Server membership provider, you have to set up the database the provider uses to store member and role information. Microsoft ships a tool with the .NET Framework, the ASP.NET SQL Server Setup Wizard, which creates the tables and stored procedures the provider requires. Launch it by running aspnet_regsql.exe from the .NET Framework directory:

<Windows Directory>\Microsoft.NET\Framework\<version>\aspnet_regsql.exe

for example, for the 2.0 runtime that SharePoint 2007 runs on:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe

When you launch the wizard, the "Welcome" screen appears and tells you about what the wizard does and also the command line parameters you can use for more options. Click the Next button to display the "Select a Setup Option" screen (Figure 1).



Figure 1 – ASP.NET SQL Server Setup Wizard – Select a Setup Option
From the "Select a Setup Option" screen, choose the "Configure SQL Server for application services" option. This lets the wizard know you want to add new tables and stored procedures to a membership database. If you accidentally add the structure to the wrong database, you can remove the table structure and delete all data in the database by choosing “Remove application services information from an existing database” option. Click "Next" to move to the "Select the Server and Database" screen (Figure 2).



Figure 2 – ASP.NET SQL Server Setup Wizard – Select the Server and Database
Enter the name of your database server in the Server textbox, then pick the database from the Database combo box. To add the tables and stored procedures to an existing database, select it from the list; to create a new database, type its name directly into the combo box and the wizard creates it for you. You may also need to enter SQL Server authentication credentials if you connect using SQL Server authentication instead of Windows authentication. These credentials are used only to create the membership tables and stored procedures; they are not what the web application uses at run time. Click Next to continue to the "Confirm Your Settings" screen.

The "Confirm Your Settings" screen summarizes the choices you have made so far. Click Back if you want to change any of them; otherwise click Next.

Within a second or two the wizard creates all of the tables and stored procedures required by the membership provider in the database you chose. If it takes much longer, you have probably entered an incorrect setting and the wizard is waiting for the connection to time out. It then displays a final status screen indicating success or failure. On failure it shows the reason; on success it just tells you that everything worked and to click Finish.

Step 2: Add a user to the membership database

Adding users is more tedious on IIS 6.0 than on IIS 7.0, which has a ".NET Users" page in IIS Manager, but here is how you do it:

1. Create a new ASP.NET web application
2. Configure the new application for Forms authentication and point it at your newly-created membership database
3. Copy the machineKey element from your SharePoint site's Web.config into your new web application's Web.config
4. Add users and roles using the ASP.NET Web Site Administration Tool (if you have Visual Studio 2005) or create users via the CreateUserWizard ASP.NET control.

Once you have the website created, add a new Web.config to the application root and add the following configuration setting to the file:

Listing 01 – Web.config for the ASP.NET web application
<connectionStrings>
   <add name="MembershipDatabaseConnectionString"
        connectionString="SERVER=localhost;DATABASE=MembershipDatabase;TRUSTED_CONNECTION=true;"/>
</connectionStrings>
<system.web>
   <machineKey
      validationKey="8E074B186056F889587355255B167DA297AD837E43FD9850"
      decryptionKey="991D4DEB57A2263855C31AA1D3FF4F1AD508A53D2A94658F"
      validation="SHA1"/>
   <authentication mode="Forms"/>
   <membership defaultProvider="MembershipProviderDemo">
      <providers>
         <add name="MembershipProviderDemo"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="MembershipDatabaseConnectionString"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="true"
              applicationName="/"
              requiresUniqueEmail="false"
              passwordFormat="Hashed"
              maxInvalidPasswordAttempts="5"
              minRequiredPasswordLength="7"
              minRequiredNonalphanumericCharacters="1"
              passwordAttemptWindow="10"
              passwordStrengthRegularExpression=""/>
      </providers>
   </membership>
   <roleManager enabled="true" defaultProvider="RoleProviderDemo">
      <providers>
         <add name="RoleProviderDemo"
              connectionStringName="MembershipDatabaseConnectionString"
              applicationName="/"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
   </roleManager>
</system.web>
A few settings in Listing 01 must be changed to suit your environment:

1. Replace the machineKey element in the listing with the one from your SharePoint site's Web.config. The machineKey differs from site to site, so take it from the site you are configuring for Forms authentication. Matching machineKeys let the two applications share Forms authentication tickets, and the decryptionKey is what the provider would use if you changed passwordFormat to "Encrypted". With passwordFormat="Hashed" as in Listing 01, the key values do not enter the password hash at all: the SqlMembershipProvider salts each password with a random per-user value that it stores next to the hash. What does have to agree is the hashing algorithm, which defaults to the one named by the machineKey validation attribute (SHA1 here) unless hashAlgorithmType is set on <membership>, and the applicationName (see point 4). Treat the key values as secrets: anyone who holds the validationKey can forge Forms authentication tickets for the site, so the values in Listing 01 are for illustration only and must never be reused on a real server.
2. Make sure the connection string points at the server that holds the membership database you just created, and that the right credentials are supplied. TRUSTED_CONNECTION=true means the web application connects as its application pool identity, so that Windows account needs a login on the SQL Server that is mapped into the membership database and placed in the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles that aspnet_regsql created. The same applies later to the application pools of the SharePoint site and of Central Administration. If you use a SQL login instead, remember that its password then sits in clear text in every Web.config that carries the connection string.
3. You can name your connection string anything you want, just makes sure you use the same name in the connectionStringName parameter for the membership and roleManager provider configurations.
4. Make sure your applicationName parameters match in both the membership and roleManager provider configurations.
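The four points above are easy to get subtly wrong, and a mismatch only shows up later as "user not found" in SharePoint. The following script is an added example, not code from the original article: it cross-checks a web application's Web.config against the SharePoint site's Web.config for exactly those four conditions (plus the Forms authentication mode). The two Web.config samples inside it are constructed stand-ins modelled on Listing 01, with the provider type names shortened; the function names are mine.

```python
"""Cross-check the user-creation web application's Web.config against the
SharePoint site's Web.config (Step 2, points 1 to 4).

Added example, not part of the original article. Both Web.config samples
are constructed and cut down to the elements that matter here.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the SharePoint site's Web.config. At Step 2 only
# its machineKey matters; the providers are added to it in Step 4.
SHAREPOINT_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="8E074B186056F889587355255B167DA297AD837E43FD9850"
                decryptionKey="991D4DEB57A2263855C31AA1D3FF4F1AD508A53D2A94658F"
                validation="SHA1"/>
  </system.web>
</configuration>"""

# Constructed stand-in for the web application's Web.config (Listing 01).
APP_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="MembershipDatabaseConnectionString"
         connectionString="SERVER=localhost;DATABASE=MembershipDatabase;TRUSTED_CONNECTION=true;"/>
  </connectionStrings>
  <system.web>
    <machineKey validationKey="8E074B186056F889587355255B167DA297AD837E43FD9850"
                decryptionKey="991D4DEB57A2263855C31AA1D3FF4F1AD508A53D2A94658F"
                validation="SHA1"/>
    <authentication mode="Forms"/>
    <membership defaultProvider="MembershipProviderDemo">
      <providers>
        <add name="MembershipProviderDemo" type="System.Web.Security.SqlMembershipProvider, System.Web"
             connectionStringName="MembershipDatabaseConnectionString" applicationName="/"
             passwordFormat="Hashed"/>
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="RoleProviderDemo">
      <providers>
        <add name="RoleProviderDemo" type="System.Web.Security.SqlRoleProvider, System.Web"
             connectionStringName="MembershipDatabaseConnectionString" applicationName="/"/>
      </providers>
    </roleManager>
  </system.web>
</configuration>"""


def machine_key(root):
    """The (validationKey, decryptionKey, validation) triple, or None if absent."""
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    return tuple(mk.get(a) for a in ("validationKey", "decryptionKey", "validation"))


def check_config(app_xml, site_xml):
    """Return a list of problems; an empty list means the two files agree."""
    app, site = ET.fromstring(app_xml), ET.fromstring(site_xml)
    problems = []
    # 1. The machineKey must be a verbatim copy of the SharePoint site's.
    if machine_key(app) is None or machine_key(app) != machine_key(site):
        problems.append("machineKey differs from the SharePoint site's Web.config")
    # 2./3. Each provider's connectionStringName must exist, and each section's
    #       defaultProvider must name a provider that is actually configured.
    conn_names = {c.get("name") for c in app.findall("./connectionStrings/add")}
    for section in ("membership", "roleManager"):
        sec = app.find(f"./system.web/{section}")
        if sec is None:
            problems.append(f"<{section}> element is missing")
            continue
        provs = {p.get("name"): p for p in sec.findall("providers/add")}
        default = sec.get("defaultProvider")
        if default not in provs:
            problems.append(f"{section}: defaultProvider '{default}' is not a configured provider")
        for name, prov in provs.items():
            csn = prov.get("connectionStringName")
            if csn not in conn_names:
                problems.append(f"{section}/{name}: connectionStringName '{csn}' is not defined")
    # 4. applicationName scopes users and roles in the database: a user created
    #    under one value is invisible to a provider configured with another.
    app_names = {p.get("applicationName") for p in app.findall("./system.web/*/providers/add")}
    if len(app_names) != 1:
        problems.append(f"applicationName differs between providers: {sorted(app_names, key=str)}")
    auth = app.find("./system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        problems.append("authentication mode is not Forms")
    return problems


# A deliberately broken copy: only the role provider's applicationName changes.
MISMATCHED_APP_WEB_CONFIG = APP_WEB_CONFIG.replace(
    'applicationName="/"/>', 'applicationName="/Intranet"/>', 1)

if __name__ == "__main__":
    for label, cfg in (("good", APP_WEB_CONFIG), ("mismatched", MISMATCHED_APP_WEB_CONFIG)):
        print(label, check_config(cfg, SHAREPOINT_WEB_CONFIG) or "OK")
```

Run it against the real files by reading them into the two string arguments; the applicationName check is the one worth keeping around, because the same script applies unchanged to the Central Administration and SharePoint site Web.config files after Steps 3 and 4.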

Once the configuration is in place, you need a way to add users. If you are using Visual Studio 2005, you can use the built-in Web Site Administration Tool:

1. Click the Website menu and choose the ASP.NET Configuration menu item. This launches a new web browser window that displays the Web Site Administration Tool.
2. Click on the Security tab.
3. Click on the Create User link and create a new user.

If you do not have Visual Studio 2005, you can use the CreateUserWizard control to add a new user to the membership database. Create a new page named CreateUser.aspx and add the following markup to the file (the Page directive is all the page needs besides the form):

Listing 02 – CreateUser.aspx
<%@ Page Language="C#" %>
<form id="form1" runat="server">
   <asp:CreateUserWizard ID="CreateUserWizard1" runat="server"></asp:CreateUserWizard>
</form>
Once you save the file, navigate to CreateUser.aspx in your browser and create a new user. One way or another, you should have a user in the membership database at this point. Delete CreateUser.aspx (or the whole helper application) as soon as you are done with it: anyone who can reach the page can create accounts in your membership database, and once Forms authentication is enabled those accounts can sign in to SharePoint.

Step 3: Configure SharePoint Central Administration Web.config

Now you have to configure your site to use Forms authentication. You do that through the SharePoint Central Administration web interface, so Central Administration itself needs to know about your membership and roleManager providers. Add the appropriate <connectionStrings>, <membership>, and <roleManager> elements to the Central Administration Web.config. The configuration is almost identical to Listing 01, except that you do not set the defaultProvider attribute on <membership> and <roleManager>, and you do not set the enabled attribute on <roleManager>: Central Administration keeps authenticating its own users with Windows and only needs to be able to call your providers. The Central Administration Web.config already contains a great deal of configuration, so be careful not to remove or modify any existing settings. Listing 03 does not include a machineKey; leave the existing machineKey element of Central Administration exactly as it is.

Open the Central Administration Web.config. If you do not know its location, look up the site's physical path in IIS Manager. Add the following elements. Some of them, such as <connectionStrings>, <membership>, and <roleManager>, may already exist; if they do, add the child elements to the existing element rather than adding a second copy, because ASP.NET refuses to load a Web.config that declares the same section twice.

Listing 03 – Additions to the Central Administration Web.config
<connectionStrings>
   <!-- element may already exist -->
   <add name="MembershipDatabaseConnectionString"
        connectionString="SERVER=localhost;DATABASE=MembershipDatabase;TRUSTED_CONNECTION=true;"/>
</connectionStrings>
<system.web>
   <membership>
      <!-- element may already exist -->
      <providers>
         <!-- element may already exist -->
         <add name="MembershipProviderDemo"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="MembershipDatabaseConnectionString"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="true"
              applicationName="/"
              requiresUniqueEmail="false"
              passwordFormat="Hashed"
              maxInvalidPasswordAttempts="5"
              minRequiredPasswordLength="7"
              minRequiredNonalphanumericCharacters="1"
              passwordAttemptWindow="10"
              passwordStrengthRegularExpression=""/>
      </providers>
   </membership>
   <roleManager>
      <!-- element may already exist -->
      <providers>
         <!-- element may already exist -->
         <add name="RoleProviderDemo"
              connectionStringName="MembershipDatabaseConnectionString"
              applicationName="/"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
   </roleManager>
</system.web>
Central Administration now knows about your providers. Next, add the same settings to the Web.config of your SharePoint site.

Step 4: Configure SharePoint Site Web.config

Now open the Web.config in the root directory of your SharePoint site, and make the same changes that you made to the SharePoint Central Administration's Web.config. When you are finished, you need to set the defaultProvider attributes in the <membership> and <roleManager> elements, and the enabled attribute in the <roleManager> element, as shown in Listing 04.

Listing 04 – Attributes that appear in the SharePoint site Web.config (but not in the Central Administration Web.config)
<connectionStrings>
   <add name="MembershipDatabaseConnectionString"
        connectionString="SERVER=localhost;DATABASE=MembershipDatabase;TRUSTED_CONNECTION=true;"/>
</connectionStrings>
<system.web>
   <membership defaultProvider="MembershipProviderDemo">
      <providers>
         <add name="MembershipProviderDemo"
              type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
              connectionStringName="MembershipDatabaseConnectionString"
              enablePasswordRetrieval="false"
              enablePasswordReset="true"
              requiresQuestionAndAnswer="true"
              applicationName="/"
              requiresUniqueEmail="false"
              passwordFormat="Hashed"
              maxInvalidPasswordAttempts="5"
              minRequiredPasswordLength="7"
              minRequiredNonalphanumericCharacters="1"
              passwordAttemptWindow="10"
              passwordStrengthRegularExpression=""/>
      </providers>
   </membership>
   <roleManager enabled="true" defaultProvider="RoleProviderDemo">
      <providers>
         <add name="RoleProviderDemo"
              connectionStringName="MembershipDatabaseConnectionString"
              applicationName="/"
              type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
   </roleManager>
</system.web>
After doing this, SharePoint Central Administration and your SharePoint site have the settings required to enable Forms authentication.
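Steps 3 and 4 are the same edit applied twice with a small difference, to files that already contain some of the target elements. The script below is an added example, not code from the original article: it merges the additions of Listings 03 and 04 into a parsed Web.config, reusing any <connectionStrings>, <membership>, <roleManager> or <providers> element that is already there, never adding a provider or connection string twice, and never touching machineKey. The central_admin flag selects between the two listings. The sample Web.config inside it is a constructed stand-in for a real one, and the function names are mine.

```python
"""Merge the Forms-authentication provider settings of Listings 03 and 04 into
an existing Web.config without duplicating elements and without touching
machineKey. Added example, not part of the original article; the sample
Web.config below is constructed.
"""
import xml.etree.ElementTree as ET

CONNECTION_NAME = "MembershipDatabaseConnectionString"
CONNECTION_STRING = "SERVER=localhost;DATABASE=MembershipDatabase;TRUSTED_CONNECTION=true;"
ASSEMBLY = "System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

MEMBERSHIP_PROVIDER = {
    "name": "MembershipProviderDemo",
    "type": "System.Web.Security.SqlMembershipProvider, " + ASSEMBLY,
    "connectionStringName": CONNECTION_NAME,
    "enablePasswordRetrieval": "false",
    "enablePasswordReset": "true",
    "requiresQuestionAndAnswer": "true",
    "applicationName": "/",
    "requiresUniqueEmail": "false",
    "passwordFormat": "Hashed",
    "maxInvalidPasswordAttempts": "5",
    "minRequiredPasswordLength": "7",
    "minRequiredNonalphanumericCharacters": "1",
    "passwordAttemptWindow": "10",
    "passwordStrengthRegularExpression": "",
}
ROLE_PROVIDER = {
    "name": "RoleProviderDemo",
    "connectionStringName": CONNECTION_NAME,
    "applicationName": "/",
    "type": "System.Web.Security.SqlRoleProvider, " + ASSEMBLY,
}

# Constructed stand-in for an existing Web.config: it already has a machineKey,
# an empty <connectionStrings> and a <roleManager>, as a real one may, so the
# merge must reuse those elements instead of adding a second copy.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings/>
  <system.web>
    <machineKey validationKey="8E074B186056F889587355255B167DA297AD837E43FD9850"
                decryptionKey="991D4DEB57A2263855C31AA1D3FF4F1AD508A53D2A94658F"
                validation="SHA1"/>
    <authentication mode="Windows"/>
    <roleManager enabled="false"/>
  </system.web>
</configuration>"""


def _child(parent, tag):
    """Return parent/<tag>, creating it only when it is missing."""
    el = parent.find(tag)
    if el is None:
        el = ET.SubElement(parent, tag)
    return el


def _add_once(container, attrs):
    """Add <add name="..."> under container unless that name is already present."""
    if any(a.get("name") == attrs["name"] for a in container.findall("add")):
        return False
    ET.SubElement(container, "add", attrs)
    return True


def add_forms_auth_providers(web_config_xml, central_admin):
    """Return the Web.config XML with the provider settings merged in."""
    root = ET.fromstring(web_config_xml)
    _add_once(_child(root, "connectionStrings"),
              {"name": CONNECTION_NAME, "connectionString": CONNECTION_STRING})
    system_web = _child(root, "system.web")          # machineKey stays untouched
    membership = _child(system_web, "membership")
    _add_once(_child(membership, "providers"), MEMBERSHIP_PROVIDER)
    role_manager = _child(system_web, "roleManager")
    _add_once(_child(role_manager, "providers"), ROLE_PROVIDER)
    if not central_admin:                             # Listing 04 only
        membership.set("defaultProvider", MEMBERSHIP_PROVIDER["name"])
        role_manager.set("defaultProvider", ROLE_PROVIDER["name"])
        role_manager.set("enabled", "true")
    return ET.tostring(root, encoding="unicode")


def summarize(web_config_xml):
    """The settings worth checking after the merge, as a plain dict."""
    root = ET.fromstring(web_config_xml)
    mem = root.find("./system.web/membership")
    rm = root.find("./system.web/roleManager")
    return {
        "connection_strings": [c.get("name") for c in root.findall("./connectionStrings/add")],
        "membership_default": mem.get("defaultProvider"),
        "membership_providers": [p.get("name") for p in mem.findall("providers/add")],
        "role_default": rm.get("defaultProvider"),
        "role_enabled": rm.get("enabled"),
        "role_providers": [p.get("name") for p in rm.findall("providers/add")],
        "machine_key_validation": root.find("./system.web/machineKey").get("validation"),
    }
```

Apply it to a copy of each Web.config and diff the result against the original before putting it in place. The order of elements inside <system.web> does not matter to ASP.NET, but a second <connectionStrings> or <roleManager> section does, which is exactly what the lookup-before-create in _child prevents; running the merge twice is deliberately a no-op.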

Step 5: Enable Forms Authentication on the SharePoint site

Now enable Forms Authentication for SharePoint sites using SharePoint Central Administration. Navigate to the Central Administration site. Click on the Application Management link on the left hand navigation bar. Click on the Authentication Providers link under the Application Security section on the right hand column of the page. The Authentication Providers page loads, as shown in Figure 3.



Figure 3 – Authentication Providers

Make sure the correct Web Application is selected before you change any settings. If it is not, click the small down-arrow next to the URL and choose "Change Web Application" from the drop-down list. SharePoint then displays a popup window with a list of web applications from which to choose.

Once you have the right web application selected, the Authentication Providers page displays a list of the zones in that application. Click on the name of the zone in which you want to enable Forms authentication. The Edit Authentication page displays (Figure 4).



Figure 4 – Edit Authentication Page

In the Edit Authentication page, choose the "Forms" option for Authentication Type. The page refreshes and displays the Membership provider and Role manager sections. Enter MembershipProviderDemo in the Membership provider name textbox, and RoleProviderDemo in the Role manager name textbox, then click the Save button. You are taken back to the Authentication Providers screen, but your zone should now say MembershipProviderDemo under the Membership Provider Name column. Forms authentication is now enabled on the site.

Step 6: Authorize the Forms-based user to access the site

Forms authentication is enabled on the site, but authentication is not authorization. When you browse to the site and enter your username and password, you will be authenticated successfully and then refused access, because no SharePoint permission has been granted to the Forms user yet. Someone who already has rights on the site collection, the Site Collection Administrator, has to grant them.

You may remember setting up a Site Collection Administrator when you first created the site, and it was a Windows user account. If you extended the site and have both a Windows zone and a Forms authentication zone, then you can login to the Windows zone and setup the Forms user in Site Settings as you would any other user.

If you have not extended the site, the Windows account that is the site collection administrator cannot sign in to the Forms zone, so you need to change the site collection administrator to a Forms-based account. To do this, open SharePoint Central Administration and click on the Application Management link in the left navigation menu. Click the Site Collection Administrators link under the SharePoint Site Management section in the left-hand column of the page. The Site Collection Administrators page displays (Figure 5).



Figure 5 – Site Collection Administrators Page
On the Site Collection Administrators page, make sure the correct site collection is selected. Then enter the username of the user you created in Step 2 in the Primary Site Collection Administrator textbox and click the Check Names icon. It may take a few seconds, but the page should then underline the name. A red underline means the name was not resolved: check that you typed it correctly, and if the problem persists, go back and check that the connection string is valid, that the applicationName in Central Administration's Web.config matches the one the user was created under, and that there are no typing errors in the provider configuration.

Click on the OK button to save the changes. Your Forms authentication account is now a Site Collection Administrator who has authorization to visit the site. You can use that account to get into the site and setup additional Forms authentication users in Site Settings.

Step 7: Login

When you browse to the site, the default SharePoint login page is displayed (Figure 6). Enter your username and password, then click the Sign In button. You should be authenticated and authorized, and the site should display.


Figure 6 – SharePoint Forms Authentication Login Page
