Form Based Authentication Configuration (FBA) for SharePoint 2013

Introduction: Today I will walk through configuring Form Based Authentication (FBA) for SharePoint 2013 in detail. The configuration is very similar to SharePoint 2010, but there are some differences because SharePoint 2013 runs on .NET 4.0: the web.config entries are slightly different from SP 2010, and IIS does not support editing the .NET 4.0 Membership Provider configuration through its interface, so all of the configuration has to be done manually in the .config files.

FBA configuration involves a few major steps, which I have grouped into four sections:

Section 1: Creating the Membership Database: The Membership Database stores the usernames and passwords of the FBA users, so you have to create it first.

  1. Log in to your SharePoint 2013 server as the Farm Admin (System Account) that installed SharePoint and SQL Server, and navigate to c:\windows\Microsoft.NET\Framework64\v4.0.30319\
  2. Run aspnet_regsql.exe
  3. The “Welcome to the ASP.NET SQL Server Setup Wizard” screen will appear. Click Next to continue.
  4. Select “Configure SQL Server for application services” and click Next.
  5. Now enter the Database Server Name and give the database name in place of <default>. You can leave the database name as <default>, which creates a database called “aspnetdb”, but I gave it the name “SP_FBADB”.
  6. The “Confirm Your Settings” screen will appear. Click Next.
  7. The “Database has been created or modified” screen will appear. Click Finish to close the wizard.
  8. The currently logged-in user must have full permissions on the database you have just created. Open SQL Server Management Studio using Windows authentication –> expand Security/Logins –> find the user (Farm Admin), right-click it –> go to Properties.
  9. Go to the “User Mapping” page. Check the “Map” checkbox for the SP_FBADB database. With the SP_FBADB database selected, check the “db_owner” role membership and click OK. This user now has full permissions to read and write to the SP_FBADB membership database.
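The same nine steps done from a PowerShell prompt instead of the wizard and Management Studio, as an added example that is not part of the original post. The SQL Server instance name and the login being mapped are placeholders; Invoke-Sqlcmd is assumed to be available from the SqlServer (or older SQLPS) module on the host, and the account running the script is assumed to be a SQL Server administrator, as the Farm Admin is in the post.

```powershell
# Added example (not part of the original post): Section 1 done non-interactively.
# Placeholders: SQL instance name and the Windows login to map. Invoke-Sqlcmd is
# assumed to be installed (SqlServer or SQLPS module).
$sqlInstance  = 'SQLSERVER01'             # placeholder: the "Database Server Name" from the wizard
$databaseName = 'SP_FBADB'                # the name used in the post
$loginToMap   = 'CONTOSO\spfarmadmin'     # placeholder: the Farm Admin account from step 8

# Steps 1-7: aspnet_regsql.exe from the .NET 4.0 framework folder, with the same choices
# as the wizard: -S server, -E Windows authentication, -d database name, -A all = all
# application services (membership, roles, profiles, ...).
$aspnetRegSql = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe'
& $aspnetRegSql -S $sqlInstance -E -d $databaseName -A all
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# Steps 8-9: map the login into the new database and add it to db_owner.
# Any other identity that will open the "Integrated Security=true" connection string
# from Section 3 (for example a SharePoint application pool account) needs the same mapping.
$grantSql = @"
USE [$databaseName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$loginToMap')
    CREATE USER [$loginToMap] FOR LOGIN [$loginToMap];
EXEC sp_addrolemember N'db_owner', N'$loginToMap';
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $grantSql

# Confirm the mapping: list every member of db_owner in the membership database.
$checkSql = @"
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'db_owner';
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $databaseName -Query $checkSql
```

The final query is the check I would keep around: it shows exactly which principals hold db_owner on SP_FBADB, which is the set of identities that can read every hashed credential in the store.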


Section 2: Create Users in the Membership Database: You have successfully created an empty Membership Database with the name SP_FBADB. Now you have to add users so that they can access the site. I have followed a very simple approach by deploying a third-party pack for user management: click on SharePoint 2013 FBA Pack and deploy the solution to your SharePoint site.

Section 3: Modify the .config files: The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider. A membership provider is the interface between the program and the credential store.

SharePoint is actually divided into several web applications:

  1. Central Administration
  2. Security Token Service
  3. SharePoint web applications

So you need to add the membership provider settings to the web.config files of all of the above.

Note: Suppose you have a number of web applications; you would have to add the membership provider settings to the web.config file of every one of them. I prefer to add the membership provider settings directly to the machine.config. By adding them to the machine.config, the configuration is inherited by all of the web.config files on the machine, so you only have to make the change once and don’t need to remember to make it every time you create a new SharePoint web application.

Note: Take a backup of config file before editing it.

  1. Modify machine.config file:

a) Go to the SharePoint server –> navigate to C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config and open the machine.config file.

b) Find the <connectionStrings> section and add the below code inside the <connectionStrings> tag.

    <add connectionString="Server=DataBase Server Name;Database=SP_FBADB;Integrated Security=true" name="FBADB" />

c) Find the <membership><providers> section and add the below code inside the <membership><providers> tags.

    <add name="FBAMembership"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="FBADB"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="/"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />

You can customize the authentication by modifying each of these options. Here’s a description of the different options available:

connectionStringName: The name of the database connection to the aspnetdb database.

enablePasswordRetrieval: true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.

enablePasswordReset: true/false. Whether the user can reset their password. I suggest setting this to true.

requiresQuestionAndAnswer: true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.

applicationName: Setting the application name allows you to share a single membership database with multiple different applications, with each having their own distinct set of users. The default applicationName is /.

requiresUniqueEmail: true/false. Determines if multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login by email system.

passwordFormat: Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one-way hash of the password. When a user authenticates, the password they enter is hashed as well and matched against the stored hashed value. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset. I always recommend using “Hashed” as it is the most secure way of storing the user’s password.

maxInvalidPasswordAttempts: The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.

passwordAttemptWindow: The number of minutes before the invalid password counter is reset. Defaults to 10.

minRequiredPasswordLength: The minimum password length. Defaults to 7.

minRequiredNonalphanumericCharacters: The minimum number of non-alphanumeric characters required in the password. Defaults to 1.

passwordStrengthRegularExpression: A regular expression that can be used to validate the complexity of the password.

d) Find the <roleManager><providers> section and add the below code inside <roleManager><providers> tags.

    <add name="FBARole" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

e) Now save and close the machine.config file.

2. Modify web.config file for Security Token Service:

a) Open IIS –> Go to Security Token Service –> Explore it.


b) Open the web.config file and find the </configuration> tag and add the below code just before </configuration> tag.

    <system.web>
      <membership>
        <providers>
          <add name="FBAMembership"
               type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="FBADB"
               enablePasswordRetrieval="false"
               enablePasswordReset="true"
               requiresQuestionAndAnswer="false"
               applicationName="/"
               requiresUniqueEmail="true"
               passwordFormat="Hashed"
               maxInvalidPasswordAttempts="5"
               minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1"
               passwordAttemptWindow="10"
               passwordStrengthRegularExpression="" />
        </providers>
      </membership>
      <roleManager>
        <providers>
          <add name="FBARole" connectionStringName="FBADB" applicationName="/"
               type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </roleManager>
    </system.web>

c) Now save and close the file.
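Because the provider settings live in two hand-edited files, it is easy to end up with a connectionStringName that matches nothing or a passwordFormat that was left at the default. The script below is an added example, not code from the original post or from the FBA Pack: it loads machine.config and the Security Token Service web.config as XML, looks for the FBAMembership and FBARole entries, and compares the membership attributes against the values recommended in the option descriptions above. The provider and connection-string names are the ones used in this post; the STS web.config path is the SharePoint 2013 default and is a placeholder to adjust for your installation.

```powershell
# Added example (not part of the original post): audit the FBA provider entries
# written in Section 3. Assumptions: provider names FBAMembership / FBARole and the
# connection string FBADB as used in the post; the STS path is a placeholder.
$configFiles = @(
    (Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'),
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\SecurityToken\web.config'
)

# Attribute values the option table recommends for the SqlMembershipProvider entry.
$expectedMembership = @{
    passwordFormat            = 'Hashed'   # one-way hash: passwords can be reset, never retrieved
    enablePasswordRetrieval   = 'false'    # no API path that hands back a stored password
    requiresQuestionAndAnswer = 'false'    # keeps administrator-initiated password reset possible
}

function Test-FbaProviderConfig {
    param([string[]]$Paths, [hashtable]$Expected)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($file, $check, $ok, $detail) {
        $result = if ($ok) { 'OK' } else { 'FAIL' }
        $findings.Add([pscustomobject]@{
            File = Split-Path $file -Leaf; Check = $check; Result = $result; Detail = $detail
        })
    }

    # Load every file that exists; a missing file is itself a finding.
    $docs = @{}
    foreach ($p in $Paths) {
        if (Test-Path -Path $p) { $docs[$p] = [xml](Get-Content -Path $p -Raw) }
        else { Add-Finding $p 'config file present' $false 'not found' }
    }

    # connectionStrings declared in machine.config are inherited by every web.config,
    # so collect the names from all files before resolving connectionStringName.
    $connStrings = @{}
    foreach ($doc in $docs.Values) {
        foreach ($add in $doc.SelectNodes('/configuration/connectionStrings/add')) {
            $connStrings[$add.GetAttribute('name')] = $add.GetAttribute('connectionString')
        }
    }

    foreach ($path in $docs.Keys) {
        $doc    = $docs[$path]
        $member = $doc.SelectSingleNode("//system.web/membership/providers/add[@name='FBAMembership']")
        $role   = $doc.SelectSingleNode("//system.web/roleManager/providers/add[@name='FBARole']")
        Add-Finding $path 'FBARole provider present'       ($null -ne $role)   ''
        Add-Finding $path 'FBAMembership provider present' ($null -ne $member) ''
        if ($null -eq $member) { continue }

        # Recommended values from the option table (string compare is case-insensitive in PowerShell).
        foreach ($attr in $Expected.Keys) {
            $actual = $member.GetAttribute($attr)
            Add-Finding $path "$attr = $($Expected[$attr])" ($actual -eq $Expected[$attr]) "found '$actual'"
        }

        # Lockout and length floor as set in the post (5 attempts, 7 characters).
        $attempts = $member.GetAttribute('maxInvalidPasswordAttempts') -as [int]
        Add-Finding $path 'maxInvalidPasswordAttempts set and <= 5' ($attempts -ge 1 -and $attempts -le 5) "found '$attempts'"
        $minLen = $member.GetAttribute('minRequiredPasswordLength') -as [int]
        Add-Finding $path 'minRequiredPasswordLength >= 7' ($minLen -ge 7) "found '$minLen'"

        # The referenced connection string must exist, and should rely on Integrated Security
        # (as in the post) rather than carry a SQL password in clear text in the config file.
        $csName = $member.GetAttribute('connectionStringName')
        if ($connStrings.ContainsKey($csName)) {
            $cs = $connStrings[$csName]
            Add-Finding $path "connectionStringName '$csName' resolves" $true ''
            Add-Finding $path 'connection string has no embedded password' ($cs -notmatch '(password|pwd)\s*=') ''
            Add-Finding $path 'connection string uses Integrated Security' ($cs -match 'integrated security\s*=\s*(true|sspi)') ''
        } else {
            Add-Finding $path "connectionStringName '$csName' resolves" $false 'no matching <connectionStrings> entry'
        }
    }
    return $findings
}

Test-FbaProviderConfig -Paths $configFiles -Expected $expectedMembership | Format-Table -AutoSize
```

Run it after step 2c) from an elevated prompt on the SharePoint server; every FAIL row names the file and the attribute to go back and fix. Note that the STS web.config is expected to show the FBADB string as resolved even though it does not declare it, because the script merges the connection strings from machine.config exactly as ASP.NET inheritance does.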

Section 4: Create the SharePoint Web Application: Now that the membership and role providers have been configured, you can configure SharePoint to use them.

  1. Open SharePoint Central Administration –> Application Management –> Manage Web Applications.
  2. Click “New” to create a new web application.
  3. Name the web application and adjust any other options to your preferences.
  4. Check “Enable Forms Based Authentication (FBA)”. Enter the ASP.NET Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config.
  5. This allows users to log in via either Windows Authentication or Forms Based Authentication. Click OK.
  6. An “Application Created” dialog will appear. Click the “Create Site Collection” link to create the first site collection for this web application.
  7. In the Create Site Collection dialog, give the site collection a name and URL and select a template.
  8. For the Primary Site Collection Administrator, I have left it as my Windows administrator account, so that I can log in without FBA. For the Secondary Site Collection Administrator I have set it to “fbaadmin”. You can set these to whatever is appropriate for your setup. Click OK.
  9. You’ll get the “Top-Level Site Successfully Created” dialog. You can click on the URL to visit the new site collection you just created.
  10. When authenticating to the site collection, if you enabled both Windows Authentication and Forms Based Authentication, you’ll be prompted for which method you’d like to use to authenticate. I’m going to choose to authenticate with Forms Authentication.
  11. You’ll be prompted for a username and password. Enter the username and password of the account you set as the Secondary Site Collection Administrator.
  12. You’re now logged into the site as a site collection administrator.
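The same web application and site collection created from the SharePoint 2013 Management Shell instead of Central Administration, as an added example that is not the post's own code. The web application name, URL, port, application pool name, managed account and Windows owner are placeholders to adjust; the provider names are the ones configured in Section 3, and the FBA user “fbaadmin” is the one from step 8.

```powershell
# Added example (not part of the original post): Section 4 via the SharePoint 2013
# Management Shell. Placeholders: URL, port, app pool name, managed account, owner alias.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = 'http://fba.contoso.local'                 # placeholder
$appPoolName = 'FBAPortalAppPool'                         # placeholder
$appPoolAcct = Get-SPManagedAccount 'CONTOSO\sp_webapp'   # placeholder; must already be a managed account

# Steps 4-5: one claims provider for Windows authentication (so the farm admin can still
# sign in) and one for forms authentication that points at the ASP.NET providers from Section 3.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fbaProvider     = New-SPAuthenticationProvider -ASPNETMembershipProvider 'FBAMembership' `
                                                -ASPNETRoleProviderName 'FBARole'

# Steps 1-3: create the web application with both providers attached to the Default zone.
$webApp = New-SPWebApplication -Name 'FBA Portal' -URL $webAppUrl -Port 80 `
              -ApplicationPool $appPoolName -ApplicationPoolAccount $appPoolAcct `
              -AuthenticationProvider $windowsProvider, $fbaProvider

# Steps 6-8: root site collection. The primary administrator stays a Windows account; the
# secondary one is the FBA user "fbaadmin", written in SharePoint's encoded claims form
# i:0#.f|<membership provider name>|<user name> (identity claim, forms-authenticated).
New-SPSite -Url $webAppUrl -Name 'FBA Portal' -Template 'STS#0' `
           -OwnerAlias 'CONTOSO\spfarmadmin' `
           -SecondaryOwnerAlias 'i:0#.f|FBAMembership|fbaadmin'

# Check that both providers are attached to the Default zone before trying the login in step 10.
Get-SPAuthenticationProvider -WebApplication $webApp -Zone Default |
    Select-Object DisplayName, MembershipProvider, RoleProvider
```

The last command is the quick verification I would keep: if the forms provider row shows an empty MembershipProvider or RoleProvider, the names passed to New-SPAuthenticationProvider do not match the entries in machine.config and the STS web.config, and the login prompt in step 10 will fail even though the web application was created.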

Reference: Configuring Forms Based Authentication in SharePoint 2013

Thanks for giving your precious time to read this blog. Click on the like button if this blog helped you in any way, or give your valuable comments for its betterment. 🙂
