UKReddy SharePoint Journey: How to configure FBA in SharePoint 2013

Here we are going to do the following list of things:
I. Create membership provider database.
II. Setup database Permissions.
III. Create membership User/Roles.
IV. Configuring membership provider.
V. Configuring FBA for a website in Central Administration.
VI. Login using membership user.

I. Create membership provider database

The first step is to create the database using the ASP.net SQL server setup wizard. Install the new database on the database server hosting the other SharePoint databases for this app. The wizard can be accessed from the following command from the run menu.

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe

This wizard will guide you through the creation of the new SQL database.

A welcome screen will appear. Click Next.

Select "Configure SQL Server for application services" and click Next.

Enter the name of your server and your authentication information. In this case SQL Server is installed on the same server as SharePoint 2013 and I am logged in as an administrator and have full access to SQL Server, so I choose Windows Authentication. For the database name, I just leave it as <default>, which creates a database called "aspnetdb". Unless you want a specific name for your FBA database.

A Confirm Your Settings screen will appear. Click Next.

A "database has been created or modified" screen will appear. Click finish and the wizard will close.

II. Setup database Permissions

Now that the database has been created, we'll have to give SharePoint permissions to read and write to it. We're going to connect to the database with Windows Authentication, so we're going to have to give those permissions to the service account that is being used to run SharePoint. First, let's find out the service account that's being used to run SharePoint. Open IIS, go to "Application Pools". Take a look at the "Identity" that is being used to run the SharePoint application pools.

Now that we know what account is being used to run SharePoint, we can assign it the appropriate permissions to the membership database we created. Open up SQL Server Management Studio and log in as an administrator.

Under Security/Logins find the user that SharePoint runs as. Assuming this is the same database server that SharePoint was installed on, the user should already exist. Right click on the user and click ‘Properties'

Go to the "User Mapping" Page. Check the "Map" checkbox for the aspnetdb database. With the aspnetdb database selected, check the "db_owner" role membership and click OK. This user should now have full permissions to read and write to the aspnetdb membership database.

III. Create membership User/Roles

There are different ways to create aspnet users.

here am using one tool for create aspnet users, can download from here.

Once download the file unzip it and open "MembershipSeeder.exe" xml file and change server name ,database name then save the file and open "MembershipSeeder" application file and create users.

here the application interface for creation of users,roles.

Here am creating single user so selected "Only create or delete 1 user; dont use the # of Users field" check box. Then click on Create button.(other fields remains same);

IV. Configuring membership provider

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider. A membership provider is an interface from the program to the credential store. This allows the same program to work against many different methods of storing credentials.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. i like to change this in machine.config because, By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don't have to remember to make the changes every time you create a new SharePoint web application.

If you don't have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

1. SharePoint Central Administration

2. SecurityTokenServiceApplication

3. Every SharePoint web application you create that you would like to access via FBA.

Here we go with machine.config,

Navigate to "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config" and open "machine.config".

In the <ConnectionString> section, add the following line:
<add connectionString="Server=<ServerName>;Database=aspnetdb;Integrated Security=true" name="FBADB" />

In the <membership><providers> section add the following:

<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
<add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBADB"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" applicationName="/"
requiresUniqueEmail="true" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />

In the <roleManager><providers> section add the following:

<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Now,Save and close the machine.config file.

The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService First we need to find the web.config for the SecurityTokenService.

Open up IIS. Under sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click on Explore. Edit the web.config in the folder that opens.

Add the following to the web.config, just before the closing </configuration> tag:

<system.web>
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
<add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBADB"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" applicationName="/"
requiresUniqueEmail="true" passwordFormat="Hashed"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />

</providers>
</membership>
<roleManager>
<providers>
<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>
</roleManager>
</system.web>

Now that the membership and role provider have been configured, we can configure SharePoint to use them.

V. Configuring FBA for a website in Central Administration

Configure SharePoint to use new membership provider

Open SharePoint Central Administration -> Application Management -> Manage Web Applications.

Click the Web Application you want the authentication model and select the Authentication Providers button from ribbon.

Click the Zone you want to change the membership provider.

Check "Enable Forms Based Authentication (FBA)". Enter the ASP.Net Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config. For this example we used "FBAMembershipProvider" and "FBARoleProvider" (Without the quotation marks).Also, for this example we left "Enable Windows Authentication" checked. This allows us to login either via Windows Authentication or Forms Based Authentication (SharePoint will prompt you when you login for which method you'd like to use). Click OK.

Now we need to add the user to SharePoint site.

select web application and select UserPolicy.

Click on Add Users and select zone.

Then choose user and give permissions( here am giving full control) and click finish.

VI. Login using membership user

Now we will check FBA,

Till now FBA configuration is over now i want to check FBA is working for my FBA site or not.
Open FBA site in the browser and select "Forms Authentication".