Friday, February 9, 2018

Configuring Forms Based Authentication in SharePoint 2016

Configuring Forms Based Authentication in SharePoint 2016

In this article, I will give a step-by-step walk through of the process for configuring SharePoint 2016 Forms Based Authentication “out of the box” without an add-on such as Extranet Collaboration Manager (ExCM). Doing this will also allow us to highlight the limitations of a “basic” SharePoint FBA web application that can be overcome with a professional-grade add-on like ExCM.

In the screenshots below, you can see the changes we need to make to begin configuring FBA:

image

image

In the second screenshot, notice that I have used the “best practices” of assigning a dedicated service account as my Application Pool Identity, as well as renaming my content database from the default cryptic string of characters to one more concise and descriptive.

Now that we have created a new Web Application with dual authentication, let’s navigate to the site and see what it looks like:

image

As you can see, it requires us to choose our authentication method before continuing any further. This page is called the multi-auth selector page and only appears on a web application where multiple authentication providers have been configured – in this case both Windows Authentication and Forms-based Authentication.

Now that we have created our web application, it’s time to decide on a Membership Provider and make the appropriate edits to our web.config files. For this post, I am going to use the SQL Membership Provider, for a couple of reasons. First, it is a more secure way to store external users than Active Directory. Second, since we recommend using SQL with ExCM, I thought it would be a nice way to show you the limitations of the SQL Membership Provider with default settings and how ExCM improves upon them.

First, we need to create our SQL database. SharePoint 2016 uses version 4.0 of the .NET Framework, so we need to use the corresponding “asp reqsql” application to ensure compatibility and create the proper database structure needed to store information for ASP.NET membership, profiles, and roles. You can find the utility in the following location:

image

Once we launch it, we see the following screens:

image

image

In the following screen, we need to specify both our SQL Server name (and instance if applicable), as well as the name for our FBA database. We can simply type directly over the “<default>” name that initially appears. In my case, SQL is installed on this local box and I have chosen to call my database “ExtranetDirectory:”

image

Now we can just continue clicking “Next” and then “Finish” until we see this screen:

image

Now that we have created our database, we need to grant the appropriate access to the App Pool Identities for both the STS and Content Sites. We know that we are using the “sp app pool” for our Content Site because we chose it when creating our Web Application. In some cases, we may be using the same account for all Application Pools, but that’s not always the case. To double-check, we need to open up IIS Manager and the click on “Application Pools:”

image

As we can see, “AWBIKES\sp_farm” is being used for the STS service, so we’ll need to add two accounts (AWBIKES\sp_app_pool and AWBIKES\sp_farm) to our created “ExtranetDirectory” database in SQL Management Studio.
SharePoint 2016 requires a minimum of SQL Server 2014, which is what I am using in this environment.

After launching Management Studio, expand “Databases,” then “ExranetDirectory,” then “Security,” and right click on “Users” to select “New User:”

image

From the next screen, we need to select the “User Type” drop down and choose “Windows User:”

image

I will use “AWBIKES\sp_app_pool” for both the User name and Login name:

image

Next, we need to click on “Membership” in the left hand menu and place a check by each item that ends in “_FullAccess.” There are five in total:

image

Once that’s complete, we click on “OK.” We can now see our newly added user listed:

image

In this particular case, I do not need to add “AWBIKES\Administrator” because that account is a Database Owner (dbo) for all databases and already has the necessary permissions. If you are unsure if a particular account has the appropriate access, simply go ahead and attempt to add them. If they already exist as a “dbo” you will see an error similar to this:

image

Simply click “OK” and move on to the next step…editing the web.config files. Yippee!!

To successfully deploy FBA, we need to edit at least two web.config files. Those are the Security Token Service (STS) and the Content Site. The Central Administration file is optional and is only necessary if we need to resolve FBA names from within Central Administration. Let’s start with the STS file.

** IMPORTANT: MAKE A BACKUP OF YOUR EXISTING WEB.CONFIG FILES FIRST!!!**

Since we are only doing “out of the box” FBA, the edits to both files will be very minimal. I think the easiest way to navigate to the correct location of the web.config files is to open IIS Manager, right click on the appropriate site and select “Explore:”

image

image

Here is what we need to add to the STS file:

<system.web>
<membership>
<providers>
<add name="Ext" connectionStringName="ExtranetDirectory_Connection" applicationName="/" passwordFormat="Hashed" enablePasswordRetrieval="false" enablePasswordReset="true" requiresUniqueEmail="True" requiresQuestionAndAnswer="True" maxInvalidPasswordAttempts="10" passwordAttemptWindow="10" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression="" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager>
<providers>
<add name="ExtRole" connectionStringName="ExtranetDirectory_Connection" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>

See the screenshot below for placement area:

image

Now let’s make the appropriate edits to the Content Site web.config. Using the method described above, we can navigate to the Content Site folder and find the file. Here are the necessary edits based on our configuration:

<add name="Ext" connectionStringName="ExtranetDirectory_Connection" applicationName="/" passwordFormat="Hashed" enablePasswordRetrieval="false" enablePasswordReset="true" requiresUniqueEmail="True" requiresQuestionAndAnswer="True" maxInvalidPasswordAttempts="10" passwordAttemptWindow="10" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression="" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add name="ExtRole" connectionStringName="ExtranetDirectory_Connection" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />



<connectionStrings>
    <add name="ExtranetDirectory_Connection" connectionString="Data Source=SharePoint1;Initial Catalog=ExtranetDirectory;Integrated Security=SSPI" />
  </connectionStrings>

Additionally, if we want to be able to resolve partial username matches in the People Picker we also need to add the following line in the <PeoplePickerWildcards> section:
<add key="Ext" value="%" />
See the screenshots below for placement areas:

image

image

Once all of our edits are made, we save the files. Optionally, we could perform an IIS reset at this point to ensure that our site has loaded the most recent versions.

We are now ready to begin adding some FBA users to our database. This is where things get tricky when using SharePoint’s “out of the box” FBA. There simply is no easy way to add or manage users…and there is NO WAY to allow users to register themselves or perform any type of self-service (reset passwords).

Of course, this is what ExCM has addressed so well for hundreds of companies around the world in SharePoint 2007, 2010, 2013 and 2016.   It allows us to create users manually through the UI, by invitation, and by anonymous (self) registration. ExCM also provides users with many self-service features while also providing additional security elements for our site. Of course, this blog post is primarily about “out of the box” FBA, so let’s look at our options for adding users to the SQL database we created.

The first option is to add users directly from within the SQL Management Studio. Basically, we would perform the same steps as previously mentioned when we added our App Pool Identity as a user to the database. However, this can be very tedious and time consuming if we want to create several users at once. There are many screens to click through and we would have to repeat the same process for each new user.

For this example, I am going to use our Import\Export utility that was covered in a previous blog post to add several new FBA users from the ACME Corporation at once. No need to cover the steps again here, but here is what my import data looked like before exporting it as a CSV file:

image

Now we’re ready to test FBA authentication on our site. I will just use my ACME username from the screen shot above. After we navigate to the site, we need to select “Forms Authentication:”

image

Then, SharePoint’s out-of-the-box forms-based login page is presented and we enter our credentials and click “Sign In:

image

TIP: It is possible to replace the very basic (and ugly J) out-of-the-box SharePoint FBA sign-in page with a much nicer custom sign-in page, if you have access to ASP.NET development resources. Or, if you implement our ExCM add-on, you will be able to save time and resources by using our custom sign-in page that has many nice features and can be fully branded for your organization. Here is an example:

image

If you try to sign in using the form at this point, you would get this:

image

As you can see, we basically receive an “access denied” error because my FBA account does not yet have any permission on the site. (With ExCM, we could have created our user and assigned permissions all at once.) In this instance, we must login to the site and “share” it with our new FBA users:

image

image

Notice above that since I added the “Ext” People Picker entry in the web.config file I was able to just type “matthew” and then find my FBA user.

Now if I sign out of the site with the System Account and try my FBA user again, I see this:

image

So there you have it…”out of the box” FBA configured and working in SharePoint 2016.

One more point -

We've got some great SharePoint extranet demonstration videos SharePoint extranet demonstration videos on our main website that show the business user and administrator experience if you were to include Extranet Collaboration Manager into the mix along with "out-of-the-box" FBA.


by noreply@blogger.com (Mark Lewis) via SharePoint Solutions Blog

No comments:

Post a Comment