Setup Forms Based Authentication Under SharePoint 2010



Similar documents
Business Portal for Microsoft Dynamics GP Field Service Suite

Secret Server Installation Windows 8 / 8.1 and Windows Server 2012 / R2

Ascend Interface Service Installation

Installation Guide v3.0

Configuring Thunderbird for Flinders Mail at home.

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Sitecore Ecommerce Enterprise Edition Installation Guide Installation guide for administrators and developers

NovaBACKUP xsp Version 15.0 Upgrade Guide

Monitoring SQL Server with Microsoft Operations Manager 2005

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

RoomWizard Synchronization Software Manual Installation Instructions

NSi Mobile Installation Guide. Version 6.2

Virto Password Reset Web Part for SharePoint. Release Installation and User Guide

Citrix EdgeSight for NetScaler Rapid Deployment Guide

BUILDER 3.0 Installation Guide with Microsoft SQL Server 2005 Express Edition January 2008

Microsoft Business Intelligence 2012 Single Server Install Guide

O Reilly Media, Inc. 3/2/2007

Reconfiguring VMware vsphere Update Manager

Issue Tracking Anywhere Installation Guide

Video Administration Backup and Restore Procedures

Instructions. Introduction

QUANTIFY INSTALLATION GUIDE

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

DocAve Upgrade Guide. From Version 4.1 to 4.5

Specops Command. Installation Guide

R i o L i n x s u p p o r r i o l i n x. c o m 3 / 5 /

Implementing Microsoft SQL Server 2008 Exercise Guide. Database by Design

Telelogic DASHBOARD Installation Guide Release 3.6

In this topic we will cover the security functionality provided with SAP Business One.

ADFS Integration Guidelines

How to configure the DBxtra Report Web Service on IIS (Internet Information Server)

Defender Token Deployment System Quick Start Guide

Table of Contents Introduction... 2 Azure ADSync Requirements/Prerequisites:... 2 Software Requirements... 2 Hardware Requirements...

Click Studios. Passwordstate. Installation Instructions

MICROSTRATEGY 9.3 Supplement Files Setup Transaction Services for Dashboard and App Developers

Secret Server Installation Windows Server 2008 R2

Integrating LANGuardian with Active Directory

LepideAuditor Suite for File Server. Installation and Configuration Guide

VERALAB LDAP Configuration Guide

Installing and Configuring WhatsUp Gold

SSO BDC is Easy! By Brett Lonsdale, MCTS, MCSD.NET, MCT Lightning Tools 1/12/2008

Census. di Monitoring Installation User s Guide

Upgrading from MSDE to SQL Server 2005 Express Edition with Advanced Services SP2

Microsoft Virtual Labs. Administering the IIS 7 File Transfer Protocol (FTP) Server

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

Installing Cobra 4.7

LAB 1: Installing Active Directory Federation Services

Avatier Identity Management Suite

Installing Globodox Web Client on Windows Server 2012

Reconfiguring VMware vsphere Update Manager

Set Up Setup with Microsoft Outlook 2007 using POP3

Print Audit 6 - SQL Server 2005 Express Edition

SQL Sentry Quick Start 1

GETTING STARTED WITH SQL SERVER

Step by step guide for installing highly available System Centre 2012 Virtual Machine Manager Management server:

TECHNICAL NOTE. The following information is provided as a service to our users, customers, and distributors.

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

Windows SharePoint Services Installation Guide

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

Installing Windows Server Update Services (WSUS) on Windows Server 2012 R2 Essentials

Deploying WinLIMS Web v7.2 to a Windows 2008 x64 box. Table of Contents. Deploying WinLIMS Web v7.2 to a Windows 2008 x64 box... 1

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

Kaseya 2. User Guide. Version 6.1

Perceptive Intelligent Capture Solution Configration Manager

Access It! Universal Web Client Integration

Live Maps. for System Center Operations Manager 2007 R2 v Installation Guide

Introduction. There are several bits of information that must be moved:

Microsoft IAS Configuration for RADIUS Authorization

Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Non-ThinManager Components

Summary This article contains information about an installation of EdgeSight 5.4 Web Server using SQL 2008 R2 (DB and RS) in a lab environment.

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Microsoft Dynamics GP Release

Installing the ASP.NET VETtrak APIs onto IIS 5 or 6

Team Foundation Server 2012 Installation Guide

Click Studios. Passwordstate. Installation Instructions

Microsoft Corporation. Project Server 2010 Installation Guide

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

How to Create a Delegated Administrator User Role / To create a Delegated Administrator user role Page 1

Cloud Services ADM. Agent Deployment Guide

ThinManager and Active Directory

How to setup a VPN on Windows XP in Safari.

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES

SQL Server 2008 R2 Express Edition Installation Guide

NTP Software File Reporter Analysis Server

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

WhatsUp Gold v16.1 Database Migration and Management Guide Learn how to migrate a WhatsUp Gold database from Microsoft SQL Server 2008 R2 Express

eadvantage Certificate Enrollment Procedures

Kentico CMS 7.0 Intranet Administrator's Guide

NovaBACKUP xsp Version 12.2 Upgrade Guide

Ingenious Testcraft Technical Documentation Installation Guide

Configuring a Custom Load Evaluator Use the XenApp1 virtual machine, logged on as the XenApp\administrator user for this task.

Automatic Setup... 1 Manual Setup... 2 Installing the Wireless Certificates... 18

Jolly Server Getting Started Guide

Smart Auditor 1.3 Installation and Configuration

Installing LearningBay Enterprise Part 2

System Area Management Software Tool Tip: Integrating into NetIQ AppManager

MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM)

Transcription:

Introduction This document will cover the steps for installing and configuring Forms Based Authentication (FBA) on a SharePoint 2010 site. The document is presented in multiple steps: Step#1: Step#2: Step#3: Step#4: Step#5: Step#6: Step#7: Prerequisites and assumptions Installing the FBA database Configure IIS to access the FBA database Activate FBA on the SharePoint Web Services website Create a SharePoint application that is FBA enabled (Claims) Activate FBA on the newly created SharePoint application Configure SuperUser and SuperReader accounts Page 1 of 15

Step#1: Prerequisites and assumptions Prerequisites: SharePoint 2010 (Enterprise or Foundation) is installed, up-to-date, and functional You have administrative rights to the server(s) hosting the SharePoint applications You are familiar with and have access to SharePoint 2010 s central administration site You are familiar with and have access to the SQL Database which will house the FBA database Assumptions: This document presents the implementation of Forms Based Authentication from the perspective of least privileged security. As such, the guide will walk through the steps necessary to implement FBA using integrated security rather than SQL User Authentication. Page 2 of 15

Step#2: Installing the FBA database Why? Forms Based Authentication requires a SQL database to store the user logon information. Details: 1. Launch the SQL Server Setup Wizard via the following command line C:\Windows\Microsoft.NET\Framework\V2.0.50727\aspnet_regsql.exe 2. Follow the wizard steps to install and configure the membership database. 3. IMPORTANT: Note the database name being created. The database name will be listed on the Confirm Your Settings wizard screen In our example, we used the default of aspnetdb Page 3 of 15

Step#3: Configure IIS to access the FBA database Why? The Forms Authentication data is stored in the SQL Server created in step#2. IIS needs to be configured to know where to look for the database. Details: 1. Launch Internet Information Services (IIS) Manager 2. Select the top level (machine) entry (Usually named after the server) Why here? Creating the connection string at the top level allows the connection to be inherited by all websites. 3. On the home page (located in the middle of the IIS Manager), double click the Connection Strings icon 4. Add a new connection to point to the SQL Server and database the membership store is stored in. a. IMPORTANT: Note the name of the connection. We use FBAMembershipStore b. The database name must match the membership store database name from step#1 c. Be sure to check Use Windows Integrated Security Page 4 of 15

Step#4: Activate FBA on the SharePoint Web Services website Why? The web service also need to authenticate users. If you do not give the web service site access to the FBA membership store, your FBA will not work Details 1. Select Providers for the SharePoint Web Services site 2. Select.NET Roles from the feature selector and right click in the screen. Click Add on the right click menu. Page 5 of 15

3. Create a new role provider a. Set type to SqlRoleProvider b. Name the provider. We use FBARoleProvider c. Select the connection string you created in Step#3 d. Set the ApplicationName to / Why? See http://weblogs.asp.net/scottgu/archive/2006/04/22/always-set-the- _2200_applicationName_2200_-property-when-configuring-ASP.NET-2.0-Membershipand-other-Providers.aspx Page 6 of 15

4. Select.NET Users from the feature selector and right click in the screen. Click Add on the right click menu. 5. Create a new user provider a. Set type to SqlMembershipProvider b. Name the provider. We use FBAUserProvider c. Select the connection string you created in Step#3 d. Set the ApplicationName to / e. Set the StorePasswordInSecureFormat IMPORTANT: If you select True (and you should), See Encryption, FBA, and IIS Oh My! at the end of this document for additional required steps. Page 7 of 15

6. Determine the Application Pool credentials the SharePoint application is running under a. Right click on the SharePoint Web Services b. Click Manage Web Site -> Advanced Settings from the right click menu c. Note the Application Pool name d. Open the Application Pool Advanced Settings and note the Identity it is running under Page 8 of 15

7. Launch SQL Server Management Studio 8. Under Security -> Logon verify the application pool identity (user) exists as a valid SQL Server logon. If not, create the user. 9. Grant the user the following roles on the aspnetdb database: a. aspnet_membership_fullaccess b. aspnet_roles_fullaccess Page 9 of 15

Step#5: Create a SharePoint application that is FBA enabled (Claims) Why? Well, because this article would be worthless if we didn t actually create a new SharePoint application with FBA Details 1. Launch SharePoint 2010 Central Administration 2. Navigate Application Management -> Manage Web Applications 3. Click New on the ribbon 4. Select Claims Based Authentication radio button 5. Configure the Claims Authentication Types section as follows a. Check the Enable Forms Based Authentication (FBA) checkbox b. In the ASP.NET Membership provider name field, enter FBAUserProvider c. In the ASP.NET Role Manager name, enter FBARoleProvider IMPORTANT: If you used different names, please substitute those names as appropriate 6. Configure all other settings per your individual needs Page 10 of 15

Step#6: Activate FBA on the newly created SharePoint application Why? Well, because this article would be worthless if we didn t actually create a new SharePoint application with FBA Details Repeat all actions under Step#4: Activate FBA on the SharePoint Web Services website replacing out the SharePoint Web Services website with the SharePoint application you created in Step#5. Page 11 of 15

Step#7: Configure SuperUser and SuperReader accounts Why? Per Microsoft: The default Portal Super Reader account is NT Authority\Local Service, which is not correctly resolved in a claims authentication application. As a result, if the Portal Super Reader account is not explicitly configured for a claims authentication application, browsing to site collections under this application will result in an Access Denied error, even for the site administrator This does not make for a good user experience! Details 1. Create two new active directory accounts to represent the Super User & Reader accounts I.E. YourDomain\SuperUser and YourDomain\SuperReader 2. Launch SharePoint 2010 Central Administration 3. Navigate Application Management -> Manage Web Applications 4. Select the site created under Step#5: Create a SharePoint application is FBA enabled 5. Click User Policy on the ribbon 6. Click Add Users 7. Select (All zones) and click Next 8. Enter the appropriate user. Set the permissions to Full Control for the super user account Set the permissions to Full Read for the super reader account 9. Click Finish 10. Repeat steps 6 8 for both the super user and super reader accounts <Continued on next page> Page 12 of 15

11. Launch SharePoint 2010 Management Shell 12. Enter the following script commands: $wa = Get-SPWebApplication -Identity "YourWebApplicationName" $wa.properties["portalsuperuseraccount"] = "i:0e#.w YourDomain\SuperUser" $wa.properties["portalsuperreaderaccount"] = "i:0#.w YourDomain\SuperReader" $wa.update() Please note: -> replace YourWebApplicationName with the appropriate name. -> Replace the SuperUser and SuperReader accounts with the accounts you created -> Do not forget to preface the accounts with i:0#.w (I.E. these should exactly match the accounts displayed by SharePoint User Policy list) See: http://technet.microsoft.com/en-us/library/ff758656.aspx for more details Page 13 of 15

Additional Considerations If you use SharePoint Central Administration for configuring user security, alerts, and other user centric functions (and you will), it is highly recommended you repeat all actions under Step#4: Activate FBA on the SharePoint Web Services website replacing out the SharePoint Central Administration application. This step will configure Central Administration to have access to the FBA Membership Store. Page 14 of 15

Encryption, FBA, and IIS Oh My! Why? So you decided encryption of passwords was a good thing. Good for you! Encryption, however, requires keys to encrypt and decrypt data. In the case of IIS, those keys are (by default) randomly generated. We need to configure all SharePoint Applications which use the FBA Membership Store to use the same encryption and decryption keys. Details 1. Launch Internet Information Services (IIS) Manager 2. Select the SharePoint Web Service application and open the Machine Key 3. Uncheck Automatically generate at runtime and Generate a unique key for each application under the Decryption Key section 4. Click Generate Keys in the Actions pane (Be sure to apply the changes) 5. Copy the generated Decryption Key into NotePad or your favorite editor 6. For each SharePoint application using FBA, manually set the Decryption Key to the one you just generated using the process above Page 15 of 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information