This document discusses configuring claims-based authentication in SharePoint 2010. It involves 3 main steps:
1. Creating a web application in SharePoint Central Administration and enabling forms-based authentication.
2. Configuring the ASP.NET membership provider and role manager by modifying the web.config files for the web application, Central Administration site, and Security Token Service.
3. Adding users to the SQL database using a membership seeding tool and testing authentication with the users.
1. Claims Based Authentication in
SharePoint 2010
Before starting our actual configuration let us first understand what is claims based authentication?
We are going through am simple example: - Now I have Voter-Id Card which is provided by the
Government of India. And I am traveling through Indian railway. In train Ticket checker comes and
asks for identity at that time I can show my Voter-Id card and he said ok, because:-
1. There is a trust between Indian Government and Indian railway.
2. Voter-ID card describes my identity like my name, age, Address...etc.
It means Indian Government provides authority to me, to live or travel anywhere in India .So I can
claim I am Indian. And Indian Government is my Identity Provider.
Before Starting claim Base Authentication we need to understand some basic Concepts:-
What is identity?
It is a set of attribute which describe us uniquely (e.g. our name, age, address, email address etc.)
What is Claim?
Some rights or permission on which bases we can claim we are have the permission for this.
What is Security Token?
Security token is a collection of Claims valid for unique identity for specific time.
htttp://www.parallelminds.biz
Claim based security service not always requires own security, it also can be rely on other security
providers.
2. 1. Create a web Application in SharePoint Central Administrator, click on Claims based
Authentication.
2. Go to Claims Authentication Type section and click on the check box to enable the Enable Forms
based Authentication (FBA). And give the name to ASP.Net Membership provider name and
ASP.Net Role manager.
Note: - These Names are case Sensitive.
3.
4.
5. 3. Once we have created a web application using Claims Based Authentication, we can create a site
collection. Now we can access the site choosing Windows Authentication or Forms Based
Authentication.
8. Step B: - Configure the Membership provider and role manager.
1. Open the Command Prompt and navigate to C:WindowsMicrsooft
.NetFramework64v2.0.50727 and Run “aspnet_regsql.exe”. This will open ASP .Net
SQL Server Setup wizard. On this click on NEXT
9. 2. Specify the Database name. If you don’t specify the database name then it will create
a database call aspnetdb.
Note: - In Database name only give the Database Server name (Don’t give the
instance name because aspnetdb database must be create on root of database, it
means in default instance). After clicking Next button on the next screen it will
show you Server Name and Database name. Then click on Next button.
Important: - if the server is not connected it means on your database server default
instance is not created, so when you will try to connect the server using
Management studio without giving the Instance name it will give you error
“server is not found or named pipe is not enabled “.
Needful: - First create a default instance in Database and give the permission to all
three accounts when you setup the farm like (with all the permission like
dbcreator, dbowner)
srv_sql
srv_setup
srv_farm
10. Then we are able to connect with database with only database server name.
3. Use membership seeder tool to create the users in SQL database. You can find the tool
and information on that from:-
http://cks.codeplex.com/releases/view/7450
After down load the membership seeder tool, in the bin folder again two folders are there name as
Debug
Release
Select release version and run the MembershipSeeder.exe as Run as Administrator
11. Next screen will open as below. First click on Configure button
Change the Database server name.it will ask to Restart the MembershipSeeder tool
1.
2.
12. 3.
Then create the user Just type the name of the user in User Prefix box and password.
13. Step C: - Modify the web. Config file for Membership provider and role manager
We need to modify 3 different web.config files for FBA to work.
1.Web.config of FBA Web application,
2. Web.config of Central Administration Site &
3. Web.config of STS.
Modify Web.config of FBA Web Application. Add below connection string into web.config file
after </SharePoint> and before <system. Web>. (Go to Start->run->type inetmgr -> site ->select
your web application -> right click and explore -> select web config)
Imp: - Take Backup of webconfig file before doing any changes.
<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=SPSQL5;Integrated S
ecurity=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
Also add membership provider and Role manager on same web.Config
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthR
oleProvider, Microsoft.SharePoint,
Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLConnectionString" applicationName="/" descript
ion="Stores and retrieves roles
from SQL Server" name="SQL-
RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web,
Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthM
embershipProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e94
29c" />
<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestion
AndAnswer="true"
applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" descr
iption="Stores and Retrieves
membership data from SQL Server" name="SQL-MembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.360
0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
14. Modify Web.config of the Central Administration web Application.
Add below connection string into web.config file after </SharePoint> and before <system.web>.
<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=SPSQL5;Integrated S
ecurity=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
Also add membership provider and Role manager on same web.Config
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRol
esInCookie="false">
<providers>
<add connectionStringName="SQLConnectionString" applicationName="/" descript
ion="Stores and retrieves roles
from SQL Server" name="SQL-
RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web,
Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="SQL-MembershipProvider">
<providers>
<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestion
AndAnswer="true"
applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" descr
iption="Stores and Retrieves
membership data from SQL Server" name="SQL-MembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.360
0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
15.
Modify web.config of STS. We can Navigate the STS web.config from %program
files%common filesMicrosoft Sharedweb server extensions14WebServicesSecurityToken
And Add Below code before </Configuration>
<connectionManagement>
<add address="*" maxconnection="10000" />
</connectionManagement>
</system.net>
<connectionStrings>
<add name="SQLConnectionString" connectionString="data source=PMTSLSQL;Integrated
Security=SSPI;Initial Catalog=aspnetdb" />
</connectionStrings>
<system.web>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRo
leProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=7
1e9bce111e9429c" />
<add connectionStringName="SQLConnectionString" applicationName="/" descripti
on="Stores and retrieves roles from SQL Server" name="SQL-
RoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.
0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
16. <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMe
mbershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyT
oken=71e9bce111e9429c" />
<add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" ena
blePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="t
rue" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" descripti
on="Stores and Retrieves membership data from SQL Server" name="SQL-
MembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Vers
ion=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
Step D:-
1. Go to Central Administration ----->Manage Web Application ----->User Policy.
17.
18. 2. Click on Add User and Select Default Zone. Then Click Next.
19.
20. 3. Insert User name and give full Control. Then click on next button.
21. Thus you can see user in sql aspnetmembership provider is getting recognized
by SharePoint and web application.
4. Now we are going to open our site URL in next tab, and enter user name
and password.
4. You can see that Ravi is getting authenticated from aspnetmembersipprovider like old forms
based authentication. That means SQL database containing aspnetmembershipprovider is
identity provider and SharePoint security token service is Relying Party
5. Now we are able to access our site.