How to Configure Forms based Authentication in SharePoint 2013

In this post, we will look at the authentication types that SharePoint 2013 supports, walk through how claims authentication works for Windows and SAML users, and then configure forms-based authentication (FBA) step by step.


SharePoint 2013 supports a variety of authentication methods and authentication providers for the following authentication types:

  • Windows authentication
  • Forms-based authentication
  • SAML token-based authentication

Windows Authentication in SharePoint 2013:


The authentication works at the web application level. SharePoint platform itself does not supply the actual code to authenticate users. Instead, the SharePoint platform relies on external user authentication systems such as Windows Server and Active Directory or the built-in support in ASP.NET for forms-based authentication (FBA). After an external system has authenticated a user and created a security token, the SharePoint platform is then able to create a profile around that security token to establish and track the user’s identity inside the SharePoint security system.


When you create a SharePoint web application, you have the option of creating it in either claims mode or classic mode. Classic authentication mode is the older style of user authentication that was used in SharePoint 2007. Though classic mode is still supported in SharePoint 2013 for older scenarios, its use is deprecated and should be avoided.

Consider the authentication process in a SharePoint web application where the user is authenticated with Windows authentication. The first part of the process creates a native Windows security token. In the second part, SharePoint Foundation converts the Windows security token into a FedAuth token by using a local service known as the Security Token Service (STS).

You also have the option of configuring a web application in an on-premises farm to support forms-based authentication by using an ASP.NET authentication provider. In this style of authentication, SharePoint Foundation once again calls upon the STS to create a FedAuth token for the FBA user during the user authentication process.


Claims-based security makes it possible to configure a SharePoint web application to authenticate users by using external identity providers that support an XML-based industry standard known as Security Assertion Markup Language (SAML). More specifically, SharePoint 2013 supports identity providers that support the SAML 1.1 specification. Examples of supported providers include Windows Azure Access Control Service (ACS), Windows Live ID, Google Single Sign-on, and Facebook.


Steps of the claims authentication flow in SharePoint 2013 with a trusted identity provider (ADFS):

  • The client enters the SharePoint URL in the browser. Because the web application is configured for claims-based authentication with a trusted identity provider, SharePoint redirects the browser to the provider's sign-in page and requests a token; the user enters a user name and password there, not on the SharePoint server.
  • In this scenario the security token service is Active Directory Federation Services (ADFS) and the attribute store is Active Directory.
  • ADFS connects to Active Directory to retrieve attributes about the user signing in.
  • ADFS authenticates the user (validates that the user name and password are correct) and creates a token. ADFS 2.0 can issue tokens in either the SAML 1.1 or the SAML 2.0 format; SharePoint 2013 consumes SAML 1.1 tokens. The token is digitally signed before it is returned. SharePoint does not consume encrypted tokens, so the relying party trust in ADFS should sign the token but not encrypt it.
  • The signed token is returned to SharePoint through the browser using the WS-Federation passive protocol. SharePoint 2013 does not support the SAML 2.0 protocol binding (SAML-P), only SAML 1.1 tokens over WS-Federation.


Once SharePoint receives the token, it validates the digital signature against the certificate registered on the trusted identity token issuer to ensure that it can trust the token and the claims within it. Once the signature has been validated, the user is logged into SharePoint: the STS issues SharePoint's own FedAuth cookie for the session, and the user's claims are held in memory on the claims identity surfaced through the SPUser object, where SharePoint knows it can trust them.

Forms-based authentication in SharePoint 2013

In the configuration built in this tutorial, the users and roles for forms-based authentication are stored in a SQL Server database, and the web application uses the ASP.NET SQL membership and role providers to authenticate users against that database.

Forms-based authentication is a claims-based identity management system that is based on ASP.NET membership and role provider authentication. Forms-based authentication can be used against credentials that are stored in an authentication provider, such as the following:

1. AD DS
2. A database such as a SQL Server database
3. A Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE


Configure Forms based Authentication

To configure forms-based authentication we have to complete the following steps:

Configure Forms based Authentication in Central Administration:

First we need to enable forms-based authentication in Central Administration. Open SharePoint Central Administration, go to Application Management and click Manage web applications.

This shows all the web applications. Select the web application for which you want to enable forms-based authentication (it must be a claims-based web application; FBA is not available in classic mode). Then click Authentication Providers in the ribbon:


This will open the Authentication Providers, there click on Default zone link.


In the Authentication Providers section, select the "Enable Forms Based Authentication (FBA)" check box. Then enter a name for "ASP.NET Membership provider name" and a name for "ASP.NET Role manager name". SharePoint looks the providers up by these names, so they must be exactly the names used for the <membership> and <roleManager> providers added to the web.config files later in this tutorial ("AspNetSqlMembers" and "AspNetSqlRoles"). Leave Windows authentication enabled in the zone as well, otherwise farm administrators lose access to the web application until the FBA providers work.


After this, any site in the web application will prompt you for credentials when you open it.
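The same zone configuration can be applied with the SharePoint Management Shell instead of clicking through Central Administration. The script below is an added example, not code from the original post; the web application URL and the two provider names are assumptions and must match what you later put in the web.config files. It also reads the zone settings back to confirm what was actually applied.

```powershell
# Added example (not from the original post): enable FBA on the Default zone of a
# web application with the SharePoint cmdlets, equivalent to the Central
# Administration steps above. URL and provider names are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://sharepoint.contoso.local"   # assumed web application URL
$membershipName = "AspNetSqlMembers"                  # "ASP.NET Membership provider name"
$roleName       = "AspNetSqlRoles"                    # "ASP.NET Role manager name"

$webApp = Get-SPWebApplication -Identity $webAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    throw "FBA requires a claims-based web application; '$webAppUrl' is in classic mode."
}

# Keep Windows authentication in the same zone so that farm administrators are not
# locked out if the FBA providers are misconfigured in web.config.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipName `
                                        -ASPNETRoleProviderName $roleName

Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $windows, $forms

# Re-read the web application and check the zone: FormsClaimsAuthenticationProvider
# is $null when FBA is off, otherwise it carries the provider names that were set.
$webApp = Get-SPWebApplication -Identity $webAppUrl
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$fba    = $webApp.IisSettings[$zone].FormsClaimsAuthenticationProvider
if ($null -eq $fba -or
    $fba.MembershipProvider -ne $membershipName -or
    $fba.RoleProvider -ne $roleName) {
    throw "FBA is not enabled with the expected provider names on the Default zone."
}
"FBA enabled on Default zone: membership='$($fba.MembershipProvider)' role='$($fba.RoleProvider)'"
```

Note the cmdlet parameter names: New-SPAuthenticationProvider takes -ASPNETMembershipProvider for the membership provider but -ASPNETRoleProviderName for the role provider.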

Need to create Users or Roles Database

The ASP.NET SQL Server Registration Tool, aspnet_regsql.exe, which ships with the .NET Framework, creates the membership and role database (aspnetdb). It is located in the directory below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

Go to that directory and double-click aspnet_regsql.exe.


Then it will open the ASP.NET SQL Server Setup Wizard. Click on Next.


Then choose the radio button "Configure SQL Server for application services" like below:


Then it will display Confirm Your Settings like below:


Finally it displays a confirmation message once the database has been created. Because the connection strings used later specify Integrated Security=SSPI, the IIS application pool identities of the web application, of the SecurityTokenServiceApplication and of Central Administration connect to SQL Server as themselves and must be granted access to this database.
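The wizard can be replaced by the command line, which also makes it easy to grant only the database roles the providers need rather than db_owner. The script below is an added example, not part of the original post; the SQL Server name, database name and the two Windows accounts are assumptions.

```powershell
# Added example (not from the original post): create the ASP.NET membership and role
# schema non-interactively and grant the application pool identities least-privilege
# access. Server, database and account names are assumptions.
$sqlServer = "MYPC"        # same value as "data source" in the connection strings below
$database  = "aspnetdb"
$accounts  = @("CONTOSO\sp_webapp", "CONTOSO\sp_farm")   # assumed: web app pool identity, STS/Central Admin pool identity

# -E  : Windows authentication to SQL Server
# -A mr: install only the membership (m) and role manager (r) features
$regsql = Join-Path $env:windir "Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
& $regsql -S $sqlServer -E -d $database -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# aspnet_regsql creates the aspnet_Membership_* and aspnet_Roles_* database roles.
# FullAccess covers validation, user creation and password reset, which the
# provider settings used in this tutorial (enablePasswordReset="true") require.
$conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$sqlServer;Database=$database;Integrated Security=SSPI"
$conn.Open()
try {
    foreach ($account in $accounts) {
        $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$account';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$account';
"@
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.ExecuteNonQuery()
        "granted aspnet_Membership_FullAccess and aspnet_Roles_FullAccess to $account"
    }
}
finally { $conn.Close() }
```

Run it as an account that is sysadmin on the SQL instance. The account names are interpolated into T-SQL here only because they come from the script's own variables; never build such statements from user-supplied input.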


Now we have to change the web.config file in the following three places.
Take a backup of each web.config file before you modify it.

1- Security Token Service Application:

Open IIS Manager, expand Sites -> SharePoint Web Services, select SecurityTokenServiceApplication, right-click it and choose Explore. This opens its physical directory (on SharePoint 2013 the default is C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken).
Before modifying anything, take a copy of the web.config file.

Then open web.config in that directory and add the <connectionStrings> element before <system.web>:

<connectionStrings>
<add name="SqlConn" connectionString="data source=MYPC;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
</connectionStrings>

Then add the <membership> and <roleManager> elements below inside <system.web> (if the file already contains them, merge the SQL providers into the existing <providers> lists). The result should look like this:

<system.web>
<membership defaultProvider="AspNetSqlMembers">
<providers>
<add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="true" passwordAttemptWindow="10" requiresUniqueEmail="false"
passwordFormat="Hashed" applicationName="/" name="AspNetSqlMembers"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager defaultProvider="AspNetSqlRoles" enabled="true">
<providers>
<add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>

The provider names used here ("AspNetSqlMembers" and "AspNetSqlRoles") must be exactly the names entered in Central Administration, because SharePoint resolves the providers by name. This file is the one that actually validates FBA passwords: the STS calls the membership provider during sign-in, so its application pool identity needs access to the aspnetdb database through the Integrated Security connection string above. passwordFormat="Hashed" stores salted hashes rather than clear-text or reversibly encrypted passwords; keep it that way, and use the same value in all three files because the stored format must match the provider that validates it.

2- Modify the Central Administration web application:

Open IIS Manager, select the SharePoint Central Administration site, right-click it and choose Explore. This opens its physical directory. Take a backup of the web.config file and then add the following after </SafeControls>:

<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembers" value="%" />
</PeoplePickerWildcards>
After <system.web> add the <membership> and <roleManager> sections:

<membership defaultProvider="AspNetSqlMembers" userIsOnlineTimeWindow="15" hashAlgorithmType="">
<providers>
<clear />
<add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/"
requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30"
cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All"
defaultProvider="AspNetWindowsTokenRoleProvider" createPersistentCookie="false" maxCachedResults="25">
<providers>
<clear />
<add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>

Then find </appSettings> and add the connection string element below after it.

<connectionStrings>
<add name="SqlConn" connectionString="data source=MYPC;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
</connectionStrings>

Central Administration is not a claims-based web application, so it does not use the "i" and "c" claims providers; the defaults here are the ones shown above: the SQL membership provider, which the People Picker uses to resolve FBA users when you add them to a user policy or as site collection administrators, and the Windows token role provider.

3- Change the web application's web.config file:

Open IIS Manager, expand Sites, right-click the web application on which you enabled FBA and choose Explore. This opens the physical directory of the web application.

Take a backup of the file before modifying anything.

Open web.config in that directory and add the <connectionStrings> element between </SharePoint> and <system.web>:

<connectionStrings>
<add name="SqlConn" connectionString="data source=MYPC;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
</connectionStrings>

Then add the following after </SafeControls>:

<PeoplePickerWildcards>
<clear />
<add key="AspNetSqlMembershipProvider" value="%" />
<add key="AspNetSqlMembers" value="%" />
</PeoplePickerWildcards>

Locate the <membership defaultProvider="i" ...> element and add the SQL membership provider's <add ... /> entry to its <providers> list.
Locate the <roleManager defaultProvider="c" enabled="true" ...> element and add the SQL role provider's <add ... /> entry in the same way.

Do not change the default providers. "i" (SPClaimsAuthMembershipProvider) and "c" (SPClaimsAuthRoleProvider) are the claims providers the web application runs on; the SQL providers are only resolved by the names entered in Central Administration. Both elements should look like below. The existing "i" and "c" entries carry the Microsoft.SharePoint assembly version of the farm (Version=16.0.0.0 in this snippet is a SharePoint 2016 farm; on SharePoint 2013 they read Version=15.0.0.0) and must be left exactly as they are:

<roleManager cacheRolesInCookie="false" cookieName=".ASPXROLES" cookiePath="/" cookieProtection="All" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieTimeout="30" createPersistentCookie="false" defaultProvider="c" enabled="true" maxCachedResults="25">
<providers>
<clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>

<membership defaultProvider="i" hashAlgorithmType="" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

</system.web>

Now run iisreset from an elevated command prompt so that all three applications reload their web.config files.
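Three hand-edited web.config files are easy to get out of sync, and a malformed one takes the STS or the web application down for every zone. The script below, an added example that is not part of the original post, checks the invariants the steps above depend on before you reset IIS: each file parses, each carries the "SqlConn" connection string and the two SQL providers under the agreed names with hashed passwords, and the web application file still has "i" and "c" as defaults with an assembly version that matches the farm. The web application URL and the STS path (the SharePoint 2013 default) are assumptions.

```powershell
# Added example (not from the original post): verify the three web.config files
# edited above. URL, provider names and the STS path are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://sharepoint.contoso.local"   # assumed
$membershipName = "AspNetSqlMembers"                  # names entered in Central Administration
$roleName       = "AspNetSqlRoles"
$connName       = "SqlConn"

# Locate the files. The STS path is the SharePoint 2013 default (15 hive); on
# SharePoint 2016 it is the 16 hive.
$zone    = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$webApp  = Get-SPWebApplication -Identity $webAppUrl
$central = Get-SPWebApplication -IncludeCentralAdministration |
           Where-Object { $_.IsAdministrationWebApplication }
$files = [ordered]@{
    STS     = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\15\WebServices\SecurityToken\web.config"
    Central = Join-Path $central.IisSettings[$zone].Path.FullName "web.config"
    WebApp  = Join-Path $webApp.IisSettings[$zone].Path.FullName "web.config"
}
$farmMajor = (Get-SPFarm).BuildVersion.Major   # 15 = SharePoint 2013, 16 = SharePoint 2016
$problems  = @()

foreach ($entry in $files.GetEnumerator()) {
    $label = $entry.Key
    $path  = $entry.Value
    try   { [xml]$cfg = Get-Content -Path $path -Raw }
    catch { $problems += "$label : $path is not well-formed XML ($($_.Exception.Message))"; continue }

    if (-not $cfg.SelectSingleNode("//connectionStrings/add[@name='$connName']")) {
        $problems += "$label : connection string '$connName' is missing"
    }
    $m = $cfg.SelectSingleNode("//system.web/membership/providers/add[@name='$membershipName']")
    if (-not $m) {
        $problems += "$label : membership provider '$membershipName' is missing"
    } elseif ($m.GetAttribute("passwordFormat") -ne "Hashed") {
        $problems += "$label : '$membershipName' does not use passwordFormat=Hashed"
    } elseif ($m.GetAttribute("connectionStringName") -ne $connName) {
        $problems += "$label : '$membershipName' does not use connection string '$connName'"
    }
    if (-not $cfg.SelectSingleNode("//system.web/roleManager/providers/add[@name='$roleName']")) {
        $problems += "$label : role provider '$roleName' is missing"
    }
    if ($label -eq "WebApp") {
        # The claims providers must remain the defaults of a claims-based web application.
        $mem  = $cfg.SelectSingleNode("//system.web/membership")
        $role = $cfg.SelectSingleNode("//system.web/roleManager")
        if ($mem.GetAttribute("defaultProvider")  -ne "i") { $problems += "WebApp: membership defaultProvider must remain 'i'" }
        if ($role.GetAttribute("defaultProvider") -ne "c") { $problems += "WebApp: roleManager defaultProvider must remain 'c'" }
        $i = $cfg.SelectSingleNode("//system.web/membership/providers/add[@name='i']")
        if ($i -and $i.GetAttribute("type") -notlike "*Version=$farmMajor.0.0.0*") {
            $problems += "WebApp: provider 'i' references an assembly version other than $farmMajor.0.0.0 (this farm)"
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "web.config verification failed; fix the files before running iisreset"
}
"All three web.config files reference '$connName', '$membershipName' and '$roleName' consistently."
```

The XPath queries work because web.config has no default XML namespace; the dotted element name system.web is a valid XPath name.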

After this, when you visit the web site it will offer a choice between Windows Authentication and Forms Authentication. Because the forms login posts the user name and password to SharePoint, and the FedAuth cookie issued afterwards is the user's session, the zone on which you enable FBA should be served over HTTPS.


Once you choose Forms Authentication, it asks you to enter the user name and password of an account stored in the aspnetdb database.


In this tutorial we learned how to configure Forms based Authentication in SharePoint 2013.
