SharePoint 2010 Tips part 38

CHAPTER 9 Claims-Based Authentication
Configuring Forms-Based Authentication
Using the following instructions, you enable FBA for your existing claims-enabled website so that Windows Integrated authentication and FBA are both offered on the same zone.
Enable FBA
Follow these steps to enable FBA:

1. Navigate to the Web Applications Management page, select your claims-enabled web application and click the Authentication Providers button in the Ribbon.

2. Click the Default link in the Authentication Providers dialog. Scroll down in the Edit Authentication dialog to the Claims Authentication Types section. Enable FBA and enter names for the ASP.NET membership provider and the role manager; you can choose your own names or use SQLMembershipProvider and SQLRoleManager. Click Save when you are done and close the Authentication Providers dialog. Remember the names you chose: SharePoint stores them and uses them to find the matching <add name="..."> entries in web.config, and the comparison is case sensitive, so SqlMembershipProvider in web.config will not match SQLMembershipProvider entered here.
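The two steps above can also be done from the SharePoint 2010 Management Shell. The following script is an added example, not code from the book; it assumes a claims-enabled web application at http://intranet (a placeholder) and the provider names SQLMembershipProvider and SQLRoleManager from step 2. It keeps Windows Integrated authentication on the zone so that FBA is added beside it rather than replacing it, and it reads back the names SharePoint stored, which are the strings the web.config entries later in this section must match exactly.

```powershell
# Added example (not from the book). Enable FBA on the Default zone of an existing
# claims-enabled web application while keeping Windows Integrated authentication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://intranet"          # assumption: your claims-enabled web application
$membershipName = "SQLMembershipProvider"    # exact, case-sensitive names; web.config must match
$roleName       = "SQLRoleManager"

$wa = Get-SPWebApplication $webAppUrl
if (-not $wa.UseClaimsAuthentication) {
    throw "$webAppUrl is in classic mode; FBA needs a claims-enabled web application."
}

# Build both providers and apply them together. Set-SPWebApplication replaces the
# provider list for the zone, so passing only the FBA provider would drop Windows
# authentication and lock domain users (including you) out of the zone.
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipName -ASPNETRoleProviderName $roleName
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $windows, $forms

# Read back what SharePoint stored; these strings are what the web.config entries must equal.
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$fba  = (Get-SPWebApplication $webAppUrl).IisSettings[$zone].FormsClaimsAuthenticationProvider
"Membership provider: {0}`nRole provider: {1}" -f $fba.MembershipProvider, $fba.RoleProvider
```

Run it as a farm administrator in the SharePoint 2010 Management Shell; the last line prints the two names you will copy into web.config.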
Install and Configure the SQL Server Database
The next step is to create and configure a SQL Server database that will be used for FBA:

1. Open Windows Explorer and navigate to C:\Windows\Microsoft.NET\Framework64\v2.0.50727 (SharePoint 2010 runs on the .NET 2.0 CLR, so this is the version folder that contains the tool). Locate aspnet_regsql.exe and run it. This opens the ASP.NET SQL Server Setup Wizard, shown in Figure 9-10. Click the Next button.
FIGURE 9-10
Creating Claims-Based Web Applications
2. On the Select a Setup Option page, shown in Figure 9-11, select the Configure SQL Server for application services option; this is the default. Then click the Next button.
FIGURE 9-11
3. In the Select the Server and Database page, shown in Figure 9-12, enter the name of the SQL Server. This box is usually populated automatically; if not, enter the proper value for your installation. Use Windows Authentication, which connects as the account you are logged on with, so that account needs permission to create a database on the server. Accept the default database name, aspnetdb, and click Next.
FIGURE 9-12
4. Verify that your settings are correct on the Confirm Your Settings page and click the Next button. Once the database has been created, you should receive confirmation, as shown in Figure 9-13. Click the Finish button.
FIGURE 9-13
5. Open SQL Server Management Studio and confirm that the aspnetdb database has been created.

6. Now you can populate the SQL Server database with user information using an application on CodePlex called MembershipSeeder (the download link is truncated in this copy; the surviving fragment is view/7450#DownloadId=19598). You can proceed with the configuration without MembershipSeeder, but then you will have to add users to aspnetdb yourself. Do that through the membership provider API (Membership.CreateUser) rather than by inserting rows into the aspnet_Users and aspnet_Membership tables directly: with passwordFormat="Hashed" the provider stores a salted hash, and a hand-written row will not validate.
This completes the database installation.
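The same database setup without the wizard, plus the step the wizard does not do for you: giving the SharePoint application pool identities access to the new database. This is an added example, not code from the book. It assumes the SQL Server name SQL used in this chapter, and the placeholder accounts CONTOSO\sp_app (content web application pool) and CONTOSO\sp_farm (Central Administration and the SecurityTokenServiceApplicationPool); substitute your own.

```powershell
# Added example (not from the book). Create aspnetdb non-interactively and grant the
# application pool identities that will read it the database roles aspnet_regsql created.
$sqlServer = "SQL"                  # the SQL Server name used in this chapter
$dbName    = "aspnetdb"
# Assumptions: CONTOSO\sp_app runs the content web application pool, CONTOSO\sp_farm runs
# Central Administration and the SecurityTokenServiceApplicationPool. Use your own accounts.
$poolAccounts = @("CONTOSO\sp_app", "CONTOSO\sp_farm")

$regsql = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe"
# -E     connect with the current Windows account (it needs rights to create a database)
# -A mr  add only the membership (m) and role (r) features; "all" would also create the
#        profile, personalization and web-event objects that this setup does not use
& $regsql -S $sqlServer -E -d $dbName -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# With Integrated Security=SSPI in the connection string, each site connects as its own
# application pool identity, so each identity needs a login, a database user and the
# provider roles. FullAccess is needed to create and delete accounts (MembershipSeeder
# style); a site that only validates and looks users up can get BasicAccess and
# ReportingAccess instead.
$tsql = foreach ($acct in $poolAccounts) {
@"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct')
    CREATE LOGIN [$acct] FROM WINDOWS;
GO
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct')
    CREATE USER [$acct] FOR LOGIN [$acct];
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$acct';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$acct';
GO
"@
}
$script = Join-Path $env:TEMP "grant-aspnetdb.sql"
$tsql | Set-Content -Path $script -Encoding ASCII
sqlcmd -S $sqlServer -E -i $script -b          # -b: non-zero exit code on any T-SQL error
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed; see the output above" }
Remove-Item $script
```

Run it from an elevated prompt as an account that can create databases and logins on the SQL Server. Without the grants in the second half, the web.config changes later in this section fail at sign-in time with a login error for the application pool account rather than at configuration time.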
Configure the Membership and Role Manager
The next set of steps configures the membership and role manager, which requires modifying three different web.config files: the one for the web application, the one for the Central Administration website, and the one for the STS:


1. Open IIS Manager by typing INETMGR at a command prompt. Locate the claims-enabled
website and select it. Click the Explore option in the Actions section on the right-hand side of
the page.

2. Locate the web.config file in the directory. Make a copy of the original file and store the copy in the same location as the original; Windows gives the copy a different name automatically, so the original is not overwritten.
You should never modify any original SharePoint files without first making a copy. If for whatever reason you make a mistake or things don't work correctly, you can always go back to the original configuration using the copy.
3. Open the original web.config file in a text editor of your choice and locate the </SharePoint> element. It appears immediately before the <system.web> element.

4. Add the following XML to the web.config file between the </SharePoint> and <system.web> elements. It defines the connection to the SQL Server database aspnetdb; replace SQL with the name of your SQL Server. Because the string uses Integrated Security=SSPI, the site connects as its application pool identity, so that account (and, in the later steps, the accounts running Central Administration and the STS) needs a login on the server and membership in the aspnet_Membership_* and aspnet_Roles_* database roles that aspnet_regsql created in aspnetdb.
The code in these instructions is available for download on this book's website at Wrox.com.

    <connectionStrings>
        <add name="SQLConnectionString"
             connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>

Code file Chapter09_code.txt
5. The next step is to add the membership provider and role manager configuration. Locate the <membership defaultProvider="i"> element and add the following entry to its <providers> element. passwordFormat="Hashed" stores a salted hash instead of the password, which is why enablePasswordRetrieval must be false (there is nothing to retrieve); passwordAttemptWindow="5" works together with the provider's default maxInvalidPasswordAttempts of 5, so an account is locked after five failed attempts within five minutes:

    <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
         enablePasswordRetrieval="false" enablePasswordReset="false"
         requiresQuestionAndAnswer="true" applicationName="/"
         requiresUniqueEmail="true" passwordFormat="Hashed"
         description="Stores and retrieves membership data from SQL Server"
         name="SQLMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
6. Locate the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> element, insert the following entry into its <providers> element, and then save and close the web.config file:

    <add connectionStringName="SQLConnectionString" applicationName="/"
         description="Stores and retrieves roles from SQL Server"
         name="SQLRoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
7. Next, modify the web.config file of the Central Administration web application. Add the connection string information to that file just as you did in steps 1 to 4:

    <connectionStrings>
        <add name="SQLConnectionString"
             connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>

8. Locate the <system.web> element and add the following information inside it:

    <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
        <providers>
            <add connectionStringName="SQLConnectionString" applicationName="/"
                 description="Stores and retrieves roles from SQL Server"
                 name="SQLRoleManager"
                 type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
    </roleManager>
9. Insert the following code immediately after the <roleManager> element entered in step 8, and then save and close the web.config file:

    <membership defaultProvider="SQLMembershipProvider">
        <providers>
            <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
                 enablePasswordRetrieval="false" enablePasswordReset="false"
                 requiresQuestionAndAnswer="true" applicationName="/"
                 requiresUniqueEmail="true" passwordFormat="Hashed"
                 description="Stores and retrieves membership data from SQL Server"
                 name="SQLMembershipProvider"
                 type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
    </membership>
10. The final web.config file to modify belongs to the STS. In IIS Manager, expand the SharePoint Web Services website and select the SecurityTokenServiceApplication site.

11. Locate the web.config file and make a copy as you did previously.

12. Insert the following code into the web.config file before the </configuration> element, and then save and close the file. A configuration section may appear only once per file, so if the file already contains a <connectionStrings> or <system.web> element, add the child elements shown here to the existing element instead of adding a second one:

    <connectionStrings>
        <add name="SQLConnectionString"
             connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>
    <system.web>
        <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
            <providers>
                <add name="c"
                     type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add connectionStringName="SQLConnectionString" applicationName="/"
                     description="Stores and retrieves roles from SQL Server"
                     name="SQLRoleManager"
                     type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
        </roleManager>
        <membership defaultProvider="i">
            <providers>
                <add name="i"
                     type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
                <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5"
                     enablePasswordRetrieval="false" enablePasswordReset="false"
                     requiresQuestionAndAnswer="true" applicationName="/"
                     requiresUniqueEmail="true" passwordFormat="Hashed"
                     description="Stores and retrieves membership data from SQL Server"
                     name="SQLMembershipProvider"
                     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
        </membership>
    </system.web>
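The edits in steps 1 to 12 have to agree, character for character, with the provider names SharePoint stored when you enabled FBA, and a mismatch shows up only as a failed sign-in. The following check is an added example, not the book's code: it reads the names back from the web application, locates the three web.config files (assuming the Default zone, a web application at http://intranet as a placeholder, and the default 14-hive path for the STS), and verifies in each file the connection string, the membership provider settings that matter for password handling, the role provider, and that no section was duplicated.

```powershell
# Added example (not from the book). Check the three web.config files against the
# provider names SharePoint holds for the Default zone of a web application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://intranet"      # assumption: your claims-enabled web application
$zone      = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

function Test-FbaWebConfig {
    param([string]$Path, [string]$MembershipName, [string]$RoleName)
    $xml = [xml](Get-Content -Path $Path)
    $problems = @()

    $cs = $xml.SelectSingleNode("/configuration/connectionStrings/add[@name='SQLConnectionString']")
    if ($cs -eq $null) { $problems += "no connectionStrings/add named SQLConnectionString" }

    # XPath attribute comparison is case-sensitive, which matches how SharePoint resolves
    # the provider, so SqlMembershipProvider will not satisfy SQLMembershipProvider.
    $m = $xml.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$MembershipName']")
    if ($m -eq $null) {
        $problems += "membership provider '$MembershipName' not found (names are case-sensitive)"
    } else {
        if ($m.GetAttribute("connectionStringName") -ne "SQLConnectionString") {
            $problems += "membership provider does not use SQLConnectionString"
        }
        if ($m.GetAttribute("passwordFormat") -ne "Hashed") {
            $problems += "passwordFormat is '$($m.GetAttribute('passwordFormat'))', expected Hashed"
        }
        if ($m.GetAttribute("enablePasswordRetrieval") -ne "false") {
            $problems += "enablePasswordRetrieval must be false with hashed passwords"
        }
    }

    $r = $xml.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$RoleName']")
    if ($r -eq $null) { $problems += "role provider '$RoleName' not found (names are case-sensitive)" }

    # A section may appear only once; a second <system.web> stops the whole site from starting.
    if ($xml.SelectNodes("/configuration/system.web").Count -gt 1) {
        $problems += "more than one <system.web> element"
    }

    New-Object PSObject -Property @{ Path = $Path; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

$wa  = Get-SPWebApplication $webAppUrl
$fba = $wa.IisSettings[$zone].FormsClaimsAuthenticationProvider
if ($fba -eq $null) { throw "FBA is not enabled on the Default zone of $webAppUrl" }

$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
# Assumption: default install path of the SecurityTokenServiceApplication site.
$stsDir = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken"

$configs = @(
    (Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"),
    (Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"),
    (Join-Path $stsDir "web.config")
)
foreach ($c in $configs) {
    Test-FbaWebConfig -Path $c -MembershipName $fba.MembershipProvider -RoleName $fba.RoleProvider |
        Format-List Path, Ok, Problems
}
```

Run it on the web front end after saving the three files; every entry should report Ok = True before you move on to the user policy and sign-in steps, and the Problems list names the file and attribute to fix when it does not.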
13. The final steps grant the FBA users held in the SQL Server database permissions in the web application. First, navigate to the Manage Web Applications page in Central Administration.

14. Select your claims-enabled web application and click the User Policy button in the Ribbon. You should see the Policy for Web Application dialog, shown in Figure 9-14.
FIGURE 9-14
15. Click the Add Users link to open the Add Users dialog. Choose the Default zone in the Zones drop-down menu, and then click the Next button.
16. On the Add Users dialog, add the administrator account and assign Full Control, as shown in Figure 9-15. Click Finish, and then click OK to close the Policy for Web Application dialog. A web application policy applies to every site collection in the application and takes precedence over site-level permissions, so grant it only to the account that administers the application, not to ordinary FBA users.
FIGURE 9-15
17. It's time to test the application. Navigate to the top-level site in your claims-enabled web application. An example is shown in Figure 9-16.
FIGURE 9-16
18. If you enabled anonymous access, you should see the Sign In link in the upper-right corner of the page. Click the Sign In link to display the Sign In dialog, shown in Figure 9-17.
FIGURE 9-17
19. Because the website has two authentication methods configured, you need to choose which one to use. Choose Windows Authentication to sign in to the application.

20. Finally, log out of the application so that you can sign in again using FBA. The MembershipSeeder tool was used to add a user to the database for testing purposes. If you populated aspnetdb with user information, you can proceed to test the login.

21. Click the Sign In link and choose the Forms Authentication option to log in. You should be prompted with the Sign In dialog shown in Figure 9-18.
FIGURE 9-18
22. Enter the username and password for the user and click the Sign In button. Once authenticated, you should be directed to your top-level site.
At this point, you have successfully configured a web application with two different methods of authentication. SharePoint 2007 websites that were FBA-enabled will have to be converted to CBA, using the steps outlined in this exercise, after you upgrade them to SharePoint 2010.
SUMMARY
Claims-based authentication is a new and powerful addition to SharePoint. It provides the capability to unify the authentication process and deliver single sign-on across applications in the enterprise, as well as between organizations and in the cloud. Because it is based on open standards and protocols, it is not Microsoft-centric. As a SharePoint administrator, you will discover that CBA provides capabilities that previously did not exist.
