Wednesday, May 2, 2007

SharePoint and Forms Authentication

I have recently had the need to work with SharePoint (actually Windows SharePoint Services – WSS 3.0) 2007 and ASP.NET Forms authentication. For something that in the end turns out to be simple to configure, I had a heck of a time locating viable information through MSDN and the blogosphere.

So, with that in mind, I thought I would create a very simple step-by-step guide to help those who find themselves in the same boat (although I know nobody reads this blog anyway).

Configuring SharePoint 2007 / WSS 3.0 to use Forms Auth

One disclaimer: these instructions cover the simplest method of configuring MOSS/WSS to use forms auth. The end result is a global configuration, and it may not be the best solution for your particular environment, nor is it a particularly smart/secure idea. With that said, you can always expand upon the ideas presented here to customize the solution for your environment.

Step-by-step instructions are as follows:

  1. Install and configure MOSS/WSS using whatever configuration you deem fit. (In my case, I needed a bare-bones default installation of WSS, but I have also tested these steps with SharePoint 2007 Enterprise Edition.)
  2. From the Windows\Microsoft.Net\Framework\v2.0.50727 folder, execute aspnet_regsql
    1. Choose Configure SQL Server for Application Services
    2. Use the default database (which will create a database called aspnetdb on whatever instance you choose in the wizard)
    3. Once the wizard is complete, use SQL Server Management Studio to grant access to the user that will be the security principal for the IIS Application Pool that WSS/MOSS will use. (By default it will be NT AUTHORITY\NETWORK SERVICE.)
  3. Open the machine.config file from Windows\Microsoft.Net\Framework\v2.0.50727\CONFIG
    1. Locate the <connectionStrings> element
    2. Replace the connectionString attribute for "LocalSqlServer" with an appropriate string that points to the database you created in step 2
  4. In SharePoint Central Administration, create a new web application
    1. Use the default NTLM authentication
    2. Once done, ensure you restart IIS (use IISRESET /restart from a command prompt)
  5. Create a new Site Collection using the web application you created in step 4
    1. Ensure you assign a Windows account as the site administrator. (You should test the site before changing authentication types, so you'll need an account that can access the site.)
  6. Ensure the new site works by browsing to it
  7. Open the Application Management page in SharePoint Central Administration
    1. Select Authentication Providers and ensure you select the correct web application (the one you created in step 4)
    2. Set the Authentication Type to "Forms"
    3. Set the Membership Provider to "AspNetSqlMembershipProvider" (It is imperative that you spell this correctly – you can cut/paste it from the <membership><providers> element in machine.config if necessary)
    4. Once you save the configuration, restart IIS
  8. Test the new authentication type
    1. Open the site in the browser. If all is working correctly, you will be presented with SharePoint's default ASP.NET login screen
    2. Try to log in with any user/password combination. It should fail and return you to the login screen
  9. Add users to the aspnetdb database
    1. The easiest way to do this is through Visual Studio's ASP.NET web configuration utility
      1. Create a new ASP.NET website project
      2. Don't change anything and build the project
      3. From the Website menu, choose "ASP.NET Configuration"
      4. Once the tool loads, choose "From The Internet" in the authentication column
      5. Add users
  10. Test the site again
    1. Choose a valid username/password combination
    2. You should be able to log in, but not access the site (SharePoint will tell you that you don't have access)
  11. Open the Application Management page in SharePoint Central Administration
    1. In the SharePoint Site Management section, add a user as a Primary Site Administrator (Choose a user you added in step 9)
    2. In the Application Security section, add any users to the Site Policy as necessary

Once these steps are followed, you should be able to enjoy WSS/MOSS with forms authentication.
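Steps 3 and 7 are the two places where a typo quietly breaks the login, so here is a small check for them, added as an example and not part of the original walkthrough: it parses machine.config, confirms the provider name entered in Central Administration exists, and inspects the connection string that provider resolves to. The server name `SQLHOST01`, the trimmed sample config and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed machine.config after step 3 (SQLHOST01 is a placeholder).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="LocalSqlServer"
         connectionString="Data Source=SQLHOST01;Initial Catalog=aspnetdb;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

def parse_conn(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in s.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_forms_auth(config_xml, provider_name, database="aspnetdb"):
    """Return a list of findings; an empty list means the checks passed."""
    root = ET.fromstring(config_xml)
    conns = {a.get("name"): a.get("connectionString", "")
             for a in root.findall("connectionStrings/add")}
    providers = {a.get("name"): a.get("connectionStringName")
                 for a in root.findall("system.web/membership/providers/add")}
    if provider_name not in providers:  # exact, case-sensitive comparison
        return [f"provider '{provider_name}' not defined; found {sorted(providers)}"]
    conn_name = providers[provider_name]
    if conn_name not in conns:
        return [f"connection string '{conn_name}' not defined"]
    kv = parse_conn(conns[conn_name])
    findings = []
    if "attachdbfilename" in kv or "user instance" in kv:
        findings.append("still points at a SQL Express user-instance file")
    if kv.get("initial catalog", kv.get("database", "")).lower() != database:
        findings.append(f"does not target the '{database}' database")
    if "password" in kv or "pwd" in kv:
        findings.append("embeds a SQL password readable by every app on the server")
    return findings

if __name__ == "__main__":
    print(check_forms_auth(SAMPLE_CONFIG, "AspNetSqlMembershipProvider") or "OK")
```

To run it against a real server, pass the text of the machine.config from step 3 in place of the sample.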

I hope these steps have proven useful.

1 comment:

Anonymous said...

It's nice to see someone explain this... it isn't well documented anywhere on the web that I have found. Thanks for the info!