Configuring a site collection for multiple authentication providers

Posted: July 31, 2007 in MOSS 2007

Here is the scenario. You have a wonderful intranet site going and you'd like to share it with the outside world. You do NOT want this externally facing site using your AD, so you decide to use forms authentication for your external access. Also, you need SSL set up for the external site since you'd rather not broadcast unencrypted content across the web.

1. Configure your SQL forms authentication DB

   a. Determine your access method for the forms auth DB (integrated security is the suggested way to go here).

   b. Create your forms authentication database on your SQL box.

      i. Just make sure you name it something intelligent.

   c. The preferred way to run the following command is from a machine with Visual Studio. However, if you do not have VS you can find the exe for this call in the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 folder.

      i. Run the aspnet_regsql.exe command to create the forms auth table structure and SPs.

         1. Rundown of all commands for this utility: http://msdn2.microsoft.com/en-us/library/x28wfk74.aspx

         2. aspnet_regsql.exe -E -S <servername> -d <database name> -A all

   d. Adding the first user(s)

      i. Add your first user via SQL Server Management Studio by calling the following SP:

         -- Arguments, in order: application name, user name, password, salt, email, question, answer, IsApproved,
         -- CurrentTimeUtc, CreateDate, UniqueEmail, PasswordFormat (0 = clear, 1 = hashed), UserId (output).
         -- 'appName' must match the membership provider's applicationName in web.config (the config below uses "/").
         declare @now datetime
         set @now = GETDATE()
         exec aspnet_Membership_CreateUser 'appName', 'userid', 'password', '', 'email@somewhere.com', '', '', 1, @now, @now, 0, 0, null

      ii. More info on these scripts: http://msdn2.microsoft.com/en-us/library/aa478949.aspx

   e. Adding users/roles via a web app

      i. In VS.NET 2005 create a new web app.

      ii. Add the connection string to your authentication DB within the configuration tabs of your web.config:

         1. <system.web>
                <compilation debug="false" />
                <authentication mode="Forms" />
            </system.web>

            <connectionStrings>
                <!-- Out of the box the SQL membership/role providers use the "LocalSqlServer" connection string; point them at this one. -->
                <add name="MyFormsAuthServer"
                     connectionString="server=servername;database=authDBName;Integrated Security=SSPI"
                     providerName="System.Data.SqlClient" />
            </connectionStrings>

            I. From within Visual Studio -> Project menu -> ASP.NET Configuration.

            II. On the web form that pops up, use the UI to create your users and roles.

            III. Now onto the REAL FUN!

2. Extending the forms authentication web app

   I. Open the MOSS Central Admin console. In Application Management, go to Create or Extend Web Application -> Extend Existing Web Application.

      1. Make sure the internal web application that you want to expose is selected.

      2. Set the web app name and port appropriately.

      Note: Take some forethought in the names and ports you use. With some planning you can use these to make life easier, or make your IIS and MOSS admin consoles a mess.

      3. Set allow anonymous to "yes".

      4. Choose the correct zone (probably Extranet or Internet); do not choose Default.

      5. Click "OK".

   II. Now that your site is extended into the new zone, in the MOSS Central Admin console click the Authentication Providers link in the Application Security section.

3. Add the forms authentication provider to the web app's web.config

   i. Navigate to the web.config for your extended site (created in step 2).

   ii. Just after the configSections section insert the connection string for your forms authentication provider:

      <connectionStrings>
          <add name="ConnectionString"
               connectionString="server=serverName;database=FormsAuthDBName;Integrated Security=SSPI;"
               providerName="System.Data.SqlClient" />
      </connectionStrings>

   iii. Now scroll down to the system.web section and add the following sections:

      <membership defaultProvider="AcAspNetSqlMembershipProvider">
        <providers>
          <!-- Password policy here is permissive (minimum length 1, no complexity); tighten it for an Internet-facing zone. -->
          <add name="AcAspNetSqlMembershipProvider"
               type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="ConnectionString" applicationName="/"
               enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
               requiresUniqueEmail="false" passwordFormat="Hashed"
               maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"
               minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" passwordStrengthRegularExpression="" />
        </providers>
      </membership>

      <!-- role provider -->
      <roleManager enabled="true" defaultProvider="AcAspNetSqlRoleProvider">
        <providers>
          <add name="AcAspNetSqlRoleProvider"
               type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="ConnectionString" applicationName="/" />
        </providers>
      </roleManager>

   iv. Now repeat the same steps on the web.config of your MOSS Central Administration console, with one exception: the "defaultProvider" of the roleManager will need to be changed in the Central Admin web.config to "AspNetWindowsTokenRoleProvider". If you do not do this, Central Administration will no longer allow you to authenticate.

   v. If, after doing this, your Central Admin site crashes when you try to bring it up:

      1. Check to make sure your changes are properly formed in the web.config.

      2. Check your connection string and make sure it is valid.

      3. Enable full "ugly" error messages on your Central Admin web application. This will give you the full text of whatever error was made in the config changes (nine times out of ten it is something with the connection to the DB).
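As an added example (not part of the original post), here is a small Python checker for the web.config edits from steps ii through v: it catches a malformed file, a provider pointing at a missing connection string, the Central Admin roleManager exception, and the permissive password policy. The sample config below and the 8-character minimum are my own assumptions, not values from the post.

```python
import xml.etree.ElementTree as ET

AD_ROLE_PROVIDER = "AspNetWindowsTokenRoleProvider"  # required defaultProvider on Central Admin (step iv)

def check_fba_config(xml_text, central_admin=False):
    """Return a list of problems with the FBA sections of a web.config; [] means it passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:  # step v.1: a malformed edit takes the whole site down
        return [f"web.config is not well-formed XML: {err}"]
    problems = []
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    mem = root.find("./system.web/membership")
    if mem is None:
        problems.append("no <membership> section")
    else:
        adds = {a.get("name"): a for a in mem.findall("./providers/add")}
        if mem.get("defaultProvider") not in adds:
            problems.append(f"membership defaultProvider {mem.get('defaultProvider')!r} has no matching <add>")
        for name, add in adds.items():
            if add.get("connectionStringName") not in conn_names:  # step v.2
                problems.append(f"provider {name} references unknown connection string {add.get('connectionStringName')!r}")
            if add.get("passwordFormat") != "Hashed":
                problems.append(f"provider {name} does not store passwords hashed")
            if int(add.get("minRequiredPasswordLength", "7")) < 8:  # provider default is 7; 8 is an assumed floor
                problems.append(f"provider {name} allows passwords shorter than 8 characters")
    rm = root.find("./system.web/roleManager")
    if rm is None or rm.get("enabled") != "true":
        problems.append("roleManager missing or not enabled")
    elif central_admin and rm.get("defaultProvider") != AD_ROLE_PROVIDER:
        problems.append(f"Central Admin roleManager defaultProvider must be {AD_ROLE_PROVIDER}")
    elif not central_admin and rm.get("defaultProvider") not in {a.get("name") for a in rm.findall("./providers/add")}:
        problems.append(f"roleManager defaultProvider {rm.get('defaultProvider')!r} has no matching <add>")
    return problems

# Constructed sample mirroring the extended-site config above (type attributes omitted for brevity).
EXTENDED_SITE = """<configuration>
 <connectionStrings>
  <add name="ConnectionString" connectionString="server=srv;database=FormsAuthDB;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>
 </connectionStrings>
 <system.web>
  <membership defaultProvider="AcAspNetSqlMembershipProvider"><providers>
   <add name="AcAspNetSqlMembershipProvider" connectionStringName="ConnectionString" passwordFormat="Hashed" minRequiredPasswordLength="1"/>
  </providers></membership>
  <roleManager enabled="true" defaultProvider="AcAspNetSqlRoleProvider"><providers>
   <add name="AcAspNetSqlRoleProvider" connectionStringName="ConnectionString"/>
  </providers></roleManager>
 </system.web>
</configuration>"""
```

Run check_fba_config on the extended site's file with central_admin=False and on the Central Admin file with central_admin=True; the only finding on the sample is the length-1 password policy, and the same sample checked as Central Admin also flags the role provider.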

4. Configure forms authentication on your extended site

   I. You should see the zone you extended your web app into listed; click on it.

   II. Select your authentication type.

   III. Check "enable anonymous access".

   IV. Click OK.

5. Set the forms authentication user as secondary site collection administrator

   i. From within the SharePoint Central Administration console -> Application Management section -> click Site Collection Administrators.

   ii. Make sure your site collection is selected. You will note that the one on the port that was extended and assigned the Extranet zone is NOT listed. It is, for lack of a better term, a second window into the one it was extended from, so we are making the administrator settings on the one we extended.

   iii. Add your forms authentication user to the secondary site administrator column.

      1. This will allow this user to access the site via forms auth and add the other forms authentication users.

      2. If the site cannot resolve the forms auth username in the secondary site administrator field, then you have not properly modified the Central Administration site's web.config.

6. Additional notes

   I. When trying to add forms auth users to your forms auth site, you will need to log into the forms auth site. The integrated site knows nothing about those users, as it does not have the forms auth provider info in its web.config.

   II. When configuring SSL for these sites, you will want to take care to look into alternate access mappings. I have seen this create a serious issue. Basically, if you set this up, then apply SSL, and suddenly your forms auth site tries to resolve to your integrated security site as soon as your users enter their credentials, you will need to work on your alternate access mappings.

   III. It is likely your folks using forms auth will have issues saving and checking out documents on your portal. You will fix this with a combination of enabling client integration in the Extranet zone for the FBA provider and checking the "Sign me in automatically" box on the login page.
