Configuring Authentication Providers
This section demonstrates the configuration of forms-based authentication (FBA) using an ASP.NET SQL Server authentication provider. Additional information about configuration and examples for authentication providers can be found on MSDN and TechNet.
The configuration for FBA requires the following major steps:
1. Modify the web.config file in the extranet web application to include the membership provider and role manager for the authentication provider. This step enables the proper behavior of the people picker in the web application.
2. Modify the web.config file in the Central Administration web application to include the membership provider and role manager for the authentication provider. This step enables the proper behavior of the people picker in the Central Administration web application.
3. Modify the web.config file for the STS web services to include the membership provider and role manager for the authentication provider. This step enables claims authentication against the SQL authentication provider.
4. Configure the extranet web application to use FBA, and specify the membership provider and role manager.
5. Add the roles and users to the extranet site collection and grant the appropriate permissions and access.
Modify the web.config for the Extranet Web Application
Modify the web.config for each of the web front ends (WFEs) hosting the extranet web applications. Add the following connection string between the </SharePoint> and <system.web> nodes:
<connectionStrings>
<add name="SQLAuthConnectionString" connectionString="Data Source=abc2010sql;User ID=PartnerCredential;Password=********;Persist Security Info=True;Initial Catalog=PartnerIdentitySystem" />
</connectionStrings>
Find the <roleManager> and <membership> nodes in the <system.web> parent node. Add the following provider entries to them:
<system.web>
...
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c"
type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
Find the <PeoplePickerWildcards> node in the <SharePoint> parent node. Modify the node to add the membership provider name to the people picker:
<PeoplePickerWildcards>
<clear />
<add key="SQLMembershipProvider" value="%" />
</PeoplePickerWildcards>
Modify the web.config for the Central Administration Web Application
Modify the web.config for the Central Administrator web application. Add the following connection string between the </SharePoint> and <system.web> nodes:
<connectionStrings>
<add name="SQLAuthConnectionString" connectionString="Data Source=abc2010sql;User ID=PartnerCredential;Password=********;Persist Security Info=True;Initial Catalog=PartnerIdentitySystem" />
</connectionStrings>
Find the <roleManager> and <membership> nodes in the <system.web> parent node. Add the following provider entries to them:
<system.web>
...
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<add connectionStringName="SQLAuthConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="SQLMembershipProvider">
<providers>
<add connectionStringName="SQLAuthConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
Find the <PeoplePickerWildcards> node in the <SharePoint> parent node. Modify the node to add the membership provider name to the people picker:
<PeoplePickerWildcards>
<clear />
<add key="SQLMembershipProvider" value="%" />
</PeoplePickerWildcards>
Modify the web.config for the STS Web Services
Edit the web.config of the STS web services. The web.config is located at C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken. Add the following entries:
<connectionStrings>
<add name="SQLAuthConnectionString" connectionString="Data Source=abc2010sql;User ID=PartnerCredential;Password=********;Persist Security Info=True;Initial Catalog=PartnerIdentitySystem" />
</connectionStrings>
<system.web>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleManager" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SQLAuthConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
</system.web>
Configure the Membership Provider and Role Manager for the Extranet Web Application
To configure the membership provider and role manager for the extranet web application, perform the following steps:
1. Open the browser to the Central Administration site.
2. Click Manage Web Application under Application Management.
3. Select the web application and click the Authentication Providers button in the Ribbon.
4. Click the zone for the authentication provider to configure for FBA.
5. In the Edit Authentication page, check Enable Forms-Based Authentication (FBA), as shown in Figure 3.
6. Enter the membership provider name: SQLMembershipProvider.
7. Enter the role manager name: SQLRoleManager (the name registered in the web.config entries above).
8. Select the web application and click the User Policy button on the Ribbon.
9. Click Add Users and choose the default zone (or the zone configured with FBA).
10. Add the users, as shown in Figure 4, with the appropriate permissions as needed for the FBA website. Then, click Finish.
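FBA in SharePoint 2010 fails silently when any one of the three web.config files lacks the provider entries, or when the names typed in Central Administration differ from the names registered in web.config. The following cross-check is an added example, not part of the chapter or of any Microsoft tooling; it assumes the SharePoint 2010 Management Shell, the extranet URL http://partner.companyabc.com and provider names used in this chapter, the STS path given above, and the SPIisSettings members (Path, UseFormsClaimsAuthenticationProvider, FormsClaimsAuthenticationProvider) as exposed by the SharePoint 2010 object model.

```powershell
# Added consistency check (assumption: run in the SharePoint 2010 Management Shell on a WFE).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$wa   = Get-SPWebApplication -Identity "http://partner.companyabc.com"
$ca   = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$membershipName = "SQLMembershipProvider"   # names registered in the web.config entries above
$roleName       = "SQLRoleManager"
$configs = @{
  "Extranet"     = Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"
  "CentralAdmin" = Join-Path $ca.IisSettings[$zone].Path.FullName "web.config"
  "STS"          = "C:\Program Files\Common Files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken\web.config"
}
$problems = @()
foreach ($name in $configs.Keys) {
  [xml]$cfg = Get-Content -Path $configs[$name]
  $conn = $cfg.SelectSingleNode("/configuration/connectionStrings/add[@name='SQLAuthConnectionString']")
  $mem  = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$membershipName']")
  $role = $cfg.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$roleName']")
  if (-not $conn) { $problems += "${name}: connection string SQLAuthConnectionString missing" }
  elseif ($conn.connectionString -match "Password=") {
    # The chapter's sample keeps the SQL login password in clear text; protect the section at rest.
    $problems += "${name}: clear-text SQL password; encrypt with aspnet_regiis -pef connectionStrings <dir>"
  }
  if (-not $mem) { $problems += "${name}: membership provider $membershipName missing" }
  elseif ($mem.passwordFormat -ne "Hashed" -or $mem.enablePasswordRetrieval -ne "false") {
    $problems += "${name}: keep passwordFormat=Hashed and enablePasswordRetrieval=false"
  }
  if (-not $role) { $problems += "${name}: role provider $roleName missing" }
  # Outside Central Administration the claims wrapper "i" must remain the default membership provider.
  if ($name -ne "CentralAdmin" -and $cfg.configuration.'system.web'.membership.defaultProvider -ne "i") {
    $problems += "${name}: membership defaultProvider should be the claims provider 'i'"
  }
  if ($name -ne "STS" -and -not $cfg.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards/add[@key='$membershipName']")) {
    $problems += "${name}: PeoplePickerWildcards entry for $membershipName missing"
  }
}
# The names entered in Central Administration must match what web.config registers.
$iis = $wa.IisSettings[$zone]
if (-not $iis.UseFormsClaimsAuthenticationProvider) { $problems += "Zone: FBA is not enabled" }
else {
  $fba = $iis.FormsClaimsAuthenticationProvider
  if ($fba.MembershipProvider -ne $membershipName -or $fba.RoleProvider -ne $roleName) {
    $problems += "Zone: references '$($fba.MembershipProvider)'/'$($fba.RoleProvider)' but web.config registers '$membershipName'/'$roleName'"
  }
}
if ($problems.Count -eq 0) { "FBA configuration is consistent across all three web.config files and the zone." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it on every WFE, since each server carries its own copy of the extranet and STS web.config files.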
Creating an Extranet Service Application Proxy Group
SharePoint 2010 offers a distributed model for shared services, or service applications. Web applications themselves subscribe to the various service applications. Application proxy groups can be created to define a set of service applications. It is recommended that, for extranet web applications, one or more application proxy groups be created to ensure that only the minimum required service applications are enabled for use in the extranet web applications. The following PowerShell commands show how to create a new application proxy group:
1. Open a SharePoint 2010 Management Shell console: navigate to Start, All Programs, Microsoft SharePoint 2010, SharePoint 2010 Management Shell.
2. Use the following commands to create the new service application proxy group and add a member to it:
New-SPServiceApplicationProxyGroup -Name <the service application proxy group>
Add-SPServiceApplicationProxyGroupMember -Identity <the service application proxy group> -Member <member to add to the service application proxy group>
For example:
New-SPServiceApplicationProxyGroup -Name PartnerExtranet
Add-SPServiceApplicationProxyGroupMember -Identity PartnerExtranet -Member bfea704a-e2a1-429f-8c4d-1372e5524bdc
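The commands above add a member by proxy GUID. As an added example that is not from the chapter, the following script builds the PartnerExtranet group from proxy display names, binds the extranet web application to it, and reports which proxies of the default group the extranet no longer receives, which is the least-privilege outcome the section recommends. Assumed: the group name PartnerExtranet, the URL http://partner.companyabc.com from the validation section, the placeholder display names in $needed, and that Set-SPWebApplication accepts -ServiceApplicationProxyGroup.

```powershell
# Added example (assumption: SharePoint 2010 Management Shell, PowerShell 2.0 syntax).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$groupName = "PartnerExtranet"
$webAppUrl = "http://partner.companyabc.com"
# Placeholder display names; replace with the proxies the extranet actually requires.
$needed = @("Managed Metadata Service", "Search Service Application")

$group = Get-SPServiceApplicationProxyGroup -Identity $groupName -ErrorAction SilentlyContinue
if (-not $group) { $group = New-SPServiceApplicationProxyGroup -Name $groupName }

foreach ($display in $needed) {
  $proxy = Get-SPServiceApplicationProxy | Where-Object { $_.DisplayName -eq $display }
  if (-not $proxy) { Write-Warning "No service application proxy named '$display'"; continue }
  Add-SPServiceApplicationProxyGroupMember -Identity $group -Member $proxy
}

# Bind the extranet web application to the restricted group instead of the default group.
Set-SPWebApplication -Identity $webAppUrl -ServiceApplicationProxyGroup $group

# Least-privilege report: proxies the default group exposes that the extranet group does not.
$group   = Get-SPServiceApplicationProxyGroup -Identity $groupName
$default = Get-SPServiceApplicationProxyGroup -Default
$groupIds = $group.Proxies | ForEach-Object { $_.Id }
$withheld = $default.Proxies | Where-Object { $groupIds -notcontains $_.Id }
"Proxies in '$groupName':"
$group.Proxies | Select-Object DisplayName, TypeName, Id
"Default-group proxies withheld from the extranet:"
$withheld | Select-Object DisplayName, TypeName
```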
Validating the Partner Extranet Solution
To validate whether the solution works properly, do the following:
1. Open the browser to the extranet partner site: http://partner.companyabc.com.
2. Choose the authentication provider from the drop-down, as shown in Figure 5, and enter the proper credentials.
3. At this point, you will be logged in to the site using claims-based authentication, as shown in Figure 6. Test all the configured authentication providers.