I conducted a training session the other day that included how to deploy and configure FBA (Forms Based Authentication) for SharePoint.
Because I often get questions about it, I thought I’d upload some of the content I devised for the training to my blog. Hope it is of use to you:
Session Objectives:
 
1)      Introduction to Forms Based Authentication
2)      Introduction to physical and logical architecture of SharePoint security
3)      How to Lab
 
I’ll also introduce the related concepts of extending a Web Application into additional authentication zones and Alternate Access Mappings.
1.     Introduction to Forms Based Authentication
 
Microsoft SharePoint Web Applications can make use of three types of authentication:
 
a)      Windows/Active Directory, with a further choice between:
a.       NTLM
b.      Kerberos
 
b)      Forms Based (an ASP.NET membership provider, typically backed by a SQL database; the subject of this article)
 
c)       Your own custom membership provider
 
Understanding the difference between authentication and authorization is a good start.
 
Definitions:
There are a good number of definitions on the web; these are the ones I find relevant for this article.
 
Authentication: the process of verifying the identity of a user, machine or software component (e.g. a session logon to a web site).
 
Authorization: once the identity is authenticated, deciding whether it may access particular content or perform particular activities.
 
Example: you swipe your credit card. First the card terminal authenticates you to the bank (card plus PIN), then the bank authorizes the purchase and performs the transaction.
 
So you have users that aren’t in your Active Directory, LDAP or similar directory service and need them to access your SharePoint services for team collaboration across multiple sources. Perhaps they are external clients or suppliers that aren’t on your network.
 
Giving people outside the network a path to corporate data is often a security concern, but the bottom line is that you need to extend your SharePoint services to external users who are not part of your network. They may be limited to a single form or to a series of project documents and become involved in your document lifecycle; either way, they need quick and simple access.
 
Microsoft Windows SharePoint Services lets you extend a SharePoint web application with a Forms Based Authentication zone and then authorize those forms-based users for specific site content.
 
With a little help from the IEE (Intranet/Extranet Edition) of the CKS (Community Kit for SharePoint) this becomes quite easy. The IEE is a community initiative that builds on top of the Forms Based Authentication feature. SharePoint itself caters poorly for the administration of FBA users, so instead of coding your own method to add/edit users and the other tools your FBA users may need (password reminder, change password, request membership), these are provided as web parts and rolled up into a simple to deploy solution in WSP format. Great! And the best news: the source is available, in case you need to add fields or functionality to those web parts.
 
So once you have switched a zone to Forms authentication in Central Administration, what happens?
 
Well, users of that zone are now prompted with the default SharePoint FBA login page (/_layouts/login.aspx) with username and password fields, and must authenticate on this screen before they reach anything that requires authentication. So, in order to ensure you have set it up correctly, I’ll take you through an example.
 
Future proposed features for the CKS IEE solution:
-          User Management Page (View, Add, Edit, Delete Users)
-          Role Management Page (View, Add, Edit, Delete Roles)
-          Self-Registration Page and Webpart
-          Retrieve Password Page and Webpart
-          Change User Settings Page and Webpart (Password, Name, Email etc)
-          Login Webpart
-          Non-Anonymous Access Features (updated login page with links for self-registration)
-          Administration Settings Page (Edit email settings etc)
-          FBA Batch Import wizard
-          Email Registration Option
-          FBA Configuration Feature (Maintain web.config settings)
So keep your eyes on this space.
 
An idea that might help you:
 
Keep your initial landing page anonymous, activate the necessary IEE login web parts, then manage authorization to site content by means of SharePoint groups on the respective sites, pages and lists. Two cautions: anonymous access exposes whatever the anonymous role is granted, so check the permissions on every list you open up; and because the login form posts the password and the forms authentication cookie then acts as a bearer token for the session, publish the FBA zone over SSL (https) only.
 
The article I included below will introduce you to two zones for a single Web Application. Always consider having a Windows based zone for editing, especially if you are going to be working with SharePoint Designer and other client tools; your designers should use that zone with Windows authentication.
2.     Introduction to physical and logical architecture of SharePoint security
 
Right, now we have to wrap our minds around the security behind the scenes: how SharePoint authenticates and authorizes users, and against which databases.
 
Below is a very high level diagram that could assist in understanding the levels at which we will be performing these FBA changes. Remember that authentication happens in the IIS/ASP.NET pipeline before SharePoint sees the request: in a Windows zone IIS does it (NTLM or Kerberos); in an FBA zone IIS is left on anonymous access and the ASP.NET forms authentication module, together with the membership provider declared in that zone’s web.config, does it instead. SharePoint then authorizes the resulting identity against its own site and list permissions, and the role (group) membership of an FBA user comes from the role provider in the same web.config.
 
 
[Diagram: High Level SharePoint Security]
3.     How to Lab
 
Pre-installed virtual machine with the following specifications:
 
-          Operating System: Windows Server 2008 Standard Edition
-          Database: Microsoft SQL Server 2008 CTP
-          Application: Microsoft Office SharePoint Server 2007 with SP1
-          IDE: Microsoft Visual Studio 2008
 
 
 
Download the FBA Management solution code at:
 
High Level Steps:
 
1)      Create an ASP.NET application services (membership) database in SQL Server for the FBA users (aspnet_regsql.exe creates the schema)
2)      Configure the web.config of the FBA User Management web site (the Visual Studio site used in step 3) to point at that database
3)      Create roles and users via the ASP.NET Web Site Administration Tool
4)      Create a SharePoint Web Application (e.g. host header external.litware.com); this Default zone will use FBA
5)      Extend the Web Application from step 4 into a second zone (e.g. host header internal.litware.com) that uses Windows authentication
6)      Add the SqlMembershipProvider and SqlRoleProvider, with their connection string, to the web.config of the external.litware.com virtual directory, and to the web.config of Central Administration as well; without them there the People Picker cannot resolve FBA accounts
7)      In Central Administration, set the authentication type of the Default zone (external.litware.com) to Forms and enter the membership and role provider names from step 6. The extended zone (internal.litware.com) stays on Windows authentication as the Intranet zone
8)      Ensure you can add the FBA administrator account as a secondary site collection administrator (Central Administration > Application Management > Site collection administrators). If the People Picker does not resolve the account, the providers are missing from the Central Administration web.config
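The script below is an added example, not the post’s own code and not part of the CKS IEE solution. It automates steps 1, 6 and 7 above and makes concrete the point from section 2 that the providers declared in web.config, not SharePoint, do the authenticating in an FBA zone. Everything in its first block is an assumption for a single-server lab: the SQL instance and database names, the virtual directory paths (the Central Administration port is yours to fill in), the provider names, and a 32-bit .NET Framework path (use Framework64 on an x64 server). The aspnet_regsql.exe and stsadm.exe commands and switches are real ones from .NET 2.0 and WSS 3.0.

```powershell
# Added example, not code from the original post or from the CKS IEE project.
# Automates lab steps 1, 6 and 7 on a single-server lab (Windows Server 2008,
# MOSS 2007 SP1) and then checks the result. Every value in this first block is
# an assumption: change it to match your farm. Run from an elevated prompt on the
# SharePoint server as a farm administrator who may create databases in SQL.
$sqlServer          = 'localhost'                   # SQL Server 2008 instance for the membership DB
$membershipDb       = 'FBAUsers'                    # ASP.NET application-services DB to create
$fbaUrl             = 'http://external.litware.com' # Default zone, to become FBA
$fbaWebConfig       = 'C:\inetpub\wwwroot\wss\VirtualDirectories\external.litware.com80\web.config'
$caWebConfig        = 'C:\inetpub\wwwroot\wss\VirtualDirectories\40000\web.config'  # Central Admin (your port differs)
$membershipProvider = 'FBAMembershipProvider'       # names you will see in Central Administration
$roleProvider       = 'FBARoleProvider'
$fx     = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727'   # Framework64 on an x64 OS
$stsadm = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'

# Step 1: create the ASP.NET membership/role schema in SQL over a trusted connection.
& (Join-Path $fx 'aspnet_regsql.exe') -S $sqlServer -E -A all -d $membershipDb
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed (exit code $LASTEXITCODE)" }

function Get-OrAddChild($parent, [string]$name) {
    # Returns the named child element, creating it if the web.config lacks it.
    $child = $parent.SelectSingleNode($name)
    if (-not $child) { $child = $parent.AppendChild($parent.OwnerDocument.CreateElement($name)) }
    return $child
}

function Add-Element($parent, [string]$name, [hashtable]$attributes) {
    $el = $parent.OwnerDocument.CreateElement($name)
    foreach ($k in $attributes.Keys) { $el.SetAttribute($k, $attributes[$k]) }
    return $parent.AppendChild($el)
}

# Step 6: register the SQL providers in one web.config. Run it against the FBA zone
# AND against Central Administration: without the providers there the People Picker
# cannot resolve FBA accounts and step 8 (secondary site collection admin) fails.
function Add-FbaProviders([string]$Path, [string]$DefaultMembership, [string]$DefaultRole) {
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # rollback copy
    [xml]$cfg = Get-Content -Path $Path
    $systemWeb = $cfg.configuration.SelectSingleNode('system.web')

    $cs = Get-OrAddChild $cfg.configuration 'connectionStrings'
    [void](Add-Element $cs 'add' @{
        name             = 'FBAConnectionString'
        # Integrated security: grant the application pool identity rights on the DB
        # instead of putting a SQL password into web.config.
        connectionString = "Server=$sqlServer;Database=$membershipDb;Integrated Security=SSPI"
    })

    $membership = Get-OrAddChild $systemWeb 'membership'
    if ($DefaultMembership) { $membership.SetAttribute('defaultProvider', $DefaultMembership) }
    [void](Add-Element (Get-OrAddChild $membership 'providers') 'add' @{
        name                      = $membershipProvider
        type                      = 'System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
        connectionStringName      = 'FBAConnectionString'
        applicationName           = '/'
        passwordFormat            = 'Hashed'   # never 'Clear'
        enablePasswordRetrieval   = 'false'    # impossible with hashed passwords anyway
        enablePasswordReset       = 'true'     # needed by any password reset/reminder feature
        requiresQuestionAndAnswer = 'false'
        requiresUniqueEmail       = 'true'
        minRequiredPasswordLength = '8'
        minRequiredNonalphanumericCharacters = '1'
        maxInvalidPasswordAttempts = '5'       # lock the account after 5 failures ...
        passwordAttemptWindow     = '10'       # ... within 10 minutes
    })

    $roleManager = Get-OrAddChild $systemWeb 'roleManager'
    $roleManager.SetAttribute('enabled', 'true')
    $roleManager.SetAttribute('defaultProvider', $DefaultRole)
    [void](Add-Element (Get-OrAddChild $roleManager 'providers') 'add' @{
        name                 = $roleProvider
        type                 = 'System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
        connectionStringName = 'FBAConnectionString'
        applicationName      = '/'
    })
    $cfg.Save($Path)
}

# The FBA zone defaults to the SQL providers. Central Administration stays on Windows
# authentication, so its default role provider is the Windows token provider from
# machine.config and its default membership provider is left untouched.
Add-FbaProviders -Path $fbaWebConfig -DefaultMembership $membershipProvider -DefaultRole $roleProvider
Add-FbaProviders -Path $caWebConfig  -DefaultMembership ''                  -DefaultRole 'AspNetWindowsTokenRoleProvider'

# Step 7: switch the Default zone to forms authentication, naming the providers above.
# SharePoint rewrites <authentication mode="Forms"> in the zone's web.config itself.
& $stsadm -o authentication -url $fbaUrl -type forms -membershipprovider $membershipProvider -rolemanager $roleProvider
if ($LASTEXITCODE -ne 0) { throw "stsadm -o authentication failed (exit code $LASTEXITCODE)" }

# Read-back check: both provider names must now be present in each file.
function Test-FbaProviders([string]$Path) {
    [xml]$cfg = Get-Content -Path $Path
    $m = $cfg.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$membershipProvider']")
    $r = $cfg.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$roleProvider']")
    return ($m -ne $null -and $r -ne $null)
}
foreach ($path in @($fbaWebConfig, $caWebConfig)) {
    if (-not (Test-FbaProviders $path)) { throw "FBA providers missing from $path" }
}
```

Steps 2 and 3 are unchanged: point the web.config of the Visual Studio management site at the same connection string and provider names so the users and roles you create in the ASP.NET Web Site Administration Tool land in the database SharePoint reads. Keep the .bak copies until you have logged in through the FBA zone once and resolved an FBA account in the People Picker.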
 
 
 
Don’t forget to deploy the IEE solution after running through Dan’s article above.
Your downloaded zip file will contain FBAManagement.wsp, deploy.bat and undeploy.bat. Run deploy.bat from a command prompt in the same folder as FBAManagement.wsp, passing the URL of the FBA zone, e.g. deploy http://external.litware.com.
Over ‘n Out
ML