Sharing the Point

Office 365, SharePoint, Project Server – Blog


How To Configure Claim Based Authentication for SharePoint, Project Server 2010

Posted by Ashraf on May 25, 2011

Environment: SharePoint 2010, SQL Server 2008 R2; the SharePoint services run as the domain\admin account. Running the services as a domain administrator is a lab shortcut, not something to copy into production: use dedicated, low-privilege service accounts, and remember that the database rights granted in step 1.4 must then go to the account each application pool actually runs as.

This is a step-by-step approach to configuring SharePoint claims/forms-based authentication (FBA) and to using that authentication method to create Project Server 2010 users who have no domain account.

The following steps need to be done:

1.       Create the AspNet DB user/role repository: SQL database
2.       Create a web application that uses claim based authentication
3.       Update web.config file of Central Admin
4.       Add some users in the database using IIS Manager
5.       Update web.config file of the web application
6.       Update web.config file of the STS (Security Token Service) Application
7.       Create a site collection specifying Windows users as a primary admin and a user from SQL membership as the secondary admin
8.       Test the connection to the root of the site collection as the secondary admin using FBA
9.       Create the PWA instance
10.     Create FBA users in PWA

The following example values are used in these steps.

Variable                    Value
SQL Server instance name    epm\sqlexpress
ASP.NET database name       aspnetDB
Role provider name          AspNetSqlRoles
Membership provider name    AspNetSqlMembers

Log in as domain\administrator.

1. Create the AspNet DB user/role repository: SQL database

1.1.   Go to C:\Windows\Microsoft.NET\Framework64\v2.0.50727, find aspnet_regsql.exe and double-click it to launch the ASP.NET SQL Server Setup Wizard.

1.2.   Choose ‘Configure SQL Server for Application Services’ and click Next.

(Screenshot: Configure SQL Server for Application Services)

1.3.   Click Next, enter the name of the SQL Server instance (epm\sqlexpress in this example), choose Windows authentication and leave the default database name (aspnetdb).

(Screenshot: ASP.NET SQL Server Setup Wizard, database server and database name)

1.4.   In SQL Server Management Studio, make sure that aspnetdb was created and that the login which will open the connection has rights in it. The connection strings used later specify Integrated Security, so the relevant login is the account the application pools and the STS run as (domain\admin in this setup). Giving that login dbo rights works; the least-privilege alternative is to add it to the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess database roles that the wizard creates.

(Screenshot: login user has dbo rights in the aspnetdb database)


2.  Create a web application that will use claims-based authentication

2.1.   Go to the SharePoint Central Administration Web site.

2.2.   Click Application Management.

2.3.   On the ribbon, click New. A pop-up window appears.

2.4.   In the pop-up window, select the Claims Based Authentication option.

2.5.   In the pop-up window, in the IIS Web Site section, select a unique name and port number. I chose port 8080.

2.6.   In the pop-up window, in the Security Configuration section, set Allow Anonymous = No and set Use SSL to Yes or No, depending on whether the site will be SSL-enabled. Over plain HTTP the forms login page sends the username and password in clear text and the FedAuth cookie that SharePoint issues afterwards can be replayed by anyone who captures it, so choose Yes for anything beyond a lab.

2.7.   In the pop-up window, in the Identity Providers section, select Enable ASP.NET Membership and Role Provider and specify a membership provider name and a role manager name. In this example they are AspNetSqlMembers and AspNetSqlRoles respectively; the same names must be used in every web.config edited below.

(Screenshot: Enable ASP.NET Membership and Role Provider)

2.8.   In the pop-up window; keep the default setting for Public URL.

2.9.   In the pop-up window, in the Application Pool section, choose to create a new pool with a pool name and the account that will be used.

2.10. In the pop-up window, in the Database Name and Authentication section, set the SQL Server and database name for the content database.

2.11. Click OK to close the window. A new Web App will be created.

(Screenshot: the new web application)

3. Update web.config file of Central Administration site

The web.config file of Central Administration needs to be updated in three places:

·         PeoplePicker wildcards

·         Add the membership/role provider entries

·         Add the SQL connection string

Before modifying the file do a backup of the original file.

To locate the web.config file, use IIS Manager and choose Explore after selecting the web site.

3.1.   Add the following entry after the </SafeControls> tag.

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembers" value="%" />
</PeoplePickerWildcards>

It will look like the following image.

(Screenshot: web.config file of Central Administration)

3.2.   Now find the tag <sessionState mode="InProc" timeout="20" cookieless="UseCookies" /> and add the following entry after it. See the image below for clarification. All System.Web entries use Version=2.0.0.0, the assembly version that ships with .NET 2.0/3.5; keep the same version in every provider entry.

<roleManager enabled="true" cacheRolesInCookie="false" cookieName=".ASPXROLES" cookieTimeout="30" cookiePath="/" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieProtection="All" defaultProvider="AspNetWindowsTokenRoleProvider" createPersistentCookie="false" maxCachedResults="25">
  <providers>
    <clear />
    <add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

<membership defaultProvider="AspNetSqlMembers" userIsOnlineTimeWindow="15" hashAlgorithmType="">
  <providers>
    <clear />
    <add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

(Screenshot: membership section of the Central Administration web.config)

3.3.   Now find the </appSettings> tag and add the following entry after it. See the image for clarification.

<connectionStrings>
  <add name="SqlConn"
       connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=aspnetdb"
       providerName="System.Data.SqlClient" />
</connectionStrings>

.\SQLEXPRESS refers to a SQL Express instance on the same server as Central Administration. If SQL Server runs on another machine, use the full instance name from the table above (epm\SQLEXPRESS), as in step 5.3.

(Screenshot: SQL connection string in the Central Administration web.config)

4. Add some users in the database using IIS Manager

4.1 Open IIS Manager, select Sites > SharePoint Central Administration and open the .NET Users feature. You may get the following error; dismiss it and keep going.

(Screenshot: IIS .NET Users error)

4.2 After the error message you will find the .NET Users list. On the right-hand side click Add and create some users for later use. I have added Ashrafh and CBAdmin for my purpose. The SqlMembershipProvider defaults apply to the password (at least 7 characters, at least one non-alphanumeric character), and because requiresQuestionAndAnswer is true in the membership entry above, the dialog also asks for a security question and answer.

(Screenshot: add a new .NET user through IIS)

4.3 After adding them you can see the list of users in the .NET Users window.

(Screenshot: list of .NET users)

5.  Update web.config file of the web application

The web.config file of the new web application (the one you set up with the claims authentication type) needs to be updated in three places:

·         PeoplePicker wildcards

·         Add/update the membership/role provider entries (AspNetSqlRoles, AspNetSqlMembers)

·         Add the SQL connection string

5.1.   Locate the web.config file of the web application from IIS Manager and open it. Find the </SafeControls> tag and paste the following after it.

<PeoplePickerWildcards>
  <clear />
  <add key="AspNetSqlMembers" value="%" />
  <add key="AspNetSqlMembershipProvider" value="%" />
</PeoplePickerWildcards>

Each key must be the name of a configured membership provider. With the names used in this post only the AspNetSqlMembers entry is needed; the second key is harmless and only matters if you named your provider AspNetSqlMembershipProvider.

(Screenshot: web.config of the web application)

5.2.   Find the <machineKey validationKey=... /> tag and add the following code after it. See the image to locate the tag. The providers named c and i are SharePoint's own claims providers and must stay first; the SQL providers are added next to them.

<roleManager cacheRolesInCookie="false" cookieName=".ASPXROLES" cookiePath="/" cookieProtection="All" cookieRequireSSL="false" cookieSlidingExpiration="true" cookieTimeout="30" createPersistentCookie="false" defaultProvider="c" enabled="true" maxCachedResults="25">
  <providers>
    <clear />
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

<membership defaultProvider="i" hashAlgorithmType="" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

(Screenshot: updated membership area of the web.config file)

5.3.   Find the </microsoft.identityModel> tag and add the following code after it.

<connectionStrings>
  <add name="SqlConn" connectionString="data source=epm\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
</connectionStrings>

(Screenshot: SQL connection string in the web application's web.config)

6. Update web.config file of the STS (Security Token Service) Application

The web.config file of the SharePoint Security Token Service application (the service that actually validates the forms credentials and issues the claims token) needs to be updated in two places:

·         Add the membership/role provider entries (AspNetSqlRoles, AspNetSqlMembers)

·         Add the SQL connection string

This web.config file should be located at: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken.

Before modifying the file do a backup of the original file. This file is not managed through Central Administration, so it has to be edited on every server in the farm that hosts the SharePoint Web Services application; and because the connection string below uses Integrated Security, the STS application pool account (SecurityTokenServiceApplicationPool) needs the aspnetdb rights from step 1.4 as well.

  • Add the following code after </system.serviceModel> and before the <system.web> tag.

<connectionStrings>
  <add name="SqlConn"
       connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=aspnetdb"
       providerName="System.Data.SqlClient" />
</connectionStrings>

(Screenshot: SQL connection string for the STS)

  • Within the <system.web> and </system.web> tags put the following code.

<membership defaultProvider="AspNetSqlMembers">
  <providers>
    <add connectionStringName="SqlConn" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordAttemptWindow="10" requiresUniqueEmail="false" passwordFormat="Hashed" applicationName="/" name="AspNetSqlMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>

<roleManager defaultProvider="AspNetSqlRoles" enabled="true">
  <providers>
    <add connectionStringName="SqlConn" applicationName="/" name="AspNetSqlRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>

(Screenshot: membership section for the STS)
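The three web.config edits above (steps 3, 5 and 6) fail quietly when they disagree with each other: a connectionStringName that does not match the name in <connectionStrings>, a PeoplePickerWildcards key that names a provider nobody configured, or a membership entry left in a mode that stores recoverable passwords only shows up when an FBA user tries to log in or be picked. The following Python script is an added example, not code from the original post: it parses a web.config fragment and reports those inconsistencies. The sample configs are constructed to mirror the fragments in this post (SharePoint's real file contains far more), and the check names, findings text and the check_people_picker switch are this example's own.

```python
"""Consistency check for the FBA provider entries in a SharePoint 2010 web.config."""
import xml.etree.ElementTree as ET

# Constructed sample: only the parts of the content web application's web.config that
# steps 3/5/6 touch, with the provider and connection-string names used in this post.
GOOD_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="SqlConn" connectionString="data source=epm\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <SharePoint>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembers" value="%" />
    </PeoplePickerWildcards>
  </SharePoint>
  <system.web>
    <roleManager defaultProvider="c" enabled="true" cookieRequireSSL="false">
      <providers>
        <clear />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="AspNetSqlRoles" connectionStringName="SqlConn" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership defaultProvider="i">
      <providers>
        <clear />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="AspNetSqlMembers" connectionStringName="SqlConn" applicationName="/" enablePasswordRetrieval="false" passwordFormat="Hashed" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Constructed variants showing slips that only surface when an FBA user tries to log in.
BAD_CONNSTR_CONFIG = GOOD_CONFIG.replace('connectionStringName="SqlConn"', 'connectionStringName="SqlCon"')
WEAK_PASSWORD_CONFIG = GOOD_CONFIG.replace('enablePasswordRetrieval="false" passwordFormat="Hashed"',
                                           'enablePasswordRetrieval="true" passwordFormat="Clear"')
WRONG_WILDCARD_CONFIG = GOOD_CONFIG.replace('<add key="AspNetSqlMembers" value="%" />',
                                            '<add key="AspNetSqlMembershipProvider" value="%" />')


def _child(elem, tag):
    """Direct child with the given tag (tags such as system.web contain a dot, so avoid XPath)."""
    return next((c for c in elem if c.tag == tag), None) if elem is not None else None


def _providers(root, section):
    """Map provider name -> attributes for <system.web>/<section>/<providers>/<add>."""
    providers = _child(_child(_child(root, "system.web"), section), "providers")
    return {} if providers is None else {a.get("name"): a.attrib for a in providers.findall("add")}


def check_fba_config(xml_text, membership_name, role_name, site_uses_ssl=False, check_people_picker=True):
    """Return a list of findings; an empty list means the fragment is internally consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    members, roles = _providers(root, "membership"), _providers(root, "roleManager")

    # 1. Both SQL providers must exist and point at a connection string that is declared.
    for label, table, name in (("membership", members, membership_name), ("role", roles, role_name)):
        attrs = table.get(name)
        if attrs is None:
            findings.append(f"{label} provider '{name}' is not declared")
            continue
        cs = attrs.get("connectionStringName")
        if cs not in conn_names:
            findings.append(f"{label} provider '{name}' uses connection string '{cs}', which is not in <connectionStrings>")

    # 2. Password storage: SqlMembershipProvider defaults to Hashed with retrieval off; keep it that way.
    mem = members.get(membership_name, {})
    if mem.get("passwordFormat", "Hashed") != "Hashed":
        findings.append(f"membership provider '{membership_name}' stores passwords as {mem.get('passwordFormat')}; use Hashed")
    if mem.get("enablePasswordRetrieval", "false").lower() == "true":
        findings.append(f"membership provider '{membership_name}' allows password retrieval")

    # 3. People-picker wildcard keys must name a membership provider that is actually configured
    #    (the STS web.config has no <SharePoint> section, so skip this check there).
    if check_people_picker:
        ppw = _child(_child(root, "SharePoint"), "PeoplePickerWildcards")
        keys = [] if ppw is None else [a.get("key") for a in ppw.findall("add")]
        if membership_name not in keys:
            findings.append(f"PeoplePickerWildcards has no entry for '{membership_name}' (wildcard search will not work)")
        findings += [f"PeoplePickerWildcards key '{k}' matches no membership provider" for k in keys if k not in members]

    # 4. On an SSL-only site the role cookie should not be sent over plain HTTP.
    rm = _child(_child(root, "system.web"), "roleManager")
    if site_uses_ssl and rm is not None and rm.get("cookieRequireSSL", "false").lower() != "true":
        findings.append("site is SSL-only but roleManager cookieRequireSSL is not true")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad connstr", BAD_CONNSTR_CONFIG),
                       ("weak password", WEAK_PASSWORD_CONFIG), ("wrong wildcard", WRONG_WILDCARD_CONFIG)):
        print(label, "->", check_fba_config(cfg, "AspNetSqlMembers", "AspNetSqlRoles") or "OK")
```

To run it against the real files, pass the contents of each web.config to check_fba_config with the provider names from the table at the top of the post; use check_people_picker=False for the STS file, which has no <SharePoint> section, and site_uses_ssl=True if you answered Yes to Use SSL in step 2.6.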

7.  Create a site collection specifying a Windows user as the primary admin and a user from the SQL membership provider as the secondary admin

We will now create a site collection on this web application.

1.    Go to Central Administration site

2.    Create site collections (under Application Management)

3.    Ensure the web application with claims authentication enabled is selected in the web application drop-down.

(Screenshot: create site collection on the port 8080 web application)

4.    Provide a title and description for the site collection

5.    Select a template.

6.    Specify a normal Windows user as primary site collection administrator

7.    For the secondary site collection administration, specify the administrator user from the AspNetSqlMembers provider.

(Screenshot: specify the administrator user from the AspNetSqlMembers provider)

8.  Test the connection to the root of the site collection as the secondary admin using CBA/FBA

Enter your FBA/CBA admin account's username and password. I have tested the root as well as the subsites. The following is a subsite within the root site.

(Screenshot: test the site collection)

At this point claims-based authentication is configured on SharePoint 2010 for non-domain user logins. The remaining steps are specific to Project Server 2010.

9.   Create the Project Web Access (PWA) instance

9.1  Create a new Project Web App instance following the post How to Create a Project Web Access (PWA) site for Project Server 2010.

9.2 Specify as the admin account either a Windows account or a membership user.

9.3 Test the connection to this PWA instance as the admin user.

(Screenshot: test the connection to the PWA instance as the CBA admin user)

10.  Create CBA/FBA users in PWA

10.1 To create FBA users in the PWA site, log in with administrator privileges and go to Settings > Server Settings > Manage Users.

10.2 Click New User and fill in the mandatory fields.

Use the syntax "membershipname|username" for the user logon account, for example AspNetSqlMembers|Ashrafh. The membership name must be exactly the provider name configured in the web.config files.

(Screenshot: add PWA user)

10.3 Assign security groups to the user as needed, then click Save.

(Screenshot: assign permissions to the PWA user)

10.4 Add the user to the PWA site's SharePoint groups (Owners, Members, Project Managers, Web Administrators, etc.) as your needs dictate.

10.5 Now try to log in with this user at the PWA site or in Project Professional to create and publish enterprise projects.
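The "membershipname|username" value typed into PWA in step 10.2 is the same identity SharePoint stores for the site collection's secondary administrator in step 7, only without SharePoint's claim prefix; Get-SPUser or the people picker show it as i:0#.f|AspNetSqlMembers|Ashrafh. The following Python is an added example, not from the original post: it validates the PWA syntax against the configured provider names and encodes/decodes the SharePoint 2010 claim form. The encoding table in the comments is taken from SharePoint 2010's claim encoding rather than from this post, and the function names are this example's own.

```python
"""SharePoint 2010 claims-encoded login names for forms (FBA) users."""

# Encoding assumed here comes from SharePoint 2010's claim encoding, not from the post:
#   i:0#.f|<provider>|<user>   identity claim, user-logon-name type, string value, forms issuer
#   c:0-.f|<provider>|<role>   role claim issued through a forms role provider
#   i:0#.w|<domain>\<user>     Windows identity, for comparison
_ISSUER = {"f": "forms", "w": "windows", "t": "trusted"}
_CLAIM_TYPE = {"#": "user logon name", "-": "role"}


def check_pwa_user(text, configured_providers):
    """Validate the 'membershipname|username' value typed into PWA Manage Users (step 10.2).

    Returns a dict with ok=True plus provider/username, or ok=False plus the reason the value
    would not resolve against the membership providers configured in the web.configs.
    """
    provider, sep, username = text.partition("|")
    if not sep or not provider or not username:
        return {"ok": False, "error": "expected membershipname|username, e.g. AspNetSqlMembers|Ashrafh"}
    if "\\" in provider or "\\" in username:
        return {"ok": False, "error": "domain\\user is a Windows account; FBA users take the provider|user form"}
    # Exact match on purpose: keep the casing identical to the web.config provider name.
    if provider not in configured_providers:
        return {"ok": False, "error": f"unknown membership provider '{provider}'; configured: {sorted(configured_providers)}"}
    return {"ok": True, "provider": provider, "username": username}


def encode_fba_login(provider, username):
    """Encoded login name SharePoint stores for a forms user, e.g. i:0#.f|AspNetSqlMembers|Ashrafh."""
    return f"i:0#.f|{provider}|{username}"


def encode_fba_role(provider, role):
    """Encoded value for a role coming from the forms role provider."""
    return f"c:0-.f|{provider}|{role}"


def decode_claim(encoded):
    """Split an encoded claim into its parts, e.g. to read Get-SPUser output or a people-picker value."""
    head, sep, rest = encoded.partition("|")
    if not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0" or head[4] != ".":
        raise ValueError(f"not a SharePoint 2010 encoded claim: {encoded!r}")
    parsed = {
        "kind": "identity" if head[0] == "i" else "claim",
        "claim_type": _CLAIM_TYPE.get(head[3], head[3]),
        "issuer": _ISSUER.get(head[5], head[5]),
        "provider": None,
        "value": rest,
    }
    if parsed["issuer"] != "windows":
        # Forms and trusted issuers carry the provider name before the value.
        provider, sep2, value = rest.partition("|")
        if not sep2:
            raise ValueError(f"{parsed['issuer']} claim needs provider|value: {encoded!r}")
        parsed["provider"], parsed["value"] = provider, value
    return parsed


if __name__ == "__main__":
    configured = {"AspNetSqlMembers"}  # the membership provider name from the table at the top of the post
    print(check_pwa_user("AspNetSqlMembers|Ashrafh", configured))
    print(check_pwa_user("AspNetSqlMembership|Ashrafh", configured))  # typo in the provider name
    print(encode_fba_login("AspNetSqlMembers", "Ashrafh"))
    print(decode_claim("i:0#.f|AspNetSqlMembers|CBAdmin"))
```

A provider name that does not match the web.config entries is the usual reason a PWA user "exists" but can never log in, so run check_pwa_user with the provider set you actually configured before saving the user.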

Hope this helps!

Posted in Project Server, SharePoint