Wednesday, March 11, 2009

Form Based Authentication

By default, MOSS uses Windows authentication. For external users who are not part of your domain, you need to use forms-based authentication (FBA).


1. Enable anonymous access on the web application. This allows you to get in and add users using FBA.

2. Create a new zone for the web application by extending the current web application to another IIS web site. Each zone has a different URL that you can use to address the same web application, so you can use one URL for internal users and a different URL for external users, who can be authenticated through FBA.

3. Add a DNS Host A record for the sub-domain

4. Create a database to store membership

5. Edit the web.config

6. Add FBA tools to the web application. Microsoft does not provide the FBA tools.

7. Add FBA users to the web application using the FBA tool.

8. Optionally disable anonymous access. FBA usernames and passwords are submitted in clear text, so you will need to secure the FBA site with SSL.

Create Zones

Adding to DNS

  • Create Host A record in DNS to provide internal access
  • Create Host A record at ISP to provide external access

Creating the FBA Database

  • Use the aspnet_regsql utility provided by the .NET Framework
  • It creates the aspnetdb database by default, but you can name it whatever you want
  • It registers that database as a membership provider on the server

Enabling Forms Authentication

  • In order to use that database, you need to edit web.config for the web application
  • Connection settings are set in:
    • connectionStrings tag
    • membership tag
    • roleManager tag
  • You can also add e-mail information for ASP.NET (this allows the FBA tools to send out the user's password if they forget it)
    • tag
    • mailSettings tag
    • smtp tag

FBA Tools

  • Not provided by Microsoft
  • You can create them yourself or obtain from third party vendors

Adding FBA Users

  • Add the users using the FBA tools
  • Set the user's permissions in SharePoint

Turning Off Anonymous Access

  • Finally, when you are all done setting things up, you need to disable anonymous access in general.
  • Anonymous access is required at first to add the first users; it is a chicken-and-egg issue.
  • You then use Central Admin > Application Management to disable anonymous access