Thursday, June 28, 2012

SharePoint 2010 FBA : Forms Based Authentication for Extranet


Forms based Authentication (FBA) for SharePoint 2010 Extranet Site

  1. Create a new web application using Central Administration with claims based authentication.
  2. Extend the web application and select the Extranet zone.
  3. Create the membership tables that store the users using Aspnet_regsql.exe.
  4. Path: C:\%windir%\Microsoft.NET\Framework\<versionNumber>\aspnet_regsql.exe
  5. More information on the tool: http://msdn.microsoft.com/en-us/library/ms229862(v=vs.80).aspx
  6. Update the Central Administration, FBA site and SecurityTokenService config files.
  7. Update the provider names as shown in the image below: Central Administration > Security > Specify authentication providers > select the web application from the dropdown on the right > Extranet.



According to the configuration below, my membership and role providers are:

SQLMembershipProvider
SQLRoleProvider
SQLConnectionString (connection string name)



FBA Site web.config changes

Add the connection string below after the </SharePoint> tag and before the <system.web> tag:

  <connectionStrings>
    <add name="SQLConnectionString" connectionString="data source=APPSDBS04;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
  </connectionStrings>

Add the code below before the </system.web> tag (element and attribute names in ASP.NET configuration are case-sensitive, so keep the casing exactly as shown):

    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="SQLConnectionString" passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed" description="Stores and Retrieves membership data from SQL Server" name="SQLMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="SQLConnectionString" applicationName="/" description="Stores and retrieves roles from SQL Server" name="SQLRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

Central Admin Config changes


Inside <system.web>, below the <sessionState mode="InProc" timeout="20" cookieless="UseCookies" /> tag and before the </system.web> end tag, add:

    <roleManager>
      <providers>
        <add connectionStringName="SQLConnectionString"
            applicationName="/"
            description="Stores and retrieves roles from SQL Server"
            name="SQLRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership>
      <providers>
        <add connectionStringName="SQLConnectionString"
            passwordAttemptWindow="5"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            applicationName="/"
            requiresUniqueEmail="true"
            passwordFormat="Hashed"
            description="Stores and Retrieves membership data from SQL Server"
            name="SQLMembershipProvider"
            type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

After the </SharePoint> tag and before the <system.web> tag, add:

  <connectionStrings>
    <add name="SQLConnectionString" connectionString="data source=APPSDBS04;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
  </connectionStrings>



SecurityTokenServiceApplication config changes

Go to IIS Manager > SharePoint Web Services > SecurityTokenServiceApplication

or edit the file directly:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config

Add the following before the </configuration> end tag:

  <system.web>
    <roleManager>
      <providers>
        <add connectionStringName="SQLConnectionString"
            applicationName="/"
            description="Stores and retrieves roles from SQL Server"
            name="SQLRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership>
      <providers>
        <add connectionStringName="SQLConnectionString"
            passwordAttemptWindow="5"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="true"
            applicationName="/"
            requiresUniqueEmail="true"
            passwordFormat="Hashed"
            description="Stores and Retrieves membership data from SQL Server"
            name="SQLMembershipProvider"
            type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
  </system.web>
  <connectionStrings>
    <add name="SQLConnectionString" connectionString="data source=APPSDBS04;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
  </connectionStrings>
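The same provider names now live in three web.config files and must match what is entered in Central Administration, so it is worth checking the files before restarting IIS. The script below is an added example, not part of this post or of SharePoint: it parses one web.config, confirms that the membership and role providers are defined and point at an existing connection string, that passwordFormat is still Hashed, and that defaultProvider is still SharePoint's own claims provider. The sample configs are constructed, and the connection string value is a placeholder.

```python
import xml.etree.ElementTree as ET

# SharePoint's own claims provider must remain the defaultProvider of <membership>.
SP_CLAIMS_MEMBERSHIP = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider"

def check_fba_config(xml_text, membership_name, role_name):
    """Return a list of problems in one web.config (empty list = OK); the two names
    are the provider names entered in Central Administration."""
    root = ET.fromstring(xml_text)
    problems = []
    conn_names = {a.get("name") for a in root.findall("./connectionStrings/add")}
    # ASP.NET config element names are case-sensitive, so <rolemanager> would not match here.
    sections = ((root.find("./system.web/membership"), membership_name, "membership"),
                (root.find("./system.web/roleManager"), role_name, "roleManager"))
    for section, name, label in sections:
        add = None if section is None else section.find("./providers/add[@name='%s']" % name)
        if add is None:
            problems.append("%s provider '%s' not defined" % (label, name))
            continue
        if add.get("connectionStringName") not in conn_names:
            problems.append("%s provider '%s' uses an undefined connection string" % (label, name))
        if label == "membership":
            if add.get("passwordFormat") != "Hashed":
                problems.append("passwordFormat should be Hashed, not %s" % add.get("passwordFormat"))
            default = section.get("defaultProvider")
            chosen = section.find("./providers/add[@name='%s']" % default) if default else None
            if default and (chosen is None or not chosen.get("type", "").startswith(SP_CLAIMS_MEMBERSHIP)):
                problems.append("defaultProvider must stay the SPClaimsAuthMembershipProvider entry, not '%s'" % default)
    return problems

# Constructed sample configs, not real farm files; the connection string is a placeholder.
GOOD_CONFIG = """<configuration>
  <connectionStrings><add name="SQLConnectionString" connectionString="PLACEHOLDER" /></connectionStrings>
  <system.web>
    <membership defaultProvider="i"><providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
      <add name="SQLMembershipProvider" connectionStringName="SQLConnectionString" passwordFormat="Hashed"
           type="System.Web.Security.SqlMembershipProvider, System.Web" />
    </providers></membership>
    <roleManager defaultProvider="c" enabled="true"><providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
      <add name="SQLRoleProvider" connectionStringName="SQLConnectionString" type="System.Web.Security.SqlRoleProvider, System.Web" />
    </providers></roleManager>
  </system.web>
</configuration>"""
# Two common slips: clear-text passwords, and the SQL provider made the default instead of SharePoint's.
BAD_CONFIG = GOOD_CONFIG.replace('passwordFormat="Hashed"', 'passwordFormat="Clear"') \
                        .replace('defaultProvider="i"', 'defaultProvider="SQLMembershipProvider"')
```

Run check_fba_config over each of the three files with the names you typed into Central Administration; an empty list means that file is consistent.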

Update the provider names in Central Administration; you can find this page under

Central Administration > Security > Specify authentication providers > Extranet
(if you have already extended your site for the Extranet zone)

Last step: restart IIS and open your URL; you will see the login page with the Forms and Windows authentication options.


You can create users using the ASP.NET configuration tool or by creating a custom create-users page.

Log in with Windows authentication > go to People and Groups > here you can add forms users, as shown in the post below.


SharePoint 2010: hide "go back to site" link



<asp:Content ID="Main" ContentPlaceHolderID="PlaceHolderMain" runat="server">

<style type="text/css">
    #s4-simple-gobackcont
    {
        display:none !important;
    }
</style>

</asp:Content>


Wednesday, June 27, 2012

SharePoint 2010 UAG : FormLoginDataDefinitions.xml and FormLoginCustom.xml


I followed the blog below to configure single sign-on in SharePoint.
http://microsoft-iag.blogspot.com/2010/10/uagenable-sso-by-passing-user.html

Andy provided only screenshots in his blog, which people cannot copy easily, so I am providing the code here for easy copying.

FormLoginDataDefinitions.xml

  <SCRIPT name="SharepointFBA">
    <!-- Possible value javascript or vbscript; if javascript, the tag could be omitted -->
    <LANGUAGE>javascript</LANGUAGE>
    <!-- Possible value cdata or base64; if javascript, the tag could be omitted -->
    <!-- Notice that searching for the element to submit is done by id, which by convention is separated by underscores instead of dollar signs -->
    <BODY encoding="cdata">
      <![CDATA[
        // Submit the SharePoint FBA sign-in form once UAG has filled in the credentials.
        function FormLoginSubmit()
        {
            var formsCol = document.forms;
            if (formsCol.length == 1)
            {
                try {
                    // The control id uses "_" where the control name uses "$"
                    var submitbtn = document.getElementById('ctl00_PlaceHolderMain_signInControl_login');
                    if (submitbtn)
                        submitbtn.click();
                } catch (e) {}
            }
            return false;
        }
      ]]>
    </BODY>
  </SCRIPT>


FormLoginCustom.xml

<WHLFILTFORMLOGIN ver="1.0">
  <!-- app_id added by configurator, don't edit -->
  <APPLICATION>
    <APPLICATION_TYPE>SharepointFBA</APPLICATION_TYPE>

    <!-- USAGE section is mandatory. "description=" could be "change_password" or "form_login" -->
    <USAGE description="form_login">

      <PRIMARY_HOST_URL><![CDATA[/_forms/default.aspx.*]]></PRIMARY_HOST_URL>

      <SCRIPT_NAME source="data_definition">SharepointFBA</SCRIPT_NAME>

      <!-- USER_AGENT could be of any type defined in FormLoginDataDefinitions.xml.  any, ie, netscape are used for back compatibility -->
      <USER_AGENT>
        <!-- AGENT_TYPE could be of any type defined in FormLoginDataDefinitions.xml -->
        <!-- "search=group" indicates all the values in the tag USER_AGENT_GROUP from FormLoginDataDefinitions.xml -->
        <AGENT_TYPE search="group">all_supported</AGENT_TYPE>
        <!-- POLICY should be "multiplatform" or "limited" -->
        <!-- use "limited" if only "change_password" takes place -->
        <POLICY>multiplatform</POLICY>
        <!-- the name of the function to be injected into the form. Not recommended for customization -->
        <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
      </USER_AGENT>

      <LOGIN_FORM>
        <!-- one of NAME or ID could be used. Value could be blank if no form search required -->
        <NAME>aspnetForm</NAME>
        <!-- METHOD could be POST or GET -->
        <METHOD>POST</METHOD>
        <!-- CONTROL handling could be "dummy_value", "app_default", "real_value", "conf_default", "user_input" -->
        <CONTROL handling="dummy_value">
          <!-- TYPE could only be USER_NAME, PASSWORD, DOMAIN, DOMAIN_USER, USER_PROVIDED, NEW_PASSWORD -->
          <TYPE>USER_NAME</TYPE>
          <NAME>ctl00$PlaceHolderMain$signInControl$UserName</NAME>
          <DEF_VALUE>siteusr</DEF_VALUE>
        </CONTROL>
        <CONTROL handling="dummy_value">
          <TYPE>PASSWORD</TYPE>
          <NAME>ctl00$PlaceHolderMain$signInControl$password</NAME>
          <DEF_VALUE>sitepass</DEF_VALUE>
        </CONTROL>
      </LOGIN_FORM>

    </USAGE>
  </APPLICATION>
</WHLFILTFORMLOGIN>

SharePoint 2010 FBA with UAG SSO


We are working on an Extranet site which is published through UAG. We followed the blog below to configure single sign-on in SharePoint:

http://microsoft-iag.blogspot.com/2010/10/uagenable-sso-by-passing-user.html

Users are able to see the SharePoint FBA site when they log in through UAG (from outside the network) with forms authentication.
Here we have a problem: it is showing the Windows/Forms authentication selection screen (as shown in the picture below).

When the user selects "Forms Authentication" from the dropdown it goes to the home page without asking for credentials, which is as expected; it should not ask.

For this I have implemented JavaScript code (in the sign-in page) to redirect to the home page automatically without the user selecting anything from the dropdown.



C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IDENTITYMODEL\LOGIN


<asp:Content ContentPlaceHolderId="PlaceHolderMain" runat="server">

<script type="text/javascript">

    // Rename the two authentication entries of the logon selector (1 = Windows, 2 = Forms)
    // and pre-select the Forms entry so external users are not asked to choose.
    function changeDropdownValues() {
        var ddlLogin = document.getElementById("<%=ClaimsLogonSelector.ClientID %>");
        // "text" is the standard option property; innerText is not supported by every browser
        ddlLogin.options[1].text = "Internal Employees";
        ddlLogin.options[2].text = "External Partners";
        ddlLogin.options[2].selected = true;
    }

    _spBodyOnLoadFunctionNames.push("changeDropdownValues");

</script>

<!-- The original page message is kept (hidden) so its control id still exists; the visible copy is below -->
<div id="div1" style="display:none">
<SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="ClaimsLogonPageMessage" text="Select the credentials you want to use to logon to Extranet site" />
</div>

<SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="ClaimsLogonPageMessage1" text="Select the credentials you want to use to logon to Extranet site" />
<br />
<br />

<SharepointIdentity:LogonSelector ID="ClaimsLogonSelector" runat="server" />

<br />
<br />

<SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="Message1" Text="Note: Employees please select Windows Authentication." />
<br />
<SharePoint:EncodedLiteral runat="server" EncodeMethod="HtmlEncode" Id="Message2" Text="All other users please select Forms Authentication." />
</asp:Content>
