CHAPTER 9: Claims-Based Authentication

Configuring Forms-Based Authentication

Using the following instructions, you will enable FBA for your existing claims-enabled website so that both Windows Integrated authentication and FBA are in use.

Enable FBA

Follow these steps to enable FBA:

1. Navigate to the Web Applications Management page, select your claims-enabled web application and click the Authentication Providers button in the Ribbon.

2. Click the Default link in the Authentication Providers dialog window. Scroll down in the Edit Authentication dialog until you reach the Claims Authentication Types section. Enable FBA and add names for the ASP.NET membership provider and the role manager. You can choose your own names or use SQLMembershipProvider and SQLRoleManager. Click Save when you are done and close the Authentication Providers dialog. Remember the names that you have chosen because you will need to refer to them in the web.config file. Also, keep in mind that these names are case sensitive.

Install and Configure the SQL Server Database

The next step is to create and configure a SQL Server database that will be used for FBA:

1. Open Windows Explorer and navigate to C:\Windows\Microsoft.NET\Framework64\v2.0.50727. Locate the aspnet_regsql.exe application and execute it. This opens the ASP.NET SQL Server Setup wizard, shown in Figure 9-10. Click the Next button.

Figure 9-10

2. On the Select a Setup Option dialog, shown in Figure 9-11, select the Configure SQL Server for application services option. This should be the default option. Then click the Next button.

Figure 9-11

3. In the Select the Server and Database dialog, shown in Figure 9-12, enter the name of the SQL Server. This box should be populated automatically; if not, enter the proper value for your installation. Use Windows Authentication and accept the default name for the database, which is aspnetdb. Click Next.
Figure 9-12

4. Verify that your settings are correct on the Confirm Your Settings page and click the Next button. Once the database has been created, you should receive confirmation, as shown in Figure 9-13. Click the Finish button.

Figure 9-13

5. Open SQL Server Management Studio and confirm that the aspnetdb database has been created.

6. Now you can populate the SQL Server database with user information using an application on CodePlex called MembershipSeeder (http://cks.codeplex.com/releases/view/7450#DownloadId=19598). You can proceed with the configuration without using the MembershipSeeder application, but you will then have to add users to the aspnetdb tables manually. This completes the database installation.

Configure the Membership and Role Manager

The next set of steps configures the membership and role manager, which requires modifying three different web.config files: the one for the web application, the one for the Central Administration website, and the one for the STS:

1. Open IIS Manager by typing INETMGR at a command prompt. Locate the claims-enabled website and select it. Click the Explore option in the Actions section on the right-hand side of the page.

2. Locate the web.config file in the directory. Make a copy of the original file and store the copy in the same location as the original. When you make a copy, Windows automatically assigns it a different name from the original.

You should never modify any original SharePoint files without first making a copy. If for whatever reason you make a mistake or things don't work correctly, you can always go back to the original configuration using the copy.

3. Open the original web.config file in a text editor of your choice and locate the </SharePoint> element. It should appear immediately before the <system.web> element.

4. Add the following XML to the web.config file between the </SharePoint> and <system.web> elements.
This information enables the connectivity to the SQL Server database aspnetdb. The code in these instructions is available for download on this book's website at Wrox.com.

    <connectionStrings>
      <add name="SQLConnectionString"
           connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>

Code file Chapter09_code.txt

5. The next step is to add the membership provider and the role manager configuration information. Locate the <membership defaultProvider="i"> element and add the following information to its <providers> element:

    <add connectionStringName="SQLConnectionString"
         passwordAttemptWindow="5"
         enablePasswordRetrieval="false"
         enablePasswordReset="false"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         description="Stores and retrieves membership data from SQL Server"
         name="SQLMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

6. Locate the <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"> element, insert the following text into its <providers> element, and then save and close the web.config file:

    <add connectionStringName="SQLConnectionString"
         applicationName="/"
         description="Stores and retrieves roles from SQL Server"
         name="SQLRoleManager"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

7. To modify the web.config file of the Central Administration web application, add the connection string information to the web.config file for the Central Administration website just as you did in steps 1–4:

    <connectionStrings>
      <add name="SQLConnectionString"
           connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>

8.
Locate the <system.web> element and add the following information:

    <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add connectionStringName="SQLConnectionString"
             applicationName="/"
             description="Stores and retrieves roles from SQL Server"
             name="SQLRoleManager"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

9. Insert the following code immediately after the <roleManager> code entered in step 8, and then save and close the web.config file:

    <membership defaultProvider="SQLMembershipProvider">
      <providers>
        <add connectionStringName="SQLConnectionString"
             passwordAttemptWindow="5"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="true"
             applicationName="/"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             description="Stores and retrieves membership data from SQL Server"
             name="SQLMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

10. The final web.config file to be modified is the STS web.config file. Expand the SharePoint Web Services website in IIS Manager and select the SecurityTokenServiceApplication site.

11. Locate the web.config file and make a copy as you did previously.

12.
Insert the following code into the web.config file before the </configuration> element, and then save and close the web.config file:

    <connectionStrings>
      <add name="SQLConnectionString"
           connectionString="data source=SQL;Integrated Security=SSPI;Initial Catalog=aspnetdb" />
    </connectionStrings>
    <system.web>
      <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
        <providers>
          <add name="c"
               type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
          <add connectionStringName="SQLConnectionString"
               applicationName="/"
               description="Stores and retrieves roles from SQL Server"
               name="SQLRoleManager"
               type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </roleManager>
      <membership defaultProvider="i">
        <providers>
          <add name="i"
               type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
          <add connectionStringName="SQLConnectionString"
               passwordAttemptWindow="5"
               enablePasswordRetrieval="false"
               enablePasswordReset="false"
               requiresQuestionAndAnswer="true"
               applicationName="/"
               requiresUniqueEmail="true"
               passwordFormat="Hashed"
               description="Stores and retrieves membership data from SQL Server"
               name="SQLMembershipProvider"
               type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </membership>
    </system.web>

13. The final steps in the process involve assigning permissions for users in the SQL Server database. First, navigate to the Manage Web Applications page in Central Administration.

14. Select your claims-enabled web application and click the User Policy button in the Ribbon.
You should see the Policy for Web Application dialog, shown in Figure 9-14.

Figure 9-14

15. Click the Add Users link, which reveals the Add Users dialog. Choose the Default zone in the Zones drop-down menu, and then click the Next button.

16. On the Add Users dialog, add the administrator account and assign Full Control, as shown in Figure 9-15. Click Finish, and then click OK to close the Policy for Web Application dialog.

Figure 9-15

17. It's time to test the application. Navigate to your top-level site in your claims-enabled web application. An example is shown in Figure 9-16.

Figure 9-16

18. If you enabled anonymous access, you should see the Sign In link at the upper-right side of the page. Click the Sign In link to display the Sign In dialog, shown in Figure 9-17.

Figure 9-17

19. You need to choose which authentication method to use, because the website has two different methods configured. Choose Windows Authentication to sign in to the application.

20. Finally, log out of the application so that you can sign in again using FBA. The MembershipSeeder tool was used to add a user to the database for testing purposes. If you populated aspnetdb with user information, you can proceed to test the login.

21. Click the Sign In link and choose the Forms Authentication option to log in. You should be prompted with the Sign In dialog shown in Figure 9-18.

Figure 9-18

22. Enter the username and password for the user and click the Sign In button. You should be directed to your top-level site once authenticated.

At this point, you have successfully configured a web application with two different methods of authentication. For those SharePoint 2007 websites that were FBA-enabled, you will have to convert them to using CBA using the steps outlined in the exercise after you upgrade them to SharePoint 2010.
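The exercise above relies on two details that are easy to get wrong by hand: every web.config must be copied before it is edited, and the provider names in the three files must match the names entered in Central Administration exactly, including case. The following PowerShell script is an added example (not code from the book or from SharePoint) that makes a timestamped backup of each file and then checks that the connection string, membership provider and role provider it contains are consistent; the file paths and the provider names are assumptions that you replace with your own.

```powershell
# Added example, not code from the book: back up each web.config before it is
# edited, then check that the FBA entries in it match the provider names chosen
# in Central Administration. Names are compared case-sensitively (-ceq), because
# SharePoint matches them that way. Paths and names below are assumptions.
param(
    [string[]]$ConfigPaths = @(
        'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',           # claims web application (assumed)
        'C:\inetpub\wwwroot\wss\VirtualDirectories\<CA-PORT>\web.config',    # Central Administration (placeholder port)
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'  # STS (assumed)
    ),
    [string]$MembershipName = 'SQLMembershipProvider',
    [string]$RoleName       = 'SQLRoleManager',
    [string]$ConnName       = 'SQLConnectionString'
)

function Backup-WebConfig([string]$Path) {
    # Timestamped copy beside the original, so the original can always be restored.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup
    return $backup
}

function Test-FbaConfig([string]$Path, [string]$Membership, [string]$Role, [string]$Conn) {
    # Returns a list of problems; an empty list means the file is consistent.
    [xml]$cfg = Get-Content -LiteralPath $Path
    $problems = @()
    $web = $cfg.configuration.'system.web'
    $cs = @($cfg.configuration.connectionStrings.add) | Where-Object { $_ -and $_.GetAttribute('name') -ceq $Conn }
    if (-not $cs) { $problems += "connection string '$Conn' not found (exact case required)" }
    $m = @($web.membership.providers.add) | Where-Object { $_ -and $_.GetAttribute('name') -ceq $Membership }
    if (-not $m) { $problems += "membership provider '$Membership' not found (exact case required)" }
    elseif ($m.GetAttribute('connectionStringName') -cne $Conn) { $problems += "membership provider uses connection string '$($m.GetAttribute('connectionStringName'))'" }
    elseif ($m.GetAttribute('passwordFormat') -ne 'Hashed') { $problems += "passwordFormat is '$($m.GetAttribute('passwordFormat'))', expected Hashed" }
    $r = @($web.roleManager.providers.add) | Where-Object { $_ -and $_.GetAttribute('name') -ceq $Role }
    if (-not $r) { $problems += "role provider '$Role' not found (exact case required)" }
    elseif ($r.GetAttribute('connectionStringName') -cne $Conn) { $problems += "role provider uses connection string '$($r.GetAttribute('connectionStringName'))'" }
    return $problems
}

foreach ($p in $ConfigPaths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Warning "$p not found, skipping"; continue }
    Write-Host $p
    Write-Host ('  backup: ' + (Backup-WebConfig $p))
    $issues = @(Test-FbaConfig $p $MembershipName $RoleName $ConnName)
    if ($issues.Count -eq 0) { Write-Host '  OK: providers and connection string are consistent' }
    else { $issues | ForEach-Object { Write-Host "  PROBLEM: $_" } }
}
```

Run it once after editing all three files; a PROBLEM line for the STS file is the usual cause of the Forms Authentication option failing at step 21 while Windows Authentication still works.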
SUMMARY

Claims-based authentication is a new and powerful addition to SharePoint. It provides the capability to unify the authentication process and deliver single sign-on across applications in the enterprise, as well as between organizations and in the cloud. Because it is based on open standards and protocols, it is not Microsoft-centric. As a SharePoint administrator, you will discover that CBA provides capabilities that previously did not exist.