While developing a recent SharePoint 2010 web application it became apparent that there would be two different user groups: users with existing Windows accounts, and external users who have none. Time to configure claims-based authentication, with an ASP.NET SQL membership provider (forms-based authentication) for the external users alongside Windows authentication.
ASP.NET Membership Database
Run the following from an elevated command prompt to launch the ASP.NET SQL Server Setup Wizard; it creates the membership and role tables (and the aspnet_* database roles) in the database you pick:
cd %WinDir%\Microsoft.NET\Framework\v2.0.50727
aspnet_regsql.exe
Web Configuration
In order to configure claims-based authentication with the SQL providers you need to make changes to three web.config files:
- Web Application
- SharePoint Central Administration v4
- Security Token Service
The web.config file for the Security Token Service can be found at:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken
The other two are the web.config files of the web application's and Central Administration's IIS sites (the path is shown on each site in IIS Manager).
Web Application : Web Config
Role Manager
<roleManager enabled="true" defaultProvider="c">
<providers>
<clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="aspmembershipConn" applicationName="/" name="ClaimsBasedRoleManagerName" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Membership
<membership defaultProvider="i">
<providers>
<clear />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="ClaimsBasedMembershipProviderName" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="aspmembershipConn" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" />
</providers>
</membership>
Connection String
<connectionStrings>
<clear />
<add name="aspmembershipConn" connectionString="Data Source=servername;Integrated Security=SSPI;Initial Catalog=databasename;" />
</connectionStrings>
Add <clear /> tags to the connection strings, membership and role providers or you may get conflicts with the providers inherited from machine.config. Keep defaultProvider="i" on membership and defaultProvider="c" on roleManager: SharePoint's own claims providers must stay the defaults, and the SQL providers are only ever referenced by name. The System.Web assembly version is 2.0.0.0 in every entry (SharePoint 2010 runs on the .NET 2.0 CLR); a typo here stops the provider loading. passwordFormat="Hashed" stores salted hashes rather than passwords, and it requires enablePasswordRetrieval="false": the provider refuses to start if you ask it to retrieve a hashed password.
Central Administration : Web Config
<roleManager>
<providers>
<add name="ClaimsBasedRoleManagerName" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="aspmembershipConn" />
</providers>
</roleManager>
<membership>
<providers>
<add name="ClaimsBasedMembershipProviderName" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="aspmembershipConn" passwordFormat="Hashed" />
</providers>
</membership>
Central Administration only needs the providers registered (the people picker resolves SQL users through them); do not add <clear /> here or change its defaultProvider attributes, as Central Administration stays on Windows authentication. Keep whatever attributes the existing roleManager and membership elements already carry.
Security Token Service : Web Config
<roleManager enabled="true" defaultProvider="c">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="aspmembershipConn" applicationName="/" name="ClaimsBasedRoleManagerName" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="ClaimsBasedMembershipProviderName" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="aspmembershipConn" enablePasswordReset="true" enablePasswordRetrieval="false" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" />
</providers>
</membership>
The Security Token Service is what actually validates the credentials at sign-in, so its SqlMembershipProvider entry must be identical to the one in the web application (same name, same passwordFormat, same requiresQuestionAndAnswer setting); the same connection string block as above goes into this file too.
After you have configured the web.config files, remember to grant database access to the account of every application pool that now references the membership database: the web application's pool, the Central Administration pool and the Security Token Service pool. aspnet_regsql creates database roles for exactly this, aspnet_Membership_FullAccess and aspnet_Roles_FullAccess, which are sufficient; db_owner is not needed. Because the connection string uses Integrated Security=SSPI, the pool identity is the only credential involved and nothing sensitive lands in web.config. web.config edits are per server, so repeat them on every web front end (and the Security Token Service change on every server in the farm); the database grants are made once.
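The PowerShell below is an added example, not from the original post, that scripts the whole procedure above on a SharePoint 2010 server: it runs aspnet_regsql non-interactively, adds the connection string and the two SQL providers to the three web.config files idempotently (taking a backup first and leaving SharePoint's own i and c providers and the defaultProvider attributes untouched), and grants the three application pool identities only the aspnet_* roles. The server name, database name and web application URL are placeholders; it also assumes sqlcmd.exe is on the PATH and that the Security Token Service runs in the IIS pool named SecurityTokenServiceApplicationPool, which is its name in a default SharePoint 2010 install.

```powershell
# Added example (not from the original post). Assumptions are marked in comments.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$SqlServer  = 'servername'       # assumption: membership database server
$Database   = 'databasename'     # assumption: database created by aspnet_regsql below
$WebAppUrl  = 'http://extranet'  # assumption: the claims-enabled web application
$ConnName   = 'aspmembershipConn'
$MemberName = 'ClaimsBasedMembershipProviderName'
$RoleName   = 'ClaimsBasedRoleManagerName'
$SystemWeb  = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

# 1. What the wizard does, non-interactively: -A mr adds the membership and role schema, -E uses Windows auth.
& "$env:WinDir\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe" -S $SqlServer -E -d $Database -A mr

# 2. Add connection string and SQL providers to one web.config; re-running is harmless.
function Add-FbaProviders {
    param([string]$WebConfigPath, [switch]$ClearProviders)

    Copy-Item $WebConfigPath "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfigPath)

    $ensure = {   # child element $name of $parent, created when absent
        param($parent, $name)
        $node = $parent.SelectSingleNode($name)
        if ($null -eq $node) { $node = $parent.AppendChild($xml.CreateElement($name)) }
        $node
    }
    $addEntry = { # <add .../> with the given attributes, unless an entry of that name already exists
        param($parent, [hashtable]$attrs)
        if ($null -ne $parent.SelectSingleNode("add[@name='$($attrs.name)']")) { return }
        $el = $xml.CreateElement('add')
        foreach ($k in $attrs.Keys) { $el.SetAttribute($k, $attrs[$k]) }
        $parent.AppendChild($el) | Out-Null
    }

    $root = $xml.DocumentElement
    $conn = @{ name = $ConnName; connectionString = "Data Source=$SqlServer;Integrated Security=SSPI;Initial Catalog=$Database;" }
    & $addEntry (& $ensure $root 'connectionStrings') $conn

    $sections = @{
        membership  = @{ name = $MemberName; type = "System.Web.Security.SqlMembershipProvider, $SystemWeb"
                         applicationName = '/'; connectionStringName = $ConnName
                         enablePasswordReset = 'true'; enablePasswordRetrieval = 'false'  # retrieval must be off for Hashed
                         passwordFormat = 'Hashed'; requiresQuestionAndAnswer = 'false'; requiresUniqueEmail = 'true' }
        roleManager = @{ name = $RoleName; type = "System.Web.Security.SqlRoleProvider, $SystemWeb"
                         applicationName = '/'; connectionStringName = $ConnName }
    }
    $systemWeb = & $ensure $root 'system.web'
    foreach ($section in $sections.Keys) {
        $providers = & $ensure (& $ensure $systemWeb $section) 'providers'
        if ($ClearProviders -and $null -eq $providers.SelectSingleNode('clear')) {
            $providers.PrependChild($xml.CreateElement('clear')) | Out-Null   # avoids machine.config conflicts
        }
        & $addEntry $providers $sections[$section]
    }
    $xml.Save($WebConfigPath)
}

$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$webApp = Get-SPWebApplication $WebAppUrl
$ca     = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$webAppConfig = Join-Path $webApp.IisSettings[$zone].Path.FullName 'web.config'
$caConfig     = Join-Path $ca.IisSettings[$zone].Path.FullName 'web.config'
$stsConfig    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'

Add-FbaProviders $webAppConfig -ClearProviders
Add-FbaProviders $caConfig            # no <clear/>: Central Administration keeps its Windows defaults
Add-FbaProviders $stsConfig

# 3. Grant each pool identity that reads the database the roles aspnet_regsql created, nothing broader.
$accounts = @(
    $webApp.ApplicationPool.Username,
    $ca.ApplicationPool.Username,
    (Get-Item 'IIS:\AppPools\SecurityTokenServiceApplicationPool').processModel.userName  # assumption: default STS pool name
) | Select-Object -Unique

foreach ($acct in $accounts) {
    $sql = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$acct') CREATE LOGIN [$acct] FROM WINDOWS; " +
           "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$acct') CREATE USER [$acct] FOR LOGIN [$acct]; " +
           "EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'$acct'; " +
           "EXEC sp_addrolemember N'aspnet_Roles_FullAccess', N'$acct';"
    & sqlcmd.exe -S $SqlServer -E -d $Database -Q $sql
}
```

Run it in the SharePoint 2010 Management Shell as a farm administrator who is also a SQL sysadmin. Steps 2 and 3 are split on purpose: the web.config function has to run on every web front end (and on every server for the Security Token Service file), while the database grants only need to run once. The function never touches defaultProvider, so SharePoint's i and c claims providers stay the defaults as the post requires, and it adds <clear /> only where the post does, in the web application's file.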