DevIT

The configuration is the same for all versions of SharePoint (the paths below are those of SharePoint 2010, whose hive folder is 14).

What are the differences between Classic Mode Authentication and Claims Based Authentication?

Classic Mode Authentication: This is integrated Windows authentication. You cannot configure forms-based authentication on a web application that uses Classic Mode Authentication. You can convert a web application from Classic Mode Authentication to Claims Based Authentication, but only with PowerShell (there is no Central Administration option), and the conversion is irreversible, so take a farm backup first.

Claims Based Authentication: SharePoint 2010 is built on Windows Identity Foundation. It accepts identities from Windows as well as non-Windows systems, and it allows several authentication providers (for example Windows and forms) on a single URL, i.e. on one zone of the web application.

   View configuration screencasts

Steps: 

  1. Create or Convert existing web applications to use Claims Based Authentication
  2. Configure the Membership Provider and Role Manager
    • On SharePoint 2010 server open the command prompt
    • Navigate to C:\Windows\Microsoft.NET\Framework64\v2.0.50727
    • Run “aspnet_regsql.exe”. This opens the ASP.NET SQL Server Setup Wizard; click Next.
    • Click on “Configure SQL Server for Application Services”
    • Specify the SQL Server and the database name. If you leave the database name empty the wizard creates a database called aspnetdb. The name you choose here must match the Initial Catalog of the connection string added in step 3 (FbaExtranet in the examples on this page).
  3. Modify web.config files
    Three different web.config files must be modified for FBA to work: the web.config of the FBA web application, the web.config of the Central Administration site and the web.config of the STS. All three must reference the same database and use the same provider names, because the STS validates the credentials, the web application authorises the user and Central Administration resolves users in the People Picker:
    • Web Application - C:\inetpub\wwwroot\wss\VirtualDirectories\[PORT]\web.config
    • Central Administration - C:\inetpub\wwwroot\wss\VirtualDirectories\[PORT]\web.config
    • STS (Security Token Service) - C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config

      Add following elements to all three web.config files:
    • Add connection string, this tag is located at configuration/connectionStrings:
      <connectionStrings>      
          <add name="FbaExtranet"    
              connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=FbaExtranet"/>   
      </connectionStrings>
      
      In the web application and Central Administration files the connection string goes after </SharePoint> and before <system.web>.
      The STS web.config does not contain a <SharePoint> element, so there you can place it anywhere directly under <configuration> (check first whether a <connectionStrings> element already exists and, if so, add only the <add> entry to it).
      Integrated Security=SSPI keeps the SQL password out of web.config, but it means the connection runs as the application pool identity of each of the three applications (the FBA web application, Central Administration and the Security Token Service). Grant each of those accounts the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles that aspnet_regsql created in the FbaExtranet database; otherwise the STS cannot validate forms logons.
       
    • Add the Membership Provider (configuration/system.web/membership) and the Role Manager (configuration/system.web/roleManager). The name attributes must match the membership and role provider names registered for the zone of the web application, and connectionStringName must match the connection string added above. If the file already contains <membership> and <roleManager> elements (a SharePoint 2010 claims web application ships with defaultProvider="i" and defaultProvider="c"), keep those existing defaultProvider values and only add the two <add> entries under <providers>, as the per-file fragments further down show:
      <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" enabled="true" cacheRolesInCookie="false">
          <providers>
              <add name="FbaRoleManager" connectionStringName="FbaExtranet" applicationName="/"
                  type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
          </providers>
      </roleManager>
      
      <membership defaultProvider="FbaMembershipProvider">
          <providers>
              <add name="FbaMembershipProvider" connectionStringName="FbaExtranet"
                  passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="true"
                  requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true"
                  passwordFormat="Hashed"
                  type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
          </providers>
      </membership>
      
    • People Picker Wildcards
      The PeoplePickerWildcards section tells SharePoint which wildcard character to use for partial-match searches when it queries a provider for account names. The SQL wildcard character is '%', while the Active Directory wildcard character is '*'. The key must be exactly the name of the membership provider; if it does not match, the People Picker only finds exact names. This tag is located at configuration/SharePoint/PeoplePickerWildcards and is not needed in the STS web.config.
      <PeoplePickerWildcards>
          <clear />
          <add key="FbaMembershipProvider" value="%" />
      </PeoplePickerWildcards>
      
    • Content Web Application
      <configuration>
        <SharePoint>
          <PeoplePickerWildcards>
            <add key="FbaMembershipProvider" value="%" />
          </PeoplePickerWildcards>
        </SharePoint>
        <system.web>
          <membership>
            <providers>
              <add name="FbaMembershipProvider" connectionStringName="FbaExtranet"
                   passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="true"
                   requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"
                   type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </membership>
          <roleManager>
            <providers>
              <add name="FbaRoleManager" connectionStringName="FbaExtranet" applicationName="/"
                   type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </roleManager>
        </system.web>
        <connectionStrings>
          <add name="FbaExtranet" connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=FbaExtranet" />
        </connectionStrings>
      </configuration>
                             
      
    • Central Administration
      <configuration>
        <SharePoint>
          <PeoplePickerWildcards>
            <add key="FbaMembershipProvider" value="%" />
          </PeoplePickerWildcards>
        </SharePoint>
        <system.web>
          <membership>
            <providers>
              <add name="FbaMembershipProvider" connectionStringName="FbaExtranet"            
                   passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="true"            
                   requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"            
                   type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </membership>
          <roleManager>
            <providers>
              <add name="FbaRoleManager" connectionStringName="FbaExtranet" applicationName="/"
                   type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </roleManager>
        </system.web>
        <connectionStrings>
          <add name="FbaExtranet" connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=FbaExtranet" />
        </connectionStrings>
      </configuration>
                             
      
    • STS (Security Token Service)
      <configuration>
        <connectionStrings>
          <add name="FbaExtranet" connectionString="data source=SQLServer;Integrated Security=SSPI;Initial Catalog=FbaExtranet" />
        </connectionStrings>
        <system.web>
          <membership>
            <providers>
              <add name="FbaMembershipProvider" connectionStringName="FbaExtranet"
                   passwordAttemptWindow="5" enablePasswordRetrieval="false" enablePasswordReset="true"
                   requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true" passwordFormat="Hashed"
                   type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </membership>
          <roleManager>
            <providers>
              <add name="FbaRoleManager" connectionStringName="FbaExtranet" applicationName="/"
                   type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
          </roleManager>
        </system.web>
      </configuration>
                             
      
    • Download all web.config diff files
  4. Configure the Custom Sign-In Page
    Skip this step if you have not yet created any users in the database; it can be done at any later time.
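The steps above as one script, and the PowerShell-only conversion mentioned in the Classic/Claims comparison. This is an added example for this page, not code from DevIT or from the FBA Suite product. It provisions the ASP.NET membership and role schema with aspnet_regsql's command-line switches instead of the wizard, then either creates a new claims web application with Windows and forms providers on the Default zone, or (with -ConvertExisting) converts an existing classic-mode web application and adds the forms provider to it. The URL, application pool name, managed account and SQL Server name are placeholders; the provider and database names are the ones used in the web.config fragments above.

```powershell
# Added example (not part of the DevIT page or the FBA Suite product).
# Run in the SharePoint 2010 Management Shell (PowerShell 2.0) as a farm administrator.
param([switch]$ConvertExisting)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$sqlServer   = 'SQLServer'                    # assumed; equals "data source=" in the connection string
$dbName      = 'FbaExtranet'                  # must equal Initial Catalog in the connection string
$webAppUrl   = 'https://extranet.contoso.com' # assumed
$appPoolName = 'FbaExtranetAppPool'           # assumed
$appPoolAcct = 'CONTOSO\sp_extranet'          # assumed, already registered as a managed account

# --- Step 2 without the wizard: create the membership (m) and role (r) schema ---
# -E uses the current Windows identity, so no SQL password is typed or stored.
$regsql = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe'
& $regsql -S $sqlServer -E -d $dbName -A mr
if ($LASTEXITCODE -ne 0) { throw "aspnet_regsql.exe failed with exit code $LASTEXITCODE" }

# Provider names must match the name="" attributes added to the three web.config files.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'FbaMembershipProvider' `
                                    -ASPNETRoleProviderName 'FbaRoleManager'
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

function New-FbaWebApplication {
    # --- Step 1 (new web application): claims mode with Windows and forms on the Default zone ---
    New-SPWebApplication -Name 'FBA Extranet' -Url $webAppUrl -Port 443 -SecureSocketsLayer `
        -ApplicationPool $appPoolName `
        -ApplicationPoolAccount (Get-SPManagedAccount $appPoolAcct) `
        -AuthenticationProvider $win, $fba
}

function Convert-ToClaims {
    # --- Step 1 (existing web application): classic -> claims. Irreversible; back up the farm first. ---
    param([string]$Url)
    $wa = Get-SPWebApplication -Identity $Url
    if ($wa.UseClaimsAuthentication) {
        Write-Host "$Url already uses claims authentication"
    } else {
        $wa.UseClaimsAuthentication = $true
        $wa.Update()
        # Rewrites existing Windows accounts in the content databases to claims identities
        # (i:0#.w|DOMAIN\user); without this, existing users lose their permissions.
        $wa.MigrateUsers($true)
        $wa.ProvisionGlobally()
    }
    # Enable forms authentication next to Windows on the Default zone.
    Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $win, $fba
}

if ($ConvertExisting) { Convert-ToClaims -Url $webAppUrl } else { New-FbaWebApplication }
```

After the script completes, the provider names passed to New-SPAuthenticationProvider are what SharePoint looks up in web.config, so the membership and roleManager entries in step 3 must use exactly FbaMembershipProvider and FbaRoleManager (or whatever names you chose here).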

Recommendations

Required values for the Membership Provider:

  • enablePasswordRetrieval="false" - Whether users can retrieve their current password. It must be false when passwordFormat is Hashed: SqlMembershipProvider throws a ProviderException at start-up if retrieval is enabled on a hashed store, because a hash cannot be turned back into the password. Retrieval is only possible with Encrypted or Clear passwords; the configuration above uses false.
  • enablePasswordReset="true" - Whether users can reset their password (replace it with a new one without knowing the old one).
  • requiresQuestionAndAnswer="false" - Whether the user must answer a password question before a password reset or retrieval.
  • passwordFormat="Hashed" - Passwords are stored as a salted one-way hash (SHA1 by default) and cannot be recovered from the database.
  • maxInvalidPasswordAttempts="5" - Number of invalid password or password-answer attempts, within passwordAttemptWindow, before the account is locked out.
  • minRequiredPasswordLength="4" - Minimum password length. Four characters is a very low floor; raise it for an internet-facing extranet.
  • minRequiredNonalphanumericCharacters="0" - Minimum number of special characters a valid password must contain.

 If you set passwordFormat to Encrypted, the <machineKey> element (validationKey and decryptionKey) must be identical in the following three web.config files and on every web front end in the farm, otherwise the STS cannot decrypt passwords that the web application stored. Note that Encrypted passwords are recoverable by anyone who obtains the machineKey, so prefer Hashed unless the solution must retrieve passwords:

  • Web Application - C:\inetpub\wwwroot\wss\VirtualDirectories\[PORT]\web.config
  • Central Administration - C:\inetpub\wwwroot\wss\VirtualDirectories\[PORT]\web.config
  • STS (Security Token Service) - C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config
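A check to run after editing the three files, written for this page as an added example (not part of the DevIT page or the FBA Suite product). It loads the three web.config files as XML and reports the mistakes the sections above warn about: a missing or differing connection string, a connection string carrying a SQL password instead of Integrated Security, a missing provider entry, enablePasswordRetrieval="true" combined with passwordFormat="Hashed", a PeoplePickerWildcards key that does not equal the membership provider name, and differing <machineKey> values when passwordFormat is Encrypted. The ports (80 for the web application, 22222 for Central Administration) are assumptions; edit them to match your farm.

```powershell
# Added example (not part of the DevIT page or the FBA Suite product).
# PowerShell 2.0 compatible; run on a SharePoint 2010 web front end.
$provider = 'FbaMembershipProvider'   # names used in the fragments above
$roleProv = 'FbaRoleManager'
$connName = 'FbaExtranet'
$configs  = @{
    'WebApp' = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'     # assumed port
    'CA'     = 'C:\inetpub\wwwroot\wss\VirtualDirectories\22222\web.config'  # assumed port
    'STS'    = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config'
}

$problems    = @()
$machineKeys = @{}
$formats     = @()

foreach ($site in $configs.Keys) {
    $path = $configs[$site]
    if (-not (Test-Path -LiteralPath $path)) { $problems += "$site : $path not found"; continue }
    [xml]$xml = Get-Content -LiteralPath $path

    # Connection string present, and no SQL password sitting in the file.
    $cs = $xml.SelectSingleNode("/configuration/connectionStrings/add[@name='$connName']")
    if ($cs -eq $null) {
        $problems += "$site : connectionStrings/add name='$connName' missing"
    } elseif ($cs.GetAttribute('connectionString') -notmatch 'Integrated Security=SSPI') {
        $problems += "$site : connection string '$connName' does not use Integrated Security=SSPI"
    }

    # Membership provider, and the attribute combinations SqlMembershipProvider rejects or that are unsafe.
    $m = $xml.SelectSingleNode("/configuration/system.web/membership/providers/add[@name='$provider']")
    if ($m -eq $null) {
        $problems += "$site : membership provider '$provider' missing"
    } else {
        $fmt = $m.GetAttribute('passwordFormat')
        $formats += "$site=$fmt"
        if ($m.GetAttribute('connectionStringName') -ne $connName) {
            $problems += "$site : membership provider uses connectionStringName '$($m.GetAttribute('connectionStringName'))', expected '$connName'"
        }
        if ($fmt -eq 'Hashed' -and $m.GetAttribute('enablePasswordRetrieval') -eq 'true') {
            $problems += "$site : enablePasswordRetrieval=true with passwordFormat=Hashed; the provider throws at start-up"
        }
        if ($fmt -eq 'Clear') { $problems += "$site : passwordFormat=Clear stores plaintext passwords" }
    }

    $r = $xml.SelectSingleNode("/configuration/system.web/roleManager/providers/add[@name='$roleProv']")
    if ($r -eq $null) { $problems += "$site : role provider '$roleProv' missing" }

    # The People Picker key must equal the provider name; the STS config has no <SharePoint> section.
    if ($site -ne 'STS') {
        $w = $xml.SelectSingleNode("/configuration/SharePoint/PeoplePickerWildcards/add[@key='$provider']")
        if ($w -eq $null -or $w.GetAttribute('value') -ne '%') {
            $problems += "$site : PeoplePickerWildcards entry key='$provider' value='%' missing"
        }
    }

    # machineKey only matters for passwordFormat=Encrypted, but record it for every file.
    $mk = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    if ($mk -ne $null) { $machineKeys[$site] = $mk.GetAttribute('validationKey') + '|' + $mk.GetAttribute('decryptionKey') }
    else { $machineKeys[$site] = '' }
}

$distinctFormats = @($formats | ForEach-Object { $_.Split('=')[1] } | Sort-Object -Unique)
if ($distinctFormats.Count -gt 1) { $problems += "passwordFormat differs between files: $($formats -join ', ')" }
if (($formats -match '=Encrypted') -and (@($machineKeys.Values | Sort-Object -Unique).Count -gt 1)) {
    $problems += 'passwordFormat=Encrypted but <machineKey> differs between the three files'
}

if ($problems.Count -eq 0) { Write-Host 'FBA web.config files are consistent' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The script only reads the files, so it is safe to run on a production front end; run it on every server in the farm, since each keeps its own copy of the three files.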

Anonymous Access

Our solution also supports an anonymous mode, in which sites are published to the internet without requiring a logon (blogs, corporate websites, forums, helpdesk, etc.).

To configure anonymous mode, click here.