Configuring Forms Based Authentication in SharePoint 2013 – Part 2 – Adding users to the Membership Database

Configuring forms based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences due to SharePoint 2013 using .Net 4.0. The web.config entries are slightly different. As well, IIS doesn’t support editing .Net 4.0 membership provider configuration through the IIS interface, so all of the configuration has to be done directly in the .config files. I’ll go through all of the steps required to set up FBA for SharePoint 2013, from start to finish. I’ve broken down the steps into 4 sections, so if you already have an existing membership database set up from a previous version of SharePoint, feel free to skip forward to Part 3.

Part 1 – Creating the Membership Database

Part 2 – Adding Users to the Membership Database

Part 3 – Editing the Web.Config Files

Part 4 –  Configuring SharePoint

Part 2 – Adding Users to the Membership Database

Now that we’ve created an empty membership database, we need to add some users to it that can be used to log in. You have a couple of options for doing this. If you’d like to do all of your user management in SharePoint, then you can install the SharePoint 2013 FBA Pack and skip to Part 3. If you’d like to be able to manage the users outside of SharePoint, and set up some initial users, then continue on to learn how to manage the FBA users with IIS.

To manage users in IIS, we’re going to create a dummy site just for managing users.  In SharePoint 2010 and earlier it was possible to edit the users directly from a SharePoint web application site, as long as the default membership provider was set to the membership provider you were going to edit. This is no longer possible, as previous versions of SharePoint ran against ASP.NET 2.0 (3.5), but SharePoint 2013 runs on ASP.NET 4.0.  IIS does not support editing users and roles for ASP.NET 4.0 applications. To get around this, we’ll create a dummy/blank ASP.NET 2.0 web site just for editing users. The asp.net 2.0 and 4.0 membership databases are exactly the same, which makes this possible.

NOTE: These directions were created on Windows 2008 R2.  On Windows 2012 they have reversed things and the .Net Users and .Net Roles options are only available for .Net 4.0 and are not available for .Net 2.0 – So on Windows 2012 please use .Net 4.0 where 2.0 is mentioned in the directions.

  • Open IIS.
  • Right click on Sites and select “Add Web Site…”
  • A configuration dialog will appear. Just give it a meaningful name, point it to an empty folder, give it a random unused port number and click OK.
  • Click on “Application Pools”. An application pool of the same name should have been created. The .Net Framework for that application pool should show as “2.0”. If it doesn’t, you’ll need to modify its settings and change it to “2.0”.
  • You’ll also have to set the identity the application pool runs as to the same account as SharePoint, so that it will have permissions to read and write to the membership database. Select the application pool and click “Advanced Settings…” in the right panel. In the dialog that comes up, click on the Identity to change it. Choose “Custom account” and enter the SharePoint service account username and password. Click OK on all of the open dialogs to close them.
  • The identity should now match the identity used for the SharePoint application pools.
  • We’re now going to create a database connection to the membership database. Select your new site and open the “Connection Strings” page from the Features view.
  • From the Connection Strings page, click “Add…” on the right side panel. On the Add Connection String dialog that appears, give it a name (I used “FBADB”), enter your server name and enter “aspnetdb” for your database name. Select “Use Windows Integrated Security” and click OK. We’ve now created the database connection.
  • We’re now going to create the membership provider that will let us edit users in the membership database. From the site Features view, click “Providers”. (If “Providers”, “.Net Users” and “.Net Roles” are missing from the Features view, then the associated application pool is configured for .Net 4.0. Go back and configure it for .Net 2.0.)
  • From the Providers page, select “.Net Users” under Feature. Click “Add…” in the right side panel. In the dialog that appears, choose “SQLMembershipProvider” for type. Give it a name. For this example I used FBAMembershipProvider_2_0. I added the _2_0 so as not to confuse it with the “FBAMembershipProvider” entry we will be creating when we set it up for SharePoint. Select the different options you want associated with your membership provider. I have some more detail on the options available in the next section when we set up the membership provider for SharePoint. One thing I must stress though is that the options you pick here MUST match the options you use when you set up the membership provider for SharePoint. If they don’t, the users you create here will not work properly. For options, I chose:

    | Option | Value |
    | --- | --- |
    | EnablePasswordReset | True |
    | EnablePasswordRetrieval | False |
    | RequiresQuestionAndAnswer | False |
    | RequiresUniqueEmail | True |
    | StorePasswordInSecureFormat | True |
    | ConnectionStringName | FBADB (this must match the database connection we set up earlier) |
    | ApplicationName | / |

    Click OK to close the dialog and create the membership provider.

  • We’re now going to add users to the membership database. Click “.Net Users” from the Features view.
  • The first thing we have to do before we can create users is configure the default membership provider. Click “Set Default Provider…” in the right side panel. When the dialog appears, choose the membership provider we just created and click OK.
  • Now that the default membership provider is selected, we’re presented with an empty .Net Users page, as there are not yet any users in the database. Click “Add…” in the right side panel to add a user.
  • From the “Add .Net User” dialog, give the user a name, email and password. In this example I’m creating an admin user that I’m going to use as the SharePoint Site Collection administrator. The password needs to be at least 7 characters long and must contain at least 1 non-alphanumeric character. Since we set RequiresQuestionAndAnswer to false when configuring the membership provider, the Question and Answer fields can be left blank. Click OK to create the user and close the dialog.
  • Now the .Net Users page lists the one user you have created. You can use this page to add and edit users in the future.
  • If you are going to use Roles in SharePoint, you can create a Role provider from the Providers page, and then use the .Net Roles page to add roles – very similar to how we added the membership provider and added users.
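
The requirement that the provider options chosen here match the ones later used for SharePoint can be checked by comparing the two provider entries in their .config files. The PowerShell below is an added example, not part of the original article: the function name Compare-MembershipProvider is hypothetical, both config fragments are constructed samples, and it assumes PowerShell 3.0 or later.

```powershell
# Constructed sample configs for illustration. On a real server load the files
# instead, for example: [xml](Get-Content 'C:\path\to\web.config')
$iisSite = [xml]@'
<configuration><system.web><membership><providers>
  <add name="FBAMembershipProvider_2_0" type="System.Web.Security.SqlMembershipProvider"
       connectionStringName="FBADB" applicationName="/"
       enablePasswordReset="true" enablePasswordRetrieval="false"
       requiresQuestionAndAnswer="false" requiresUniqueEmail="true" />
</providers></membership></system.web></configuration>
'@
$sharePoint = [xml]@'
<configuration><system.web><membership><providers>
  <add name="FBAMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
       connectionStringName="FBADB"
       enablePasswordReset="True" enablePasswordRetrieval="false"
       requiresQuestionAndAnswer="true" requiresUniqueEmail="true" />
</providers></membership></system.web></configuration>
'@

function Compare-MembershipProvider {
    param([xml]$ConfigA, [string]$NameA, [xml]$ConfigB, [string]$NameB)

    $xpath = "/configuration/system.web/membership/providers/add[@name='{0}']"
    $pathA = $xpath -f $NameA
    $pathB = $xpath -f $NameB
    $a = $ConfigA.SelectSingleNode($pathA)
    $b = $ConfigB.SelectSingleNode($pathB)
    if ($null -eq $a -or $null -eq $b) { throw 'Provider entry not found.' }

    # These attributes are expected to differ between the two entries.
    $ignore = 'name', 'type', 'connectionStringName'
    $keys = @($a.Attributes) + @($b.Attributes) |
        ForEach-Object { $_.LocalName } | Sort-Object -Unique |
        Where-Object { $ignore -notcontains $_ }

    foreach ($key in $keys) {
        # A missing attribute falls back to the provider default, so report it
        # explicitly instead of treating it as an empty string.
        $va = if ($a.HasAttribute($key)) { $a.GetAttribute($key) } else { '(not set)' }
        $vb = if ($b.HasAttribute($key)) { $b.GetAttribute($key) } else { '(not set)' }
        if ($va -ne $vb) {   # -ne ignores case, so "True" equals "true"
            [pscustomobject]@{ Attribute = $key; ConfigA = $va; ConfigB = $vb }
        }
    }
}

Compare-MembershipProvider $iisSite 'FBAMembershipProvider_2_0' $sharePoint 'FBAMembershipProvider'
```

Each row returned is an option that differs between the two entries; an empty result means the compared options agree.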

Now that we’ve added a user to our membership database, you can continue on to Part 3 to learn how to configure the membership provider for SharePoint.

28 Responses to “Configuring Forms Based Authentication in SharePoint 2013 – Part 2 – Adding users to the Membership Database”

  1. JLSF says:

    Hello

    if you follow this procedure but on windows server 2012 with IIS,
    providers for .net Users and .net Roles are not available in any case of .Net v2 or .Net v4.0

    some guide?

    Thanks

  2. SNAFU says:

    I figured out that I needed to use .NET 4.0 in order to get the Providers icon to show up, but going through the options in the Add Provider dialog, I cannot enter the connection string name that I chose earlier in the process. Any thoughts or guidance would be helpful. Thanks.

  3. SNAFU says:

    Yes, I was. I was able to finally enter the connection string, I had to delete the site and start over. But now I’m getting an error when I try to add users. The error message says that the system cannot find the file specified. I hit ok and set the default provider, but the Add link never shows up on the right. Clearly I missed something in the setup, but I followed your instructions and don’t see what it could possibly be.

    • I’m not sure – as long as the provider and db connection were successfully created, and that provider was selected as the default provider on the users page, you should be able to add users.

      One thing you might want to consider is using the FBA Pack to manage all of your FBA Users. It’s been released now for SharePoint 2013. So if you want, you can skip this step, and as long as FBA is properly configured in SharePoint (parts 3 & 4), you should be able to manage all of your users within SharePoint using the FBA Pack.

      http://sharepoint2013fba.codeplex.com/

  4. Wan says:

    Hi Chris,

    Do you have solution if we want to perform user authentication using sharepoint 2010/2013 either from AD or MS SQL? Means we can have both authentication in single form. thanks.

    • What I have seen done before is a custom login page for forms based authentication, based on the SharePoint FBA login page. They’ve then just added a “Windows Authentication” link to the page, which redirects the user to SharePoint’s windows authentication page.

  5. Felix Zhang says:

    Hi,
    I followed what you said. When I set the Application Pool to 2.0, the Providers showed, but when I clicked “Add” for both “.NET Roles” and “.NET Users”, an error occurred: “Could not load file or assembly ‘Microsoft.SharPoint,Version=15.0.0.0,Cultre=neurtal,PublicKeyToken=71e9bce111e9429c’The systeme cannot find the file specified”
    Do you know how to resolve it ?

    Thanks.

    • Are you sure you created a new blank site when you did this? I just can’t think of why a new blank site would even reference Microsoft.SharePoint in the config file (which is the only reason I would think you’d get the error).

      • Felix Zhang says:

        Yeah, you are right. I changed the Provider on the site which was created by SharePoint 2013 Central Administrator. I created it following “http://blogs.msdn.com/b/kaevans/archive/2010/07/09/sql-server-provider-for-claims-based-authentication-in-sharepoint-2010.aspx”. The blog is based on SharePoint 2010; my version is SharePoint 2013.
        Could you help me? I need to use my own Forms Authentication instead of Windows Authentication.
        I think if I follow what the post says successfully, then I can just replace the Provider with my Provider.
        I need SharePoint site not a blank site.
        Thanks

        • So you created your own custom membership provider? If that’s the case, it should work fine with SharePoint 2013. The one thing that you have to make sure of is that you change and recompile your membership provider to work with .Net 4.0. SharePoint will not work with .Net 3.5 components.

  6. Clayton says:

    Hey Chris,

    I’m in the Providers part of MembershipConfig. I selected .Net Users from the dropdown. I’m trying to add “FBAMembershipProvider_2_0”. However, the dropdown for type is empty, so I can’t save this and I can’t proceed. Any thoughts?

    Thanks!

    • Are you on Windows 2008 or 2012? If you’re on 2012, apparently the supported .net versions are reversed, and you have to create a .net 4.0 app pool.

      Otherwise, I’m not sure. I’d probably check other sites hosted in IIS and see if there are types listed in the providers section.

      If all else fails, you can continue with the SharePoint FBA setup and install the SharePoint 2013 FBA Pack to manage the users within SharePoint.

      • Clayton says:

        Appreciate the quick response. Yeah, I’m in 2012. I’ll switch it back to 4 and keep going. Thank you very much for a great article!

  7. Colin says:

    Chris

    I realised after completing all four parts of your instruction that the FBAMemberShipProvider_4_0 (had to use .NET 4.0) that was created as per above, did not have the same option values as the FBAMembershipProvider for Sharepoint (from the machine.config).
    After correcting the values for FBAMemberShipProvider_4_0 and clicking OK, an error message came up with:
    Filename: \\?\C:\innetpub\wwwroot\aspet_users\web.config
    Line number:4
    Error:Cannot add duplicate collection entry of type ‘add’ with unique key attribute ‘name’ set to ‘FBADB’

    How can I edit that entry with the correct values?
    Do I need to delete that entry and redo from scratch, if so, would the deletion affect the default membership provider that was config with that entry?

    Also the creation of the role provider in the last step, does the name of the role provider need to match anything in the web.config file or site collection group name?

    • It sounds like you’ve added duplicate connection strings in your web.config. Don’t forget that if you’ve added the item to the machine.config, it will be inherited by all other web.configs – so if you put the same entry in the web.config you’ll get this duplicate error.

      The role provider name doesn’t need to match anything – but you do need to set your web application to use that particular role provider, specified by name (Part 4).

  8. Steve says:

    Thanks for sharing… this is very helpful. Although I am still running into problems getting this to work.

    I don’t understand why setting up these important capabilities is so difficult and why Microsoft does not provide simple instructions.

    -Steve

  9. RuiCastelo says:

    Hi,
    From the Providers page, select “.Net Users” under Feature. Click “Add…” in the right side panel. In the dialog that appears, chose “SQLMembershipProvider” for type.
    My pool is on 2.0 and nothing shows on the type, but when I put 4.0 it shows the SQLMembershipProvider and others… Should I put 4.0?

    • Yes- I’m guessing you’re running Windows Server 2012. This article was written using Windows Server 2008 R2. On 2008 .Net Users only works with 2.0 membership providers. On 2012 they switched things around and it only works with .Net 4.0 membership providers. I need to update this in the article.

  10. Sam says:

    Thanks for the info but won’t work for me. Using Win Server 2012, all software and databases on the same machine. Followed instructions multiple times but when get to ‘add users to the membership database. Click “.Net Users”’ always get error:

    “A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 – Locating Server/Instance Specified)”

    Any ideas or should I give up on this working?
    Thanks

    • From the error message it looks like it can’t even connect to the configured SQL Server database. Double check your connection string, particularly the server name you’re connecting to. Also, connect to that server using SQL Server Management Studio and make sure you can connect using the same server name in the connection string.

  11. Sam says:

    Hi Chris

    It was my mistake, my ASP.NET membership database was named differently and not called ‘aspnetdb’ as in your example. Everything looks ok now.

    Thanks for getting back to me!

  12. Mark Ward says:

    I am getting a Trust issue when I try to go back into the .net user module. It says that users cannot be retrieved. Any help would be appreciated.

    • I’m not sure what you mean by a “Trust” issue. Is there a specific error message? I’m guessing the default membership and role providers are not set to the new provider config you setup, or maybe you chose the wrong type for the provider config.
