Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files

Configuring forms based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences due to SharePoint 2013 using .Net 4.0. The web.config entries entries are slightly different. As well, IIS doesn’t support editing .Net 4.0 membership provider configuration through the IIS interface, so all of the configuration has to be done directly in the .config files. I’ll go through all of the steps required to setup FBA for SharePoint 2013, from start to finish. I’ve broken down the steps into 4 sections:

Part 3 – Editing the Web.Config Files

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider. A membership provider is an interface from the program to the credential store. This allows the same program to work against many different methods of storing credentials. For example you could use an LDAPMembershipProvider to authenticate against Active Directory, or a SQLMembershipProvider to authenticate against a SQL Server database. For this example we’re using the SQLMembershipProvider to authenticate against a SQL Server database.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. Most tutorials have you adding the membership provider settings over and over again in each web config (as well as every time you setup a new SharePoint web application). I prefer to add the membership provider settings directly to the machine.config. By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don’t have to remember to make the changes every time you create a new SharePoint web application.

If you don’t have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

SharePoint Central Administration
SecurityTokenServiceApplication
Every SharePoint web application you create that you would like to access via FBA.

NOTE – IF YOU HAVE MULTIPLE SERVERS, THESE STEPS MUST BE PERFORMED ON ALL SERVERS.

BEFORE EDITING ANY .CONFIG FILE – MAKE A BACKUP OF IT. It’s very easy to make a typo.

Navigate to “C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config” and open “machine.config”.
In the <ConnectionString> section, add the following line:
```
<add connectionString="Server=WIN-C6ES927TE58;Database=aspnetdb;Integrated Security=true" name="FBADB" />
```
Be sure to replace the value for Server with the name of your SQL Server.

In the <membership><providers> section add the following:

<add name="FBAMembershipProvider"
 type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
 connectionStringName="FBADB"
 enablePasswordRetrieval="false"
 enablePasswordReset="true"
 requiresQuestionAndAnswer="false"
 applicationName="/"
 requiresUniqueEmail="true"
 passwordFormat="Hashed"
 maxInvalidPasswordAttempts="5"
 minRequiredPasswordLength="7"
 minRequiredNonalphanumericCharacters="1"
 passwordAttemptWindow="10"
 passwordStrengthRegularExpression="" />

You can customize the authentication by modifying each of these options. The most important thing to remember though is that if you define a membership provider in multiple locations for the same database, they MUST ALL USE THE SAME OPTIONS. Otherwise you’ll run into all kinds of problems with users created with one set of options, and later being authenticated against with a different set of options.

Here’s a description of the different options available:

Option	Description
connectionStringName	The name of the database connection to the aspnetdb database.
enablePasswordRetrieval	true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.
enablePasswordReset	true/false. Whether the user can reset their password. I suggest setting this to true.
requiresQuestionAndAnswer	true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.
applicationName	Setting the application name allows you to share a single membership database with multiple different applications, with each having their own distinct set of users. The default applicationName is /.
requiresUniqueEmail	true/false. Determines if multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login by email system.
passwordFormat	Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one way hash of the password. When a user authenticates, the password they enter is hashed as well and matched against the stored hashed value. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset. I always recommend using “Hashed” as it is the most secure way of storing the user’s password.
maxInvalidPasswordAttempts	The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.
passwordAttemptWindow	The number of minutes before the invalid password counter is reset. Defaults to 10.
minRequiredPasswordLength	The minimum password length. Defaults to 7.
minRequiredNonalphanumericCharacters	The minimum number of non-alphanumeric characters required in the password. Defaults to 1.
passwordStrengthRegularExpression	A regular expression that can be used to validate the complexity of the password.

In the <roleManager><providers> section add the following:

<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
 type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Save and close the machine.config file.

I mentioned that if you modified the machine.config, you’d only have to put the config in a single place. I wasn’t being completely truthful. The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService (But only there – you won’t have to add them to the central admin or other SharePoint web app web.configs.First we need to find the web.config for the SecurityTokenService. Open up IIS. Under sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click on Explore. Edit the web.config in the folder that opens.

Add the following to the web.config, just before the closing </configuration> tag:

<system.web>
 <membership>
 <providers>
 <add name="FBAMembershipProvider"
 type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
 connectionStringName="FBADB"
 enablePasswordRetrieval="false"
 enablePasswordReset="true"
 requiresQuestionAndAnswer="false"
 applicationName="/"
 requiresUniqueEmail="true"
 passwordFormat="Hashed"
 maxInvalidPasswordAttempts="5"
 minRequiredPasswordLength="7"
 minRequiredNonalphanumericCharacters="1"
 passwordAttemptWindow="10"
 passwordStrengthRegularExpression="" />
 </providers>
 </membership>
<roleManager>
 <providers>
 <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
 type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
 </providers>
 </roleManager>
 </system.web>

Remember to match all of the options with what was entered in the machine.config.Save and close the file.

The role and membership providers have now been setup for SharePoint. Continue on to Part 4 to configure SharePoint to use the membership provider we just setup.

Posted

January 2, 2013

Configuration, Forms Based Authentication, Sharepoint

Chris Coulson

Tags:

.Net, ASP.Net, aspnetdb, central admin, FBA, Forms Based Authentication, IIS, machine.config, Membership, membership provider, SharePoint 2013, SharePoint 2013 FBA Pack, sqlmembershipprovider, web.config

Comments

126 responses to “Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files”

Colby

March 19, 2013

Thank you for this tutorial. Its been a great help. I have a couple questions. If I use the script you link to in step 2 to add users in Sharepoint, does the database name need to stay aspnetdb? If so, is there a way around that? I ask that to ask the second question. I would like to create 2 separate Web Applications which use two different User Databases. Is this possible? If so, can you point me in the right direction? Thank you again

Reply
1. Chris Coulson
  
  March 21, 2013
  
  The database name does not need to be aspnetdb – that’s just the default. The wizard for creating the database lets you choose whichever name you’d like. You can also rename it at any time using SQL Server Management Studio. If you change the database name, you just have to change the database name in the connection string, so instead of:
  Database=aspnetdb
  you’d have:
  Database=mydatabasename.
  
  You can use 2 (or as many as you want) user databases. You just need to create a separate connection string and membership/role config for each database. Give them different names in the config. And then when specifying the membership and role provider for the Web Application – just use whichever name you specified in the config file – like FBAMembershipProvider2…
  
  Reply
SNAFU

March 22, 2013

So, it does not appear as though editing the web config files as you describe propagates it throughout all sites created. When I look at the providers for the different sites that I have created, the membership provider doesn’t exist. Although, now that I’m typing this, I don’t see why that would prevent Windows authentication. My forms based users can log in without an issue. my AD users however cannot. Thoughts?

Reply
1. Chris Coulson
  
  March 22, 2013
  
  It should not prevent Windows Authentication. I assume that under Central Admin -> Manage Web Applications -> Authentication Providers that Windows Authentication is turned on (as well as FBA)? If you are using Kerberos for windows authentication, maybe try NTLM to make sure that works.
  
  Also, what happens when you try to login with Windows Auth? You get prompted with a dropdown to choose Windows or Forms Based authentication, and then what?
  
  Reply
SNAFU

March 22, 2013

Windows Auth is turned on and it is using NTLM. When I slect Windows Auth, I am presented with a login box and no matter what account I use, I can’t get in. I actually think I know what the problem is. I haven’t added any users directly to the site collection, but I can’t get in to the site with any credentials to do that.

Reply
1. Chris Coulson
  
  March 22, 2013
  
  If it’s a permission issue, you should get a SharePoint Access Denied page. In that case, try adding the user as a site collection administrator in Central Admin – or login with FBA and add the users to the site collection.
  
  If you get an IIS error message after trying to login, then it’s probably a problem with IIS recognizing the user/credentials.
  
  Reply
SNAFU

March 22, 2013

I’m getting a blank page after I attempt to log in three times. I did add the user as a site collection administrator and I still get nothing. I’m about ready to scrap the whole thing and start over. This is beyond frustrating. I compared the setup in my lab to this setup and I don’t see anything different other than the names.

Reply
1. Chris Coulson
  
  March 22, 2013
  
  That’s strange you’re getting just a blank page. I would expect an IIS error page or a SharePoint Access Denied page.
  
  Maybe try creating a separate web application on SharePoint – set it for windows authentication only – and see if you can login to it.
  
  Reply
2. paisley
  
  March 25, 2014
  
  sounds like you might need to disable the loopback – if trying to access the page from the server (or access it from a client machine)
  
  Reply
Kelvin

March 24, 2013

Thank you for this tutorial.I have one question.
I’m using LDAPMembershipProvider to authenticate against Active Directory, but I get error message “The method or operation is not implemented.” while I click “new user” in Manage Forms Based Authentication Users. Any solution to make it working with LDAPMembershipProvider?

Reply
1. Chris Coulson
  
  March 24, 2013
  
  Are you referring to the FBA Pack? If so, unfortunately the LDAPMembershipProvider doesn’t fully implement all of the MembershipProvider functions, and so it won’t work. The FBA Pack would either have to be modified to work specifically with the LDAPMembershipProvider, or a custom membership provider could be built that inherits from the LDAPMembershipProvider and fills in the missing functionality.
  
  Reply
  1. Kelvin
    
    March 25, 2013
    
    Today I try change to use SQLMembershipProvider but I keep getting a error message “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.” in FBA user management page.
    
    Reply
    1. Chris Coulson
      
      March 25, 2013
      
      That essentially means that a membership provider either has not been setup, or it’s not working properly. Check that the membership and database connection entries in the .config files are ok. Also, make sure that the membership provider names set in Central Admin for the web application match those in the .config files.
      
      Reply
      1. Kelvin
        
        March 25, 2013
        
        I follow the guide add the connection string,membership provider and role manager in machine.config file but the problem still existing…
Chris Coulson

March 25, 2013

Kelvin – are you sure the aspnetdb database has the proper permissions applied for the web application application pool user? See Part 1.

Reply
1. Kelvin
  
  March 25, 2013
  
  Yes, I’m sure. Do you mind to use teamviewer to remote control my computer help me find out the issue? I already stuck on this problem for whole day.
  
  Reply
  1. Chris Coulson
    
    March 25, 2013
    
    Sure, not a problem. I expect we can get it done under an hour if you just want to purchase a single hour. You might want to also consider the FBA Pack Support Plan:
    http://www.visigo.com/purchase.html
    
    Reply
Kelvin

March 30, 2013

May I know how to configure a page to allow anonymous user can view it? I’m using the member request web part to create a registration page but if the anonymous user can’t view the page then the page is no use.

Reply
1. Chris Coulson
  
  March 31, 2013
  
  There’s a few places that need to be changed to enable anonymous access on a page:
  In the Web Application settings, Anonymous Access has to be enabled.
  In the Permissions for the Site, Anonymous Access has to be turned on (Set it to Lists and Libraries)
  In the permissions for the Document Library that contains the page, Anonymous Access has to be enabled.
  
  There’s some info here:
  http://office.microsoft.com/en-ca/windows-sharepoint-services-help/enable-anonymous-access-HA010113018.aspx
  
  Or you can create an Application Page that inherits from UnsecuredLayoutsPageBase (coding).
  
  Reply
Felix Zhang

July 11, 2013

Hi,
I have done as you said in Part2, but I found that here you version is
“<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral …"
But in may config after having done in IIS it is
"<add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="AspNetSqlProvider" description… "
The version is different , yours is 4 and mine is 2.
Thanks

Reply
1. Chris Coulson
  
  July 11, 2013
  
  Right, for SharePoint 2013 you need to use the .Net 4.0 version of the membership providers. It will not work with the .Net 2.0 version (SharePoint 2010 uses .Net 2.0).
  
  For configuring membership providers in IIS, the built in iis tools only support .Net 2.0 on Windows 2008.
  
  Both the .net 2.0 and 4.0 versions will connect to the same membership databases.
  
  Reply
  1. Felix Zhang
    
    July 12, 2013
    
    I’m working on SharePoint 2013, I want to use both FBA and Windows authorization,
    In my SharePoint 2013 Adminstrator Central web.cofig:
    
    <!—->
    
    When it is 2.0 the name is “AspNetWindowsTokenRoleProvider” which has been commented abover it works fine, but I still cannot get the users from my own aspnetdb(FBARoles Provider), So I want to change the “AspNetWindowsTokenRoleProvider” to 4.0 version, but error occurs:
    
    The attribute ‘connectionStringName’ is missing or empty.
    
    In 2.0 version it donot need connectionStringName when use “AspNetWindowsTokenRoleProvider” which I comment above in the web.config, but the version is changed to 4.0 it said need? And it is Widows authorization,does it have a database?
    Could you help?
    Thanks
    
    Reply
    1. Felix Zhang
      
      July 12, 2013
      
      //The below is version 2.0 , use test I remove it, for readable
      // I just copy to here
      <add applicationName="/"
      name="AspNetWindowsTokenRoleProvider"
      type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /
      // The velow is version 4.0
      
      </roleManager
      
      Reply
      1. Felix Zhang
        
        July 12, 2013
Felix Zhang

July 12, 2013

Sorry I can not copy the web.config here, I do not why, the letter will be blank, maybe the security, I hope you will understand what I said.
Thanks

Reply
1. Chris Coulson
  
  July 12, 2013
  
  Sorry, but I don’t have experience with the WindowsTokenRoleProvider. You should already have an entry for it in your machine.config though:
  
  add name=”AspNetWindowsTokenRoleProvider” applicationName=”/” type=”System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a”
  
  Actually – I see your problem – you’re calling it AspNetWindowsTokenRoleProvider, but instead of using a WindowsTokenRoleProvider, you’re using a SQLRoleProvider.
  
  Reply
  1. Felix Zhang
    
    July 15, 2013
    
    you are right, I am too careless.
    But fix this error, I am still can not get the users in aspnetdb.
    When add users, only widows users listed.
    Very thanks for your help.
    
    Reply
Naveen

July 26, 2013

Hello,
This worked for me for FBA. But i am now not able to login to the site using windows authentication. When i select Windows Auth in the drop down it asks me the credentials. When i give my windows credentials its rejecting it. I am the site collection admin for my site collection.

Can you guess what i might have done wrongly.

Thanks,
Naveen.

Reply
1. Chris Coulson
  
  July 27, 2013
  
  Everything sounds ok. I’d double check that your windows user name is set as a site collection admin. If it still doesn’t work, maybe try another user’s windows login.
  
  Reply
Miluska

August 27, 2013

I don’t have permissions to chance machine.config, so i did changes in each web.config…. everything is ok BUT! i couldn’t access with the users to My Site… The mistake is that we need put the connection string also in the Web.config of the Security Token Service…

Reply
1. Chris Coulson
  
  August 27, 2013
  
  Right – if the connection string isn’t put into the machine.config, it will need to be put in every config file that you put the membership provider.
  
  Reply
Larry Bradley

September 4, 2013

Chris,
Very easy to follow instructions. I had to use ASP.net V4 also as I’m using Server 2012 / SPF2013 / SQL2012. I have one existing production SharePoint 2013 site that has been extended already for outside access and works great. I’m currently only using NTLM Windows Authorization. After going through your steps carefully I ended up with the original site no longer working as well as Server Manager would not start. Any ideas? I never touched the original App Pool or Site. Would editing the machine.config cause this? As my server is a VM on a EqualLogic I just restored to my previous snapshot so I wouldn’t be down.

My plans were to keep the existing Web Application intact with the current authentication and then create a new Web Application (for totally different use)to use FBA. Is FBA an all-or-nothing scenario or can I do it the way I am planning?

Reply
1. Chris Coulson
  
  September 4, 2013
  
  If even server manager won’t start, then yes – it’s likely due to editing the machine.config. I’ll make a note to edit the article to include a step to make a backup of your machine.config before editing, in case anything goes wrong.
  
  You do have to be very careful when editing .config files, as missing a closing tag or opening tag will cause the whole .config file to be unusable.
  
  It’s lucky that you had the snapshot. Next time I suggest you make a backup copy of the machine.config, and then you can just overwrite the machine.config with the backup if anything goes wrong. Next time I’d also double check that all opening tags have matching closing tags around the areas that you made changes. It was likely a missing closing tag, or perhaps the entries inserted into the wrong area of the web.config.
  
  As for the FBA only on a separate web application, yes you can do it the way you’re planning. You’d do all the steps the same, just step 4 you’d only apply to the web application you want FBA on.
  
  Reply
  1. Larry Bradley
    
    September 4, 2013
    
    Thanks Chris, I’ll give it another try tomorrow. I was very careful with the tags but obviously I missed something. Great article, thanks for taking the time to write it.
    
    Larry
    
    Reply
    1. Larry Bradley
      
      September 5, 2013
      
      Hello again Chris, day two. I’ve gone back through the exercise quickly this morning but paying very close attention to the details of the file edits. Through testing, I’ve narrowed the problem down to the machine.config file edits. Not sure what part of it is causing the problem as I have used your settings and named providers exactly including the security choices. Only thing different is my server name which I was sure to change in the connection string line. After completing the exercise through step 3 I did a quick iisreset /noforce and at that point again Server Manager won’t work and my SharePoint site previously created that is known to work fine is no longer available… it shows a blank white page with no error (the tab in IE is displaying as it should with the icon). I change back to the original machine.config file and of course the problem is fixed. The only thing I noticed from your examples that I changed was the ending tags. You left a space before the closing /> and I took that out as every other line in the file does not have that space. Any thoughts? I would be willing to send you the machine.config file if you think tht will help.
      
      Reply
      1. Chris Coulson
        
        September 5, 2013
        
        Removing the spaces shouldn’t be a problem. The only thing I can think is that either it’s going in the wrong section, or maybe the text editor you’re using is changing the encoding of the file. To test if it’s the text editor, just add a couple of words to the comment section at the top of your working machine.config and save it. If it no longer works, it’s your text editor.
        
        If that works fine and making the change still breaks things, I’ll take a quick look. Send me your original and modified machine.config. You can get my email address here:
        http://www.google.com/recaptcha/mailhide/d?k=01qW_nIZ-J3XUHl8TNc0hpjw==&c=_4ZctQa6nRqbqVsUEr1V0ONz5j-8t305ROkxA0cYksM=
      2. Chris Coulson
        
        September 5, 2013
        
        I checked the machine.config you sent me. The one thing I saw that looked wrong was in your connection string. In your edited machine.config it says:
        
        connectionstring=
        
        it should be
        
        connectionString=
Colin

September 19, 2013

Hi Chris

Two questions:

I’ve notice that the web application web.config files do not contain the membership and roles changes that were made to the machine.config and SecurityTokenService web.config (as per SNAFU first response).
1. Have I miss something?

When I tried to add .NET users (created from Part 2) to the web application groups, their names are not to be found. The only way I can get those users to appear for selection, is if I go to Central Administration | Managed Web Application, select the web application, select User Policy and add their names here first (with zone Extranet).

But then the permissions assigned to them in the Policy Web Application (eg Full Read) seem to override their web application group permission (Members).

2. Is the way to add users from the Membership Database to groups?

Reply
1. Chris Coulson
  
  September 19, 2013
  
  The web.config files don’t need the changes because they were made to the machine.config – so they inherit the changes. You could put them in the web.config INSTEAD of the machine.config (don’t put them in both or you will run into issues with conflicts) – but then you’d have to remember to put the entries in every new web application web.config you create, instead of in one place in the machine.config.
  
  The users from the membership database can definitely be added to groups. If they’re not showing up in the site collection people finder then likely there’s some configuration error. If you can see the people in the central admin people finder, and you’ve made the membership changes in the machine.config – so they should be the same for central admin and all web applications – then it’s not likely an issue in the config file. My guess is that the membership provider name for the zone (Manage Web applications -> Authentication Providers (Part 4)) doesn’t match the name in your config files.
  
  Reply
Randi

September 19, 2013

hi,
I get this error A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.

I have checked my config file and I have used the same settings as u have in this example, only changed the connectionstring name.

The user I used in sql has permissions because i’m able to add users froom iis, when I added the dummy site to add users from iis.

I have tried several times today and yesterday to figure out if I had something wrong in my config files. I even checked with some config files from other projects where I successfully have it to work for 2010.

I have the same names of the providers added in config file and in sharepoint.

any idea what i’m missing here?

Would be really thankful for any help. i’m a little stucked her right now :/

Reply
1. Chris Coulson
  
  September 19, 2013
  
  Generally that error message either means there is an issue with the web.config or an issue with the database permissions. It sounds like you’ve checked over your web.config pretty carefully, so my guess is that it’s the db permissions.
  
  Just because you can add users from iis doesn’t mean you’ll be able to add users from SharePoint. You’re accessing the db from 2 different users. From iis, you access it from the user currently logged in (probably an administrator, so probably already has admin rights on the db server if it’s on the same machine). For use within SharePoint you have to make sure that the app pool user for the web application being used has permissions on the aspnetdb.
  
  Reply
  1. Randi
    
    September 20, 2013
    
    I still have problems with getting this to work.
    I’m able to add users for sharepoint now.
    And I have assigned the user til a sharepoint site.
    But I cannot logon til sharepoint. in the login window I get the error that username or password is wrong,
    And in the eventlog I get the errormessage:
    An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error.
    
    any idea what I’m missing?
    
    Reply
    1. Chris Coulson
      
      September 20, 2013
      
      If the membership provider works within SharePoint, but you can’t login, the issue is with the SecurityTokenService. Either the web.config or db permissions.
      
      Reply
      1. Randi
        
        September 23, 2013
        
        thanks for your help. I was missing the connectionstring in the security token web config file. Now I can log in to.
        
        have a nice week 🙂
Randi

September 20, 2013

Thanks for answers.
The user is dbowner of the aspnet database.So it should have the right permissions for the database.

Reply
1. Randi
  
  September 20, 2013
  
  I figured it out 🙂 I had to add the permissions on the login, not the user to make I work. Thanks for your help.
  
  Reply
Colin

September 23, 2013

Hi Chris

I think I found the reason/solution to the problem I been having with assigning membership (database) users to the site collection groups.

I have a default web application (used for intranet) which has been extended to an extranet (which uses FBA). I created a membership database user as FBAAdmin, which I have given full control to the extranet (via Central Administration | Managed Web Application, User Policy).

When I log-into the extranet with FBAAdmin, I can assign other membership database users to the site collection groups, BUT I cannot see any users from AD. Whereas if I log-into the default web application (as site owner), I can only see users from AD but none from the membership database.

Is this how it the different zone works? The default (intranet) web application can only see AD users and extranet web application can only see membership database users created from IIS?

Reply
1. Chris Coulson
  
  September 24, 2013
  
  That’s right, I believe you have to be logged in as a windows user for the people picker to work for other window users. You have a couple of options if you also want to manage the extranet users from the intranet:
  
  Probably the easiest would be to modify the intranet zone to allow both windows and FBA users. Alternatively you can create a third zone that allows both that you would use to do any administration.
  
  Alternatively you can simply add the FBA Pack https://sharepoint2013fba.codeplex.com/, which will allow users from any zone to administer FBA users using the FBA Pack Management Pages (The FBA membership config file changes have to be available on any zone you want to use this – but as long as you make the changes in the machine.config they would be available everywhere). So you could use the FBA Pack management pages to admin the FBA users from your windows only auth zone.
  
  Reply
Tim

November 13, 2013

In my multi-server dev farm do all servers including the app servers need to have their web.configs altered?

Reply
1. Chris Coulson
  
  November 13, 2013
  
  If the server hosts either the securitytokenservice or any of your FBA enabled web applications, then yes. Otherwise, no.
  
  Reply
Gerhard

November 22, 2013

Hi Chris,

I followed all the steps provided. I am using a existing membership db from SharePoint 2010. I inserted all the settings in the machine config and the SecurityToken config. I am able to see the users if I go into IIS to my SharePoint web application > .Net Users. However from the login page in SharePoint I am not able to connect using the correct credentials?

Reply
1. Chris Coulson
  
  November 22, 2013
  
  Check the web config for the web application. If you can see the users in IIS on the web application after performing step 4, it is wrong. Configuring the web application in SharePoint sets a default membership provider of type ‘SPClaimsAuthMembershipProvider’. This acts as a proxy provider to the membership provider you name when you setup the web application. It is not compatible with the IIS tools though – so if you can see the users, this is not set to the default.
  
  Reply
  1. Gerhard
    
    November 25, 2013
    
    I removed the web application completely and started from scratch. I created new web application and site collection. So far this worked using my forms db. I could sign in with a form user into the site. I mounted my existing content database from SharePoint 2010 to the new web application and deleted the empty db created. Then the same error occurs – Access Denied. I am also not able to view users from IIS which is correct. Have you had any problems with FBA and existing content db from SP2010? Thanks in advance
    
    Reply
    1. Gerhard
      
      November 25, 2013
      
      I found the problem. The membership names was different in the old SP2010 farm. Thats what caused the access denied error. Thank you for the help and great guide.
      
      Reply
Greg Nagy

November 27, 2013

Chris,

I really appreciate your detailed instructions for using FBA in SharePoint 2013. I was able to get FBA accounts to login correctly on a test site on my SharePoint 2013 server. When I try to apply the same settings to an existing SharePoint 2013 site, Windows authenticated users login fine, but when I try to login FBA accounts, I choose Forms Authentication, type in the username and password, I get a blue bar at the top with “Working on it…” for a few seconds, then I get “Sorry, you don’t have access to this page.” Any idea what you can point me to check that I am missing? I’ve gone through your instructions a second time and can’t find anything wrong.

Thank you!

Reply
1. Chris Coulson
  
  November 27, 2013
  
  It could be that you are getting logged in, but the user you’re logging in as doesn’t have the permissions necessary to view the page they’re being redirected too. Try and make the user a site owner or site collection admin and see if the errors go away.
  
  Reply
  1. Greg Nagy
    
    November 27, 2013
    
    Making my FBA test account a Site Collection Admin allowed the account to login and access the page and site correctly. Since I can’t add all of my users to this field since I have hundreds of just standard members, where do you think I should look next?
    
    Thank you!
    
    Reply
    1. Chris Coulson
      
      November 27, 2013
      
      Does the account work if you remove them from being a site collection admin, and just add them to say the ‘visitors’, or ‘members’ groups? I think you just have some permissions problems there, and you’d have to make sure the users belong to a group with sufficient permissions to view or modify the site.
      
      Reply
Lurch

December 26, 2013

Update to my previous post. I found the log files, and I see the following error cropping up when I try to log in using Forms Authentication:

An exception occurred when trying to issue security token: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly.

The first 1024 bytes of the response were: ‘ IIS 8.0 Detailed Error – 500.19 – Internal Server Error <!– body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000… c131649c-1651-f0f9-e96f-4cef546e1b4f
…;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0'.. c131649c-1651-f0f9-e96f-4cef546e1b4f

Reply
1. Chris Coulson
  
  January 3, 2014
  
  I can’t say i’ve seen that one before. My only guess might be that the securityTokenService config file was edited incorrectly. Maybe an opening or closing bracket was missed, or perhaps the changes were made at the wrong location in the file.
  
  Reply
2. David
  
  May 21, 2015
  
  Lurch,
  
  Did you ever get this resolved? We are encountering the same issue.
  
  Reply
Johannes

January 9, 2014

At first a i wish you happy new year and thank you for that great tutorial.
We use Windows Server 2012 and SharePoint 2013 with AD and FBA Auth..
We followed the complete tutorial but after that, we realized that we need the FBA-Pack. So we installed it.
So far everything is working. Users can create their own account and we can manage them.
But now we have got a problem with all auth.:
We have got multiple webapplications. The auth. should work for all webapplications. But if we login into a website on the second webapplication, the user disconnects from the website of the first webapplication and get an error.
When we want to check the Session State config of the IIS-Website MembershipConfig we got an error that says something like: double listentry type “add” with FBADB […] can not be added.

Any idea what to do?

Reply
1. Chris Coulson
  
  January 9, 2014
  
  If you’ve got an error about extra add’s for FBADB, then you’ve got an error in your web.config.
  
  The FBADB DB connection entry that is added to the machine.config is inherited everywhere, so what I believe has happened is that you’ve also added that same FBADB connection entry to another web.config file.
  
  My best guess is that the extra entry is in the SecurityTokenService config file. If it’s not there though, you’ll have to check the web.configs for each of your SharePoint web applications. Just find the extra entry and delete it and your problems should go away.
  
  Reply
  1. Johannes
    
    January 10, 2014
    
    Thank you. We found an unnecessary entry in the webconfig file of the membershipconfig site.
    Do you have also an idea how we can realize an auth. across different webapplications without re-auth?
    
    Reply
    1. Chris Coulson
      
      January 10, 2014
      
      The problem with single sign on across multiple web applications is that the cookie for each web application is stored for the domain – so as soon as that domain changes, the cookie no longer exists and you can’t login. Couple of options:
      
      1. Use a single web application and set up multiple site collections under it:
      mysite.mydomain.com/sites/site1
      mysite.mydomain.com/sites/site2
      
      2. Have users check the ‘sign me in automatically’ box when they login – they will have to do it for each web application – but they should remain signed in the next time they open their browser. Note that there are settings for this you can set in SharePoint, which you may have to adjust to allow them to stay logged in longer than the default.
      
      3. Use a central login service instead of FBA, like OAuth or SAML. When the user hits the site, a central server will be contacted. Because the login server is always on the same domain, their authentication cookie will always be available so they’ll only have to login once.
      
      Reply
      1. Johannes
        
        January 13, 2014
        
        So if the webapplications are in the same domain, the authentication across them should work?
        
        Because the URLs of our webapplications are like:
        https://sharepoint.domain.de
        https://sharepoint.domain.de:10443
        https://sharepoint.domain.de:20443
      2. Chris Coulson
        
        January 13, 2014
        
        I’m pretty sure that the port numbers also make the browser consider it a single site, so I’m almost 100% this won’t work. You’ll have to use one of the other methods I mentioned earlier.
Rashid Bilgrami

January 10, 2014

How to disable this authentication, i need to disabled it if you have an idea please confirm me

Reply
1. Rashid Bilgrami
  
  January 10, 2014
  
  I mean Form Based Authentication because its giving us a probelm with our custom module
  
  Reply
  1. Chris Coulson
    
    January 10, 2014
    
    SharePoint Central Administration -> Application Management -> Manage Web Applications -> Authentication Providers.
    
    This will let you turn FBA on/off for any zones you’ve setup.
    
    Reply
Venkat

June 10, 2014

Can this work with my own names for Membership Provider and Role Provider. Not using the names for provider/role as “FBAMembershipProvider” and “FBARoleProvider” ?

Reply
1. Chris Coulson
  
  June 10, 2014
  
  Yes, definitely. You can use whatever names you want.
  
  Reply
Paul Yung

June 25, 2014

Will these instructions good for VM ? I ran into so many problems. I have a stand alone (not in a farm) SP 2013 VM running on Windows 2012 (Standard w/o R2).

Reply
1. Chris Coulson
  
  June 25, 2014
  
  Yes – these definitely run on a VM (In fact the instructions/screenshots were all done on a VM – SP 2013 on Windows 2008 R2). What kind of problems are you running into?
  
  Reply
Greg

October 24, 2014

Hi Chris

Thanks for your blog, it’s very helpful. I’ve managed to configure everything and able to log in with .Net/SQL users. The only problem I have is around the .Net Roles. I cannot search for them to add them to Home Visitors/Owners/Members groups. Even if i type them fully exactly (case sesitive etc) as they appear in the .Net roles IIS pane i get an error stating cannot find exact match.

If i type in fba it lists (All Users) FBAMembershipProvider. Do I need to add anything to the for that app or is this just not supported or going to work as I envision, ie: .NET Roles used as groups within the Sharepoint site permissions?

Many thanks

Greg

Reply
1. Greg
  
  October 24, 2014
  
  Apologies, I found the error. I’ve had so many goes at this on a VM using snapshots I had a missing Role setting in the machine.config. Sorting this out and adding the FBA pack 2013 has allowed me to use the roles as I would have expected them to work.
  
  Thanks again for your efforts in compiling this step-by-step article, your contributions are much appreciated.
  
  Reply
manisekhar

November 6, 2014

Hello,

I have created FBA, in people picker I have got the users but. when I am try to login FBA users it’s not taking.

Pls refer below error.

Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.
The server could not sign you in. Make sure your user name and password are correct, and then try again.

Reply
1. Chris Coulson
  
  November 6, 2014
  
  Logging in actually uses the membership configuration from the SecurityTokenServiceApplication. From within SharePoint, it uses the membership configuration from the machine.config/web.config.
  
  So check the settings in the SecurityTokenServiceApplication, as that is probably where your problem lies.
  
  Reply
David Compton

November 27, 2014

After following these procedures I found that while FBA worked for my site collection I could no longer access the Central Administration website. The error I was getting was

Central Administration shows error 26 – A network-related or instance-specific error occurred while establishing a connection to SQL Server

After a few frustrating hours searching for a problem I found a solution which is:

1. Open SharePoint Central Administration v4 web.config File
2. Find the following Node under System.Web Node & Change Enabled to false :

Hopefully this helps someone else.

Reply
MRiediger

December 17, 2014

Hi All,

if you have multiple instances on your SQL-Server, make sure to specify the alias in the connectionStrings entry! Otherwhise your Membership Provider tries to access the first instance on your SQL-Server by default. Author, please update this in your post ;).

Sample:

Reply
Abdul

February 21, 2015

Hi Chris,

We had a functioning SharePoint 2010 site using FBA and AD authentication. After installing the FBA Pack, we can now only access the SharePoint site with Windows Authentication. When we try to access with Forms Authentication, we receive the following message:
Error: Access Denied
Current User
You are currently singed in as: abdul
Sign in as a different user

Abdul has full control permissions level on FBA and AD.
I can access FBA Membership Request Management with no issues.
I cannot access FBA Site Configuration and FBA Role Management, I get the Error: Access Denied as stated above.
I can access FBA User Management, with limitations: I can delete a user, but I cannot edit or reset password.

Any assistance you can provide is highly appreciated!

Thank you,
Adul

Reply
Abdul

February 21, 2015

Hi Chis,

I uninstalled FBA Pack and reinstalled and followed the steps what you suggested: http://blogs.visigo.com/chriscoulson/sharepoint-2010-fba-pack-released/#comment-38245

As soon as I activated the feature, I get redirected to the error page as stated above:
Error: Access Denied
Current User
You are currently singed in as: abdul
Sign in as a different user

The features that the FBA Pack has to offer I would really like to implement to our SharePoint site.

Please let me know if you have any ideas of what the issue is.

Thank you,
Abdul

Reply
1. Chris Coulson
  
  February 23, 2015
  
  A couple things:
  For accessing the FBA Pack management pages, you need to be a Site Collection Administrator, standard permissions won’t cut it.
  
  If you’re getting access denied for the rest of the site, then you don’t have the appropriate permissions to visit that page OR the page contains an asset that you don’t have permission to view. For example it may contain an image from a seperate site, or an image that hasn’t been published – in which case you’ll get the access denied message.
  
  Also, make sure you have at least version 1.3.4 of the FBA Pack. Previous versions contained a bug where you needed permissions to the root site when accessing a child site.
  
  Reply
Abdul

March 3, 2015

Hi Chris,

Thank you for your reply!

I got everything working, except for one feature, the password reset. I get the following error:
Your current membershipprovider settings prevent a user’s password from being reset. To allow for resetting of a password by an administrator, you must have enablePasswordReset=”true” and requiresQuestionAndAnswer=”false” in your membership provider settings in your web.config.

I have searched and searched and the only solution that came close was from here: https://sharepoint2010fba.codeplex.com/discussions/398560

The second to the last post by ccoulson (Coordinator Jan 27, 2014 at 8:31 AM) stated to find requiresQuestionAndAnswer and change from true to false. I searched through all the .config and did not find the requiresQuestionAndAnswer.

Also, I am using SharePoint 2010, and the last version of the FBA Pack I could find was 1.3.3. (https://sharepoint2010fba.codeplex.com/)

Again Chris, Thank you!
Abdul

Reply
1. Chris Coulson
  
  March 4, 2015
  
  requiresQuestionAndAnswer and enablePasswordReset won’t necessarily be specified in the membership config. If they are not, they will simply default to false (and enablePasswordReset needs to be set to true for the password reset functionality to work).
  
  I suggest you add the parameters to your membership provider so that there’s no confusion as to their values.
  
  You can see examples of all of the parameters in the blog post above.
  
  Reply
  1. Abdul
    
    March 5, 2015
    
    Hi Chris!
    
    What you stated worked. I am now able to reset the password of the users.
    
    Thank you!!!
    Abdul
    
    Reply
Andrew

March 18, 2015

Hi,

Have setup the FBA as per the instructions and listed in the config files that the password be stored in the DB as Hashed. But irrespective of the settings in the machine.config and the security token web.config the passwords still appear in clear text. Is this an issue or a config issue I might have missed?
I have set this up on 3 server farms and all have the same output.
Any pointers?

Thanks
Andrew

Reply
1. Chris Coulson
  
  March 19, 2015
  
  A few things to check:
  When the user was created, was the setting set to Hashed at that time? If the setting was changed to Hashed at a later time, it will not adjust existing passwords already stored in clear text.
  
  Also, make sure that all web/machine config’s have the same setting – it’s the settings of the site that the registration is done on that will be used.
  
  Reply
vishal goyal

May 4, 2015

Hi Chris ,

I have added(rolemanager,membership and connection string)only in Application and ‘Security Token Service’ Web.config still my FBA is working fine then why we need to add changes in Central Admin web.config

Thanks

Reply
1. Chris Coulson
  
  May 4, 2015
  
  You only need to edit the Central Admin web.config if you cannot or do not want to edit the machine.config. If you edit the machine.config, Central Admin will inherit the settings from there.
  
  Reply
  1. vishal goyal
    
    May 9, 2015
    
    But I did not change machine.config still without doing any changes in Central Admin FBA is working fine.
    
    Reply
    1. Chris Coulson
      
      May 9, 2015
      
      Central Admin will still work without the changes. You just won’t be able to search and find the FBA users from Central Admin. If you don’t need to go that, they you are fine.
      
      Reply
Gopi

May 17, 2015

Hi,
This is Gopi.

While configuring the FBA in Share Point 2013 up to step-3 its working fine and after step-3 am starting the share Point central administration it showing an error SP 2013 Configuration Wizard has stopped working.Can you please suggest how to solve the problem.
The Error is…

Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: psconfigui.exe
Problem Signature 02: 15.0.4420.1017
Problem Signature 03: 50672adb
Problem Signature 04: System.Xml
Problem Signature 05: 4.0.30319.34234
Problem Signature 06: 53cf1d82
Problem Signature 07: 9bf
Problem Signature 08: 0
Problem Signature 09: IOIBMURHYNRXKW0ZXKYRVFN0BOYYUFOW
OS Version: 6.1.7601.2.1.0.274.10
Locale ID: 1033
Additional Information 1: c709
Additional Information 2: c7096b5415dbedc2f6948ab1815c2ad1
Additional Information 3: 571e
Additional Information 4: 571e2e0330f1917f0b78f74c54356bda

Reply
1. Chris Coulson
  
  May 17, 2015
  
  If the errors appeared after changing the config files, then it’s likely you made a typo while making the changes. I suggest you revert to your backup config files to see if it works again.
  
  Reply
Trevor Fielder

May 28, 2015

I set the “enable password reset” to false for both the machine.config and in the IIS Security token web.config. However when an FBA user logs in and clicks the drop down next to their name, they still see the option to change password, and it still works for them. Any ideas?

Reply
1. Chris Coulson
  
  May 28, 2015
  
  Password reset is not the same as the user changing their password. The user is always allowed to change their own password. Disabling ‘Enable Password Reset’ will prevent an administrator from resetting a user’s password. So generally it should be set to true.
  
  Reply
Configuring Forms Based Authentication in SharePoint 2016 – Part 1 – Creating the Membership Database | Chris Coulson's Developer Notes

May 19, 2016

[…] I’ll go through all of the steps required to setup FBA for SharePoint 2016, from start to finish. I’ve broken down the steps into 4 sections, so if you already have an existing membership database setup from a previous version of SharePoint, feel free to skip forward to Part 2. […]

Reply
Santosh Reddy

May 20, 2016

HI,

I configured the above. I successfully used the FBA with LDAP with in the intranet site with no issue and users is login into SP Site.

But with Web server configured with ARR pointing to App Server (SP2013 Server) user is unable to login. After debugging the code of Custom login page i verified SPClaimUtiliy.AuthenticateFormUsers() successfully return true but internally SP 2013 keep re-direct the user to Custom login page.

Can any one help to troubleshoot this issue

Reply
1. Chris Coulson
  
  May 20, 2016
  
  Could it possibly be a permission issue? ie the user logs in, but the homepage contains a reference to an unpublished image. Because the user doesn’t have permissions to view the image, they are redirected to the login page.
  
  Using Chrome Developer Tools (F12) you can check this in the network tab by checking the “preserve log” checkbox. Then you can see if after login you are directed to a page and then immediately redirected back to the login page.
  
  Reply
itguru

September 15, 2016

I have successfully configured FBA and everything working. but when i try to access My setting from FBA for a user – it doesn’t return any error or information.

How can i get user info by clicking My settings?

Reply
Paul Gosney

February 16, 2017

Silly question, regarding the Security Token web.config. I have one central admin server two web front ends. Where do I apply the security token web.config edits. Central Admin, Web front ends or all?

Reply
1. Chris Coulson
  
  February 16, 2017
  
  All. You have to make the machine.config edits for all as well.
  
  Reply
Michael

March 31, 2017

Hi Chris,

i’ve a question concerning the password of an FBA user which is stored in the database. You wrote that the password can be hashed. Is the hash salted and which method is used (sha256, bcrypt, … )?

Cheers,

Michael

Reply
1. Chris Coulson
  
  March 31, 2017
  
  The hashing is done by the membership provider. Details are here:
  https://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.passwordformat%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396
  
  Reply
  1. Michael
    
    April 3, 2017
    
    Hi Chris,
    
    is it possible in one of the future versions of the FBA Pack, to integrate to send a link (valid for a specified time: 24 hours) where the external user is clicking on, to set his password in the SharePoint Site? (see: http://usingaspdotnet.blogspot.de/2011/07/sending-reset-password-link-for-one.html)
    Furthermore it would be interesting if the user get a notification, if it’s password expires, meaning it would be nice to have a password change mechanism every 3 month.
    
    Is the integration of both features possible? Could you plan them for one of the next releases?
    
    Cheers,
    
    Michael
    
    Reply
    1. Chris Coulson
      
      April 3, 2017
      
      Hi Michael,
      
      Yes, both of these features are planned for future releases. Unfortunately i’ve been swamped with other projects though, so I wouldn’t expect a release with these features anytime soon.
      
      Reply
Michael

April 3, 2017

Thanks Chris

Reply
Peige

September 7, 2017

Hi Chris,

Quick question—-I followed your diagram. I’m able to log on as administrator but when I attempt to use FBA drop down as an outside user it constantly tells me the following:

The server could not sign you in. Make sure your user name and password are correct.

Any leads as to why this is happening

Reply
1. Chris Coulson
  
  September 7, 2017
  
  When you login as an administrator, can you use the FBA Pack user management pages? (Assuming you installed the FBA Pack)
  
  If so then i’d check the SecurityTokenService web.config file – it’s the configuration from there that is used for logging in.
  
  Reply
Vishwanath Mishra

October 5, 2017

Hi,
I have successfully enabled FBA as described above. Now I have issue regarding User permission. I have assigned “Everyone” AD user group in few subsites now the problem is when I login using SQL server user it get covered in “Everyone” AD user group. Please guide in this regard, I want to exclude SQL user from everyone group.

Reply
1. Chris Coulson
  
  October 5, 2017
  
  Instead of ‘Everyone’, use ‘All Users’ – as it lets you select the authentication source of the users. See here:
  https://sharepoint.stackexchange.com/questions/100967/add-permission-to-all-authenticated-users
  
  Reply
  1. Vishwanath Mishra
    
    October 6, 2017
    
    Thanks Chris! working fine now.
    
    Reply
Shravan

March 12, 2018

Hi Chris,

We have set up the same approach(As described by you) and set PasswordFormat=’Clear’ and everything is working fine.

Now we have the requirement to change the PasswordFormat=’Encrypted’. I have changed the settings on machine.confg file and securitytokenservice web.config file. After doing these changes when I create a new user, the password is storing in encrypted format(Which is as expected).

But when I try to login the method SPClaimsUtility.AuthenticateFormsUser(referer, userName, password) is returning false even though I am giving correct password.Hence I am not able to login.

Is there anything else I need to change in order for this approach to work?

Your help will be appreciated!

Regards,
Shravan

Reply
1. Chris Coulson
  
  March 13, 2018
  
  If you’re using the format ‘encrypted’, you need to ensure the machinekey is set the same on all web servers – so that they all have the same key for encryption/decryption. It’s also possible to set it for individual sites in IIS (and in the web.config), so if it’s set specifically for a site/.config file it needs to be set in all sites/.config files that use that data. In the case of SharePoint, you’d need to ensure it was set for the SecureTokenService web application as well as each SharePoint web application.
  
  I would actually recommend you use the format ‘hashed’ – it’s actually more secure than ‘encrypted’, as it can’t be decrypted. It also doesn’t require setting the same machinekey everywhere.
  
  Reply
  1. Shravan
    
    March 13, 2018
    
    Thanks for your quick reply Chris.
    
    The only reason we are using this method is we need to decrypt the passwords and send to an external vendor. I think if we use Hashed, external vendor nor we can decrypt the password and use it in their system.
    
    Regards,
    Shravan
    
    Reply
    1. Chris Coulson
      
      March 13, 2018
      
      Right – you would not be able to – but sending the users passwords to a third party sounds super insecure – and probably not something your users would appreciate you doing (They probably don’t want you being able to see their passwords at all, since a lot of them probably use the same password for multiple sites). If you want a single sign-on solution i’d look at using SAML. Maybe look at Okta for an easy to implement solution.
      
      Reply
      1. Shravan
        
        March 13, 2018
        
        Yes Chris, The client is ok with this approach. I changed my web.config of all the web applications, Central Administrations, SecureTokenService and the machine.config, All of them have the same machinekeys. But it is still not working. Anymore advise?
        
        Your help will be much appreciated!
        
        Regards,
        Shravan
    2. Chris Coulson
      
      March 13, 2018
      
      Does it work for newly created users? Unfortunately if the machinekey is not the same as when the user was created, you won’t be able to recover already entered passwords.
      
      Reply
      1. Shravan
        
        March 14, 2018
        
        No it is not working for new users as well.
        
        This is my machine.config
        
        Regards,
        Shravan
    3. Chris Coulson
      
      March 14, 2018
      
      Your machine.config was filtered out. Is there any specific error message? Does it just not accept the password when logging in and everything else works? Are there errors in the sharepoint logs?
      
      Reply
Ruben Andrade

September 16, 2018

Hi Chris, in advance thank you so much for your effort on this.

I have checked every reply on the comments section and you suggest to check Secure Token Service config when we are able to manage (create/edit/delete) users, from FBA pack running on SharePoint.

I have reviewed every config file for that service, and it simply does not log in the user on SharePoint.

What could it be. Thanks.

Reply
1. Chris Coulson
  
  September 16, 2018
  
  What error message are you getting? Invalid username and password? User doesn’t have permission? Something else?
  
  Reply
Samuel

July 21, 2020

Recently we got error after clicking FBA Site configuration.

Sorry, something went wrong
The file ‘/_controltemplates/ToolBar.ascx’ does not exist.
Technical Details

Troubleshoot issues with Microsoft SharePoint Foundation.

Correlation ID: 5f21689f-a01b-006f-f467-65e97ed7a751

Date and Time: 7/21/2020 7:46:54 AM

I tried reinstall FBAPack and as well as reset web.config and machine.config, but still doesn’t work. this impact we cannot manage the users, and webpart of new users creation is not working either. Only existing users can sign in.

We are using the SP2013, server os is 2012. any ideas?

Reply
1. Chris Coulson
  
  July 21, 2020
  
  Are you sure you installed the correct version of the FBA Pack for SharePoint 2013?
  
  https://github.com/Visigo/SharePointFBAPack/releases/download/2013.1.3.6.0/SharePoint2013FBAPack.1.3.6.zip
  
  Reply
  1. Samuel
    
    July 22, 2020
    
    I am pretty sure it is 1.3.6 I’ve installed.
    
    I fixed the problem on opening the user management page. but got a new problem. it says “A membership provider has not been configured correctly, Check the web.config settings for this web application.”
    
    Reply
    1. Chris Coulson
      
      July 23, 2020
      
      I was referring to you maybe having SharePoint 2010 or 2016 version installed on 2013, as the possible issue causing the toolbar.ascx error. What was causing the error?
      
      As for the “A membership provider has not been configured correctly….” error, that happens when the FBA Pack can’t communicate with the membership provider db. This is usually a misconfiguration of the membership provider in the config files, or a permissions issue with the app pool user not having access to the membership database on SQL Server.
      
      Reply