Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files

Configuring forms based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences due to SharePoint 2013 using .Net 4.0. The web.config entries are slightly different. As well, IIS doesn’t support editing .Net 4.0 membership provider configuration through the IIS interface, so all of the configuration has to be done directly in the .config files. I’ll go through all of the steps required to set up FBA for SharePoint 2013, from start to finish. I’ve broken down the steps into 4 sections:

Part 1 – Creating the Membership Database

Part 2 – Adding Users to the Membership Database

Part 3 – Editing the Web.Config Files

Part 4 –  Configuring SharePoint

Part 3 – Editing the Web.Config Files

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider.  A membership provider is an interface from the program to the credential store.  This allows the same program to work against many different methods of storing credentials. For example you could use an LDAPMembershipProvider to authenticate against Active Directory, or a SQLMembershipProvider to authenticate against a SQL Server database. For this example we’re using the SQLMembershipProvider to authenticate against a SQL Server database.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. Most tutorials have you adding the membership provider settings over and over again in each web config (as well as every time you setup a new SharePoint web application).  I prefer to add the membership provider settings directly to the machine.config. By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don’t have to remember to make the changes every time you create a new SharePoint web application.

If you don’t have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

  • SharePoint Central Administration
  • SecurityTokenServiceApplication
  • Every SharePoint web application you create that you would like to access via FBA.

BEFORE EDITING ANY .CONFIG FILE – MAKE A BACKUP OF IT. It’s very easy to make a typo.

  • Navigate to “C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config” and open “machine.config”.
  • In the <connectionStrings> section, add the following line:
    <add connectionString="Server=WIN-C6ES927TE58;Database=aspnetdb;Integrated Security=true" name="FBADB" />

    Be sure to replace the value for Server with the name of your SQL Server.

  • In the <membership><providers> section add the following:
    <add name="FBAMembershipProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="FBADB"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     applicationName="/"
     requiresUniqueEmail="true"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     minRequiredPasswordLength="7"
     minRequiredNonalphanumericCharacters="1"
     passwordAttemptWindow="10"
     passwordStrengthRegularExpression="" />

    You can customize the authentication by modifying each of these options. The most important thing to remember though is that if you define a membership provider in multiple locations for the same database, they MUST ALL USE THE SAME OPTIONS. Otherwise you’ll run into all kinds of problems with users created with one set of options, and later being authenticated against with a different set of options.

    Here’s a description of the different options available:

    • connectionStringName: The name of the database connection to the aspnetdb database.
    • enablePasswordRetrieval: true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.
    • enablePasswordReset: true/false. Whether the user can reset their password. I suggest setting this to true.
    • requiresQuestionAndAnswer: true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.
    • applicationName: Setting the application name allows you to share a single membership database with multiple different applications, with each having their own distinct set of users. The default applicationName is /.
    • requiresUniqueEmail: true/false. Determines if multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login by email system.
    • passwordFormat: Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one way hash of the password. When a user authenticates, the password they enter is hashed as well and matched against the stored hashed value. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset. I always recommend using “Hashed” as it is the most secure way of storing the user’s password.
    • maxInvalidPasswordAttempts: The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.
    • passwordAttemptWindow: The number of minutes before the invalid password counter is reset. Defaults to 10.
    • minRequiredPasswordLength: The minimum password length. Defaults to 7.
    • minRequiredNonalphanumericCharacters: The minimum number of non-alphanumeric characters required in the password. Defaults to 1.
    • passwordStrengthRegularExpression: A regular expression that can be used to validate the complexity of the password.


  • In the <roleManager><providers> section add the following:
    <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    Save and close the machine.config file.

  • I mentioned that if you modified the machine.config, you’d only have to put the config in a single place. I wasn’t being completely truthful. The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService (but only there – you won’t have to add them to the Central Admin or other SharePoint web app web.configs). First we need to find the web.config for the SecurityTokenService. Open up IIS. Under Sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click on Explore. Edit the web.config in the folder that opens.
  • Add the following to the web.config, just before the closing </configuration> tag:
    <system.web>
      <membership>
        <providers>
          <add name="FBAMembershipProvider"
               type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="FBADB"
               enablePasswordRetrieval="false"
               enablePasswordReset="true"
               requiresQuestionAndAnswer="false"
               applicationName="/"
               requiresUniqueEmail="true"
               passwordFormat="Hashed"
               maxInvalidPasswordAttempts="5"
               minRequiredPasswordLength="7"
               minRequiredNonalphanumericCharacters="1"
               passwordAttemptWindow="10"
               passwordStrengthRegularExpression="" />
        </providers>
      </membership>
      <roleManager>
        <providers>
          <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
               type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        </providers>
      </roleManager>
    </system.web>

    Remember to match all of the options with what was entered in the machine.config. Save and close the file.


The role and membership providers have now been setup for SharePoint. Continue on to Part 4 to configure SharePoint to use the membership provider we just setup.
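As an added example (not code from the original article), here is a small Python checker that parses machine.config and SecurityTokenServiceApplication web.config fragments like the ones above and reports three things the steps warn about: FBAMembershipProvider options that differ between files, settings weaker than the recommended passwordFormat="Hashed" and enablePasswordRetrieval="false", and a connection string name declared a second time in a web.config when the machine.config entry is already inherited. The server name SQL01 and the file labels are constructed placeholders.

```python
"""Audit SharePoint FBA provider entries across .config files (added example)."""
import xml.etree.ElementTree as ET

# Settings the tutorial recommends; anything else is reported as a finding.
RECOMMENDED = {"passwordFormat": "Hashed", "enablePasswordRetrieval": "false"}

# Constructed machine.config fragment; the server name SQL01 is a placeholder.
MACHINE_CONFIG = """<configuration>
  <connectionStrings>
    <add connectionString="Server=SQL01;Database=aspnetdb;Integrated Security=true" name="FBADB" />
  </connectionStrings>
  <system.web>
    <membership>
      <providers>
        <add name="FBAMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB" enablePasswordRetrieval="false" enablePasswordReset="true"
             requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="true"
             passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>
    <roleManager>
      <providers>
        <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

# Constructed SecurityTokenService web.configs: the correct one carries only the
# provider entries; the faulty one re-declares FBADB and drifts on two options.
STS_WEB_CONFIG_OK = "<configuration>\n" + MACHINE_CONFIG[MACHINE_CONFIG.index("  <system.web>"):]
STS_WEB_CONFIG_BAD = (MACHINE_CONFIG
                      .replace('minRequiredPasswordLength="7"', 'minRequiredPasswordLength="8"')
                      .replace('passwordFormat="Hashed"', 'passwordFormat="Encrypted"'))


def provider_entries(xml_text, section):
    """Return {provider name: attributes} for each <add> under <section><providers>."""
    entries = {}
    for sec in ET.fromstring(xml_text).iter(section):
        providers = sec.find("providers")
        for add in ([] if providers is None else providers.findall("add")):
            entries[add.get("name")] = dict(add.attrib)
    return entries


def connection_string_names(xml_text):
    """Return the name of every <connectionStrings><add> in the document."""
    root = ET.fromstring(xml_text)
    return [add.get("name") for cs in root.iter("connectionStrings") for add in cs.findall("add")]


def audit(configs, provider="FBAMembershipProvider", role_provider="FBARoleProvider"):
    """configs: {label: xml text}, machine.config first because its entries are inherited.
    Returns a list of findings (empty when the files are consistent and hardened)."""
    findings, declared_cs, per_file = [], {}, {}
    for label, xml_text in configs.items():
        for name in connection_string_names(xml_text):
            if name in declared_cs:  # an inherited <add> declared again is a duplicate-key error
                findings.append(f"{label}: connection string '{name}' already declared in "
                                f"{declared_cs[name]}; inherited entries must not be added again")
            else:
                declared_cs[name] = label
        membership = provider_entries(xml_text, "membership")
        roles = provider_entries(xml_text, "roleManager")
        if provider in membership:
            attrs = per_file[label] = membership[provider]
            for key, want in RECOMMENDED.items():
                if attrs.get(key, "").lower() != want.lower():
                    findings.append(f"{label}: {provider} {key}={attrs.get(key)!r}; recommended {want!r}")
            if attrs.get("connectionStringName") not in declared_cs:
                findings.append(f"{label}: {provider} uses an undeclared connection string")
            if role_provider in roles and roles[role_provider].get("applicationName") != attrs.get("applicationName"):
                findings.append(f"{label}: applicationName differs between {provider} and {role_provider}")
    # Every declaration of the membership provider must carry identical options.
    labels = list(per_file)
    for label in labels[1:]:
        reference = per_file[labels[0]]
        for key in sorted(set(reference) | set(per_file[label])):
            if reference.get(key) != per_file[label].get(key):
                findings.append(f"{label}: {provider} {key}={per_file[label].get(key)!r} "
                                f"differs from {labels[0]} ({reference.get(key)!r})")
    return findings


if __name__ == "__main__":
    for finding in audit({"machine.config": MACHINE_CONFIG, "STS web.config": STS_WEB_CONFIG_BAD}):
        print(finding)
```

Point it at the real files by reading them into the dictionary in inheritance order (machine.config first, then each web.config).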

77 Responses to “Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files”

  1. Colby says:

    Thank you for this tutorial. It’s been a great help. I have a couple of questions. If I use the script you link to in step 2 to add users in SharePoint, does the database name need to stay aspnetdb? If so, is there a way around that? I ask that to ask the second question. I would like to create 2 separate Web Applications which use two different User Databases. Is this possible? If so, can you point me in the right direction? Thank you again

    • The database name does not need to be aspnetdb – that’s just the default. The wizard for creating the database lets you choose whichever name you’d like. You can also rename it at any time using SQL Server Management Studio. If you change the database name, you just have to change the database name in the connection string, so instead of:
      Database=aspnetdb
      you’d have:
      Database=mydatabasename.

      You can use 2 (or as many as you want) user databases. You just need to create a separate connection string and membership/role config for each database. Give them different names in the config. And then when specifying the membership and role provider for the Web Application – just use whichever name you specified in the config file – like FBAMembershipProvider2…

  2. SNAFU says:

    So, it does not appear as though editing the web config files as you describe propagates it throughout all sites created. When I look at the providers for the different sites that I have created, the membership provider doesn’t exist. Although, now that I’m typing this, I don’t see why that would prevent Windows authentication. My forms based users can log in without an issue. my AD users however cannot. Thoughts?

    • It should not prevent Windows Authentication. I assume that under Central Admin -> Manage Web Applications -> Authentication Providers that Windows Authentication is turned on (as well as FBA)? If you are using Kerberos for windows authentication, maybe try NTLM to make sure that works.

      Also, what happens when you try to login with Windows Auth? You get prompted with a dropdown to choose Windows or Forms Based authentication, and then what?

  3. SNAFU says:

    Windows Auth is turned on and it is using NTLM. When I select Windows Auth, I am presented with a login box and no matter what account I use, I can’t get in. I actually think I know what the problem is. I haven’t added any users directly to the site collection, but I can’t get in to the site with any credentials to do that.

    • If it’s a permission issue, you should get a SharePoint Access Denied page. In that case, try adding the user as a site collection administrator in Central Admin – or login with FBA and add the users to the site collection.

      If you get an IIS error message after trying to login, then it’s probably a problem with IIS recognizing the user/credentials.

  4. SNAFU says:

    I’m getting a blank page after I attempt to log in three times. I did add the user as a site collection administrator and I still get nothing. I’m about ready to scrap the whole thing and start over. This is beyond frustrating. I compared the setup in my lab to this setup and I don’t see anything different other than the names.

    • That’s strange you’re getting just a blank page. I would expect an IIS error page or a SharePoint Access Denied page.

      Maybe try creating a separate web application on SharePoint – set it for windows authentication only – and see if you can login to it.

    • paisley says:

      sounds like you might need to disable the loopback – if trying to access the page from the server (or access it from a client machine)

  5. Kelvin says:

    Thank you for this tutorial. I have one question.
    I’m using LDAPMembershipProvider to authenticate against Active Directory, but I get the error message “The method or operation is not implemented.” when I click “new user” in Manage Forms Based Authentication Users. Any solution to make it work with LDAPMembershipProvider?

    • Are you referring to the FBA Pack? If so, unfortunately the LDAPMembershipProvider doesn’t fully implement all of the MembershipProvider functions, and so it won’t work. The FBA Pack would either have to be modified to work specifically with the LDAPMembershipProvider, or a custom membership provider could be built that inherits from the LDAPMembershipProvider and fills in the missing functionality.

      • Kelvin says:

        Today I tried changing to SQLMembershipProvider but I keep getting an error message “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.” in the FBA user management page.

        • That essentially means that a membership provider either has not been setup, or it’s not working properly. Check that the membership and database connection entries in the .config files are ok. Also, make sure that the membership provider names set in Central Admin for the web application match those in the .config files.

          • Kelvin says:

            I followed the guide and added the connection string, membership provider and role manager in the machine.config file but the problem still exists…

  6. Kelvin – are you sure the aspnetdb database has the proper permissions applied for the web application application pool user? See Part 1.

  7. Kelvin says:

    May I know how to configure a page to allow an anonymous user to view it? I’m using the member request web part to create a registration page but if the anonymous user can’t view the page then the page is of no use.

  8. Felix Zhang says:

    Hi,
    I have done as you said in Part 2, but I found that here your version is
    “<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral …"
    But in my config after having done it in IIS it is
    "<add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="AspNetSqlProvider" description… "
    The version is different, yours is 4 and mine is 2.
    Thanks

    • Right, for SharePoint 2013 you need to use the .Net 4.0 version of the membership providers. It will not work with the .Net 2.0 version (SharePoint 2010 uses .Net 2.0).

      For configuring membership providers in IIS, the built-in IIS tools only support .Net 2.0 on Windows 2008.

      Both the .net 2.0 and 4.0 versions will connect to the same membership databases.

      • Felix Zhang says:

        I’m working on SharePoint 2013, I want to use both FBA and Windows authorization,
        In my SharePoint 2013 Central Administration web.config:


        When it is 2.0 the name is “AspNetWindowsTokenRoleProvider” which has been commented above; it works fine, but I still cannot get the users from my own aspnetdb (FBARoles Provider), so I want to change the “AspNetWindowsTokenRoleProvider” to the 4.0 version, but an error occurs:

        The attribute ‘connectionStringName’ is missing or empty.

        In the 2.0 version it does not need connectionStringName when using “AspNetWindowsTokenRoleProvider” which I commented above in the web.config, but when the version is changed to 4.0 it says it is needed? And it is Windows authorization, does it have a database?
        Could you help?
        Thanks

        • Felix Zhang says:

          // The below is version 2.0; for testing I removed it, for readability
          // I just copied it here
          <add applicationName="/"
          name="AspNetWindowsTokenRoleProvider"
          type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
          // The below is version 4.0

          </roleManager>

  9. Felix Zhang says:

    Sorry I cannot copy the web.config here, I do not know why, the letters will be blank, maybe the security, I hope you will understand what I said.
    Thanks

    • Sorry, but I don’t have experience with the WindowsTokenRoleProvider. You should already have an entry for it in your machine.config though:

      <add name="AspNetWindowsTokenRoleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

      Actually – I see your problem – you’re calling it AspNetWindowsTokenRoleProvider, but instead of using a WindowsTokenRoleProvider, you’re using a SQLRoleProvider.

      • Felix Zhang says:

        You are right, I am too careless.
        But after fixing this error, I still cannot get the users in aspnetdb.
        When adding users, only Windows users are listed.
        Many thanks for your help.

  10. Naveen says:

    Hello,
    This worked for me for FBA. But I am now not able to login to the site using windows authentication. When I select Windows Auth in the drop down it asks me for the credentials. When I give my windows credentials it’s rejecting them. I am the site collection admin for my site collection.

    Can you guess what I might have done wrong?

    Thanks,
    Naveen.

    • Everything sounds ok. I’d double check that your windows user name is set as a site collection admin. If it still doesn’t work, maybe try another user’s windows login.

  11. Miluska says:

    I don’t have permissions to change machine.config, so I did the changes in each web.config… everything is ok BUT! I couldn’t access My Site with the users… The mistake is that we need to put the connection string also in the Web.config of the Security Token Service…

  12. Chris,
    Very easy to follow instructions. I had to use ASP.net V4 also as I’m using Server 2012 / SPF2013 / SQL2012. I have one existing production SharePoint 2013 site that has been extended already for outside access and works great. I’m currently only using NTLM Windows Authorization. After going through your steps carefully I ended up with the original site no longer working as well as Server Manager would not start. Any ideas? I never touched the original App Pool or Site. Would editing the machine.config cause this? As my server is a VM on an EqualLogic I just restored to my previous snapshot so I wouldn’t be down.

    My plans were to keep the existing Web Application intact with the current authentication and then create a new Web Application (for totally different use) to use FBA. Is FBA an all-or-nothing scenario or can I do it the way I am planning?

    • If even server manager won’t start, then yes – it’s likely due to editing the machine.config. I’ll make a note to edit the article to include a step to make a backup of your machine.config before editing, in case anything goes wrong.

      You do have to be very careful when editing .config files, as missing a closing tag or opening tag will cause the whole .config file to be unusable.

      It’s lucky that you had the snapshot. Next time I suggest you make a backup copy of the machine.config, and then you can just overwrite the machine.config with the backup if anything goes wrong. Next time I’d also double check that all opening tags have matching closing tags around the areas that you made changes. It was likely a missing closing tag, or perhaps the entries inserted into the wrong area of the web.config.

      As for the FBA only on a separate web application, yes you can do it the way you’re planning. You’d do all the steps the same, just step 4 you’d only apply to the web application you want FBA on.

      • Thanks Chris, I’ll give it another try tomorrow. I was very careful with the tags but obviously I missed something. Great article, thanks for taking the time to write it.

        Larry

        • Hello again Chris, day two. I’ve gone back through the exercise quickly this morning but paying very close attention to the details of the file edits. Through testing, I’ve narrowed the problem down to the machine.config file edits. Not sure what part of it is causing the problem as I have used your settings and named providers exactly including the security choices. Only thing different is my server name which I was sure to change in the connection string line. After completing the exercise through step 3 I did a quick iisreset /noforce and at that point again Server Manager won’t work and my SharePoint site previously created that is known to work fine is no longer available… it shows a blank white page with no error (the tab in IE is displaying as it should with the icon). I change back to the original machine.config file and of course the problem is fixed. The only thing I noticed from your examples that I changed was the ending tags. You left a space before the closing /> and I took that out as every other line in the file does not have that space. Any thoughts? I would be willing to send you the machine.config file if you think that will help.

  13. Colin says:

    Hi Chris

    Two questions:

    I’ve noticed that the web application web.config files do not contain the membership and roles changes that were made to the machine.config and SecurityTokenService web.config (as per SNAFU’s first response).
    1. Have I missed something?

    When I tried to add .NET users (created from Part 2) to the web application groups, their names are not to be found. The only way I can get those users to appear for selection, is if I go to Central Administration | Managed Web Application, select the web application, select User Policy and add their names here first (with zone Extranet).

    But then the permissions assigned to them in the Policy Web Application (eg Full Read) seem to override their web application group permission (Members).

    2. Is this the way to add users from the Membership Database to groups?

    • The web.config files don’t need the changes because they were made to the machine.config – so they inherit the changes. You could put them in the web.config INSTEAD of the machine.config (don’t put them in both or you will run into issues with conflicts) – but then you’d have to remember to put the entries in every new web application web.config you create, instead of in one place in the machine.config.

      The users from the membership database can definitely be added to groups. If they’re not showing up in the site collection people finder then likely there’s some configuration error. If you can see the people in the central admin people finder, and you’ve made the membership changes in the machine.config – so they should be the same for central admin and all web applications – then it’s not likely an issue in the config file. My guess is that the membership provider name for the zone (Manage Web applications -> Authentication Providers (Part 4)) doesn’t match the name in your config files.

  14. Randi says:

    hi,
    I get this error A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.

    I have checked my config file and I have used the same settings as you have in this example, only changed the connection string name.

    The user I used in SQL has permissions because I’m able to add users from IIS, when I added the dummy site to add users from IIS.

    I have tried several times today and yesterday to figure out if I had something wrong in my config files. I even checked with some config files from other projects where I successfully have it to work for 2010.

    I have the same names of the providers added in config file and in sharepoint.

    any idea what i’m missing here?

    Would be really thankful for any help. I’m a little stuck here right now :/

    • Generally that error message either means there is an issue with the web.config or an issue with the database permissions. It sounds like you’ve checked over your web.config pretty carefully, so my guess is that it’s the db permissions.

      Just because you can add users from iis doesn’t mean you’ll be able to add users from SharePoint. You’re accessing the db from 2 different users. From iis, you access it from the user currently logged in (probably an administrator, so probably already has admin rights on the db server if it’s on the same machine). For use within SharePoint you have to make sure that the app pool user for the web application being used has permissions on the aspnetdb.

      • Randi says:

        I still have problems with getting this to work.
        I’m able to add users for sharepoint now.
        And I have assigned the user to a SharePoint site.
        But I cannot log on to SharePoint. In the login window I get the error that the username or password is wrong,
        And in the eventlog I get the errormessage:
        An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error.

        any idea what I’m missing?

  15. Randi says:

    Thanks for answers.
    The user is dbowner of the aspnet database. So it should have the right permissions for the database.

  16. Colin says:

    Hi Chris

    I think I found the reason/solution to the problem I’ve been having with assigning membership (database) users to the site collection groups.

    I have a default web application (used for intranet) which has been extended to an extranet (which uses FBA). I created a membership database user as FBAAdmin, which I have given full control to the extranet (via Central Administration | Managed Web Application, User Policy).

    When I log-into the extranet with FBAAdmin, I can assign other membership database users to the site collection groups, BUT I cannot see any users from AD. Whereas if I log-into the default web application (as site owner), I can only see users from AD but none from the membership database.

    Is this how the different zones work? The default (intranet) web application can only see AD users and the extranet web application can only see membership database users created from IIS?

    • That’s right, I believe you have to be logged in as a windows user for the people picker to work for other window users. You have a couple of options if you also want to manage the extranet users from the intranet:

      Probably the easiest would be to modify the intranet zone to allow both windows and FBA users. Alternatively you can create a third zone that allows both that you would use to do any administration.

      Alternatively you can simply add the FBA Pack https://sharepoint2013fba.codeplex.com/, which will allow users from any zone to administer FBA users using the FBA Pack Management Pages (The FBA membership config file changes have to be available on any zone you want to use this – but as long as you make the changes in the machine.config they would be available everywhere). So you could use the FBA Pack management pages to admin the FBA users from your windows only auth zone.

  17. Tim says:

    In my multi-server dev farm do all servers including the app servers need to have their web.configs altered?

  18. Gerhard says:

    Hi Chris,

    I followed all the steps provided. I am using an existing membership db from SharePoint 2010. I inserted all the settings in the machine config and the SecurityToken config. I am able to see the users if I go into IIS to my SharePoint web application > .Net Users. However from the login page in SharePoint I am not able to connect using the correct credentials?

    • Check the web config for the web application. If you can see the users in IIS on the web application after performing step 4, it is wrong. Configuring the web application in SharePoint sets a default membership provider of type ‘SPClaimsAuthMembershipProvider’. This acts as a proxy provider to the membership provider you name when you setup the web application. It is not compatible with the IIS tools though – so if you can see the users, this is not set to the default.

      • Gerhard says:

        I removed the web application completely and started from scratch. I created new web application and site collection. So far this worked using my forms db. I could sign in with a form user into the site. I mounted my existing content database from SharePoint 2010 to the new web application and deleted the empty db created. Then the same error occurs – Access Denied. I am also not able to view users from IIS which is correct. Have you had any problems with FBA and existing content db from SP2010? Thanks in advance

        • Gerhard says:

          I found the problem. The membership names were different in the old SP2010 farm. That’s what caused the access denied error. Thank you for the help and great guide.

  19. Greg Nagy says:

    Chris,

    I really appreciate your detailed instructions for using FBA in SharePoint 2013. I was able to get FBA accounts to login correctly on a test site on my SharePoint 2013 server. When I try to apply the same settings to an existing SharePoint 2013 site, Windows authenticated users login fine, but when I try to login FBA accounts, I choose Forms Authentication, type in the username and password, I get a blue bar at the top with “Working on it…” for a few seconds, then I get “Sorry, you don’t have access to this page.” Any idea what you can point me to check that I am missing? I’ve gone through your instructions a second time and can’t find anything wrong.

    Thank you!

    • It could be that you are getting logged in, but the user you’re logging in as doesn’t have the permissions necessary to view the page they’re being redirected to. Try and make the user a site owner or site collection admin and see if the errors go away.

      • Greg Nagy says:

        Making my FBA test account a Site Collection Admin allowed the account to login and access the page and site correctly. Since I can’t add all of my users to this field since I have hundreds of just standard members, where do you think I should look next?

        Thank you!

        • Does the account work if you remove them from being a site collection admin, and just add them to say the ‘visitors’, or ‘members’ groups? I think you just have some permissions problems there, and you’d have to make sure the users belong to a group with sufficient permissions to view or modify the site.

  20. Lurch says:

    Update to my previous post. I found the log files, and I see the following error cropping up when I try to log in using Forms Authentication:

    An exception occurred when trying to issue security token: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly.

    The first 1024 bytes of the response were: ‘ IIS 8.0 Detailed Error – 500.19 – Internal Server Error <!– body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000… c131649c-1651-f0f9-e96f-4cef546e1b4f
    …;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0'.. c131649c-1651-f0f9-e96f-4cef546e1b4f

    • I can’t say I’ve seen that one before. My only guess might be that the securityTokenService config file was edited incorrectly. Maybe an opening or closing bracket was missed, or perhaps the changes were made at the wrong location in the file.

  21. Johannes says:

    First I wish you a happy new year and thank you for that great tutorial.
    We use Windows Server 2012 and SharePoint 2013 with AD and FBA auth.
    We followed the complete tutorial but after that, we realized that we need the FBA-Pack. So we installed it.
    So far everything is working. Users can create their own account and we can manage them.
    But now we have got a problem with all auth.:
    We have got multiple web applications. The auth. should work for all web applications. But if we log in to a website on the second web application, the user disconnects from the website of the first web application and gets an error.
    When we want to check the Session State config of the IIS website MembershipConfig we get an error that says something like: double list entry type “add” with FBADB [...] cannot be added.

    Any idea what to do?

    • If you’ve got an error about extra ‘add’ entries for FBADB, then you’ve got an error in your web.config.

      The FBADB DB connection entry that is added to the machine.config is inherited everywhere, so what I believe has happened is that you’ve also added that same FBADB connection entry to another web.config file.

      My best guess is that the extra entry is in the SecurityTokenService config file. If it’s not there though, you’ll have to check the web.configs for each of your SharePoint web applications. Just find the extra entry and delete it and your problems should go away.

      • Johannes says:

        Thank you. We found an unnecessary entry in the web.config file of the MembershipConfig site.
        Do you also have an idea how we can realize auth. across different web applications without re-auth?

        • The problem with single sign on across multiple web applications is that the cookie for each web application is stored for the domain – so as soon as that domain changes, the cookie no longer exists and you can’t login. Couple of options:

          1. Use a single web application and set up multiple site collections under it:
          mysite.mydomain.com/sites/site1
          mysite.mydomain.com/sites/site2

          2. Have users check the ‘sign me in automatically’ box when they login – they will have to do it for each web application – but they should remain signed in the next time they open their browser. Note that there are settings for this you can set in SharePoint, which you may have to adjust to allow them to stay logged in longer than the default.

          3. Use a central login service instead of FBA, like OAuth or SAML. When the user hits the site, a central server will be contacted. Because the login server is always on the same domain, their authentication cookie will always be available so they’ll only have to login once.
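The duplicate-FBADB error discussed above comes from .NET configuration inheritance: the `<connectionStrings>` entry in machine.config is merged into every web.config on the machine, so a second `<add name="FBADB">` in, say, the SecurityTokenServiceApplication web.config is a duplicate key. The following script is an added example, not code from the blog post or from SharePoint; it emulates the `<clear/>`, `<remove>` and `<add>` merge rules for that section on constructed config snippets (the server name, database name and file labels are placeholders) so the offending file can be found before IIS reports it, and it also shows the `<remove>` that makes a repeated entry legal.

```python
"""Emulate .NET configuration inheritance for <connectionStrings> so a
duplicate FBADB entry can be spotted before IIS reports it.

Constructed example, not from the blog post: the XML below is made up and
the server/database values are placeholders."""
import xml.etree.ElementTree as ET

# Constructed stand-in for the FBADB entry added to machine.config.
MACHINE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="FBADB" connectionString="Server=sqlhost;Database=FBADB;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Constructed SecurityTokenServiceApplication web.config that repeats the
# same entry. Because web.config inherits machine.config, the second <add>
# for the same name is a duplicate key and the application fails to start.
STS_WEB_CONFIG_BAD = """<configuration>
  <connectionStrings>
    <add name="FBADB" connectionString="Server=sqlhost;Database=FBADB;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Corrected version: <remove> the inherited entry first (or simply drop the
# <add>, since the machine.config entry is already inherited).
STS_WEB_CONFIG_FIXED = """<configuration>
  <connectionStrings>
    <remove name="FBADB" />
    <add name="FBADB" connectionString="Server=sqlhost;Database=FBADB;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""


def merge_connection_strings(configs):
    """Apply <clear/>, <remove>, <add> in inheritance order (machine.config first).

    configs is a list of (label, xml_text). Returns (effective, errors): the
    effective dict of name -> connectionString and a list of error strings,
    one per duplicate <add>, naming the file that introduced it.
    """
    effective = {}
    errors = []
    for label, xml_text in configs:
        root = ET.fromstring(xml_text)
        section = root.find("connectionStrings")
        if section is None:
            continue
        for elem in section:
            if elem.tag == "clear":
                effective.clear()
            elif elem.tag == "remove":
                effective.pop(elem.get("name"), None)
            elif elem.tag == "add":
                name = elem.get("name")
                if name in effective:
                    # Mirrors the duplicate-key failure IIS raises for the section.
                    errors.append(
                        f"{label}: entry 'add' with key '{name}' has already been added")
                    continue
                effective[name] = elem.get("connectionString", "")
    return effective, errors


def check_sts_config(sts_web_config):
    """Merge machine.config with the given STS web.config and return the errors."""
    _, errors = merge_connection_strings(
        [("machine.config", MACHINE_CONFIG),
         ("SecurityTokenServiceApplication/web.config", sts_web_config)])
    return errors


if __name__ == "__main__":
    for label, cfg in (("bad", STS_WEB_CONFIG_BAD), ("fixed", STS_WEB_CONFIG_FIXED)):
        print(label, check_sts_config(cfg) or "no duplicate entries")
```

To use the same check on a real server, read the actual machine.config and each SharePoint web application's web.config (plus the SecurityTokenServiceApplication one, which is what the login path uses) into the `configs` list in inheritance order; the first file that reports an error is the one carrying the extra entry.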

  22. Rashid Bilgrami says:

    How do I disable this authentication? I need to disable it. If you have an idea, please confirm.

  23. Venkat says:

    Can this work with my own names for the Membership Provider and Role Provider, not using the names “FBAMembershipProvider” and “FBARoleProvider”?

  24. Paul Yung says:

    Will these instructions work for a VM? I ran into so many problems. I have a stand-alone (not in a farm) SP 2013 VM running on Windows 2012 (Standard w/o R2).

    • Yes – these definitely run on a VM (In fact the instructions/screenshots were all done on a VM – SP 2013 on Windows 2008 R2). What kind of problems are you running into?

  25. Greg says:

    Hi Chris

    Thanks for your blog, it’s very helpful. I’ve managed to configure everything and am able to log in with .Net/SQL users. The only problem I have is around the .Net Roles. I cannot search for them to add them to the Home Visitors/Owners/Members groups. Even if I type them fully and exactly (case sensitive etc.) as they appear in the .Net Roles IIS pane I get an error stating it cannot find an exact match.

    If I type in fba it lists (All Users) FBAMembershipProvider. Do I need to add anything to the for that app, or is this just not supported or not going to work as I envision, i.e. .NET Roles used as groups within the SharePoint site permissions?

    Many thanks

    Greg

    • Greg says:

      Apologies, I found the error. I’ve had so many goes at this on a VM using snapshots I had a missing Role setting in the machine.config. Sorting this out and adding the FBA pack 2013 has allowed me to use the roles as I would have expected them to work.

      Thanks again for your efforts in compiling this step-by-step article, your contributions are much appreciated.

  26. manisekhar says:

    Hello,

    I have created FBA, and in the people picker I get the users, but when I try to log in as FBA users it’s not taking.

    Please refer to the error below.

    Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.
    The server could not sign you in. Make sure your user name and password are correct, and then try again.

    • Logging in actually uses the membership configuration from the SecurityTokenServiceApplication. From within SharePoint, it uses the membership configuration from the machine.config/web.config.

      So check the settings in the SecurityTokenServiceApplication, as that is probably where your problem lies.
