Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files

Configuring forms based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences because SharePoint 2013 uses .Net 4.0. The web.config entries are slightly different. Also, IIS doesn’t support editing .Net 4.0 membership provider configuration through the IIS interface, so all of the configuration has to be done directly in the .config files. I’ll go through all of the steps required to set up FBA for SharePoint 2013, from start to finish. I’ve broken down the steps into 4 sections:

Part 1 – Creating the Membership Database

Part 2 – Adding Users to the Membership Database

Part 3 – Editing the Web.Config Files

Part 4 – Configuring SharePoint

Part 3 – Editing the Web.Config Files

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider. A membership provider is an interface between the program and the credential store. This allows the same program to work against many different methods of storing credentials. For example, you could use an LDAPMembershipProvider to authenticate against Active Directory, or a SQLMembershipProvider to authenticate against a SQL Server database. For this example we’re using the SQLMembershipProvider to authenticate against a SQL Server database.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. Most tutorials have you adding the membership provider settings over and over again in each web.config (as well as every time you set up a new SharePoint web application). I prefer to add the membership provider settings directly to the machine.config. By adding them to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don’t have to remember to make them every time you create a new SharePoint web application.

If you don’t have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

  • SharePoint Central Administration
  • SecurityTokenServiceApplication
  • Every SharePoint web application you create that you would like to access via FBA.


BEFORE EDITING ANY .CONFIG FILE – MAKE A BACKUP OF IT. It’s very easy to make a typo.

  • Navigate to “C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config” and open “machine.config”.
  • In the <connectionStrings> section, add the following line:
    <add connectionString="Server=WIN-C6ES927TE58;Database=aspnetdb;Integrated Security=true" name="FBADB" />

    Be sure to replace the value for Server with the name of your SQL Server.

  • In the <membership><providers> section add the following:
    <add name="FBAMembershipProvider" connectionStringName="FBADB" applicationName="/"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
     passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"
     minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1"
     passwordStrengthRegularExpression="" />

    You can customize the authentication by modifying each of these options. The most important thing to remember though is that if you define a membership provider in multiple locations for the same database, they MUST ALL USE THE SAME OPTIONS. Otherwise you’ll run into all kinds of problems with users created with one set of options, and later being authenticated against with a different set of options.

    Here’s a description of the different options available:

    connectionStringName: The name of the database connection to the aspnetdb database.
    enablePasswordRetrieval: true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.
    enablePasswordReset: true/false. Whether the user can reset their password. I suggest setting this to true.
    requiresQuestionAndAnswer: true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.
    applicationName: Setting the application name allows you to share a single membership database among multiple applications, each with its own distinct set of users. The default applicationName is /.
    requiresUniqueEmail: true/false. Determines whether multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login-by-email system.
    passwordFormat: Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one-way hash of the password. When a user authenticates, the password they enter is hashed as well and matched against the stored hash. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset. I always recommend using “Hashed” as it is the most secure way of storing the user’s password.
    maxInvalidPasswordAttempts: The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.
    passwordAttemptWindow: The number of minutes before the invalid password counter is reset. Defaults to 10.
    minRequiredPasswordLength: The minimum password length. Defaults to 7.
    minRequiredNonalphanumericCharacters: The minimum number of non-alphanumeric characters required in the password. Defaults to 1.
    passwordStrengthRegularExpression: A regular expression that can be used to validate the complexity of the password.


  • In the <roleManager><providers> section add the following:
    <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    Save and close the machine.config file.

  • I mentioned that if you modified the machine.config, you’d only have to put the config in a single place. I wasn’t being completely truthful. The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService web.config (but only there; you won’t have to add them to the Central Administration or other SharePoint web application web.configs). First we need to find the web.config for the SecurityTokenService. Open IIS. Under Sites, expand SharePoint Web Services, right-click SecurityTokenServiceApplication and click Explore. Edit the web.config in the folder that opens.
  • Add the following to the web.config, just before the closing </configuration> tag (the entries sit in their own <system.web> element):
     <system.web>
      <membership><providers>
       <add name="FBAMembershipProvider" connectionStringName="FBADB" applicationName="/"
        type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
        passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"
        minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordStrengthRegularExpression="" />
      </providers></membership>
      <roleManager><providers>
       <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
        type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers></roleManager>
     </system.web>

    Remember to match all of the options with what was entered in the machine.config. Save and close the file.
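As an added example (not from the article), here is a PowerShell check to run after both edits: it confirms each file still parses as XML, that the FBAMembershipProvider and FBARoleProvider entries carry identical options in machine.config and the SecurityTokenService web.config, that the FBADB connection string appears once and only in machine.config, and that the membership options match the recommendations above. It assumes the machine.config approach described in this part; the default machine.config path is the one from the first step, and -StsWebConfig must point at the web.config in the folder IIS opens for SecurityTokenServiceApplication.

```powershell
# Added example, not from the original article. Checks the FBA provider entries
# after editing machine.config and the SecurityTokenService web.config.
# Assumption: the machine.config approach was used, so the FBADB connection
# string lives in machine.config only. -StsWebConfig is the web.config in the
# folder IIS opens when you Explore SecurityTokenServiceApplication.
param(
    [string]$MachineConfig = 'C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config\machine.config',
    [Parameter(Mandatory = $true)][string]$StsWebConfig
)

function Import-ConfigXml {
    param([string]$Path)
    # A missing or mismatched tag makes the whole file unusable (blank pages, even
    # Server Manager failing), so prove the file still parses before anything else.
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($Path) } catch { throw "$Path is not well-formed XML: $($_.Exception.Message)" }
    return $xml
}

function Get-ProviderAdd {
    param([System.Xml.XmlDocument]$Xml, [string]$Name)
    # membership and roleManager both sit under system.web and both use <providers><add>
    return @($Xml.SelectNodes("//system.web/*/providers/add[@name='$Name']"))
}

$machine  = Import-ConfigXml -Path $MachineConfig
$sts      = Import-ConfigXml -Path $StsWebConfig
$problems = New-Object System.Collections.Generic.List[string]

foreach ($name in 'FBAMembershipProvider', 'FBARoleProvider') {
    $m = Get-ProviderAdd -Xml $machine -Name $name
    $s = Get-ProviderAdd -Xml $sts -Name $name
    if ($m.Count -ne 1) { $problems.Add("machine.config declares '$name' $($m.Count) times, expected 1") }
    if ($s.Count -ne 1) { $problems.Add("STS web.config declares '$name' $($s.Count) times, expected 1") }
    if ($m.Count -eq 1 -and $s.Count -eq 1) {
        # Every option must be identical: users created under one set of options
        # cannot be authenticated under another.
        $keys = @($m[0].Attributes | ForEach-Object { $_.Name }) +
                @($s[0].Attributes | ForEach-Object { $_.Name }) | Sort-Object -Unique
        foreach ($k in $keys) {
            $mv = $m[0].GetAttribute($k); $sv = $s[0].GetAttribute($k)
            if ($mv -ne $sv) { $problems.Add("'$name' option '$k' differs: machine.config='$mv' STS='$sv'") }
        }
    }
}

# The connection string is inherited from machine.config; a second <add name="FBADB">
# anywhere else produces a duplicate-entry error at runtime.
$csMachine = @($machine.SelectNodes("//connectionStrings/add[@name='FBADB']"))
$csSts     = @($sts.SelectNodes("//connectionStrings/add[@name='FBADB']"))
if ($csMachine.Count -ne 1) { $problems.Add("machine.config has $($csMachine.Count) FBADB connection strings, expected 1") }
if ($csSts.Count -gt 0)     { $problems.Add('FBADB connection string is repeated in the STS web.config; it is inherited, remove it') }

# Credential-storage options the article recommends, checked on the machine.config copy.
$mp = Get-ProviderAdd -Xml $machine -Name 'FBAMembershipProvider'
if ($mp.Count -eq 1) {
    $a = $mp[0]
    if ($a.GetAttribute('passwordFormat') -ne 'Hashed') {
        $problems.Add("passwordFormat is '$($a.GetAttribute('passwordFormat'))'; Hashed is the only format that cannot be reversed")
    }
    if ($a.GetAttribute('enablePasswordRetrieval') -eq 'true') {
        $problems.Add('enablePasswordRetrieval=true lets stored passwords be read back; set it to false')
    }
    if ($a.GetAttribute('type') -notmatch 'System\.Web,\s*Version=4\.') {
        $problems.Add('FBAMembershipProvider type is not the .Net 4.0 System.Web assembly SharePoint 2013 requires')
    }
    if ($a.GetAttribute('connectionStringName') -ne 'FBADB') {
        $problems.Add("FBAMembershipProvider connectionStringName is '$($a.GetAttribute('connectionStringName'))', expected FBADB")
    }
}

if ($problems.Count -eq 0) { Write-Output 'OK: both files parse and the FBA provider entries are consistent' }
else { $problems | ForEach-Object { Write-Output "PROBLEM: $_" } }
```

Run it after every edit and before iisreset; a parse failure is reported first, since a broken .config is the usual cause of a blank page or of Server Manager failing to start.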


The role and membership providers have now been set up for SharePoint. Continue on to Part 4 to configure SharePoint to use the membership provider we just set up.

126 Responses to “Configuring Forms Based Authentication in SharePoint 2013 – Part 3 – Editing the Web.Config Files”

  1. Colby says:

    Thank you for this tutorial. It’s been a great help. I have a couple of questions. If I use the script you link to in step 2 to add users in SharePoint, does the database name need to stay aspnetdb? If so, is there a way around that? I ask that to ask the second question. I would like to create 2 separate Web Applications which use two different User Databases. Is this possible? If so, can you point me in the right direction? Thank you again

    • The database name does not need to be aspnetdb – that’s just the default. The wizard for creating the database lets you choose whichever name you’d like. You can also rename it at any time using SQL Server Management Studio. If you change the database name, you just have to change the database name in the connection string, so instead of:
      you’d have:

      You can use 2 (or as many as you want) user databases. You just need to create a separate connection string and membership/role config for each database. Give them different names in the config. And then when specifying the membership and role provider for the Web Application – just use whichever name you specified in the config file – like FBAMembershipProvider2…

  2. SNAFU says:

    So, it does not appear as though editing the web.config files as you describe propagates it throughout all sites created. When I look at the providers for the different sites that I have created, the membership provider doesn’t exist. Although, now that I’m typing this, I don’t see why that would prevent Windows authentication. My forms based users can log in without an issue. My AD users however cannot. Thoughts?

    • It should not prevent Windows Authentication. I assume that under Central Admin -> Manage Web Applications -> Authentication Providers that Windows Authentication is turned on (as well as FBA)? If you are using Kerberos for windows authentication, maybe try NTLM to make sure that works.

      Also, what happens when you try to log in with Windows Auth? You get prompted with a dropdown to choose Windows or Forms Based authentication, and then what?

  3. SNAFU says:

    Windows Auth is turned on and it is using NTLM. When I select Windows Auth, I am presented with a login box and no matter what account I use, I can’t get in. I actually think I know what the problem is. I haven’t added any users directly to the site collection, but I can’t get in to the site with any credentials to do that.

    • If it’s a permission issue, you should get a SharePoint Access Denied page. In that case, try adding the user as a site collection administrator in Central Admin – or login with FBA and add the users to the site collection.

      If you get an IIS error message after trying to login, then it’s probably a problem with IIS recognizing the user/credentials.

  4. SNAFU says:

    I’m getting a blank page after I attempt to log in three times. I did add the user as a site collection administrator and I still get nothing. I’m about ready to scrap the whole thing and start over. This is beyond frustrating. I compared the setup in my lab to this setup and I don’t see anything different other than the names.

    • That’s strange you’re getting just a blank page. I would expect an IIS error page or a SharePoint Access Denied page.

      Maybe try creating a separate web application on SharePoint – set it for windows authentication only – and see if you can login to it.

    • paisley says:

      sounds like you might need to disable the loopback – if trying to access the page from the server (or access it from a client machine)

  5. Kelvin says:

    Thank you for this tutorial. I have one question.
    I’m using LDAPMembershipProvider to authenticate against Active Directory, but I get the error message “The method or operation is not implemented.” when I click “new user” in Manage Forms Based Authentication Users. Any solution to make it work with LDAPMembershipProvider?

    • Are you referring to the FBA Pack? If so, unfortunately the LDAPMembershipProvider doesn’t fully implement all of the MembershipProvider functions, and so it won’t work. The FBA Pack would either have to be modified to work specifically with the LDAPMembershipProvider, or a custom membership provider could be built that inherits from the LDAPMembershipProvider and fills in the missing functionality.

      • Kelvin says:

        Today I tried changing to SQLMembershipProvider but I keep getting an error message “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.” in the FBA user management page.

        • That essentially means that a membership provider either has not been setup, or it’s not working properly. Check that the membership and database connection entries in the .config files are ok. Also, make sure that the membership provider names set in Central Admin for the web application match those in the .config files.

          • Kelvin says:

            I followed the guide and added the connection string, membership provider and role manager in the machine.config file, but the problem still exists…

  6. Kelvin – are you sure the aspnetdb database has the proper permissions applied for the web application application pool user? See Part 1.

  7. Kelvin says:

    May I know how to configure a page so that anonymous users can view it? I’m using the member request web part to create a registration page, but if anonymous users can’t view the page then the page is of no use.

  8. Felix Zhang says:

    I have done as you said in Part 2, but I found that here your version is
    “<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
    type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral …"
    But in my config after having done it in IIS it is
    "<add name="FBARoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="/" connectionStringName="AspNetSqlProvider" description… "
    The version is different, yours is 4 and mine is 2.

    • Right, for SharePoint 2013 you need to use the .Net 4.0 version of the membership providers. It will not work with the .Net 2.0 version (SharePoint 2010 uses .Net 2.0).

      For configuring membership providers in IIS, the built-in IIS tools only support .Net 2.0 on Windows 2008.

      Both the .net 2.0 and 4.0 versions will connect to the same membership databases.

      • Felix Zhang says:

        I’m working on SharePoint 2013. I want to use both FBA and Windows authorization.
        In my SharePoint 2013 Central Administration web.config:


        When it is 2.0 the name is “AspNetWindowsTokenRoleProvider”, which I have commented above, and it works fine, but I still cannot get the users from my own aspnetdb (FBARoles provider). So I want to change the “AspNetWindowsTokenRoleProvider” to the 4.0 version, but an error occurs:

        The attribute ‘connectionStringName’ is missing or empty.

        In the 2.0 version it does not need connectionStringName when using “AspNetWindowsTokenRoleProvider”, which I commented above in the web.config, but when the version is changed to 4.0 it says it is needed? And it is Windows authorization, does it have a database?
        Could you help?

        • Felix Zhang says:

          // The below is version 2.0; for the test I removed it, for readability
          // I just copied it here
          <add applicationName="/"
          type="System.Web.Security.SqlRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
          // The below is version 4.0


  9. Felix Zhang says:

    Sorry, I cannot copy the web.config here, I do not know why, the letters will be blank, maybe the security. I hope you will understand what I said.

    • Sorry, but I don’t have experience with the WindowsTokenRoleProvider. You should already have an entry for it in your machine.config though:

      <add name="AspNetWindowsTokenRoleProvider" applicationName="/" type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

      Actually – I see your problem – you’re calling it AspNetWindowsTokenRoleProvider, but instead of using a WindowsTokenRoleProvider, you’re using a SQLRoleProvider.

      • Felix Zhang says:

        You are right, I am too careless.
        But after fixing this error, I still cannot get the users in aspnetdb.
        When adding users, only Windows users are listed.
        Many thanks for your help.

  10. Naveen says:

    This worked for me for FBA. But I am now not able to log in to the site using Windows authentication. When I select Windows Auth in the drop down it asks me for credentials. When I give my Windows credentials it rejects them. I am the site collection admin for my site collection.

    Can you guess what I might have done wrong?


    • Everything sounds ok. I’d double check that your windows user name is set as a site collection admin. If it still doesn’t work, maybe try another user’s windows login.

  11. Miluska says:

    I don’t have permissions to change machine.config, so I did the changes in each web.config…. Everything is ok BUT! I couldn’t access My Site with the users… The mistake is that we need to put the connection string also in the web.config of the Security Token Service…

  12. Chris,
    Very easy to follow instructions. I had to use V4 also as I’m using Server 2012 / SPF2013 / SQL2012. I have one existing production SharePoint 2013 site that has been extended already for outside access and works great. I’m currently only using NTLM Windows Authorization. After going through your steps carefully I ended up with the original site no longer working as well as Server Manager would not start. Any ideas? I never touched the original App Pool or Site. Would editing the machine.config cause this? As my server is a VM on a EqualLogic I just restored to my previous snapshot so I wouldn’t be down.

    My plans were to keep the existing Web Application intact with the current authentication and then create a new Web Application (for a totally different use) to use FBA. Is FBA an all-or-nothing scenario or can I do it the way I am planning?

    • If even server manager won’t start, then yes – it’s likely due to editing the machine.config. I’ll make a note to edit the article to include a step to make a backup of your machine.config before editing, in case anything goes wrong.

      You do have to be very careful when editing .config files, as missing a closing tag or opening tag will cause the whole .config file to be unusable.

      It’s lucky that you had the snapshot. Next time I suggest you make a backup copy of the machine.config, and then you can just overwrite the machine.config with the backup if anything goes wrong. Next time I’d also double check that all opening tags have matching closing tags around the areas that you made changes. It was likely a missing closing tag, or perhaps the entries inserted into the wrong area of the web.config.

      As for the FBA only on a separate web application, yes you can do it the way you’re planning. You’d do all the steps the same, just step 4 you’d only apply to the web application you want FBA on.

      • Thanks Chris, I’ll give it another try tomorrow. I was very careful with the tags but obviously I missed something. Great article, thanks for taking the time to write it.


        • Hello again Chris, day two. I’ve gone back through the exercise quickly this morning but paying very close attention to the details of the file edits. Through testing, I’ve narrowed the problem down to the machine.config file edits. Not sure what part of it is causing the problem as I have used your settings and named providers exactly including the security choices. Only thing different is my server name which I was sure to change in the connection string line. After completing the exercise through step 3 I did a quick iisreset /noforce and at that point again Server Manager won’t work and my SharePoint site previously created that is known to work fine is no longer available… it shows a blank white page with no error (the tab in IE is displaying as it should with the icon). I change back to the original machine.config file and of course the problem is fixed. The only thing I noticed from your examples that I changed was the ending tags. You left a space before the closing /> and I took that out as every other line in the file does not have that space. Any thoughts? I would be willing to send you the machine.config file if you think that will help.

  13. Colin says:

    Hi Chris

    Two questions:

    I’ve noticed that the web application web.config files do not contain the membership and roles changes that were made to the machine.config and SecurityTokenService web.config (as per SNAFU’s first response).
    1. Have I missed something?

    When I tried to add .NET users (created from Part 2) to the web application groups, their names are not to be found. The only way I can get those users to appear for selection, is if I go to Central Administration | Managed Web Application, select the web application, select User Policy and add their names here first (with zone Extranet).

    But then the permissions assigned to them in the Policy Web Application (eg Full Read) seem to override their web application group permission (Members).

    2. Is this the way to add users from the Membership Database to groups?

    • The web.config files don’t need the changes because they were made to the machine.config – so they inherit the changes. You could put them in the web.config INSTEAD of the machine.config (don’t put them in both or you will run into issues with conflicts) – but then you’d have to remember to put the entries in every new web application web.config you create, instead of in one place in the machine.config.

      The users from the membership database can definitely be added to groups. If they’re not showing up in the site collection people finder then likely there’s some configuration error. If you can see the people in the central admin people finder, and you’ve made the membership changes in the machine.config – so they should be the same for central admin and all web applications – then it’s not likely an issue in the config file. My guess is that the membership provider name for the zone (Manage Web applications -> Authentication Providers (Part 4)) doesn’t match the name in your config files.

  14. Randi says:

    I get this error A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.

    I have checked my config file and I have used the same settings as you have in this example, only changed the connection string name.

    The user I used in SQL has permissions because I’m able to add users from IIS, when I added the dummy site to add users from IIS.

    I have tried several times today and yesterday to figure out if I had something wrong in my config files. I even checked with some config files from other projects where I successfully have it to work for 2010.

    I have the same names of the providers added in config file and in sharepoint.

    any idea what i’m missing here?

    Would be really thankful for any help. I’m a little stuck here right now :/

    • Generally that error message either means there is an issue with the web.config or an issue with the database permissions. It sounds like you’ve checked over your web.config pretty carefully, so my guess is that it’s the db permissions.

      Just because you can add users from IIS doesn’t mean you’ll be able to add users from SharePoint. You’re accessing the db as 2 different users. From IIS, you access it as the user currently logged in (probably an administrator, so probably already has admin rights on the db server if it’s on the same machine). For use within SharePoint you have to make sure that the app pool user for the web application being used has permissions on the aspnetdb.

      • Randi says:

        I still have problems with getting this to work.
        I’m able to add users for SharePoint now.
        And I have assigned the user to a SharePoint site.
        But I cannot log on to SharePoint. In the login window I get the error that the username or password is wrong,
        And in the eventlog I get the errormessage:
        An exception occurred when trying to issue security token: The server was unable to process the request due to an internal error.

        any idea what I’m missing?

        • If the membership provider works within SharePoint, but you can’t login, the issue is with the SecurityTokenService. Either the web.config or db permissions.

          • Randi says:

            Thanks for your help. I was missing the connection string in the security token web.config file. Now I can log in too.

            have a nice week 🙂

  15. Randi says:

    Thanks for answers.
    The user is dbowner of the aspnet database. So it should have the right permissions for the database.

  16. Colin says:

    Hi Chris

    I think I found the reason/solution to the problem I’ve been having with assigning membership (database) users to the site collection groups.

    I have a default web application (used for intranet) which has been extended to an extranet (which uses FBA). I created a membership database user as FBAAdmin, which I have given full control to the extranet (via Central Administration | Managed Web Application, User Policy).

    When I log into the extranet with FBAAdmin, I can assign other membership database users to the site collection groups, BUT I cannot see any users from AD. Whereas if I log into the default web application (as site owner), I can only see users from AD but none from the membership database.

    Is this how the different zones work? The default (intranet) web application can only see AD users and the extranet web application can only see membership database users created from IIS?

    • That’s right, I believe you have to be logged in as a Windows user for the people picker to work for other Windows users. You have a couple of options if you also want to manage the extranet users from the intranet:

      Probably the easiest would be to modify the intranet zone to allow both windows and FBA users. Alternatively you can create a third zone that allows both that you would use to do any administration.

      Alternatively you can simply add the FBA Pack, which will allow users from any zone to administer FBA users using the FBA Pack Management Pages (The FBA membership config file changes have to be available on any zone you want to use this – but as long as you make the changes in the machine.config they would be available everywhere). So you could use the FBA Pack management pages to admin the FBA users from your windows only auth zone.

  17. Tim says:

    In my multi-server dev farm do all servers including the app servers need to have their web.configs altered?

  18. Gerhard says:

    Hi Chris,

    I followed all the steps provided. I am using an existing membership db from SharePoint 2010. I inserted all the settings in the machine.config and the SecurityToken config. I am able to see the users if I go into IIS to my SharePoint web application > .Net Users. However from the login page in SharePoint I am not able to connect using the correct credentials?

    • Check the web config for the web application. If you can see the users in IIS on the web application after performing step 4, it is wrong. Configuring the web application in SharePoint sets a default membership provider of type ‘SPClaimsAuthMembershipProvider’. This acts as a proxy provider to the membership provider you name when you setup the web application. It is not compatible with the IIS tools though – so if you can see the users, this is not set to the default.

      • Gerhard says:

        I removed the web application completely and started from scratch. I created new web application and site collection. So far this worked using my forms db. I could sign in with a form user into the site. I mounted my existing content database from SharePoint 2010 to the new web application and deleted the empty db created. Then the same error occurs – Access Denied. I am also not able to view users from IIS which is correct. Have you had any problems with FBA and existing content db from SP2010? Thanks in advance

        • Gerhard says:

          I found the problem. The membership names were different in the old SP2010 farm. That’s what caused the access denied error. Thank you for the help and great guide.

  19. Greg Nagy says:


    I really appreciate your detailed instructions for using FBA in SharePoint 2013. I was able to get FBA accounts to login correctly on a test site on my SharePoint 2013 server. When I try to apply the same settings to an existing SharePoint 2013 site, Windows authenticated users login fine, but when I try to login FBA accounts, I choose Forms Authentication, type in the username and password, I get a blue bar at the top with “Working on it…” for a few seconds, then I get “Sorry, you don’t have access to this page.” Any idea what you can point me to check that I am missing? I’ve gone through your instructions a second time and can’t find anything wrong.

    Thank you!

    • It could be that you are getting logged in, but the user you’re logging in as doesn’t have the permissions necessary to view the page they’re being redirected to. Try making the user a site owner or site collection admin and see if the errors go away.

      • Greg Nagy says:

        Making my FBA test account a Site Collection Admin allowed the account to login and access the page and site correctly. Since I can’t add all of my users to this field since I have hundreds of just standard members, where do you think I should look next?

        Thank you!

        • Does the account work if you remove them from being a site collection admin, and just add them to say the ‘visitors’, or ‘members’ groups? I think you just have some permissions problems there, and you’d have to make sure the users belong to a group with sufficient permissions to view or modify the site.

  20. Lurch says:

    Update to my previous post. I found the log files, and I see the following error cropping up when I try to log in using Forms Authentication:

    An exception occurred when trying to issue security token: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding (application/soap+msbin1). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly.

    The first 1024 bytes of the response were: ‘ IIS 8.0 Detailed Error – 500.19 – Internal Server Error …’

    • I can’t say I’ve seen that one before. My only guess might be that the SecurityTokenService config file was edited incorrectly. Maybe an opening or closing bracket was missed, or perhaps the changes were made at the wrong location in the file.

    • David says:

      Did you ever get this resolved? We are encountering the same issue.

  21. Johannes says:

    First I wish you a happy new year and thank you for that great tutorial.
    We use Windows Server 2012 and SharePoint 2013 with AD and FBA auth.
    We followed the complete tutorial but after that, we realized that we need the FBA-Pack. So we installed it.
    So far everything is working. Users can create their own account and we can manage them.
    But now we have got a problem with all auth.:
    We have got multiple web applications. The auth. should work for all web applications. But if we log into a website on the second web application, the user disconnects from the website of the first web application and gets an error.
    When we want to check the Session State config of the IIS website MembershipConfig we get an error that says something like: double list entry type “add” with FBADB […] cannot be added.

    Any idea what to do?

    • If you’ve got an error about extra ‘add’ entries for FBADB, then you’ve got an error in your web.config.

      The FBADB DB connection entry that is added to the machine.config is inherited everywhere, so what I believe has happened is that you’ve also added that same FBADB connection entry to another web.config file.

      My best guess is that the extra entry is in the SecurityTokenService config file. If it’s not there though, you’ll have to check the web.configs for each of your SharePoint web applications. Just find the extra entry and delete it and your problems should go away.

      • Johannes says:

        Thank you. We found an unnecessary entry in the webconfig file of the membershipconfig site.
        Do you have also an idea how we can realize an auth. across different webapplications without re-auth?

        • The problem with single sign on across multiple web applications is that the cookie for each web application is stored for the domain – so as soon as that domain changes, the cookie no longer exists and you can’t login. Couple of options:

          1. Use a single web application and set up multiple site collections under it.

          2. Have users check the ‘sign me in automatically’ box when they login – they will have to do it for each web application – but they should remain signed in the next time they open their browser. Note that there are settings for this you can set in SharePoint, which you may have to adjust to allow them to stay logged in longer than the default.

          3. Use a central login service instead of FBA, like OAuth or SAML. When the user hits the site, a central server will be contacted. Because the login server is always on the same domain, their authentication cookie will always be available so they’ll only have to login once.
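The two replies above in this thread point at the same kind of mistake from two angles: a SecurityTokenService web.config that is no longer well-formed XML (IIS then returns the 500.19 error page quoted in comment 20 instead of a token), and an FBADB connection string that was added a second time in a web.config although machine.config already supplies it. Both can be checked by script before IIS complains. The PowerShell below is an added example, not code from the post or the FBA Pack: it parses machine.config and a list of web.config files, warns about any file that fails to parse as XML, and warns when a web.config re-adds a connection string, membership provider or role provider that machine.config already declares without a `<remove>` or `<clear/>` first. The file paths are assumptions for a default 64-bit SharePoint 2013 install; add one line per SharePoint web application.

```powershell
# Added example (not part of the original post or the FBA Pack). Checks the
# .config files involved in FBA for two problems raised in the comments:
#   1. a file that is no longer well-formed XML (a missed bracket or tag; IIS
#      then answers with a 500.19 page instead of the token service response)
#   2. a connection string or provider name declared twice, typically the
#      FBADB entry inherited from machine.config and added again in a
#      web.config ("double list entry type add" error).
# All paths below are assumptions for a default 64-bit SharePoint 2013 install;
# adjust them for your farm and add one entry per SharePoint web application.

$machineConfig = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
$webConfigs = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken\web.config',
    'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
)

function Read-ConfigXml {
    # Returns the parsed document, or $null (with a warning) if the XML is broken.
    param([string]$Path)
    try {
        return [xml](Get-Content -Path $Path -Raw -ErrorAction Stop)
    }
    catch {
        Write-Warning "$Path is not well-formed XML: $($_.Exception.Message)"
        return $null
    }
}

function Get-NamedEntries {
    # One object per <add name="..."/> in the three sections FBA relies on.
    # Cleared/Removed record whether the section opts out of inheritance,
    # because <clear/> or <remove name="X"/> legitimately allows re-adding X.
    param([xml]$Xml, [string]$Source)
    $sections = @{
        connectionString   = '/configuration/connectionStrings'
        membershipProvider = '/configuration/system.web/membership/providers'
        roleProvider       = '/configuration/system.web/roleManager/providers'
    }
    foreach ($kind in $sections.Keys) {
        $section = $Xml.SelectSingleNode($sections[$kind])
        if (-not $section) { continue }
        $cleared = $null -ne $section.SelectSingleNode('clear')
        $removed = @($section.SelectNodes('remove') | ForEach-Object { $_.GetAttribute('name') })
        foreach ($add in $section.SelectNodes('add')) {
            [pscustomobject]@{
                Kind = $kind; Name = $add.GetAttribute('name'); Source = $Source
                Cleared = $cleared; Removed = $removed
            }
        }
    }
}

$machine   = Read-ConfigXml -Path $machineConfig
$inherited = if ($machine) { @(Get-NamedEntries -Xml $machine -Source $machineConfig) } else { @() }

foreach ($path in $webConfigs) {
    $xml = Read-ConfigXml -Path $path
    if (-not $xml) { continue }
    $local = @(Get-NamedEntries -Xml $xml -Source $path)

    # Same name added twice within this one file.
    $local | Group-Object Kind, Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning "$path declares $($_.Name) more than once"
    }

    # Name already supplied by machine.config and added again here without <remove>/<clear>.
    foreach ($entry in $local) {
        $clash = $inherited | Where-Object { $_.Kind -eq $entry.Kind -and $_.Name -eq $entry.Name }
        if ($clash -and -not $entry.Cleared -and ($entry.Removed -notcontains $entry.Name)) {
            Write-Warning "$path re-adds $($entry.Kind) '$($entry.Name)', which machine.config already defines"
        }
    }
}
"Checked $($webConfigs.Count) web.config file(s) against $machineConfig"
```

Run it in an elevated PowerShell on each web front end after editing the config files and before recycling the application pools; a warning names the file to fix, and a file that fails to parse is reported with the parser's line and position.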

  22. Rashid Bilgrami says:

    How do I disable this authentication? I need to disable it. If you have an idea, please confirm.

  23. Venkat says:

    Can this work with my own names for Membership Provider and Role Provider. Not using the names for provider/role as “FBAMembershipProvider” and “FBARoleProvider” ?

  24. Paul Yung says:

    Will these instructions work for a VM? I ran into so many problems. I have a stand-alone (not in a farm) SP 2013 VM running on Windows 2012 (Standard w/o R2).

    • Yes – these definitely run on a VM (In fact the instructions/screenshots were all done on a VM – SP 2013 on Windows 2008 R2). What kind of problems are you running into?

  25. Greg says:

    Hi Chris

    Thanks for your blog, it’s very helpful. I’ve managed to configure everything and am able to log in with .Net/SQL users. The only problem I have is around the .Net Roles. I cannot search for them to add them to the Home Visitors/Owners/Members groups. Even if I type them exactly (case sensitive etc.) as they appear in the .Net Roles IIS pane I get an error stating it cannot find an exact match.

    If I type in fba it lists (All Users) FBAMembershipProvider. Do I need to add anything to the for that app, or is this just not supported or not going to work as I envision, i.e. .NET Roles used as groups within the SharePoint site permissions?

    Many thanks


    • Greg says:

      Apologies, I found the error. I’ve had so many goes at this on a VM using snapshots that I had a missing Role setting in the machine.config. Sorting this out and adding the FBA Pack 2013 has allowed me to use the roles as I would have expected them to work.

      Thanks again for your efforts in compiling this step-by-step article, your contributions are much appreciated.

  26. manisekhar says:


    I have created FBA; in the people picker I get the users, but when I try to log in as FBA users it’s not taking.

    Please refer to the error below.

    Warning: this page is not encrypted for secure communication. User names, passwords, and any other information will be sent in clear text. For more information, contact your administrator.
    The server could not sign you in. Make sure your user name and password are correct, and then try again.

    • Logging in actually uses the membership configuration from the SecurityTokenServiceApplication. From within SharePoint, it uses the membership configuration from the machine.config/web.config.

      So check the settings in the SecurityTokenServiceApplication, as that is probably where your problem lies.

  27. David Compton says:

    After following these procedures I found that while FBA worked for my site collection I could no longer access the Central Administration website. The error I was getting was

    Central Administration shows error 26 – A network-related or instance-specific error occurred while establishing a connection to SQL Server

    After a few frustrating hours searching for a problem I found a solution which is:

    1. Open SharePoint Central Administration v4 web.config File
    2. Find the following node under the System.Web node and change Enabled to false:

    Hopefully this helps someone else.

  28. MRiediger says:

    Hi All,

    If you have multiple instances on your SQL Server, make sure to specify the alias in the connectionStrings entry! Otherwise your Membership Provider tries to access the first instance on your SQL Server by default. Author, please update this in your post ;).


  29. Abdul says:

    Hi Chris,

    We had a functioning SharePoint 2010 site using FBA and AD authentication. After installing the FBA Pack, we can now only access the SharePoint site with Windows Authentication. When we try to access with Forms Authentication, we receive the following message:
    Error: Access Denied
    Current User
    You are currently signed in as: abdul
    Sign in as a different user

    Abdul has full control permissions level on FBA and AD.
    I can access FBA Membership Request Management with no issues.
    I cannot access FBA Site Configuration and FBA Role Management, I get the Error: Access Denied as stated above.
    I can access FBA User Management, with limitations: I can delete a user, but I cannot edit or reset password.

    Any assistance you can provide is highly appreciated!

    Thank you,

  30. Abdul says:

    Hi Chris,

    I uninstalled the FBA Pack and reinstalled it and followed the steps you suggested:

    As soon as I activated the feature, I get redirected to the error page as stated above:
    Error: Access Denied
    Current User
    You are currently signed in as: abdul
    Sign in as a different user

    I would really like to implement the features that the FBA Pack has to offer on our SharePoint site.

    Please let me know if you have any ideas of what the issue is.

    Thank you,

    • A couple things:
      For accessing the FBA Pack management pages, you need to be a Site Collection Administrator, standard permissions won’t cut it.

      If you’re getting access denied for the rest of the site, then you don’t have the appropriate permissions to visit that page OR the page contains an asset that you don’t have permission to view. For example it may contain an image from a separate site, or an image that hasn’t been published – in which case you’ll get the access denied message.

      Also, make sure you have at least version 1.3.4 of the FBA Pack. Previous versions contained a bug where you needed permissions to the root site when accessing a child site.

  31. Abdul says:

    Hi Chris,

    Thank you for your reply!

    I got everything working, except for one feature, the password reset. I get the following error:
    Your current membershipprovider settings prevent a user’s password from being reset. To allow for resetting of a password by an administrator, you must have enablePasswordReset=”true” and requiresQuestionAndAnswer=”false” in your membership provider settings in your web.config.

    I have searched and searched and the only solution that came close was from here:

    The second to the last post by ccoulson (Coordinator Jan 27, 2014 at 8:31 AM) stated to find requiresQuestionAndAnswer and change from true to false. I searched through all the .config and did not find the requiresQuestionAndAnswer.

    Also, I am using SharePoint 2010, and the last version of the FBA Pack I could find was 1.3.3.

    Again Chris, Thank you!

    • requiresQuestionAndAnswer and enablePasswordReset won’t necessarily be specified in the membership config. If they are not, they will simply default to false (and enablePasswordReset needs to be set to true for the password reset functionality to work).

      I suggest you add the parameters to your membership provider so that there’s no confusion as to their values.

      You can see examples of all of the parameters in the blog post above.

  32. Andrew says:


    Have setup the FBA as per the instructions and listed in the config files that the password be stored in the DB as Hashed. But irrespective of the settings in the machine.config and the security token web.config the passwords still appear in clear text. Is this an issue or a config issue I might have missed?
    I have set this up on 3 server farms and all have the same output.
    Any pointers?


    • A few things to check:
      When the user was created, was the setting set to Hashed at that time? If the setting was changed to Hashed at a later time, it will not adjust existing passwords already stored in clear text.

      Also, make sure that all web/machine configs have the same setting – it’s the settings of the site that the registration is done on that will be used.
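The replies to comments 31 and 32 both come down to membership provider attributes that were never written out: enablePasswordReset and requiresQuestionAndAnswer for the admin password reset, and passwordFormat for how new passwords are stored. The fragment below is an added configuration example, not taken from the post or the FBA Pack, that states those settings explicitly so there is no doubt about their effective values. The provider name FBAMembershipProvider and connection string name FBADB are the ones used in this thread; applicationName="/" and the password policy values are assumptions to adjust for your site.

```xml
<!-- Added example, not the post's own configuration. Placed in machine.config
     under <system.web> it is inherited by the SecurityTokenService web.config
     and every SharePoint web application's web.config, which is what keeps
     the settings identical everywhere (the point made in the reply above).
     FBAMembershipProvider and FBADB are the names used on this page;
     applicationName and the password policy attributes are assumptions. -->
<system.web>
  <membership>
    <providers>
      <add name="FBAMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="FBADB"
           applicationName="/"
           passwordFormat="Hashed"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="true"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10"
           minRequiredPasswordLength="8"
           minRequiredNonalphanumericCharacters="1" />
    </providers>
  </membership>
</system.web>
```

Two practical notes on this fragment: with passwordFormat="Hashed", enablePasswordRetrieval must stay false, because SqlMembershipProvider refuses to initialise a provider that promises to return a password it cannot reconstruct; and, as the reply above says, changing passwordFormat affects only passwords written after the change, so accounts created while the format was Clear keep their clear-text password until it is reset or changed.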

  33. vishal goyal says:

    Hi Chris ,

    I have added (roleManager, membership and connection string) only in the application and ‘Security Token Service’ web.config, and still my FBA is working fine, so why do we need to add changes in the Central Admin web.config?


    • You only need to edit the Central Admin web.config if you cannot or do not want to edit the machine.config. If you edit the machine.config, Central Admin will inherit the settings from there.

      • vishal goyal says:

        But I did not change the machine.config, and still, without making any changes in Central Admin, FBA is working fine.

        • Central Admin will still work without the changes. You just won’t be able to search and find the FBA users from Central Admin. If you don’t need to do that, then you are fine.

  34. Gopi says:

    This is Gopi.

    While configuring FBA in SharePoint 2013 up to step 3 it is working fine, but after step 3, when I start the SharePoint Central Administration, it shows an error: SP 2013 Configuration Wizard has stopped working. Can you please suggest how to solve the problem.
    The error is…

    Problem signature:
    Problem Event Name: CLR20r3
    Problem Signature 01: psconfigui.exe
    Problem Signature 02: 15.0.4420.1017
    Problem Signature 03: 50672adb
    Problem Signature 04: System.Xml
    Problem Signature 05: 4.0.30319.34234
    Problem Signature 06: 53cf1d82
    Problem Signature 07: 9bf
    Problem Signature 08: 0
    OS Version: 6.1.7601.
    Locale ID: 1033
    Additional Information 1: c709
    Additional Information 2: c7096b5415dbedc2f6948ab1815c2ad1
    Additional Information 3: 571e
    Additional Information 4: 571e2e0330f1917f0b78f74c54356bda

    • If the errors appeared after changing the config files, then it’s likely you made a typo while making the changes. I suggest you revert to your backup config files to see if it works again.

  35. Trevor Fielder says:

    I set the “enable password reset” to false for both the machine.config and in the IIS Security token web.config. However when an FBA user logs in and clicks the drop down next to their name, they still see the option to change password, and it still works for them. Any ideas?

    • Password reset is not the same as the user changing their password. The user is always allowed to change their own password. Disabling ‘Enable Password Reset’ will prevent an administrator from resetting a user’s password. So generally it should be set to true.

  36. Santosh Reddy says:


    I configured the above. I successfully used FBA with LDAP within the intranet site with no issue and users are logging into the SP site.

    But with the web server configured with ARR pointing to the app server (SP2013 server) the user is unable to log in. After debugging the code of the custom login page I verified SPClaimUtiliy.AuthenticateFormUsers() successfully returns true, but internally SP 2013 keeps redirecting the user to the custom login page.

    Can anyone help to troubleshoot this issue?

    • Could it possibly be a permission issue? i.e. the user logs in, but the homepage contains a reference to an unpublished image. Because the user doesn’t have permissions to view the image, they are redirected to the login page.

      Using Chrome Developer Tools (F12) you can check this in the network tab by checking the “preserve log” checkbox. Then you can see if after login you are directed to a page and then immediately redirected back to the login page.

  37. itguru says:

    I have successfully configured FBA and everything is working. But when I try to access My Settings from FBA for a user, it doesn’t return any error or information.

    How can I get user info by clicking My Settings?

  38. Paul Gosney says:

    Silly question, regarding the Security Token web.config. I have one central admin server two web front ends. Where do I apply the security token web.config edits. Central Admin, Web front ends or all?

  39. Michael says:

    Hi Chris,

    I’ve a question concerning the password of an FBA user which is stored in the database. You wrote that the password can be hashed. Is the hash salted and which method is used (sha256, bcrypt, … )?

  40. Michael says:

    Thanks Chris

  41. Peige says:

    Hi Chris,

    Quick question: I followed your diagram. I’m able to log on as administrator but when I attempt to use the FBA drop down as an outside user it constantly tells me the following:

    The server could not sign you in. Make sure your user name and password are correct.

    Any leads as to why this is happening

    • When you login as an administrator, can you use the FBA Pack user management pages? (Assuming you installed the FBA Pack)

      If so then I’d check the SecurityTokenService web.config file – it’s the configuration from there that is used for logging in.

  42. Vishwanath Mishra says:

    I have successfully enabled FBA as described above. Now I have an issue regarding user permissions. I have assigned the “Everyone” AD user group in a few subsites; now the problem is that when I log in using a SQL Server user it gets covered by the “Everyone” AD user group. Please guide me in this regard; I want to exclude SQL users from the Everyone group.

  43. Shravan says:

    Hi Chris,

    We have set up the same approach (as described by you) and set PasswordFormat=’Clear’ and everything is working fine.

    Now we have the requirement to change to PasswordFormat=’Encrypted’. I have changed the settings in the machine.config file and the securitytokenservice web.config file. After making these changes, when I create a new user, the password is stored in encrypted format (which is as expected).

    But when I try to log in, the method SPClaimsUtility.AuthenticateFormsUser(referer, userName, password) is returning false even though I am giving the correct password. Hence I am not able to log in.

    Is there anything else I need to change in order for this approach to work?

    Your help will be appreciated!


    • If you’re using the format ‘encrypted’, you need to ensure the machinekey is set the same on all web servers – so that they all have the same key for encryption/decryption. It’s also possible to set it for individual sites in IIS (and in the web.config), so if it’s set specifically for a site/.config file it needs to be set in all sites/.config files that use that data. In the case of SharePoint, you’d need to ensure it was set for the SecureTokenService web application as well as each SharePoint web application.

      I would actually recommend you use the format ‘hashed’ – it’s actually more secure than ‘encrypted’, as it can’t be decrypted. It also doesn’t require setting the same machinekey everywhere.

      • Shravan says:

        Thanks for your quick reply Chris.

        The only reason we are using this method is that we need to decrypt the passwords and send them to an external vendor. I think if we use Hashed, neither the external vendor nor we can decrypt the password and use it in their system.


        • Right – you would not be able to – but sending the users’ passwords to a third party sounds super insecure – and probably not something your users would appreciate you doing (They probably don’t want you being able to see their passwords at all, since a lot of them probably use the same password for multiple sites). If you want a single sign-on solution I’d look at using SAML. Maybe look at Okta for an easy to implement solution.

          • Shravan says:

            Yes Chris, the client is OK with this approach. I changed the web.config of all the web applications, Central Administration, SecureTokenService and the machine.config. All of them have the same machineKeys. But it is still not working. Any more advice?

            Your help will be much appreciated!


        • Does it work for newly created users? Unfortunately if the machinekey is not the same as when the user was created, you won’t be able to recover already entered passwords.

        • Your machine.config was filtered out. Is there any specific error message? Does it just not accept the password when logging in and everything else works? Are there errors in the SharePoint logs?
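The thread above hinges on one condition that is easy to get wrong across a farm: with passwordFormat="Encrypted", the SecurityTokenService application and every SharePoint web application must share the same machineKey, and a key that was changed after users were created leaves their stored passwords undecryptable. The PowerShell below is an added example, not code from the post or the FBA Pack, that reads the explicit `<machineKey>` element from a list of config files and reports whether the keys agree, without printing the keys themselves. The paths are assumptions for a default SharePoint 2013 install; add one line per web application and run it on every web front end.

```powershell
# Added example (not part of the original post or the FBA Pack). Reads the
# <machineKey> element from each config file that takes part in an FBA login
# and reports whether the keys agree. With passwordFormat="Encrypted" every
# site that stores or verifies a password must encrypt and decrypt with the
# same key; a site with its own different key (or an ASP.NET auto-generated
# one) cannot decrypt what another site stored.
# Paths are assumptions for a default SharePoint 2013 install.

$configPaths = @(
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\WebServices\SecurityToken\web.config',
    'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
)

function Get-MachineKeySetting {
    # Returns the explicit machineKey of one file, or $null when the file has
    # none and therefore inherits whatever the level above it defines.
    param([string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    $node = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $node) { return $null }
    [pscustomobject]@{
        Path          = $Path
        ValidationKey = $node.GetAttribute('validationKey')
        DecryptionKey = $node.GetAttribute('decryptionKey')
        Decryption    = $node.GetAttribute('decryption')
    }
}

# Keep only the files that set a key explicitly.
$explicit = @($configPaths | ForEach-Object { Get-MachineKeySetting -Path $_ } | Where-Object { $_ })

if ($explicit.Count -eq 0) {
    Write-Warning 'No explicit machineKey anywhere: ASP.NET auto-generates one per application, so each site encrypts with a different key.'
}
else {
    # "AutoGenerate" (optionally ",IsolateApps") is not a shared key either.
    $explicit |
        Where-Object { $_.DecryptionKey -like 'AutoGenerate*' -or $_.ValidationKey -like 'AutoGenerate*' } |
        ForEach-Object { Write-Warning "$($_.Path) uses an auto-generated key; passwords encrypted there cannot be read elsewhere" }

    # Group by the full key material; one group means every explicit key matches.
    $groups = @($explicit | Group-Object DecryptionKey, ValidationKey, Decryption)
    if ($groups.Count -eq 1) {
        "All $($explicit.Count) explicit machineKey entries match."
    }
    else {
        Write-Warning "$($groups.Count) different machineKey settings found:"
        $i = 0
        foreach ($g in $groups) {
            $i++
            foreach ($k in $g.Group) { "  key set #$i : $($k.Path)" }
        }
    }
}
```

A web.config that has no `<machineKey>` of its own is not listed; it inherits the machine.config value, which is fine as long as the machine.config key is explicit and identical on every server. A mismatch reported here explains a false return from AuthenticateFormsUser with a correct password, and, as the reply above says, passwords created under a key that has since changed cannot be recovered by fixing the key afterwards.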

  44. Ruben Andrade says:

    Hi Chris, in advance thank you so much for your effort on this.

    I have checked every reply on the comments section and you suggest to check Secure Token Service config when we are able to manage (create/edit/delete) users, from FBA pack running on SharePoint.

    I have reviewed every config file for that service, and it simply does not log in the user on SharePoint.

    What could it be? Thanks.

  45. Samuel says:

    Recently we got error after clicking FBA Site configuration.

    Sorry, something went wrong
    The file ‘/_controltemplates/ToolBar.ascx’ does not exist.
    Technical Details

    Troubleshoot issues with Microsoft SharePoint Foundation.

    Correlation ID: 5f21689f-a01b-006f-f467-65e97ed7a751

    Date and Time: 7/21/2020 7:46:54 AM

    I tried reinstalling the FBA Pack as well as resetting web.config and machine.config, but it still doesn’t work. The impact is that we cannot manage the users, and the web part for new user creation is not working either. Only existing users can sign in.

    We are using SP2013, server OS is 2012. Any ideas?

  1. […] I’ll go through all of the steps required to setup FBA for SharePoint 2016, from start to finish.  I’ve broken down the steps into 4 sections, so if you already have an existing membership database setup from a previous version of SharePoint, feel free to skip forward to Part 2. […]