Configuring Forms Based Authentication in SharePoint 2013 – Part 4 – Configuring SharePoint

Configuring forms based authentication (FBA) in SharePoint 2013 is very similar to SharePoint 2010, but there are some differences due to SharePoint 2013 using .Net 4.0. The web.config entries entries are slightly different. As well, IIS doesn’t support editing .Net 4.0 membership provider configuration through the IIS interface, so all of the configuration has to be done directly in the .config files. I’ll go through all of the steps required to setup FBA for SharePoint 2013, from start to finish. I’ve broken down the steps into 4 sections:

Now that the membership and role provider have been configured, we can configure SharePoint to use them. For this example i’m going to create a new SharePoint web application. The same settings can be applied to an existing web application through the Authentication Providers dialog.

Open SharePoint Central Administration -> Application Management -> Manage Web Applications.
Click “New” to create a new Web Application.
Name the web application and adjust any other options to your preferences.
Check “Enable Forms Based Authentication (FBA)”. Enter the ASP.Net Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config. For this example we used “FBAMembershipProvider” and “FBARoleProvider” (Without the quotation marks).Also, for this example we left “Enable Windows Authentication” checked. This allows us to login either via Windows Authentication or Forms Based Authentication (SharePoint will prompt you when you login for which method you’d like to use).Click OK.
An Application Created dialog will appear. Click the “Create Site Collection” link to create the first site collection for this web application.
From the Create Site Collection dialog, give the site collection a name and URL and select a template.
For the Primary Site Collection administrator, i’ve left it as my Windows administrator account, so that I can login without FBA. For the Secondary Site Collection Administrator i’ve set it to ‘fbaadmin’ – the FBA account we setup in Part 2 (If you skipped Part 2 because you’re using the SharePoint 2013 FBA Pack, then you can just leave this blank for now and use your domain account to login to SharePoint and create your FBA users). You can set these to whatever is appropriate for your setup. Click OK.
You’ll get the “Top-Level Site Successfully Created” dialog. You can click on the URL to visit the new site collection you just created.
When authenticating to the site collection, if you enabled both Windows Authentication and Forms Based Authentication, you’ll be prompted for which method you’d like to use to authenticate. I’m going to choose to authenticate with Forms Authentication.
You’ll be prompted for a username and password. Enter the username and password that we created in Part 2, and also set as the Secondary Site Collection Administrator.
You’re now logged into the site as a site collection administrator.

That’s it! Now you can authenticate to the site with Forms Based Authentication. You can also create and edit users using the methods discussed in Part 2. Be sure to check out the SharePoint 2013 FBA Pack, which will allow you to manage your forms based users directly within SharePoint, as well as provide methods for users to register, change their password and recover their password.

Posted

January 2, 2013

Configuration, Forms Based Authentication, Sharepoint

Chris Coulson

Tags:

.Net, ASP.Net, aspnetdb, central admin, FBA, Forms Based Authentication, IIS, machine.config, Membership, membership provider, SharePoint 2013, SharePoint 2013 FBA Pack, sqlmembershipprovider, web.config

Comments

155 responses to “Configuring Forms Based Authentication in SharePoint 2013 – Part 4 – Configuring SharePoint”

Benito Deekman

January 9, 2013

Hi,

I found your blog really great and extremely helpful. But I have a small problem when I add new users via ISS my site collection can’t find them, but CA does show then. For example I can add the FBA users as a site collection administrator and works correctly but other users won’t show if I try to share the site or and then to a group. Can you point me in a direction?

regards,

Benito

Reply
1. Chris Coulson
  
  January 9, 2013
  
  Did you update the machine.config like in the example, or did you update each web.config individually? I’m guessing that there’s an issue with the .config entries for the web application you’re having issues with (either the machine.config entries didn’t inherit properly, or there’s a problem with the entries if you added them directly).
  
  Reply
  1. Benito Deekman
    
    January 9, 2013
    
    Used machine.config. How can I check if the inherits is working ?
    
    Reply
    1. Chris Coulson
      
      January 9, 2013
      
      Before it was really easy, because the providers tab in IIS would show you in 2.0. With 4.0 there’s no easy way to verify that I know of. I would just check the web.config for the web application and see what the ‘membership’ section looks like. I would expect to only see a default SharePoint membership provider. If there’s a membership provider with the same name as the one in the machine.config, or a ‘clear’ directive that could be your problem. Same goes for the ‘ConnectionStrings’ and ‘RoleManager’ sections – make sure there’s no ‘Clear’ directive or matching entries from your machine.config. If that all looks good, maybe try adding the entries directly to the web application web.config just to see if that gets it to work.
      
      Reply
JLSF

January 10, 2013

Hello

What happeds with PeoplePicker?

you use machine.config or web.config of each site?

how did you separate users from different sites? use applilcationname=’/’? use peoplePicker?

Thanks

Reply
1. Chris Coulson
  
  January 10, 2013
  
  I don’t change any settings for the PeoplePicker. With the default settings, when you are in any sites belonging to the configured web application, it will show all FBA users for the configured membership provider.
  
  To separate users for different sites:
  If you want COMPLETELY separate users, I do it at the Web Application level, and create an additional membership entry in the machine.config/STS web.config. I either use applicationname to separate it, or point it to a separate membership database.
  
  Alternatively you can follow the Active Directory model:
  All users are available on all sites/web applications. You simply define the permissions for which users can access the site.
  
  Reply
Joss_24

February 5, 2013

Hi Chris,

Great guide mate and thanks for the 2013 FBA Pack it’s just what I’ve been looking for. I have one question for you. Having enabled FBA and NTML on my default site, to allow people picker on that zone, I want to force all users to authenticate via ntlm. I tried using custom signin page /_windows/default.aspx via central management but it throws a runtime error. Is there any way around this without having to create a custom login page in visual studio?

Thanks

Reply
1. Chris Coulson
  
  February 5, 2013
  
  So for this zone you only want to connect via NTLM, but you want FBA enabled so that FBA users come up in the People Picker? If that’s the case i’d probably try just setting the default site to NTLM only and having a second zone setup with FBA. I sort of think that the FBA users would still show up in People Picker in that instance (as they do show up in the people picker in central admin, which doesn’t have it’s own configuration for FBA). The one thing you might have to do is make sure the membership provider is setup in the default site web config (or in the machine.config).
  
  If you really want to login with /_windows/default.aspx – I think you may be out of luck without a custom login page. The problem is that it takes a couple of parameters for which page to redirect to (You can see this with Fiddler using the default login page for an FBA + NTLM site).
  
  So this won’t work:
  /_windows/default.aspx
  
  But this will:
  /_windows/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F
  
  You can try putting the parameters in the custom signin page (if it even allows it), but I don’t think it will work as it will always redirect to the root, instead of the resource you’re trying to access.
  
  Reply
Joe Reynolds

February 21, 2013

Chris,
Thanks for the great guide. What I was curious of is what if we want to use a custom FBA provider? Do you know of any walkthroughs for 2013? I found some stuff for 2010 but not much yet on doing it for 2013. Any help would be appreciated. Thanks!

Joe..

Reply
1. Chris Coulson
  
  February 23, 2013
  
  Using a custom FBA provider will be the same for 2013 as it is for 2010. The only real difference is that the custom provider will have to be built with .Net 4.0.
  
  Reply
Leo

April 19, 2013

I use the user which create in the IIS to login spsite,but can not login, it show: “sorry, this site hasn’t been shared with you.” all the account I create havn’t the right to access the spsite. why?

Reply
1. Chris Coulson
  
  April 19, 2013
  
  You have to assign permissions to the user before they can login. Usually I assign a user as a site collection administrator (see the example above) so that that user can login. Then I login to the site with that user and assign permissions to the other users.
  
  Reply
  1. Leo
    
    April 19, 2013
    
    I can use the created user to login the spsite now,I forget to add the users as a member of spsite(visitor,owner,or others). by the way, why can not handle user’s password changing under the freamwork 4.0 in iis, it auto generate a password when click change password button.
    
    Reply
Vince P

April 23, 2013

Great series. Very helpful. Any idea how to get Visual Studio to be able to deploy reports to a Report Library.. When I try it now, I get asked for credentials, but none seem to work.

Reply
Bastiaan

May 3, 2013

I’ve followed your tutorial and setup my environment just like yours. When trying to reach the FBA login site, I can choose from FBA/Windows auth like I’m supposed to, however, when logging in I get this error:
‘File Not Found’.
Server 2012 Datacenter edition & Sharepoint 2013 Enterprise edition.

Any advice?

Reply
1. Chris Coulson
  
  May 3, 2013
  
  When do you get File Not Found? After selecting FBA or Windows Auth? If you select FBA do you at least get the FBA login page? If you select Windows Auth, does it log you in? If you get it right after making any selection, then maybe the web application creation didn’t complete properly – try creating a new web application. Maybe try creating it just for Windows Authentication first, making sure that works, and then adding on the forms based authentication.
  
  Reply
Bastiaan

May 6, 2013

I get the error when going to the site and trying to log in. I get the FBA/windows auth login page, I can fill in one of the users stored in the dummy site and when trying to log in i get the error. Windows auth doesn’t work either.
I’ve tried making a new site/new site collection, but unfortunately that didn’t work either.

Reply
1. Chris Coulson
  
  May 6, 2013
  
  Did you try creating a new web application, and add a new site collection to it? Make it just use windows authentication. If even that doesn’t work, and you still get the File Not Found error, then i’d say there’s something wrong with your current installation of SharePoint.
  
  You can try running the Product Configuration Wizard again, and see if that corrects your issues. If not though, try a clean installation – maybe even in a new environment such as a virtual machine.
  
  Reply
  1. Bastiaan
    
    May 13, 2013
    
    A new web application with new site collection(s) works fine. I tried rebuilding the FBA environment again, but still no luck unfortunately..
    
    Reply
    1. Chris Coulson
      
      May 13, 2013
      
      So does just windows authentication work on the new web application and site collection? Have you tried setting up FBA on it?
      
      Reply
      1. Bastiaan
        
        May 22, 2013
        
        I’ve made a new site collection that works with Windows Authentication on the FBA web app, also gives me 403, access denied. Starting to wonder if I’m ever going to get this to work. Also made a TechNet thread, noone there that can help me either.
Bastiaan

May 22, 2013

Think I’ve found something that might be looking into. Just started to remake the whole environment, right now I’m editting the MembershipConfig site.
I switched it to v2.0, made the connection string, though after going to ‘Providers > .Net Users’, I can’t chose a type.

Screenshot: http://postimg.org/image/58obtidfx/

Is there any way I can get in contact with you via e-mail?

Reply
Chris Coulson

May 22, 2013

That doesn’t look good. I’d say there’s something up with the system.

Email:
http://www.google.com/recaptcha/mailhide/d?k=01JIfs3Gat7m27iXXSZq1jJw==&c=JfAsP4XEHe6kGtZf9G0ajAJFdN25kGQigQ9IUgO2HYs=

Reply
Dan Gleason

June 13, 2013

First off, thank-you for providing your time and effort of the blog and in providing the FBA tool. I have been trying to implement this myself over past couple days, and although close, I am just not getting there.
I followed parts 1 to 4 and installed the tool, and on my main site I get an error that “A membership provider has not been configured correctly. Check the web.config settings for this web application.”

Well, I did and I tried copying the machine.config settings to web.config and got same error.
I create a new site collection and set it as fba and I do not even have the fba choices under site settings so it looks like it is not being inherited.
I was hoping to show this at 3 PM (PST) meeting and I am running out of time. Any suggestions?

Reply
Chris Coulson

June 13, 2013

There’s lots of reason’s why you could be getting an error with the membership provider. My first guess would be permissions – make sure that the application pool identity that SharePoint runs under has permissions to the aspnetdb database.

As for the fba settings not showing up under site settings, you need to be logged in as a site collection administrator to see them (and the feature has to be enabled under Site Collection features, if it isn’t already).

Reply
1. Dan Gleason
  
  June 13, 2013
  
  Good call Chris. In fact I had multiple identities used for Central admin, STS, and main Site collection and I only gave permissions to aspnetdb to one of them. I went into SQL and gave permissions to all three and now on my test site I see the FBA Pack options under site settings.
  But I now have new error. But thanks for getting the first one nailed.
  
  Reply
Tony

July 29, 2013

Thanks for the Article..

We have configured FBA in our SharePoint Server with your article help.
I have a doubt,Currently we are adding FB users using IIS, Is there any way to add .Net Users in to our Membershipconfig site using a web application or a web page.

Reply
1. Chris Coulson
  
  July 29, 2013
  
  Sure – use the SharePoint 2013 FBA Pack:
  https://sharepoint2013fba.codeplex.com/
  
  Reply
  1. Tony
    
    July 29, 2013
    
    Thanks Chris You saved my ass..
    I was searching for this solution 2 days, But today only I reached the correct place. any way big thanks 🙂
    
    Reply
  2. Tony
    
    July 29, 2013
    
    I have one more doubt. Its not related with FormBA
    
    Its related with workflow task form.
    
    We need to edit the page approval task form which is coming from my page approval workflow. We have opened our project in SharePoint Designer so we can see the two .xsn files which is inheriting in our workflow and using Infopath 2013 we will be able to edit that file,but before publishing it we need to save it into some location and on publish button click we are getting this error. “An Unknown error has occured. The form template has been published to server,but it can only be opened in Infopath Filler” We are stuck on this error Any Help will be appreciated thanks in advance !!
    
    Reply
Clayton

August 7, 2013

Hey Chris,

I followed this through to the end, but when I try to add “FBAAdmin” as a secondary admin and do a user search to find this user (or any user I’ve created using this process), they show up twice. Once, in this example, as FBAAdmin, and the other as fbaadmin. In the database, there’s only one record for this user, though.

Also, when searching for a user to make the secondary site collection admin, typing “fbaadmin”, it groups the users found into categories (all users, active directory, forms auth, and organizations). Aside from finding 2 fbaadmins, it lists them under the “Organizations” category instead of “Forms Auth”, where I expected they would be. Is that what’s supposed to happen?

Any thoughts on either would be greatly appreciated.

Thanks!

Reply
1. Chris Coulson
  
  August 7, 2013
  
  Nope – that’s not supposed to happen. I’m guessing that you have multiple membership provider entries pointing to the same membership database. Check your machine.config and your central admin web.config for all membership provider entries (since the central admin web.config will inherit from the machine.config). Make sure there’s no entries that point to the same database (and even though they point to different db connection names – those different db connection entries could point to the same db).
  
  Reply
  1. Clayton
    
    August 8, 2013
    
    Hey Chris,
    
    My config files all look okay, if I understand you correctly. Side note – I tried to do the machine.config solution and couldn’t get that working, so I switched to editing all 3 config files separately, which is probably how we’ll have to do this in production due to the environment we’re working with.
    
    Here are the membership provider sections of each one:
    
    Machine.config:
    
    Central Admin web.config:
    
    My SharePoint site’s web.config:
    
    Am I missing something? I also did a reboot, in case there was some odd thing cached, but it’s still listing each user twice (proper-cased and lowercased), and they’re still showing up under “Organizations” instead of “Forms Auth”.
    
    Many thanks for your help!
    
    Reply
    1. Clayton
      
      August 8, 2013
      
      Sadly, I can’t post the parts of my config files. This site strips them out.
      
      So, to summarize, my machine.config only has one entry, which points to my local SQL server, which isn’t my FBA one.
      
      My Central Admin one only has one, which is the name=”FBAMembershipProvider” one you detail.
      
      My SharePoint site has 2 entries, but they point to different places. This has a default provider called “i”, which I didn’t put there but came as part of the generated file. The type is “Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c”.
      
      Then the one I added as part of your example, with the name of “FBAMembershipProvider”, which points to FBADB.
      
      Reply
      1. Clayton
        
        August 8, 2013
        
        And my Security Token Service web.config also has only one entry and points to the name=”FBAMembershipProvider” as well.
        
        Do I have that in too many places?
        
        (Sorry for so many replies today)
      2. Chris Coulson
        
        August 8, 2013
        
        From what you’ve explained, everything is setup properly. The “i” provider is put there (and is required) by SharePoint – this is normal.
        
        My only other thought is that maybe your PeoplePickerWildcards section has been changed from the default configuration. I don’t have my SharePoint 2013 environment available at this moment to check the default value, but in 2010 it is this (plus some tags I removed to be able to post it) (and I expect 2013 to be the same):
        
        PeoplePickerWildcards>
        clear />
        add key=”AspNetSqlMembershipProvider” value=”%” />
        PeoplePickerWildcards>
        
        If you log into a site collection (instead of central admin) and search for fba users there, do you get duplicates there as well?
  2. Clayton
    
    August 12, 2013
    
    My PeoplePickerWildcards look fine, I think. Central Admin and my FBA test site have that section in the web.config. First a “clear” line, then the one you mention in both.
    
    Logging into a site and searching for FBA users, I only see them listed once.
    
    Reply
    1. Chris Coulson
      
      August 12, 2013
      
      If the search works fine within the site, but has dups in Central Admin – then somewhere in the central admin web.config you have an extra membership provider pointing to that same membership database. The extra entry might not even be in the central admin web config, but in a web.config it inherits from.
      
      I’d check the differences between the membership providers in the central admin web config and the site web.config. The only difference should be the ‘i’ provider in the site web config.
      
      Reply
virendhar

August 8, 2013

Hi.,
I want Create Custom User Registration Page & Login Page in Sharepoint 2013 Using Form Based Authentication.
The User Deatil Will Be Stored on Sql Server DB.
How to Do?

Reply
1. Chris Coulson
  
  August 8, 2013
  
  I usually use the built in SharePoint login page as a base and modify it.
  
  As for the registration page, I use the FBA Pack registration web part as a base and add the extra controls that I need to it.
  
  I usually store the registration values in the SharePoint user’s profile, but it you want to store them in the membership database you can use the profile provider.
  
  Reply
Jian

September 9, 2013

Hi Chris,
Thanks for the very clean and clear explanation of steps! I have followed your steps, skipped step 2 and used your FBA package downloaded from codeplex, and everything works just fine. However, when logging out, regardless of whether the loging was with NTLM or FBA, I get an error page instead of going to the login page again. The error page is generic “Sorry something went wrong … .” I was wondering if you might know why and direct me toward a solution?
Many thanks!

Reply
Jian

September 9, 2013

I should update my post: if I loging using only the FBA, it always properly signs out and redirects to the sing in page. But if I login using the Windows NTLM, upon signing out it gives the errors page. After this, even if I loging using the FBA, upon signing out I get the same error message and it no more redirects to the longin page. I thought this might help.

Reply
1. Chris Coulson
  
  September 9, 2013
  
  I get that too occasionally. You’re right, it only seems to happen after logging in with windows authentication and then logging out. It doesn’t happen every time for me though – it seems to be random.
  
  If I remember correctly, it is pretty easy to get rid of the error and login again – either by navigating directly to the root instead of the page signing out directs you to, or maybe by starting a new browser session (can’t remember).
  
  I think it’s a SharePoint bug, as it has happened to me on a clean SharePoint server – the only changes being having FBA setup and allowing FBA + windows login on the same zone.
  
  Reply
Paul Hebhardt

September 26, 2013

I have configured everything (I think) as you have done in the 4 posts. Things are working pretty well. I can request a registration and then log on using that user using Forms Based Authentication. I have created a Role for the users, and I would like to add this Role to a Group. When I go to Site Settings->People and Groups and select “Add User to Group”, I am unable to see the Role that I created in the People Picker. I am, however, able to find the fba user. I would think that I would also be able to see the Role. Have I done something wrong?

Reply
1. Chris Coulson
  
  September 29, 2013
  
  It should work just as you describe. One thing I find for SharePoint 2013 though is that you have to type in the full name of the group exactly, or it won’t come up in the people picker.
  
  As long as you can create a role on the ‘FBA Role Management’ page, I would think that everything is setup correctly.
  
  Reply
Kaleem

October 1, 2013

Fellow;
I am a newbie to SharePoint. I followed all of the instructions provided with the SharePoint 2013 FBA Pack. Everything is working fine except when I go to the site and choose Form-Based Authentication; I get the default login page. My understanding is that the SharePoint 2013 FBA Pack included a webpart for the login, access request, password reset and more. Also when I go to the site collection where I had deployed this package, I only see default webparts there. What am I missing?
Any help in this matter is appreciated.

Reply
1. Chris Coulson
  
  October 1, 2013
  
  There is actually no login web part, as SharePoint does provide an FBA Login page. There are web parts for Change Password, Password Recovery and Membership Request (Register). There are also management pages for fba users. You should see the FBA management pages in the site collection’s Site Settings page, as long as you are logged in as a site collection administrator. You should also see the FBA web parts when adding a web part to the page. If you’re not seeing any of this, make the Forms Based Authentication Management feature is activated in the Site Collection Features (Site Settings).
  
  Reply
Kaleem

October 1, 2013

Ok, I found my answer. There is no custom login webpart provided in the pack.
So first of all thank you for providing this pack. It makes is so much easier to deploy FBA.
Does anyone have a custom login page webpart that is easy to customize. I really don’t want to customize the default login page.
Thank you.

Reply
Kaleem

October 1, 2013

I didn’t see your response Chris before I posted my follow up. Thank you for a quick reply.

Reply
Sorin

October 11, 2013

Great article, Chris! This is what I was looking for.
Works great. Thanks.
Sorin

Reply
rkennedy

October 30, 2013

Many thanks for this excellent write up and the work you’ve done on the FBA pack, truly appreciated!

I have a quick question:

My current project uses what should be a common SP configuration: a publishing site with anonymous and FBA enabled on one zone and only NTLM on the other. I’ve created (as I’ve done on previous versions of SharePoint) the web application enabling anonymous and FBA on the Default zone, then extended it with an Intranet zone which uses only NTLM.

This way round has always worked well for me before but with SP2013 I’m seeing some problems (such as on occasion the claims default provider entries reappear in the anon web.config!).

My noddy question is: is there a recommended way round to set this up? Is it 1) create a web app, configure the default zone for anonymous & FBA and extend the web app to an Intranet zone which uses NTLM or 2) create a web app and configure the default zone for NTLM and extend web app to an Internet zone for anonymous and FBA. I’m struggling to find any guidance.

Thanks in advance…

Reply
1. Chris Coulson
  
  October 30, 2013
  
  I would do 2 – configure the default zone for NTLM and extend an internet zone for anonymous and FBA. The reason for this is that search will crawl the default zone, and needs windows authentication on it to authenticate. No windows authentication on the default zone = no search.
  
  Reply
johns

November 7, 2013

Is it possible for FBA users to edit their own email address if needed?

Reply
1. Chris Coulson
  
  November 7, 2013
  
  The email address for an FBA user is no different than that of a standard user, so they can use any built in SharePoint methods for editing their email address (My Settings for SharePoint 2013 foundation, My Site for Standard/Enterprise).
  
  Reply
Lurch

December 26, 2013

Two things:

1. I had to set my application pool to .NET 4.0 before I saw the .Net Roles, .NET Users and providers to appear. When I had my application pool set to .NET 2.0 I did not have this option. This is confusing and contradictory to what you said. I am using Windows Server 2012 with SQL server 2012 running Share point 2013. Has something changed in these versions to reverse what you were describing?

2. I have followed your instructions to the letter. However, when I try to log in with any account I create, using the IIS method (I can’t get the FBA plug in to work), I get the error: “The server could not sign you in. Make sure your user name and password are correct, and then try again.”. I have tried various accounts with and without passwords, tweaked the permission settings and tried various database settings, but I can’t get my log in to work.

Can you please send detains on how I can find out what is failing? Is there a Share point log I can access?

Reply
1. Lurch
  
  December 27, 2013
  
  An update to my last post. I have tried a number of things to fix the issue, but keep getting the following errors, cropping up in my ULS logs.
  
  SharePoint Foundation
  Claims Authentication
  fo1t
  Monitorable
  STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
  
  SharePoint Foundation
  Claims Authentication
  fsq7
  High
  SPSecurityContext: Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated. at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst) at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties)
  
  SharePoint Foundation
  Claims Authentication
  8306
  Critical
  An exception occurred when trying to issue security token: The security token username and password could not be validated..
  
  How on earth do I fix this??!!
  
  Reply
2. Chris Coulson
  
  January 3, 2014
  
  Yes, unfortunately Windows Server 2012 reversed things, and now .Net Users and Roles in IIS only works with .Net 4.0. I’ve added a note to the blog post.
  
  As for the errors you’re experiencing, there’s definitely an error somewhere in your configuration. A couple of things to check:
  
  Permissions from the app pool to the database.
  
  Ensuring that the web.config for the SecurityTokenService has been modified according to the instructions.
  
  Reply
Veronica Mejia

January 27, 2014

Hola! Muchas gracias por la ayuda con la creación de este manual!!, mi pegunta es: Ya me quedo el sitio pero en mi usuario al subir algún archivo y en mi inicio de sesión aparece 0#.f|policiaturisticamembership|VeronicaMejia, mi pregunta es como puedo editarlo de moso que solo aparezca mi nombre??
Muchas Gracias

Reply
Veronica Mejia

January 27, 2014

Hello! ! Thank you very much for the help with the creation of this manual

My site works fine but my user appears well
“. 0 # f | policiaturisticamembership | VeronicaMejia”

as I can edit so that only my name appears? and You can change the email that is sent to users?

Many Thanks and regards

Many Thanks and regards

Reply
1. Chris Coulson
  
  January 27, 2014
  
  You can edit the name and change the email that is sent to users if you use the FBA Pack:
  
  https://sharepoint2013fba.codeplex.com/
  
  If you log into the site as a site collection administrator, there will be extra menu options in the Site Settings page that will let you do this.
  
  Reply
  1. Veronica Mejia
    
    January 27, 2014
    
    Thank you very much
    
    Reply
Veronica Mejia

January 29, 2014

Create the site now forms in sharepoint 2010, I want to install the package you suggested 2010, but it applies in your web application if you put the url of where I want to apply, I can do?

thank you very much

Reply
1. Chris Coulson
  
  January 29, 2014
  
  The FBA Pack will always be deployed to all web applications, but will not be activated automatically.
  
  If you add a url as a parameter on the command line, it will activate the FBA pack on that site collection.
  
  You can go to Site Collection Features to activate the FBA Pack on other site collections.
  
  Reply
Veronica Mejia

January 29, 2014

I could already apply but do not let me change the sharepoint web parts tells me they are not safe, that is done in this case?

Reply
1. Chris Coulson
  
  January 29, 2014
  
  Do you mean you get a not safe error when trying to deploy in PowerShell? If so, check out the instructions here:
  
  https://sharepoint2010fba.codeplex.com/documentation
  
  You can run the following in PowerShell to allow the unsigned deploy script to be run:
  
  Set-ExecutionPolicy Unrestricted
  
  Reply
Veronica Mejia

January 29, 2014

Files were installed but did not appear in the section “users and permissions” configurations for FBA.
I appear to change web parts PASSWORD and two but I will not let others that have installed certificate.

Reply
1. Chris Coulson
  
  January 29, 2014
  
  If the menu items do not appear in the Users and Permissions section, then the feature needs to be activated. Activate the Forms Based Authentication Management feature on the Site Collection Features page.
  
  I also wouldn’t be surprised if this is what’s causing your web part problems.
  
  Reply
Nima

February 7, 2014

Hi dear Chris

Thanks for your very good posts on sharepoint 2013.

I recently install SP 2013 and when I want to see every site (that has been create using it) I get this prompt to enter Username and Password for Windows Authentication(like this):

http://i.stack.imgur.com/rqsp6.png

Is there any way to show login page instead of this prompt without need to configure FBA?

thanks

Reply
1. Chris Coulson
  
  February 7, 2014
  
  Unfortunately if you want an actual login page with a username and password, you’ll have to configure FBA.
  
  Most SharePoint installations don’t have to worry about the Windows Authentication prompt, since it’s usually hosted on the company LAN, and the user is automatically logged in with their windows credentials.
  
  If you want to access the page externally (or you’re not logged in to the same windows network that SharePoint is hosted on), you can either enter your windows credentials when prompted (most browsers will cache the credentials so you only have to do it once per visit to the site), or setup FBA so the user gets a login page.
  
  If the SharePoint users are from outside your windows network (anonymous internet users etc….) they you’ll probably want to setup FBA with the SQL Membership provider as described in these blog posts – which will keep their usernames out of your Active Directory.
  
  If the SharePoint users have local windows network accounts, then you’d set up FBA using an Active Directory/LDAP membership provider (not described here, but very similar process) – so the users can use their windows usernames and passwords to login.
  
  Reply
  1. Nima
    
    February 7, 2014
    
    Thanks dear Chris.That’s very useful
    
    Reply
Veronica Mejia

March 7, 2014

Hello, good day

My question is

How I can remove the words “warning this page is not encrypted …..”? that appears when the user authenticates

Thank you very much or your help

Reply
1. Chris Coulson
  
  March 7, 2014
  
  The best way is to run the site (or at least the login page) under SSL. Otherwise the password you enter is sent in clear text over the network. If the login page is running on ssl, the message will disappear.
  
  Reply
kc

March 15, 2014

I tried the machine.config approach. I’m not sure what’s going on but if I do a search for “fba” nothing shows up unless I specifically put “fbaadmin” even then I get two entries in the Organizations group when I believe it should in the Forms Auth group. This is what I see: http://i.imgur.com/qeKuw3X.png

I made the entry (pretty sure it’s correct) in machine.config and I made the entry required in web.config for the SecurityTokenServiceApplication.

I’m not sure what I did wrong.

Reply
1. Chris Coulson
  
  March 17, 2014
  
  I think something is wrong – but i’m not sure what. I don’t even have an ‘Organizations’ section in my people picker. When I search for a user, they do show up under ‘Forms Auth’.
  
  As for searching by partial names though – unfortunately the people picker will only find users by full words/email addresses. However, the select users box will recognize partial usernames – so i’ll usually just type the names directly in there and not use the people picker.
  http://imgur.com/d3i8iBf
  
  You may want to try installing the FBA Pack to further check your setup. The user management page for the FBA Pack generally won’t work if the FBA configuration is incorrect.
  
  Reply
  1. kc
    
    March 18, 2014
    
    Hi Chris,
    
    Thanks for the response. I did manage to install the FBA Pack 2013 and it seems to work fine. All the names show up in the user manager settings. However, it’s when I try to set permissions that the names don’t show up unless fully typed out. I just noticed though that if I type in an FBA user’s full name and select them. The instant search results will remember them the next time I start typing their name. Is this normal behavior, does the account need to be cached for the search to pick up them?
    
    Reply
    1. Chris Coulson
      
      March 18, 2014
      
      In the dialog that you posted, yes the usernames have to be fully typed out. But in the dialog that I posted, it recognizes them for me if it’s only partially typed out. And I don’t have to have typed the name in before for it to work.
      
      If everything shows up though in the user manager settings, your FBA settings should be fine.
      
      Reply
Aaron

March 19, 2014

Hey Chris,
This is an amazingly good article. Do you know of any more articles that are written as well that do the exact same thing but with AD LDS?
Thanks.

Reply
1. Chris Coulson
  
  March 19, 2014
  
  I work with the SQL membership provider almost exclusively, and I don’t do much with AD – so unfortunately no I don’t.
  
  Reply
Sergio

March 26, 2014

I have followed your guide, steps 1, 3 and 4 (as ive also used the FBA2013 pack so I skipped step 2), when I try and connect I get the login page asking if I want to use windows or forms based authentication, if I choose windows, then I get a Runtime Error and the page wont load.

As i followed each of your steps (I updated the machine.config and the and web services web.config files) and didn’t change any of the settings, any idea what ive not done?

Reply
1. Chris Coulson
  
  March 26, 2014
  
  My guess is that you’ve made a typo in a web.config/machine.config. Double check your entries. Also make sure they were put in the right location. A missing or misplaced bracket can make the whole file useless.
  
  Reply
Martin

May 2, 2014

Great series. Very helpful. Any idea how to get Visual Studio to be able to deploy reports to a Report Library? When I try it now, I get asked for credentials, but none seem to work

Reply
1. Chris Coulson
  
  May 2, 2014
  
  Are you talking in relation to SharePoint? Or with Sql Server Business Intelligence Development Studio directly to reporting services?
  
  Reply
Jim Harrison

October 24, 2014

Chris: Thank you for this post, it is very thorough and extremely helpful. I have a strange issue I’m hoping you can help me with.

We have a Development environment that was set up by someone else. Apparently, they configured FBA in the site, but then ended up never using it. They did not bother configuring FBA in the production environment since it was not being used. However, now whenever I apply patches and run the Products Config Wizard it gives me errors because the Prod environment is missing the Feature ID for FBAM.

I don’t actually need to use FBA, but I’d like to get rid of this error that is blocking upgrades from completing properly. Should I just install the FBA Pack and not activate it? Or is there some other way to install the Feature so that this upgrade error goes away? Thanks.

Reply
1. Chris Coulson
  
  October 24, 2014
  
  You should be able to uninstall the feature which should get rid of the error. See if the feature is visible in ‘Site Settings’ -> ‘Site Collection Features’. If it is, you should be able to deactivate it there. You can also try in Central Admin to see if the FBA Pack is listed under Central Admin -> Manage Farm Solutions and uninstall it from there.
  
  If no luck with the above, you can try the ‘Disable-SPFeature’ powershell command:
  http://technet.microsoft.com/en-us/library/ff607879(v=office.15).aspx
  
  And finally, if no luck with that, I’d say just deploy the FBA Pack, deactivate the feature from site settings and then remove the FBA Pack.
  
  Reply
Eric Mao

October 30, 2014

Hi Chris,
This is great article and app to make my project possible. I have over thousand users which I want to transfer them from a sqlserver database to sharepoint2013. I followed your steps and everything works fine except the password restriction, users in database are using different format password which do not match the password limitation for the FAB pack, so is there any way I may change the password restriction in the FAB pack instead of asking thousand users to change their passwords. Thank you very much.

Reply
1. Chris Coulson
  
  October 30, 2014
  
  Hi Eric,
  
  Yes – check the web.config settings in Part 3. There are options for minimum password length, minimum non-alphanumeric characters, as well the option to use a regular expression to validate the password.
  
  Reply
  1. Eric Mao
    
    October 30, 2014
    
    Thank you for replay. in , I have modified machine.config file and changed the password min-number from “7” to “3”, and even deleted the “NonalphanumericCharacters” line but still got “Invalid Password” error when I tried to use a simple password.
    
    I have copied the section to STS web.config and restarted IIS and FAB in SharePoint feature, still got no luck, it looks the changes have never been affected. So would be somewhere else need to do ? Thank a lot.
    
    Reply
    1. Chris Coulson
      
      October 30, 2014
      
      I think the issue is that you deleted the non-alphanumeric characters parameter. By deleting it, it will revert to it’s default, which I believe is 1. You need to explicitly set it to 0.
      
      Reply
Max

November 12, 2014

Hi,

Great article! I have one FBA running on a webapp and it is working great, but when I create a new database and go through step 1 to 4 for a new webapp I get a RunTime Error and I can’t login at the ‘first’ webapp with the FBA users.

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the “defaultRedirect” attribute of the application’s configuration tag to point to a custom error page URL.

I have changed the names of the FBADB, FBAMembershipProvider and FBARoleProvider with a ‘2’ at the end and added the new lines in the machine and web file. Also gave the permissions in the SQL Management.

Thanks in advance.

Max

Reply
1. Chris Coulson
  
  November 12, 2014
  
  If you get a runtime error with the first web app that used to work, there’s a good chance that when you modified the machine.config file, you made some sort of typo (forgot to close a tag, etc..).
  
  Reply
Armand Cloutier

January 2, 2015

Good morning Chris, Great article and great information. Do you know how to edit the text in the forms based authentication login page. We would really like it to be somewhat branded. Any advice or help would be great.

Thanks

Reply
1. Chris Coulson
  
  January 5, 2015
  
  What I do is just take a copy of the built in SharePoint aspx page and modify that copy (I’ll take a copy and modify the master page that it references as well). Then in the Web Application settings in central admin, you can set the location of the login page. Just set it to the location of your updated copy.
  
  I’ll also usually create a WSP using Visual Studio containing the updated login and master pages, so that they will be deployed to new web front ends and easily deployed to other farms (so you don’t have to always remember to copy the files).
  
  Reply
Hamza

April 7, 2015

Hi,
I have followed all the steps you performed for enabling FBA throw sharepoint and everything seems right, but for some reasons after creating the site collection the server doesn’t find it.

Hope you can help me.

Reply
1. Chris Coulson
  
  April 8, 2015
  
  Can’t find the site collection? Can you access other site collections on the same web application? Other web applications?
  
  If you can’t access the web application at all, check your alternate access mappings and make sure that it matches up with the url you’re using to access the web application (and that dns points it to your server).
  
  Reply
  1. Hamza
    
    April 8, 2015
    
    I get this error only for web application that uses farm based authentication.
    The others Web application works just fine.
    
    Reply
    1. Chris Coulson
      
      April 8, 2015
      
      What’s the error? There may be more information about the error in the event viewer, or possibly the SharePoint log file.
      
      Reply
Ray

April 14, 2015

Hi, Chris

Thank you very much for the information. It helped me a lot. However, I have a question. Once setup FBA for sharepoint2013, how can I add lots of users to the sharepoint site? We use FBA to allow external users to access the sharepoint site. It works fine. However, now we need to migrate a lot of users (i.e. using their email address as loginname) from a legacy site to sharepoint site. and we can not ask users to register by themselves or add them from User Management page (because of too many of them).

Is there any other way to do this?

Thanks

Ray

Reply
1. Chris Coulson
  
  April 14, 2015
  
  You could write a Powershell script to do this. Alternatively we include a tool with the FBA Pack Premium Support Plan to add and update users from an Excel Spreadsheet / Tab Separated Value file. See http://www.visigo.com/#support.
  
  Reply
Dan

May 8, 2015

I am new to sharepoint and am trying to setup a FBA so that I can access a sharepoint site from a smart TV web browser. I follow the steps but when I go to System Settings/Manage Farm Solutions in the Central admin, I don’t have the FBA.wsp available. Also, when I go the site settings/site collection features — the option isn’t there to activate the FBA. I’ve tried creating several sites following different directions and still nothing works.

I am completely lost at this point.

Any help would be appreciated.

Reply
1. Chris Coulson
  
  May 8, 2015
  
  Hi Dan,
  
  I’m not sure where you’re referencing fba.wsp from. If you go through this blog post, starting at part 1, there’s no need to install and wsp’s in SharePoint to configure FBA. Just follow the instructions step by step and you should be able to get it all configured.
  
  Once you have FBA setup, if you want to manage the FBA users within SharePoint, you might want to install the SharePoint 2013 FBA Pack. You can download it here:
  https://sharepoint2013fba.codeplex.com/
  
  Reply
Neel

June 3, 2015

Chris,

I have setup the membershipdb, configured the web.config files on web, sts, ca, installed visigo wsp, all set and one, added users using webpart works perfect, I can see users in iis by changing the default providers and I have reset it back

I am not able to login using the same credentials, I have tried all the options on google and msdn

I get below error:

The server could not sign you in. Make sure your user name and password are correct, and then try again

Hope you can provide some clues, I can do everything except logging in using the FBA, I also have 2 roles set up admin and user, I can see them in sharepoint people picker

Please provide some clues

Reply
1. Chris Coulson
  
  June 3, 2015
  
  If it’s only the login that’s not working, that means there’s an issue with the security token service config – as that is what processes the login. Double check the web.config for the security token service. Also check that the app pool user for the security token service has the appropriate permissions to the aspnetdb database.
  
  Reply
Ravi

June 25, 2015

Hi,

I done all the above mentioned steps, but while accessing FBA User Management and Role Management getting below error

“A Membership Provider has not been configured correctly. Check the web.config setttings for this web application”

Do I need to do any updates for Web.Config files for Central Administrator and Web Application ?

Reply
1. Chris Coulson
  
  June 26, 2015
  
  You shouldn’t need to update the web.config for central administration and the web application if you updated the machine.config – they will take their config from there.
  
  But double check the config settings you put in. Also ensure that the the web application’s app pool user has permissions to the database – as that will cause this error too.
  
  Reply
Pedro Ramos

July 29, 2015

Hello Chris first I want to thank for this detailing tutorial. Let me ask something and I apology if someone ask the same question before me. I want my website complete anonymous, not login except for specific section or specific pages same like Register or sign In section. For that reason I want to use domain users and the rest of the world to register to the specific section. Can I modify this workaround for that purpose?

Reply
1. Chris Coulson
  
  July 29, 2015
  
  Absolutely. You can setup everything like in the tutorial to add FBA authentication. Then it’s just a matter of applying the proper permissions to your content.
  
  Just set the permissions for the document library containing your home page and other anonymous pages to allow anonymous access.
  
  Then you can have separate document libraries for the page you would like people to login to access, and just assign the appropriate permissions to it.
  
  Reply
vinay

July 31, 2015

Hi,
I have followed all the steps as you have explained. As you are able to get user (like FABTest) from people picker of secondary administrator but in my case I am not getting any users which I have created . Please help .

Reply
1. Chris Coulson
  
  August 3, 2015
  
  I would double check all of your machine.config changes (or if you didn’t change the machine.config – the changes would have to go into your central admin web config). Also check that the app pool user for Central Admin has the appropriate permissions on the aspnetdb database.
  
  Reply
Amr

December 7, 2015

i applied this series but i have some difference because i already have membership data base after i completed this topic membership users working well but i got error when i try to get FBA roles using “FBA Role Management” link :

ProviderException: The role ‘Role name’ was not found.]
System.Web.Security.SqlRoleProvider.GetUsersInRole(String roleName) +1385
Visigo.Sharepoint.FormsBasedAuthentication.FBARolesView.ExecuteSelect(DataSourceSelectArguments selectArgs) +350
System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback) +28
System.Web.UI.WebControls.DataBoundControl.PerformSelect() +313
System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound() +146
System.Web.UI.WebControls.CompositeDataBoundControl.CreateChildControls() +192
System.Web.UI.Control.EnsureChildControls() +189
System.Web.UI.Control.PreRenderRecursiveInternal() +60
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Control.PreRenderRecursiveInternal() +222
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4297

any advice?

Reply
1. Chris Coulson
  
  December 7, 2015
  
  First, check to ensure your role provider is setup properly in the web.config/machine.config and also that the name you entered in the .config file matches the role provider name in the web application settings.
  
  If all that is ok, i’m thinking there may be a problem with the data in your membership database – as the error message is from microsoft’s membership provider component. You could try to connect to it with iis to see if you get the same error message.
  
  Reply
Vanda

January 27, 2016

Hi Chris,
Thank you for providing such detail instruction on configuring FBA, this helps lot. Before I use Power Shell script to manage users.
I have some issues after installing the SharePoint 2013FBAPack – not all the FBAmanagement menus working properly. i.e when click “Create User” or edit an existing user, I got this error

Sorry, something went wrong
Object reference not set to an instance of an object.
Technical Details
Troubleshoot issues with Microsoft SharePoint Foundation.

Correlation ID: 186e599d-5b5f-707d-accf-f2d1398099e0

Date and Time: 1/27/2016 3:09:39 PM

The detail error from Log shows:

01/27/2016 15:09:39.77 w3wp.exe (TRSPWEBSVR01:0x17C0) 0x176C SharePoint 2010 FBA Pack General 00000 High System.NullReferenceException: Object reference not set to an instance of an object. at Visigo.Sharepoint.FormsBasedAuthentication.UserNew.OnLoad(EventArgs e) 186e599d-5b5f-707d-accf-f2d1398099e0

I try undeploy and deploy several times, still can’t fix. Please help. Also I don’t know why the log file show “2010 FBA Pack”, I downloaded the “SharePoint2013FBAPack.1.3.5” dated January 22, 2015 from the link.

Thanks.

Reply
1. Chris Coulson
  
  January 27, 2016
  
  It showing 2010 FBA Pack is a bug – the 2013 fba pack is based on the 2010 one. I’ve raised an issue to correct this in the next version:
  
  https://sharepoint2013fba.codeplex.com/workitem/41
  
  The error you’re getting doesn’t look familiar – I would think it’s a deployment problem.
  
  Can you go to Central Admin -> Manage Farm Solutions and make sure that the FBA Pack is deployed to the web application that you are using it on. If it is, try undeploying/redeploying from there.
  
  Another possibility – are you using the FBA Pack from Central Admin? If so, that’s probably the problem, as it’s meant to be used directly on SharePoint site collections.
  
  Reply
Elton Ferreira

February 15, 2016

Tanks for this post, this is very good.

Reply
jin

June 16, 2016

Great tutorial. I do have one problem recently with the installed FBA on our SP 2013: for some reason in our system, we lost access to the FBA user management access except the site primary admin. When it was first installed, many of the farm admin members can manage FBA users. Is there somewhere we can check and revers the changes? Thanks -Jin

Reply
1. Chris Coulson
  
  June 20, 2016
  
  My guess is that they were all site collection administrators at some point, as the menu items are only visible to site collection admins. If others were able to access it before, then somebody had customized the code before installing it on your system.
  
  Reply
vas

October 18, 2016

With your help our extranet is running almost a year now, and it is smooth. However, i am looking for a .wsp file for a fba page. I have found some good sources, but either they do not have dual authentication (fba, and windows) or else they do not have in .wsp. Since i lack visual studio knowledge, i have not been able to do this.
It would be very nice if someone volunteered to put up a fba sign-in page with dual authentication that can be used for any company.
Thanks!!!

Reply
Christian

December 13, 2016

FBA based web application work well with reporting services?

Reply
1. Chris Coulson
  
  December 13, 2016
  
  I haven’t tested with it, so I’m not sure.
  
  Reply
saeed

April 9, 2017

Great Article Thank you, i just followed the same steps for my case and i wonder why i am unable to login from sharepoint FBA form when the password format is hashed or encrypted??? when i set the password format to clear through database (clear =0, encrypted = 2, hashed = 1). i would be very pleased to know the reason of my problem!!

Reply
1. saeed
  
  April 9, 2017
  
  when i set the password format to clear through database (clear =0, encrypted = 2, hashed = 1) it just work***
  
  Reply
  1. Chris Coulson
    
    April 10, 2017
    
    If you’re using ‘Encrypted’ you have to make sure you’re using the same machinekey everywhere, or it won’t be able to decrypt the password. Hashed though should work just as well as clear though, so i’m not sure why that’s not working.
    
    Reply
    1. saeed
      
      April 10, 2017
      
      Thanks Chris, my problem was that i am using the membership through web api inside SharePoint and i had to move the membership configuration to the web api web.config as well, everything worked as expected and with Hash password format 🙂
      
      Reply
chuck

April 25, 2017

Hey Chris,

We have FBA setup for a number of applications and we would like to use the FBA pack. We are using SQL authentication in the connection string instead of windows authentication and it has to be setup this way because the database resides in another windows domain and there are no trusts setup between the two. FBA is setup and working on 4 different web applications but we get the error “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.” when we try and use the FBA pack. You mentioned this can happen if the app pool doesn’t have db access which it doesn’t on a thread above. Am I missing something, I would expect it would use the rules of the application that the FBA pack runs in. We can login and do everything but the FBA pack is throwing that error. I appreciate your assistance.

Reply
1. Chuck
  
  April 25, 2017
  
  OK, issue resolved. Very strange one as the settings from my web apps config literally disappeared. I think it happened when I extended my web app (that is a guess). It shouldn’t have touched the parent config though. Even stranger is I could still login to the app using fba so go figure. I setup the code on my dev box and debugged and noticed it was returning the incorrect role provider when the base membership provider called GetAllUsers (OOTB membership method). So I checked the config again and the settings disappeared from my VM. That is the only reason I know I am not going crazy is I duplicated it in two different environments. So I added them back and obviously it worked. I have never seen this behavior but thought I would post it in case anyone ran into similar issues.
  
  Reply
  1. Chris Coulson
    
    April 25, 2017
    
    Glad to hear that you resolved the issue. The reason the login worked, but the FBA Pack did not is that the login uses the config file settings from the SecurityTokenService, while once you’re logged in the web application config settings are used. So as long as your SecurityTokenService config is good you’ll be able to login.
    
    Reply
Tedmond Lasseter

November 2, 2017

Looks like some files were not deployed.
Please advise.

Application error when access /_layouts/15/FBA/Management/UsersDisp.aspx, Error=The file ‘/_layouts/15/FBA/Management/UsersDisp.aspx’ does not exist.

Reply
1. Chris Coulson
  
  November 3, 2017
  
  I’d go into Central Admin – Manage Farm Solutions and retract the solution and then redeploy it.
  
  Reply
Tedmond Lasseter

November 3, 2017

Thanks 🙂 and Resolved. This was a case of Strange Inheritance. I inherited a Dev server with multiple versions of SharePoint installed and the files deployed to the wrong hive. I copied the fba directory from the wrong hive to the correct 15 hive and the software appears to be working. Is there anything I need to worry about?

Reply
1. Chris Coulson
  
  November 3, 2017
  
  Probably. I’m not sure why it would be in the wrong hive. I’m also surprised that 2 versions of SharePoint actually can coexist on the same machine. Since it’s just a dev server, i’d probably recommend that if you continue to run into problems, just recreate the dev server and put each version of SharePoint in their own VM.
  
  Reply
  1. Tedmond Lasseter
    
    November 4, 2017
    
    Hi Chris, I think I found a bug. When one performs an in place upgrade from 2010 to 2013, their are some hooks left behind along with a hive. i.e. hive 14 and 15 are left on the servers. I am an IT pro and could use your help with the deployment as it is starting to create issues.
    
    Reply
    1. Chris Coulson
      
      November 5, 2017
      
      Sure, we can do support call over GoToMeeting and I can take a look at your environment. Support plans are available for purchase here:
      https://www.visigo.com/products/sharepoint-fba-pack/support-plan/
      
      Reply
      1. Tedmond Lasseter
        
        November 6, 2017
        
        Hi Chris, Thank You for supporting your product with multiple options. I was able to create a workaround by installing the solution to both hives. Syntax used was:
        
        Install-SPSolution -Identity visigo.sharepoint.formsbasedauthentication.wsp –allwebapplications -gacdeployment -CompatibilityLevel{14,15}.
Fernando Vargas

November 7, 2017

First off, Thanks for this great contribution!

I am noticing a strange symptom whereby FBA users are not getting their email address in a new SP Site collection.
Using _layouts/15/FBA/Management/UsersDisp.aspx shows the email address but only IsInSharePoint flag=No but not after adding the user to the site.
Once the user is added to a site group, then UserDisp.aspx does not display the email address.

Any suggestions are appreciated.
Thanks,

Reply
1. Chris Coulson
  
  November 7, 2017
  
  Hi Fernando,
  
  I think what might be happening is that you have user syncing turned on, so when you add the user to the site, it gets automatically updated from it’s My Site user profile which does not contain the email address.
  
  If you’d like to verify if that’s the case, you can do so by updating the user’s email address on the FBA User Management page for one of these users. If it’s the syncing that’s doing it, it should still show the updated user’s email address for a short period of time after updating, but it will then get erased again.
  
  Reply
  1. Fernando Vargas
    
    November 8, 2017
    
    Thanks Chris.
    I was thinking about User Profile Synchronization (UPS) as well but the SP 2013 Server farm does not have UPS connections defined (I didn’t set it up. I am just trying to diagnose this FBA issue).
    
    Once the email address is updated using the UserDisp.aspx, it sticks.
    
    here is more detail of the setup as it is and what I am doing to test:
    
    on WebApp1, Site Collection 1: User registration and UserDisp.aspx shows email address and IsInSharePoint=True and actual dates for Modified and Created for this site collection
    
    On WebApp1, Site Collection 2: UserDisp.aspx shows email address, IsInSharePoint=False and blank Modified and Created dates for this site collection
    
    A user logs in to WebApp1 Site Collection 1 and is then redirected to WebApp1, Site Collection 2.
    
    After 4 minutes: On WebApp1, Site Collection 2, UserDisp.aspx shows blank email address, IsInSharePoint=True, Created date matches last login date for this site collection and Modified date is 4 minutes after Last Login.
    
    The 4 minute interval clearing the email address after logging in does suggest a timer job.
    Do you think SP is trying to synch it with the UPS and when it doesn’t find a profile clears out the email?
    
    Do you setup a UPS connection to the FBA Provider? How?
    
    Thanks for you help. I hope you have some suggestions.\
    
    Reply
    1. Chris Coulson
      
      November 8, 2017
      
      Yeah – the 4 minute interval certainly sounds like a timer job to me. And my guess is the user profile syncing even though it wasn’t setup. Check your timer jobs for a user profile sync job and see if you can disable it.
      
      I think that if My Sites is installed it automatically sets up syncing between My Sites user profiles and all site collection user profiles.
      
      Unfortunately the FBA Pack currently doesn’t support updating the My Site user profiles to address this.
      
      Reply
  2. Fernando Vargas
    
    November 8, 2017
    
    Also, when I check the user profiles in the UPS, FBA users do not have a WorkEmail address.
    
    Reply
Stacy

December 8, 2017

HI Chris,

There’s only one issue that I’m facing. The FBA Role Management is generating an unexpected result in my 2016 SharePoint farm.

I’m seeing these medium level’s immediately before the unexpected

############################################################

Entering Monitored Scope (ScriptWebPart.OnLoad). Parent=Request (GET:http://portal.domain.com/_layouts/15/FBA/Management/RolesDisp.aspx)

############################################################

Entering Monitored Scope (PublishingHttpModule.IsContextPageForOutputCache). Parent=ScriptWebPart.OnLoad

############################################################

Leaving Monitored Scope: (PublishingHttpModule.IsContextPageForOutputCache) Execution Time=0.0156702591740327; CPU Milliseconds=0; SQL Query Count=0; Parent=ScriptWebPart.OnLoad

############################################################

SPRequestModule.ErrorAppHandler Begin

############################################################

Application error when access /_layouts/15/FBA/Management/RolesDisp.aspx, Error=Object reference not set to an instance of an object.
at Visigo.Sharepoint.FormsBasedAuthentication.FBARolesView.ExecuteSelect(DataSourceSelectArguments selectArgs)
at System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback)
at System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound()
at System.Web.UI.WebControls.CompositeDataBoundControl.CreateChildControls()
at System.Web.UI.Control.EnsureChildControls()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

############################################################

Then I get this unexpected level
############################################################
############################################################

System.NullReferenceException: Object reference not set to an instance of an object.
at Visigo.Sharepoint.FormsBasedAuthentication.FBARolesView.ExecuteSelect(DataSourceSelectArguments selectArgs)
at System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback)
at System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound()
at System.Web.UI.WebControls.CompositeDataBoundControl.CreateChildControls()
at System.Web.UI.Control.EnsureChildControls()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
############################################################

and that is followed by this high level event
############################################################

Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type ‘System.Web.HttpUnhandledException’ was thrown. —> System.NullReferenceException: Object reference not set to an instance of an object.
at Visigo.Sharepoint.FormsBasedAuthentication.FBARolesView.ExecuteSelect(DataSourceSelectArguments selectArgs)
at System.Web.UI.DataSourceView.Select(DataSourceSelectArguments arguments, DataSourceViewSelectCallback callback)
at System.Web.UI.WebControls.BaseDataBoundControl.EnsureDataBound()
at System.Web.UI.WebControls.CompositeDataBoundControl.CreateChildControls()
at System.Web.UI.Control.EnsureChildControls()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
############################################################

I’m also seeing this high level that follows the unexpected, too

############################################################
SPOIncidentsDetectionJob.GetSPOIncidentBitStatus: spoIncidentJob was null. Accessing the cached bit of the SPOIncidentsDetectionJob

Do you know how I can resolve this?

Stacy

Reply
1. Chris Coulson
  
  December 8, 2017
  
  Hi Stacy,
  
  I expect you also get an error on the screen when you visit the ‘FBA Role Management’ page? What does it show on the screen when you visit that page?
  
  I’m thinking this is a misconfiguration of your membership provider. Does the FBA User Management page work properly? Can you create and edit users with it.
  
  Thanks,
  Chris
  
  Reply
Stacy

December 9, 2017

Hi Chris,

I can create and edit users, as long as I don’t select enable roles on the FBA Site configuration page. When I do the following:

Navigate to FBA Site configuration page, select Enable Roles, click Ok
then the FBA User management page throws a correlation.

The FBA Role Management page is where the above ULS entries are from, when I try to open FBA Role Management, it throws the error, with or without the Enable Roles checked on the FBA site management.

Any guidance you can give me will be much appreciated, thanks in advance,

Stacy

Reply
Stacy

December 9, 2017

Hi Chris,

I also just noticed that this post should really be on the SharePoint 2016, since it’s 2016 that I’m getting these errors. The 2013 solution worked fine in my 2013 dev farm.

Thanks,

Stacy

Reply
Stacy

December 9, 2017

Hi Chris,

Thanks for that reply.

The FBA Role Management page churns for awhile then it produces a correlation that the above lines are from.

Here’s what I have in my membership provider

This is from the machine config

###################################################

###################################################

This is from the web.config of the security token svc app

###################################################

###################################################

Thanks for looking at this

Stacy

Reply
Stacy

December 9, 2017

Hey Chris,

The blog seems to have stripped out my code that I pasted in.

Stacy

Reply
Stacy

December 9, 2017

Hey Chris,

thanks for your reply. I had erroneously updated the profile providers with the FBARoleProvider line, versus the Role Provider in the machine.config. After making that change to follow your post, all is well with the world and peace is restored!

Really love this site! I am going to write a re-blogurtation of this on my site and explain to people what not to do, in otherwords, tell them what I did. thanks for the help and have a great weekend!

Stacy

Reply
1. Chris Coulson
  
  December 10, 2017
  
  Glad to hear that you got it figured out!
  
  Reply
Ravi Singh

June 28, 2018

Hi Chris,

I have configured FBA in my development environment and it is working fine. I have extended one of my web application into internet zone. It was single box installation and people picker is able to detact FBA users.

I made the same change in UAT and things looks good to me. I am able to add users for FBA also.

When I am trying to share document with FBA user people picker is not showing FBA user. In my UAT I have 2ASs and 2WFEs. Do I need to configure something to get these users in UAT.

Regards

Ravi Singh

Reply
1. Chris Coulson
  
  June 28, 2018
  
  If the FBA Pack user management tools work fine in UAT, you should have things configured correctly. Can you add users to SharePoint groups on SharePoint’s People and Groups page? If everything’s working in development maybe compare the ‘PeoplePickerWildcards’ section of the web.config between Dev and UAT.
  
  Reply
Ravi Singh

July 4, 2018

Thanks a lot Chris, its working fine for me. I made changes in PeoplePickerWildcards.

Regards,

Ravi

Reply
Ravi Singh

July 4, 2018

Hi Chris,

Sorry to bother you again.

I have extended my web application on another url with form based authentication settings. I am accessing site as a windows user. whenever I am accessing new library, settings page or anything else, it is showing me login screen again. Can you help to resolve the issue. I think system is not retaining login token in browser.

Your response is highly appreciated

Regards

Ravi

Reply
1. Chris Coulson
  
  July 5, 2018
  
  I’m not sure off the top of my head. I’d say make sure that the domain isn’t changing when switching to these different pages – as the auth cookie will be saved based on the domain being accessed. Otherwise i’d probably use the network tab in the chrome dev tools to debug what is going on.
  
  Reply
azhar ali buttar

July 17, 2018

while working on my share point app, had the error. PFarm property CustomAppRedirect value is false or not set. Used ULSViewer to detect the problem and found the solution at under given URL.

https://www.windowstechupdates.com/spfarm-property-customappredirect-value-is-false-or-not-set/

I hope this will help someone

Reply
Talha

March 12, 2019

after implementation of fba my site does not open in sharepoint designer kindly guide me about solution ?

Reply
1. Chris Coulson
  
  March 17, 2019
  
  Configuring FBA should not prevent SharePoint Designer from working. Does everything else work? Do you get a certain error message?
  
  Reply
Nick Chapman

May 10, 2019

Hi Chris,

Not sure if you could assist me with a rather strange issue?

We have a SharePoint 2016 on premise Farm which is configured for FBA and windows authentication (we have a web applications and an extended web applications), on only 1 of the Web applications (We have 4 in total) when we go to save an office document via save as and then browser to the SharePoint site\library we get a script error, what has really thrown me is we do not get this error on the other web applications or again in our test environment, if I browse to the site using the extended web application address everything works fine, which leads me to assume the issue lies somewhere in the Web app settings\configuration, I have gone through all you articles to check the config files and tried as best I can to compare the working ones against the failed one but I am struggling to see any discrepancies? Could you help in anyway?

Thanks
Nick

Reply
1. Chris Coulson
  
  May 10, 2019
  
  Is it a script error or a server error? What’s the error? You should be able to get details from the browser developer console + network tab. If it’s a server error, you can get the details from the sharepoint log file. It does seem strange that it only happens on one server. Did somebody maybe modify the config file on the one server. The contents of the server folders on each server should be close to identical – if the error messages don’t help much, i’d probably diff between the folders on the different servers to see if there are file differences. Another thing you can try is running psconfig on the server to see if it fixes up any issues. Also, make sure you’re at the same patch level on all servers – maybe try installing the latest CU on all servers.
  
  Reply