Configuring Forms Based Authentication in SharePoint 2016 – Part 2 – Editing the Web.Config Files

Configuring forms based authentication (FBA) in SharePoint 2016 is exactly the same process as configuring it for SharePoint 2013.  I’ve recreated the SharePoint 2013 FBA tutorial specifically for SharePoint 2016, using screenshots from SharePoint 2016 and Windows Server 2012 R2.  I have changed the tutorial to use the SharePoint FBA Pack to create the FBA users, but otherwise it remains the same and can be used interchangeably between SharePoint 2013 and SharePoint 2016. I’ll go through all of the steps required to setup FBA for SharePoint 2016, from start to finish.  I’ve broken down the steps into 4 sections:

Part 1 – Creating the Membership Database

Part 2 – Editing the Web.Config Files

Part 3 –  Configuring SharePoint

Part 4 – Adding Users to the Membership Database

You can also watch a video of the whole process on YouTube: Configuring Forms Based Authentication in SharePoint 2016.

Part 2 – Editing the Web.Config Files

The next thing that has to be done to get forms based authentication working with SharePoint is setting up the membership provider.  A membership provider is an interface from the program to the credential store.  This allows the same program to work against many different methods of storing credentials. For example you could use an LDAPMembershipProvider to authenticate against Active Directory, or a SQLMembershipProvider to authenticate against a SQL Server database. For this example we’re using the SQLMembershipProvider to authenticate against a SQL Server database.

SharePoint is actually divided up into several web applications – Central Administration, the Security Token Service and all of the SharePoint web applications that you create. Each of those web applications needs to know about the membership provider. Most tutorials have you adding the membership provider settings over and over again in each web config (as well as every time you setup a new SharePoint web application).  I prefer to add the membership provider settings directly to the machine.config. By adding it to the machine.config, the configuration is inherited by all of the web.config files on the machine – so you only have to make the changes once, and don’t have to remember to make the changes every time you create a new SharePoint web application.

If you don’t have access to the machine.config, or prefer not to edit it, you will have to make all of these changes to the following web.config files:

  • SharePoint Central Administration
  • SecurityTokenServiceApplication
  • Every SharePoint web application you create that you would like to access via FBA.

BEFORE EDITING ANY .CONFIG FILE – MAKE A BACKUP OF IT. It’s very easy to make a typo.

  • Navigate to “C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Config” and open “machine.config”.sharepoint_2013_fba_config_1
  • In the <ConnectionString> section, add the following line:
    <add connectionString="Server=win-h472cerv001;Database=aspnetdb;Integrated Security=true" name="FBADB" />

    Be sure to replace the value for Server with the name of your SQL Server.machine config connection string

  • In the <membership><providers> section add the following:
    <add name="FBAMembershipProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="FBADB"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     applicationName="/"
     requiresUniqueEmail="true"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     minRequiredPasswordLength="7"
     minRequiredNonalphanumericCharacters="1"
     passwordAttemptWindow="10"
     passwordStrengthRegularExpression="" />

    You can customize the authentication by modifying each of these options. The most important thing to remember though is that if you define a membership provider in multiple locations for the same database, they MUST ALL USE THE SAME OPTIONS. Otherwise you’ll run into all kinds of problems with users created with one set of options, and later being authenticated against with a different set of options.

    Here’s a description of the different options available:

    Option Description
    connectionStringName The name of the database connection to the aspnetdb database.
    enablePasswordRetrieval true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.
    enablePasswordReset true/false. Whether the user can reset their password. I suggest setting this to true.
    requiresQuestionAndAnswer true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.
    applicationName Setting the application name allows you to share a single membership database with multiple different applications, with each having their own distinct set of users. The default applicationName is /.
    requiresUniqueEmail true/false. Determines if multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login by email system.
    passwordFormat Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one way hash of the password.  When a user authenticates, the password they enter is hashed as well and matched against the stored hashed value. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset.  I always recommend using “Hashed” as it is the most secure way of storing the user’s password.
    maxInvalidPasswordAttempts The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.
    passwordAttemptWindow The number of minutes before the invalid password counter is reset. Defaults to 10.
    minRequiredPasswordLength The minimum password length. Defaults to 7.
    minRequiredNonalphanumericCharacters The minimum number of non-alphanumeric characters required in the password. Defaults to 1.
    passwordStrengthRegularExpression A regular expression that can be used to validate the complexity of the password.

    sharepoint_2013_fba_config_3

  • In the <roleManager><providers> section add the following:
    <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

    Save and close the machine.config file.
    sharepoint_2013_fba_config_3_1

  • I mentioned that if you modified the machine.config, you’d only have to put the config in a single place.  I wasn’t being completely truthful.  The SharePoint Web Services configuration overrides the machine.config and clears the entries we created. For that reason, the membership and role providers also need to be added to the SecurityTokenService (But only there – you won’t have to add them to the central admin or other SharePoint web app web.configs.First we need to find the web.config for the SecurityTokenService. Open up IIS. Under sites, SharePoint Web Services, right click on SecurityTokenServiceApplication and click on Explore. Edit the web.config in the folder that opens.SharePoint Security Token Service
  • Add the following to the web.config, just before the closing </configuration> tag:
    <system.web>
     <membership>
     <providers>
     <add name="FBAMembershipProvider"
     type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     connectionStringName="FBADB"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     applicationName="/"
     requiresUniqueEmail="true"
     passwordFormat="Hashed"
     maxInvalidPasswordAttempts="5"
     minRequiredPasswordLength="7"
     minRequiredNonalphanumericCharacters="1"
     passwordAttemptWindow="10"
     passwordStrengthRegularExpression="" />
     </providers>
     </membership>
    <roleManager>
     <providers>
     <add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
     type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
     </providers>
     </roleManager>
     </system.web>

    Remember to match all of the options with what was entered in the machine.config.Save and close the file.

    sharepoint_2013_fba_config_5

The role and membership providers have now been setup for SharePoint. Continue on to Part 3 to configure SharePoint to use the membership provider we just setup.

14 Responses to “Configuring Forms Based Authentication in SharePoint 2016 – Part 2 – Editing the Web.Config Files”

  1. Bret says:

    Do these config changes need to be done on the distributed cache server and/or the app server?

    • They need to be done anywhere where either authentication is being done or fba users are being queried.

      So no, you shouldn’t need it on the distributed cache server. I don’t expect that any of the services running on the app server require it, but I myself would make the changes there anyways, just in the off chance that one of the services does query the fba users.

  2. john adams says:

    Hi Chris,

    We are having trouble signing in to the SP site using FBA. We have a SP farm configured to use AG’s in SQL and a listener. Please see below for transcript. We tested on our dev box which is not using a listener and it works, but IIS does not seem to like the connection string for the listener:? any help appreciated:

    Token Handler: Claims Forms Sign-In: Membership Provider ‘FBA_Membership’ username-password check for user ‘XXXXXXXXXX@gmail.com’ generated exception. Exception: ‘System.ArgumentException: An error occurred while attempting to initialize a System.Data.SqlClient.SqlConnection object. The value that was provided for the connection string may be wrong, or it may contain an invalid syntax. Parameter name: connectionString —> System.ArgumentException: Keyword not supported: ‘sp16-xxx-sag.XXXXXXX.lan;database’. at System.Data.Common.DbConnectionOptions.ParseInternal(Hashtable parsetable, String connectionString, Boolean buildChain, Hashtable synonyms, Boolean firstKey) at System.Data.Common.DbConnectionOptions..ctor(String connectionString, Hashtable synonyms, Boolean useOdbcRules) … 9978d79d-f239-20d0-53af-3c4b27321734
    02/22/2017 10:27:40.68* w3wp.exe (0x25F4) 0x14B4 SharePoint Foundation Claims Authentication ad1qp Unexpected … at System.Data.SqlClient.SqlConnectionString..ctor(String connectionString) at System.Data.SqlClient.SqlConnectionFactory.CreateConnectionOptions(String connectionString, DbConnectionOptions previous) at System.Data.ProviderBase.DbConnectionFactory.GetConnectionPoolGroup(DbConnectionPoolKey key, DbConnectionPoolGroupOptions poolOptions, DbConnectionOptions& userConnectionOptions) at System.Data.SqlClient.SqlConnection.ConnectionString_Set(DbConnectionPoolKey key) at System.Data.SqlClient.SqlConnection.set_ConnectionString(String value) at System.Data.SqlClient.SqlConnection..ctor(String connectionString, SqlCredential credential) at System.Web.DataAccess.SqlConnectionHolder..ctor(String connectionString)

  3. Ernie Encinas says:

    Hey Chris.
    I have made the necessary changes to web configs in CA, Web App, and Security token. I have added the section for password to not require users to enter secret answer. However, I am getting this error when trying to reset a user’s password from User Management list:
    “Your current membershipprovider settings prevent a user’s password from being reset. To allow for resetting of a password by an administrator, you must have enablePasswordReset=”true” and requiresQuestionAndAnswer=”false” in your membership provider settings in your web.config”. I also have the section for secret question and answer when creating a new profile.
    Appreciate any assistance on resolving this issue.

    Thanks,
    Ernie Encinas
    SharePoint Administrator

    • You should only be getting this error if the active membership provider has settings other than:
      enablePasswordReset=”true” and requiresQuestionAndAnswer=”false”

      It could be that you have multiple membership providers setup. The FBA Pack will use the one specified by name in the ‘Authentication Providers’ option for managing web applications in Central Admin.

      It could also be that you are editing a membership provider entry that is getting overwritten by another .config file. Or possibly that you have multiple servers and haven’t adjusted the .config files in all of them.

      • Ernie Encinas says:

        Chris,
        Thanks for your response and suggestions. I was able to resolve the issues with password reset by running the FBA Configuration Manager for SP2013 and included enablePasswordReset=”true” and requiresQuestionAndAnswer=”false” in the membership provider section. Appears that my SP2016 farm included an additional WFE and APP server that needed the web configs modified.

        Thanks,
        Ernie

  4. Ernie Encinas says:

    Dear Chris,
    I had a question regarding the “FBA Membership Request Management” list. When I try to create new FBA users in the request management list(by saving as pending and the approved) the new users are never sent to the FBA user management list or in SharePoint User Profile store. The reason why I was wanting to use FBA membership request management list is so that I can add custom properties to list for synchronization to SharePoint UPS. Look forward to expertise.

    Thanks,
    Ernie
    SharePoint Administrator

    • I think that doing what you’re doing should work for creating the user’s. I haven’t tried it myself, but that’s all the membership request web part is doing is creating a new item in the membership request list, and then when it is approved it goes and creates the actual user. I expect one or more of the fields is not getting filled out properly. You might want to check the SharePoint log file, it should tell you what errors are occurring when the item approval happens.

      Unfortunately, even if you do get this working, adding new properties to this list will not add the properties to the user’s profile. Right now the fields it pulls from the membership request list are hard coded, so any new columns you add will be ignored. The source code would have to be modified to allow for that.

  5. Andy says:

    Hi Chris,

    Your FBA pack is amazing, and it is working perfectly on my development servers (soon to be production though).

    Just curious, if I already had 1 web application which is configured to use FBA, then I want to add other web applications which will use FBA too, or extend another web application to use FBA (all on different database), then I just need to add the second connection string, membership provider, and role provider under each respective section under the machine.config on the server and STS web.config, right? Do I need further changes aside from those config files?

    Thanks.

    • If you’re adding additional web applications, you don’t need to make any additional changes to the config files – as the machine config entries are shared for everything on the machine. You just have to enter the membership/role provider names in the ‘Authentication Providers’ section of Central Admin (Part 3).

      That is assuming you want to share the same FBA users. If you want a separate set of users, then yes, you’d have to create separate config file entries with different names.

Leave a Response

Trackbacks