Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019 – Part 3 – Configuring SharePoint

Configuring forms based authentication (FBA) in SharePoint 2016 and SharePoint 2019 is exactly the same process as configuring it for SharePoint 2013.  I’ve recreated the SharePoint 2013 FBA tutorial specifically for SharePoint 2016 and SharePoint 2019, using screenshots from SharePoint 2016 and Windows Server 2012 R2.  I have changed the tutorial to use the SharePoint FBA Pack to create the FBA users, but otherwise it remains the same and can be used interchangeably between SharePoint 2013 and SharePoint 2016/2019.

I’ll go through all of the steps required to set up FBA for SharePoint 2016 and 2019, from start to finish.  I’ve broken down the steps into 4 sections, so if you already have an existing membership database set up from a previous version of SharePoint, feel free to skip forward to Part 2.

Part 1 – Creating the Membership Database

Part 2 – Editing the Web.Config Files

Part 3 – Configuring SharePoint

Part 4 – Adding Users to the Membership Database

You can also watch a video of the whole process on YouTube: Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019.

Part 3 – Configuring SharePoint

Now that the membership and role provider have been configured, we can configure SharePoint to use them.  For this example I’m going to edit an existing web application to use forms based authentication. The same settings can be applied when creating a new web application.

  • Open SharePoint Central Administration -> Application Management -> Manage Web Applications.
  • Select the web application you’d like to edit and click “Authentication providers”.
  • Select the zone of the authentication provider you’d like to edit. In this case I only have a single zone set up: “Default”.  If you like, you can add multiple zones by extending the web application.  This lets you use different forms of authentication for the same web application depending on the URL used to access it.  For example, if users hit the web application using the local server name, it can authenticate them with Windows authentication; if they access it via an external domain name, you could have it authenticate them with FBA.
  • Check “Enable Forms Based Authentication (FBA)”. Enter the ASP.NET Membership Provider Name and ASP.NET Role Provider Name that you configured in the web.config. For this example we used “FBAMembershipProvider” and “FBARoleProvider” (without the quotation marks). In this case we left “Enable Windows Authentication” checked. This allows us to log in either via Windows Authentication or Forms Based Authentication (SharePoint will prompt you at login for which method you’d like to use). Click “Save”.
  • Now when authenticating to the site collection, if you enabled both Windows Authentication and Forms Based Authentication, you’ll be prompted for which method you’d like to use to authenticate.
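The same zone configuration can be scripted from the SharePoint Management Shell. The block below is an added example written for this page, not code from the original post or from the FBA Pack: it performs the equivalent of the Central Administration steps above and then runs the checks a practitioner wants before testing a login. Two things cause most of the failures discussed in the comments, so the script verifies both: the provider names stored on the zone must exactly match the `<add name="...">` entries in the web application, Central Administration and Security Token Service web.config files edited in Part 2, and the membership database must be reachable with the connection string those files point at. The web application URL (`http://intranet.contoso.local`) and the default 16-hive path of the Security Token Service web.config are assumptions; the provider names are the ones used in this series.

```powershell
# Added example (editor's, not from the original post): scripted equivalent of the
# Authentication Providers page, plus consistency checks. Assumed values are marked.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl      = "http://intranet.contoso.local"   # assumed: replace with your web application URL
$membershipName = "FBAMembershipProvider"           # names configured in web.config in Part 2
$roleName       = "FBARoleProvider"
$zone           = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# --- Step 1: equivalent of ticking "Enable Windows Authentication" and "Enable FBA" ---
$windows = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$forms   = New-SPAuthenticationProvider -ASPNETMembershipProvider $membershipName `
                                        -ASPNETRoleProviderName  $roleName
$wa = Get-SPWebApplication $webAppUrl
Set-SPWebApplication -Identity $wa -Zone $zone -AuthenticationProvider $windows, $forms

# --- Step 2: read the zone back. These stored names are what SharePoint looks up in
#     web.config at login time, so they must match the <add name="..."> entries exactly. ---
$iis = $wa.IisSettings[$zone]
$fba = $iis.ClaimsAuthenticationProviders |
       Where-Object { $_.GetType().Name -eq 'SPFormsAuthenticationProvider' }
if (-not $fba) { throw "Zone $zone has no forms authentication provider after Set-SPWebApplication" }
"Zone {0}: membership provider '{1}', role provider '{2}'" -f $zone, $fba.MembershipProvider, $fba.RoleProvider

# Checks one web.config for the named providers; returns the membership provider's
# connection string (or $null) so the database check below can reuse it.
function Test-ProviderConfig {
    param([string]$ConfigPath, [string]$Membership, [string]$Role)
    if (-not (Test-Path $ConfigPath)) { Write-Warning "Missing config: $ConfigPath"; return $null }
    $cfg = [xml](Get-Content -Path $ConfigPath -Raw)
    $sw  = $cfg.configuration.'system.web'
    $m = @($sw.membership.providers.add)  | Where-Object { $_.name -eq $Membership }
    $r = @($sw.roleManager.providers.add) | Where-Object { $_.name -eq $Role }
    Write-Host ("{0}: membership provider {1}, role provider {2}" -f $ConfigPath,
        $(if ($m) { 'found' } else { 'MISSING' }), $(if ($r) { 'found' } else { 'MISSING' }))
    if (-not $m) { return $null }
    # The provider's connectionStringName must resolve to an <add> under <connectionStrings>.
    $cs = @($cfg.configuration.connectionStrings.add) |
          Where-Object { $_.name -eq $m.connectionStringName }
    if (-not $cs) { Write-Warning "No connection string named '$($m.connectionStringName)' in $ConfigPath" }
    return $cs.connectionString
}

$ca = Get-SPWebApplication -IncludeCentralAdministration |
      Where-Object { $_.IsAdministrationWebApplication }
$configs = @(
    (Join-Path $iis.Path.FullName 'web.config'),                   # this zone's IIS site
    (Join-Path $ca.IisSettings[$zone].Path.FullName 'web.config'), # Central Administration
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\WebServices\SecurityToken\web.config')  # assumed default STS path
)
$connectionString = $null
foreach ($path in $configs) {
    $cs = Test-ProviderConfig -ConfigPath $path -Membership $fba.MembershipProvider -Role $fba.RoleProvider
    if ($cs -and -not $connectionString) { $connectionString = $cs }
}

# --- Step 3: "A Membership Provider has not been configured correctly" usually means the
#     provider cannot reach the database. This opens the connection as the shell's own
#     account; the account that actually needs db_owner on the membership database is the
#     web application's app pool identity, printed here for reference. ---
"App pool identity that needs access to the membership database: " + $wa.ApplicationPool.Username
if ($connectionString) {
    $conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT COUNT(*) FROM dbo.aspnet_Applications"   # standard ASP.NET membership schema table
        "Membership database reachable; {0} application row(s)" -f [int]$cmd.ExecuteScalar()
    } catch {
        Write-Warning ("Membership database check failed: " + $_.Exception.Message)
    } finally {
        $conn.Dispose()
    }
}
```

Run it in the SharePoint Management Shell started with “Run as administrator”, using the account that installed SharePoint. A “MISSING” line for any of the three config files, or a failed database check, points at the Part 2 edits or at SQL Server permissions rather than at the zone settings.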

At this time however, you still cannot authenticate with forms based authentication, as we haven’t created any users in the membership database.  In Part 4 I’ll show you how to use the FBA Pack to add users to the membership database.

Important – Additional Steps for enabling FBA for Office Applications

Thank you to Denis Molodtsov for noticing that even with FBA configured in SharePoint 2016, it still won’t authenticate properly when opening a document from SharePoint with Office 2016 (Word, Excel, PowerPoint…).  Office 2016 now uses “Modern Authentication” by default – which does not support Claims authentication.  SharePoint 2016 releases from the June 2016 CU and onward allow Modern Authentication to be turned off.  To turn it off run the following in the SharePoint Management Shell:

# Read the farm's Security Token Service configuration
$sts = Get-SPSecurityTokenServiceConfig
# Stop Office clients from using Modern Authentication against this farm
$sts.SuppressModernAuthForOfficeClients = $True
$sts.Update()
# Restart IIS so the change takes effect
iisreset

Comments

31 responses to “Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019 – Part 3 – Configuring SharePoint”

  1. Michael Patti

    I’m using FBA Pack with a SharePoint 2016 Standard instance. I had initially set this up to use the default Hashed method of storing passwords. That was working fine for creating new users and authenticating them into the site.

    However, I want to allow users to retrieve their passwords, so I switched to the Encrypted method of storing passwords.

    I’m finding that when I do that, I’m able to create new user accounts; but when those users attempt to authenticate, they can’t log in. The event viewer on the SP server is reporting the following error when FBA users attempt to login:

    “The security token username and password could not be validated.”

    I’m puzzled as to why authentication would work with the Hashed method, but not with the Encrypted method.

    When switching between the two methods, I was careful to update the machine.config and the web.config on the SecurityTokenServiceApplication so that the settings were identical.

    When I switched back to the Hashed method, I was able to login using FBA user accounts again.

    Any assistance would be appreciated.

    Thanks,
    Michael

    1. Chris Coulson

      Instead of letting users retrieve their passwords, I’d suggest using the password recovery web part to allow them to reset their passwords. Encrypted is less secure than hashed, as encrypted can be retrieved while hashed cannot.

      If you still would like to get encrypted to work, you will need to add a matching machinekey entry to each .config file with the membership provider. The machinekey is used to encrypt + decrypt the password.

  2. Talha Arain

    I followed these steps and enabled forms based authentication, but my site shows Service Unavailable:
    HTTP Error 503. The service is unavailable. And the app pool stops. Why?

    1. Chris Coulson

      The app pool is stopped? Does it immediately stop again when you try to restart it? Could be you made a syntax error when editing the .config files, leading to the app not being able to read it. I’d try going back to the backup .config files and see if things come up again. If they do, review your changes – could be a tag wasn’t closed somewhere, or wasn’t put in the right location.

  3. Majd Hasan

    Hi Chris,

    I did every step as mentioned in the article, many times, and I always get this error:

    Server Error in ‘/’ Application.

    fullName
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ArgumentException: fullName

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [ArgumentException: fullName]
    Microsoft.SharePoint.Utilities.SPUtility.GetFullUserKeyFromFullName(String fullName) +1229
    Microsoft.SharePoint.SPGlobal.CreateSPRequestAndSetIdentity(SPSite site, String name, Boolean bNotGlobalAdminCode, String strUrl, Boolean bNotAddToContext, Byte[] UserToken, SPAppPrincipalToken appPrincipalToken, String userName, Boolean bIgnoreTokenTimeout, Boolean bAsAnonymous) +4181
    Microsoft.SharePoint.SPWeb.InitializeSPRequest() +257
    Microsoft.SharePoint.SPWeb.EnsureSPRequest() +295
    Microsoft.SharePoint.SPWeb.get_Request() +27
    Microsoft.SharePoint.WebControls.SPControl.EnsureSPWebRequest(SPWeb web) +237
    Microsoft.SharePoint.WebControls.SPControl.SPWebEnsureSPControl(HttpContext context) +838
    Microsoft.SharePoint.Utilities.SPUtility.RedirectToIsolatedDomainForAppWeb() +56
    Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase.OnPreInit(EventArgs e) +210
    Microsoft.SharePoint.IdentityModel.Pages.IdentityModelSignInPageBase.OnPreInit(EventArgs e) +17
    System.Web.UI.Page.PerformPreInit() +37
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1145

    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.2106.0

  4. Chris Coulson

    When do you get this error? Immediately when trying to open any page on the site?

    If you remove the machine.config changes do the errors go away? How about if you turn off FBA in the authentication providers section?

    My guess would be either a problem with the applicationName in the machine config, or the membership/role provider names in the Authentication Providers setup not matching the machine config. Or possibly some unsupported characters in the applicationName or membership/role provider names.

  5. Maggi Honda

    After configuring SharePoint 2016 FBA I’m getting this error:
    A Membership Provider has not been Configured correctly. Check the web.config Settings for this webApplication

    Maggi Honda

    1. Chris Coulson

      Unfortunately it looks like there’s some problem with your configuration. The most common issue is permissions not being set up properly on the SQL Server – so SharePoint can’t connect to the aspnetdb database. That’s where I’d check first.

  6. Ssmuel

    I attempted to activate the FBA on SharePoint 2019 but I am receiving this error:

    Enable-spfeature : Access denied.
    At C:\deploy\Activate.ps1:29 char:2
    + Enable-spfeature -identity $featureName -confirm:$false -url $url
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Share…etEnableFeature:SPCmdletEnableFeature) [Enable-SPFeature
    ], SPException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletEnableFeature

    1. Chris Coulson

      It sounds like you’re attempting to install it with an account that doesn’t have full permissions on SharePoint. Try installing it using the same account that was used to install SharePoint. You might also want to make sure that the console/shell is being ‘Run as administrator’.

  7. Nick Chapman

    Hi Chris (sorry, I posted a similar question on the 2013 guide),

    Not sure if you could assist me with a rather strange issue?

    We have a SharePoint 2016 on-premises farm which is configured for FBA and Windows authentication (we have several web applications which are also extended; the primary web application is configured for NTLM & Forms, the extended one is NTLM only). One of the web applications is causing an issue: when we go to save an Office document via Save As and then browse to the SharePoint site\library, we get a script error. What has really thrown me is that we do not get this error on the other web applications, or again in our test environment. If I browse to the site using the extended web application address, everything works fine, which leads me to assume the issue lies somewhere in the web app\FBA settings\configuration. I have gone through all your articles to check the config files and tried as best I can to compare the working ones against the failing one, but I am struggling to see any discrepancies. Could you help in any way?

    Thanks
    Nick

  8. CVP

    Chris: thank you for this write-up as it has been tremendously helpful.

    We typically have the default web app set up using NTLM. We would then extend the web app to another zone, i.e. Intranet, and then set up the extended web app using FBA. The extended web app will have a different URL than the default NTLM web app. Got a couple of questions for you:

    1) Is this the recommended approach in terms of having the authentication and the zone (more on this below)? Is it ever advisable to have FBA tied to the default zone and the extended web app be NTLM?

    2) Have you noticed weird behaviors when going through a load balancer for the extended FBA web application when it is in the Intranet zone? For example, if you have 2 web front-end servers, it seemed like only one of the web front-end servers is working correctly in this scenario.

    Appreciate any thoughts/insights you might have on this.

    Thank you!

    1. Chris Coulson

      1) I would always put the Windows auth on the default zone, otherwise the search service won’t be able to crawl the site – it will get errors.

      2) I’ve only noticed weird behaviors with the load balancer when the FBA configuration isn’t mirrored exactly between all the servers (I’ve seen setups where one server is configured with different password length requirements, or has different password types configured (hashed vs encrypted etc…)). But as long as all web servers are configured identically there should be no problems with the load balancer.

  9. abdul faizan mohammed

    Hi,

    I’ve a SharePoint 2013 on-prem environment, and FBA is configured in it. When I try to open a document it takes me to a page which says something went wrong, with a link to go back to the site. If I click on “go back to the site”, it opens my custom sign-in page, and once I click on Windows authentication it opens the SharePoint site; now if I try to reopen the document it opens.

    Please tell me if there is any solution for it.

    Thanks,
    Faizan.

    1. Chris Coulson

      There should be more details of the error, either in the event log if it’s an IIS error, or the SharePoint log if it’s a SharePoint error. Hopefully that will give a clue as to what is wrong.

      1. abdul faizan mohammed

        Hi Chris,

        No errors in the IIS error log and no error in the SharePoint log.

        This is particularly happening with FBA configured site and on the Non FBA site it is working properly.

        sorry something went wrong
        an unexpected error has occurred.
        technical details
        correlation id : 0000000-0000-0000-00000000 go back to the site.

        your help will be highly appreciated.

        Thanks,
        Faizan

        1. Chris Coulson

          With no error logged, I’m not sure what would be causing it. Does it really give you all 0’s for the correlation id? I haven’t seen that before. Usually it’s a GUID that can be searched for in the SharePoint logs to get the error details.

  10. Dominic

    Hi Chris,

    We have a single-zone SP2016 on-prem setup, which has the FBA Pack installed and has been working solidly for a few years now.

    However, what we are now finding is that when 3rd party connectors try to connect to our SharePoint they throw up an error where it’s saying the credentials are incorrect.

    I believe that this might be down to the 3rd party program not being able to decipher whether it is a Windows/Forms user.

    Is there any way we can get around this within our setup? Or do we need to create a new zone, switch off FBA on Zone 1 and activate it solely on Zone 2? Would this have any detrimental effect on our user logon list?

    Really appreciate your help on this.

    1. Chris Coulson

      I’ve run into the issue if it’s only FBA configured on the default zone, but don’t recall having issues if both FBA and AD are configured on that zone. But I guess it very well could be that the 3rd party connectors don’t take that into consideration. Unfortunately, if that’s the case, apart from trying to get the 3rd party provider to handle that scenario, you will probably have to do what you suggested and create a 2nd zone, with FBA activated solely on zone 2. This shouldn’t have a detrimental effect, and I’d say that in general this setup is probably more popular than your current setup (as users don’t get prompted to choose to login with Windows or forms). The only issue is going to be that now there will be 2 URLs – one for Windows login and one for forms. So all of one set of users is going to have to learn to use the new URL.

  11. Niusha

    In SharePoint 2019, at the end I get this error in “Manage Forms Based Authentication Users”:

    “A Membership Provider has not been configured correctly. Check the web.config settings for this web application.”

    I rechecked my web.config and nothing seems to be wrong.

    Is there any solution or any help that could resolve it?

    By the way, I do the same in SharePoint 2016 and it runs without any problem.

    1. Chris Coulson

      The error pretty much means that the membership provider can’t talk to the database – could be for a variety of reasons. It might be some misconfiguration in the config files. Usually it’s a SQL Server permission issue that causes the problem. You have to make sure that the SharePoint app pool user has DBO permissions on the membership database.

  12. Max

    Hey Chris,

    Wonderful article. I got to the last step and I wanted to use forms based auth for the SharePoint Central Administration site. I have this all running under a local user account (dev environment) and that’s the reason for needing to swap it over. Every time I log in with an admin account currently it can’t find it and drops me back into System Account, which can’t manage Central Administration. How would I go about setting Central Administration to do that?

    Thanks

    1. Chris Coulson

      Honestly I’ve never set up Central Admin to authenticate with FBA, and I’m not sure if it can be. And if you’re using the FBA Pack, it was never meant to work with Central Admin either, so I wouldn’t expect it to work either.

    2. Max

      Never mind, I finally got it to respond to the local account by switching to basic auth in IIS and disabling Windows auth. It’s been so long since I had to manage these settings I forgot what I was doing. Hope this helps anyone who is using a local account like me.

      Thanks
