Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019 – Part 4 – Adding Users to the Membership Database

Configuring forms based authentication (FBA) in SharePoint 2016 and SharePoint 2019 is exactly the same process as configuring it for SharePoint 2013.  I’ve recreated the SharePoint 2013 FBA tutorial specifically for SharePoint 2016 and SharePoint 2019, using screenshots from SharePoint 2016 and Windows Server 2012 R2.  I have changed the tutorial to use the SharePoint FBA Pack to create the FBA users, but otherwise it remains the same and can be used interchangeably between SharePoint 2013 and SharePoint 2016/2019.

I’ll go through all of the steps required to set up FBA for SharePoint 2016 and 2019, from start to finish.  I’ve broken down the steps into 4 sections, so if you already have an existing membership database setup from a previous version of SharePoint, feel free to skip forward to Part 2.

Part 1 – Creating the Membership Database

Part 2 – Editing the Web.Config Files

Part 3 –  Configuring SharePoint

Part 4 – Adding Users to the Membership Database

You can also watch a video of the whole process on YouTube: Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019.

Part 4 – Adding Users to the Membership Database

At this point SharePoint has been completely set up for forms based authentication. Unfortunately people still can’t log in with FBA, as no users have been added to the membership database.

There are a few ways to add users to the membership database.  You can manage the users in the membership database using IIS. I prefer to manage the users in SharePoint using the SharePoint FBA Pack. I’m going to show you how to install the FBA Pack and use it to add users to your membership database.

  • You can find downloads and documentation for the SharePoint 2016 FBA Pack at
  • Download the FBA Pack and unzip it to a folder on your hard drive. For this example I’ve unzipped to c:\deploy.
  • Open either PowerShell (in Administrator mode) or the SharePoint Management Shell.
  • Navigate to the c:\deploy folder: “cd c:\deploy”
  • Run “.\deploy http://win-h472cerv00l” (without quotes, and be sure to substitute the URL of the site collection where you would like the FBA Pack activated).  Note you can also run “.\deploy” without any parameters, in which case you will have to manually activate the “Forms Based Authentication Management” feature in each site collection where you’d like to use it.
  • The script will deploy the FBA Pack to the SharePoint farm and activate it on your site collection. Note that if you get an error and scripts won’t run because they are not signed, you need to run the following command to allow the script to run: “Set-ExecutionPolicy Unrestricted”. Once you’ve done that, rerun the deploy script.
  • Navigate to your site collection and log in as a site collection administrator. Navigate to the Site Settings page. You will notice you now have some new options for managing FBA users.
  • Select “FBA User Management”.
  • Click “New User”.
  • Fill out the form to create your first user in the FBA database. Be sure to assign them to a SharePoint group so that they will have permissions to log in to SharePoint.
  • Now you can try to log in as the user you just created. Log out of SharePoint. When logging back in to SharePoint, choose to log in using Forms Based Authentication. Log in using the username and password you created on the FBA User Management screen.

That’s it!  You now have Forms Based Authentication set up on SharePoint 2016, and the FBA Pack installed to manage your FBA users.  Be sure to check out the rest of the features of the SharePoint FBA Pack – on top of allowing you to manage users and roles, it also includes web parts for user registration, changing your password and recovering a forgotten password.
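
A narrower alternative to the machine-wide “Set-ExecutionPolicy Unrestricted” step, as an added example that is not part of the FBA Pack or the original tutorial: review the downloaded scripts, clear their download mark, and relax the execution policy for the current PowerShell process only. It assumes the pack was unzipped to c:\deploy and reuses the tutorial's sample site URL.

```powershell
# Added example (not FBA Pack code). Assumptions: the pack was unzipped to
# C:\deploy and the site URL is the tutorial's sample value; change both.
$deployDir = 'C:\deploy'
$siteUrl   = 'http://win-h472cerv00l'

# 1. Inventory every script that is about to run with farm admin rights:
#    signature status, whether Windows marked it as downloaded, and its hash.
$scripts = Get-ChildItem -Path $deployDir -Filter *.ps1 -Recurse
$report = foreach ($script in $scripts) {
    $sig  = Get-AuthenticodeSignature -FilePath $script.FullName
    # A Zone.Identifier stream is the "downloaded from the internet" mark.
    $zone = Get-Item -Path $script.FullName -Stream Zone.Identifier `
                     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Script     = $script.Name
        Signature  = $sig.Status     # e.g. NotSigned, Valid, HashMismatch
        Downloaded = [bool]$zone
        SHA256     = (Get-FileHash -Path $script.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# 2. A HashMismatch means a signed script was modified after signing.
if ($report | Where-Object { $_.Signature -eq 'HashMismatch' }) {
    throw 'A script in the deploy folder has a broken signature; do not run it.'
}

# 3. Once the scripts have been read and the hashes recorded, remove the
#    download mark from these files only.
$scripts | Unblock-File

# 4. Relax the policy for this PowerShell process only. RemoteSigned runs
#    local (unblocked) scripts and still refuses unsigned downloaded ones.
#    A policy enforced through Group Policy takes precedence over this.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

# 5. Run the deployment as in the steps above.
& (Join-Path $deployDir 'deploy.ps1') $siteUrl

# 6. Confirm that the LocalMachine and CurrentUser policies were not changed.
Get-ExecutionPolicy -List
```

Closing the PowerShell window discards the process-scoped policy, so nothing has to be reverted afterwards.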


63 responses to “Configuring Forms Based Authentication in SharePoint 2016 and SharePoint 2019 – Part 4 – Adding Users to the Membership Database”

  1. Ravi Ranjan

    Really really Helpful. Thanks a Ton.

  2. Justin


    I’m using FBA Pack 2013 but user review or email isn’t working. Email is working elsewhere in the farm / site collection. Any thoughts as to why review might not be working? When I test the request account web part the users go right into the users list instead of the review list. The setting is definitely enabled.

    1. Chris Coulson

      You will get emails for user review, so if you’re not getting them then it’s most likely an issue with your email setup. Try using an internal email address when setting up a user and see if that works. A common issue is that the SMTP server isn’t set up to relay email from the SharePoint server – so in that case internal emails will be delivered, but emails to external domains will not be. If that’s not the issue, I suggest you check the SharePoint logs, it should have an error message related to the issue.

      1. Justin

        Thanks! I’ll do that. BTW I think I have tested that the farm will forward to external addresses for other mail. For example I can run this mail test script:

        with the target at my gmail address and it works. Email shows up at my gmail. Does this mean that isn’t the issue or do these methods operate in different ways that are beyond my understanding?

        1. Chris Coulson

          If that test works, the FBA Pack should be able to send email. Check your log file just after attempting to register using the membership request web part. There should be an error message that should give a better idea of what the problem is.

          1. Justin

            For everyone out there our issue ended up being that port 25 was not open between our DMZ and our internal network. This is why running that PowerShell script worked when it was run on the App server but the WFE could not forward SMTP from the WFE (DMZ) to the App Server.

            This was discovered by looking at the logs on each machine separately.

  3. Gerard

    Hi Chris,

    Very helpful post. The only comment I can offer if it may help someone is to add an entry in an applications web.config file if you want to set specific permissions and find a user through the people picker settings.

    The entry I added is as follows, which I had forgotten from the last time I set up a new server.

    <add key="" value="%" />
    <add key="" value="%" />

  4. Naser

    Hello Chris,

    I am trying to set up an Extranet for our SharePoint 2016 site. Not sure why, but after following all the steps I can’t get to SP2016 internet or extranet, now!

    The website cannot display the page

    HTTP 500

    Most likely causes:
    •The website is under maintenance.
    •The website has a programming error.

    However, activation errors even with “Set-ExecutionPolicy Unrestricted” command.
    I’ll be happy to share screen shots if you want. Any help is greatly appreciated.


    Get-SPFeature : Cannot find a Feature object with Path or Id: FBAManagement in scope Local farm.
    At C:\temp\deploy\Activate.ps1:3 char:13
    + $feature = Get-SPFeature $featureName
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Share…mdletGetFeature:SPCmdletGetFeature) [Get-SPFeature], SPCmdletPipeBindException
    + FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletGetFeature

    Cannot find an overload for “QueryFeatures” and the argument count: “1”.
    At C:\temp\deploy\Activate.ps1:4 char:2
    + $features = [Microsoft.SharePoint.Administration.SPWebService]::ContentService. …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

    Going to enable Feature
    Enable-spfeature : The Feature is not a Farm Level Feature and is not found in a Site level defined by the Url http://ServerName/.
    At C:\temp\deploy\Activate.ps1:29 char:2
    + Enable-spfeature -identity $featureName -confirm:$false -url $url
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Share…etEnableFeature:SPCmdletEnableFeature) [Enable-SPFeature], SPCmdletException

    1. Chris Coulson

      If everything worked before making the config file changes, my guess is that there’s a typo in one of the config files. I’d suggest reverting to the backup copy of the config file you made, make sure everything comes up again, and then attempt the changes once more.

      As for the PowerShell errors, my guess is that they are also because SharePoint is down and you’re getting the HTTP 500 errors. Try again once everything’s running again and it should work.

      1. Naser

        Thanks for the quick response. I did reinstate the backup copies and SP2016 is up again. I have done this 3 times now and am getting the same results! Activation of the solution errors as before even though the site is back up online. Any suggestion is appreciated. I’ll be happy to do a remote session or a call if you think you can help.

        Best Regards,

        1. Chris Coulson

          Glad to hear it’s back up. I’d suggest really looking closely at what’s getting pasted into the config file. Maybe some characters aren’t copying properly from the web page.

          If you continue to have issues, I suggest taking a look at our support plan:

          I can walk through the setup with you over a GoToMeeting and get everything going.

  5. Naser

    Chris, how is connectionStringName=(“FBADB”?) defined so that web.config can use it to connect to the server and DB?


    1. Chris Coulson

      I’m not exactly sure what you mean here. There are two things you enter into the machine config:

      The connection string (with the name FBADB). This has the connection information to the database server.

      The membership provider settings. One of the settings is the connection string name, which tells it what database connection settings to use.

  6. Justin


    I’ve tried reading everywhere, but I can’t find a reference for how identity questions work with FBAPack. There are settings throughout referring to the question page. How does one enable / disable this and manage the questions, or is this just a hook for someone to custom develop their own custom question page? Thanks!

    1. Chris Coulson

      Hi Justin,

      The identity questions are actually tied to Microsoft’s implementation in their membership provider. See here:

      I don’t like it, and I don’t recommend people use it, as their default implementation doesn’t allow the password to be reset, even by an administrator, if the answer is not known.

      If you’re going to add a custom question page, unfortunately I think it’s going to be a completely custom enhancement. You could possibly build your own membership provider, inheriting from Microsoft’s, to handle your custom identity question implementation.

  7. Marimuthu

    I’ve followed all the steps, everything is working perfectly. Except I’m not able to log in using FBA. I’m getting “The server could not sign you in. Make sure your user name and password are correct, and then try again.”

    PS: I was able to create/update user accounts successfully using site settings.

    1. Chris Coulson

      If everything is working perfectly except the login, check the web.config settings for the securitytokenservice. It’s this configuration that’s used for performing the actual login. You might also want to check the app pool the securitytokenservice is running under and ensure that the user account for the app pool has permissions to the membership database.

  8. Shangwu

    Adding the following two parameters under the SqlMembershipProvider can prevent network brute force attacks.

    It sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.
    More than five failed attempts will make the account locked.
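
One way to check the lockout settings named in the comment above, as an added example that is not part of the FBA Pack or the tutorial's config files: it lists each SqlMembershipProvider entry with its effective maxInvalidPasswordAttempts and passwordAttemptWindow. The provider names and the XML are constructed sample data, and the function name is hypothetical; the baseline of 5 attempts and 30 minutes is taken from the comment.

```powershell
# Added example; not FBA Pack code. The <membership> section is constructed
# sample data. For a real check load the file instead, for example:
#   [xml]$config = Get-Content -Raw <path to machine.config or web.config>
[xml]$config = @'
<configuration>
  <system.web>
    <membership>
      <providers>
        <add name="SampleFbaMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="30" />
        <add name="SampleProviderWithoutLockoutSettings"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBADB" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@

# Hypothetical helper: reports lockout settings per SqlMembershipProvider.
function Get-MembershipLockoutSetting {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [int]$BaselineAttempts = 5,    # baseline values from the comment above
        [int]$BaselineWindow   = 30    # minutes
    )

    $xpath = '/configuration/system.web/membership/providers/add'
    foreach ($provider in $Config.SelectNodes($xpath)) {
        $type = $provider.GetAttribute('type')
        if ($type -notlike 'System.Web.Security.SqlMembershipProvider*') { continue }

        # GetAttribute returns an empty string when the attribute is absent.
        $rawMax = $provider.GetAttribute('maxInvalidPasswordAttempts')
        $rawWin = $provider.GetAttribute('passwordAttemptWindow')

        # When unset, SqlMembershipProvider uses 5 attempts in a 10 minute window.
        $max = if ($rawMax) { [int]$rawMax } else { 5 }
        $win = if ($rawWin) { [int]$rawWin } else { 10 }

        [pscustomobject]@{
            Provider      = $provider.GetAttribute('name')
            MaxAttempts   = $max
            WindowMinutes = $win
            ExplicitlySet = ($rawMax -ne '') -and ($rawWin -ne '')
            # Weaker than the baseline: more attempts allowed or a shorter window.
            MeetsBaseline = ($max -le $BaselineAttempts) -and ($win -ge $BaselineWindow)
        }
    }
}

Get-MembershipLockoutSetting -Config $config | Format-Table -AutoSize
```

Run it against every config file that defines the provider on every server in the farm, since a provider entry that omits the attributes silently falls back to the shorter default window.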

  9. Michael

    So, no matter what I do the review and approval only worked once. Now, every time the form to webpart to request membership just creates the user and a not active status. I also cannot get the captcha picture to display anything other than a broken picture icon.

    1. Chris Coulson

      It almost sounds like the solution was undeployed. Check Central Admin and make sure it’s deployed to the web application you’re using it on. If it does show as deployed, reinstall it using the deploy.ps1 script that comes with it to make sure everything is in place.

  10. Mark Wood

    I followed your steps exactly and now I get the following when using windows authentication.

    Server Error in ‘/’ Application.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ArgumentException: fullName

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [ArgumentException: fullName]
    Microsoft.SharePoint.Utilities.SPUtility.GetFullUserKeyFromFullName(String fullName) +1229
    Microsoft.SharePoint.SPGlobal.CreateSPRequestAndSetIdentity(SPSite site, String name, Boolean bNotGlobalAdminCode, String strUrl, Boolean bNotAddToContext, Byte[] UserToken, SPAppPrincipalToken appPrincipalToken, String userName, Boolean bIgnoreTokenTimeout, Boolean bAsAnonymous) +4181
    Microsoft.SharePoint.SPWeb.InitializeSPRequest() +257
    Microsoft.SharePoint.SPWeb.EnsureSPRequest() +295
    Microsoft.SharePoint.SPWeb.get_Request() +27
    Microsoft.SharePoint.WebControls.SPControl.EnsureSPWebRequest(SPWeb web) +237
    Microsoft.SharePoint.WebControls.SPControl.SPWebEnsureSPControl(HttpContext context) +838
    Microsoft.SharePoint.Utilities.SPUtility.RedirectToIsolatedDomainForAppWeb() +56
    Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase.OnPreInit(EventArgs e) +210
    Microsoft.SharePoint.IdentityModel.Pages.IdentityModelSignInPageBase.OnPreInit(EventArgs e) +17
    System.Web.UI.Page.PerformPreInit() +37
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1145

    Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.2106.0

    1. Chris Coulson

      This error doesn’t look familiar to me. Are you using a custom login page? If so, that could be it. If not, try disabling ‘Enable Forms Based Authentication’ in Central Admin Authentication Providers dialog and see if that does the trick. If that still doesn’t do it, revert the .config files to your backups and see if the error goes away.

      1. Mark Wood

        No there is no custom logon page and if I turn off forms everything works correctly.

        I have redone everything from step 1 and copy and pasted it to avoid errors and the same thing happens.

        1. Chris Coulson

          I’m thinking, because I haven’t seen that error before, that there’s probably something up with your SharePoint install or environment. Also, where do you see the error above? In the SharePoint log file? Event viewer?

          1. Sohaib

            I am also facing the same error. It is generated after I select any one option from Windows Authentication or Forms Authentication and enter the credentials.

  11. Adam

    Mark, I encountered the same issue just now, and had to disable Client Integration to fix it.
    After changing the “Enable Client Integration?” Authentication provider setting to No, forms-based and windows authentication are both working.

    1. Vijay Chougule

      You saved my day Adam, Thank you for posting your resolution. I have been banging my head around internet for a long time for this issue. Thank you again. Merry Christmas…!

  12. Denis Molodtsov

    Hi Chris,

    Fantastic Manual. Clear and correct. I was able to set up FBA within 30 minutes.

    Here is an important question. If we have a zone that has both FBA and Claims authentication, what happens when we click on the Word document? I have a problem with Office 2016 refusing to open Office files. It just keeps prompting me for credentials.

    We didn’t have this problem with SharePoint 2013.

    It seems like there is a serious issue between SharePoint 2016 and Office 2016 in cases when FBA is set up. Am I the only one who has noticed it?

    1. Denis Molodtsov

      Turns out that for SharePoint 2016 with FBA, in order for Office to work, we should set SuppressModernAuthForOfficeClients property to true:

      Chris, maybe we can include this in the manual? I’ve described this problem here and I could not solve this problem for more than 1 month. It had a simple solution, but I haven’t seen anyone suggesting it:

      $sts = Get-SPSecurityTokenServiceConfig
      $sts.SuppressModernAuthForOfficeClients = $True
      # Persist the changed property to the farm configuration
      $sts.Update()

      1. Chris Coulson

        Denis – Thank you so much for pointing this out. I can’t believe I haven’t noticed this before and that nobody else has pointed this out before now. I’ve added the steps to the end of Part 3.

  13. Sviatoslav

    Hi Chris,
    Is it possible for NON site collection administrators to manage FBA users using fba user management application page? (SharePoint FBA Pack)

    1. Chris Coulson

      Sorry, the management pages are set to site collection administrator only.

  14. Ben Hickok


    Thank you for this article! It has been very helpful. We had the FBA function working on a 2013 site and were able to add users etc. without issue. We migrated to 2016 and the web.config files were all updated to correspond to the new DB. Users that existed in the old system are still able to connect without issue but now when we add new users to the DB they are not available in the people picker. Also on the FBA Users the error is “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.” I’m not sure what else to look into. I have triple checked all of the config files and they are all showing correct information. Any ideas as to what might be happening?

    Thanks for any help!!

    1. Chris Coulson

      Does the app pool user for the SharePoint web applications have permissions on the membership database? That would be the first thing I’d look at.

      If existing users can login, but fba doesn’t work when logged in, it sounds like the securitytokenservice setup is correct, but the setup for the webapplication is not correct. I’d compare the .config files between the two as well as check if the app pools run as different users, which would mean different permissions on the db.

      1. Satya

        I have installed the FBA Pack and everything is working fine, but when a user is added and approved through the Membership Request web part, that user gets full access rather than being restricted to visitor access, even though the user is not assigned to any roles and groups.

  15. Evan

    I am setting up FBA for our Microsoft Dynamics AX 2012 R3 Vendor Portal site. It uses a special template that is version 14. So, SP is 2013, but the site collection is 2010 (and cannot be upgraded). I’m guessing something about this is preventing the FBA Management options from appearing in the site collection settings after I install the solution. I’ve tried both the 2010 and the 2013 version of the solution.

    My question is, how can I create/manage FBA users WITHOUT using the FBA Management pack?

    1. Chris Coulson

      Unfortunately I’m not familiar with Dynamics AX, but one thing for the FBA Management options to appear – you have to be logged in as a site collection administrator.

      If that doesn’t work you can use IIS – it also has tools built in to manage FBA users.

  16. Marten Schulze

    Hello, I need some help and I hope you can help. How can I add password reset or forgot password to the login page? By login page I mean the page where the user can choose between Windows based authentication and FBA. Simply put, before the SharePoint login. Thanks for your help so far and thank you for the great documentation.

    1. Chris Coulson

      You need to create a custom login page. If you’re happy with the existing SharePoint login pages, you can create a copy of them and use them as a starting point. Then you just need to add a link to an anonymous access page with the password recovery web part on it.

  17. Monica

    Hi. I’m a power user, and have a question, if I may… I’m using SP 2013 on-prem FBA with SQL custom in-house provider (not using the popular FBA pack), and Office 365. Have an issue with workflow notifications sent to mail-enabled security groups, which do not reach the users. If I just add the group name I receive the error “failed to send notification. Cannot get the full name or email address of user c:0-f|xyzrolemanager|…”. If I use the email address then I get no errors but no email. The admin said that the custom provider doesn’t support email address as a field. Do you know what can be wrong here? Thanks!

    1. Chris Coulson

      I’m not sure off the top of my head. If it’s based on Microsoft’s role provider, roles don’t have a field for email, but you may be able to update the email address stored in SharePoint for the role using PowerShell. Try the Set-SPUser cmdlet to see if you can update it with that. Alternatively you could use SharePoint Groups to manage groups of SharePoint users (but I’m guessing you don’t want two places to manage your groups).

  18. Alexis

    Hi, I have an issue on SharePoint 2019. Everything is fine during the installation/configuration, but after the feature activation, when I try to go to “FBA User Management” (/_layouts/15/FBA/Management/UsersDisp.aspx) from the site settings, I got the error “this site isn’t shared with you” (even with site coll admin, or farm admin, or anyone else). In logs I see “Unexpected Failed to assert permission mask.”, “Acces denied” , “PermissionMask check failed for {7BC14BFC-B4EF-4C55-A87F-405FD07E58F0}. Asking for 0x08000000, have 0x00000000”, “PortalSiteMapProvider was unable to fetch root node, request URL: /_layouts/15/FBA/Management/UsersDisp.aspx”. I don’t understand why … I have to mention that my web app has 2 zones (1 default with claims, 1 internet with FBA activated) and I try to create users from the default zone (since I have for now 0 FBA users). My site collection is in the new modern experience (don’t know if it can cause problems). Can you help me? Thanks in advance.

  19. Chris K

    This was all very helpful. Thank you for the time you put in to this walk through. It saved me hours for a first time FBA – SP 2019 configuration.

  20. Nigel

    Hi Chris,

    Thanks for your guide – very helpful!

    I’m setting up FBA on a client’s SPS 2019 environment for an extranet. Everything has gone fine, up until I try to access the FBA User Management in Site Settings. When I follow that link, I get a message saying “A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.”

    I made the changes in the machine.config file (and the web.config for the Security Token Service). I’ve triple checked the Authentication provider in Central Admin for the web application, triple checked the machine.config and web.config files, triple checked the database access, and everything seems fine.

    Do you have any suggestions?

    1. Nigel

      Doh. Ignore this. I completely forgot that there are 2 servers in this farm, and I had only made the config file changes to one server.

      If anyone else encounters this error message, make sure you configure both servers :p

      Chris, is it maybe worth mentioning in step 2 where the config changes are mentioned, that all servers need the change? It should be obvious, but as demonstrated by me, it’s easy to forget.

      1. Chris Coulson

        Good idea. Done.

      2. Alex

        Hi Chris,

        Thanks as well for your reply.

        I am having the same issue as Nigel. I also triple checked the machine.config, the SecurityToken’s web.config, the authentication provider in the Central Admin and the database rights. We have only one server in our DEV environment.

        What else may I have missed? Question: Do I maybe have to change something in the web.config of the web application as well?
        It is really strange to me that in the web application’s web config the default provider is ‘i’ and not the ones that I have added. Example my web application’s web.config:

        Is this correct?

        Thank you in advance,

        1. Alex

          I’m pasting here how my web application’s web.config section for the membership and roles is as it did not appear in my latest response:

          1. Alex

            Ignore this as well. It was a typo in the connection string in the machine.config.
            Sorry for the spam.
            Chris thanks again for your great guide

          2. James

            Hello, just for info, I had this exact same issue..

            I double checked my machine.config and web.config, everything was fine…

            But I figured it out, I forgot that I had 2 different users for my web Apps, and they didn’t have the “db_owner” rights on the FBADB SQL Server…

            Good luck everyone,

            And thank you a lot for this perfect guide


  21. Mohamad Najia

    Great article.
    However, I am facing an issue only with IE 11, which is not able to authenticate.
    All other browsers are working fine.
    Any ideas?

    1. Chris Coulson

      I haven’t heard of this before. Maybe IE is set up to go through a proxy and others aren’t? Have you tried on a non-work computer with IE?

      Other suggestions would be to open up the IE Dev Tools (F12) to see where the errors are occurring during authentication – that might give you a hint to the problem.

  22. James

    Hello, just for info, I had this exact same issue..

    I double checked my machine.config and web.config, everything was fine…

    But I figured it out, I forgot that I had 2 different users for my web Apps, and they didn’t have the “db_owner” rights on the FBADB SQL Server…

    Good luck everyone,

    And thank you a lot for this perfect guide


  23. CVP

    Has anyone enabled FBA user management for multiple site collections within the same web application? How do you deal with not knowing where a user was created? For example….

    Root level
    Site collection A
    Site collection B
    Site collection C

    All users will show up anywhere you are accessing the FBA User Management. You will get an error if you try editing a user that was not created in the same site collection as where you are currently.

    Would love to hear if others have addressed this before and how.

    Thank you!

    1. Chris Coulson

      You shouldn’t get an error if you edit a user created in a separate site collection. The user’s profile is stored in each site collection though, so changes to profile fields don’t carry between site collections (This is what SharePoint’s User Profile Sync does for AD users).

      If you are getting errors in this situation, maybe post screenshots/more details in
