Sharepoint 2007 - Enabling Custom Authentication using a Custom Membership Provider

Posted on 6/30/2006 @ 8:42 PM in #SharePoint

A big huge GARGANTUAN limitation of Sharepoint 2003 was its crazy psycho obsession with nothing but Windows Authentication. You could customize that to some extent by placing an ISAPI filter in front of spsfilter. But then if MS-Word wanted to check in something for you over the WebService interface, it would bomb. There were icky sticky workarounds, but none of them were, in my eyes, acceptable.

So frankly, for any large corporate network, Sharepoint 2003 ended up being more of a pain in the butt than a good solution, for these reasons.

Well, in Sharepoint 2007, things are changing. Sure you do have Windows Authentication out of the box, but really you could plug in any Membership Provider. WoW !! Try doing that in Sharepoint 2003 :).

Here's how you'd do that.

1. First, we gotta choose a membership provider. What easier choice than the AspNetSqlMembershipProvider - we don't have to write that, it comes out of the box. So let's choose that - purely for laziness reasons.

2. Next you need a database for your membership provider. Create it on a SQL Server of your choice by running aspnet_regsql.exe. So say for instance, you could run aspnet_regsql -A all -E. This would create the aspnetdb in your default instance, using Windows Authentication. Alternatively, you could spew out a TSQL script using -sqlexportonly <<filename>>.

3. Once the db is set up - enable some kind of authentication on it. For instance, add SQL Server authentication on it, with your favorite userid/password.

4. Next, go to the SharePoint Central Administration website. Now you could create a brand new application, or edit an existing one - either way the steps are fairly similar. That's not the important part. The important part is, under Application Security - go to Authentication Providers. In there, change it to "Forms" from "Windows", and type in AspNetSqlMembershipProvider as the Membership provider.

5. Find the virtual directory for your Sharepoint Central Administration Website. Open the Web.Config there, and edit the entry for "LocalSqlServer" to point to the aspnetdb that you set up in steps #2 & #3. Repeat this for the WebApplication you are working under in SCAW.

6. The next step is to add users into the aspnetdb. (DUH!!). The easiest way to do that is to simply drop a login.aspx in the WebApplication home directory, with an ASP.NET 2.0 Login control on it. Then using the smart tag on the control in design mode, go to "Administer Website". Go ahead and set up the users and roles in WAT (Website Administration Tool).

7. Next, under SCAW (Sharepoint Central Administration Website), go to Sharepoint Site Management. Again - you could do this for a brand new site, or an existing one - either way, it doesn't matter. Go ahead and click on "Site Collection Administrators", and add the administrators out of your aspnetdb. If you don't see any users being queried, make sure you did step #5 correctly.

8. That's it. Now go to http://<<yourmachinename>>:<<port>>/Sitepath and you should see a FORMS based login. Go ahead and enter the credentials you set up in step #6, and BINGO - Sharepoint 2007 now works with Forms based authentication, using your custom membership provider.

... Try doing that in Sharepoint 2003 :o). HEHE !!

Point of mention: The WebService UI for third party products, i.e. client applications such as MS Word, still insists on using Windows Auth for its "Client Integration". As far as I can tell, Office 12 doesn't provide an override for that. Rightfully so, Client Integration should be disabled for Forms Auth. Now, you *could* throw in custom credentials using WCF or WSE 3.0, but MS Word won't understand them. You could however integrate your own custom applications into Sharepoint using those.
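Step 5 has to be done in two web.config files, and the SQL login from step 3 ends up inside them. The Python sketch below is an added example, not code from the original post: it audits a pair of web.config files for a missing or mismatched LocalSqlServer entry, a clear-text SQL password, and a forms cookie that is not restricted to HTTPS. The sample files, the server name SQL01, the login fba_app and the database names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the post): the two web.config files step 5 edits.
CENTRAL_ADMIN = """<configuration><connectionStrings>
  <remove name="LocalSqlServer" />
  <add name="LocalSqlServer"
       connectionString="Server=SQL01;Database=aspnetdb;User ID=fba_app;Password=example-only" />
</connectionStrings></configuration>"""

WEB_APP = """<configuration><connectionStrings>
  <remove name="LocalSqlServer" />
  <add name="LocalSqlServer"
       connectionString="Data Source=SQL01;Initial Catalog=aspnetdb_old;Integrated Security=SSPI" />
</connectionStrings>
<system.web><authentication mode="Forms">
  <forms loginUrl="/_layouts/login.aspx" />
</authentication></system.web></configuration>"""

# SqlClient accepts several spellings for the same connection-string keyword.
SYNONYMS = {"data source": "server", "initial catalog": "database",
            "pwd": "password", "uid": "user id"}

def parse_conn(root, name="LocalSqlServer"):
    """Return the named connection string as a dict with normalised keys, or None."""
    for add in root.findall("./connectionStrings/add"):
        if add.get("name") == name:
            pairs = (p.split("=", 1) for p in add.get("connectionString", "").split(";") if "=" in p)
            return {SYNONYMS.get(k.strip().lower(), k.strip().lower()): v.strip() for k, v in pairs}
    return None

def audit(central_admin_xml, web_app_xml):
    """Compare the two files from step 5 and list findings as short strings."""
    findings, conns = [], {}
    for label, xml in (("central-admin", central_admin_xml), ("web-app", web_app_xml)):
        root = ET.fromstring(xml)
        conn = conns[label] = parse_conn(root)
        if conn is None:
            findings.append(f"{label}: LocalSqlServer not overridden")
        elif "password" in conn:
            findings.append(f"{label}: SQL login password stored in clear text")
        forms = root.find("./system.web/authentication[@mode='Forms']/forms")
        if forms is not None and forms.get("requireSSL", "false").lower() != "true":
            findings.append(f"{label}: forms cookie not restricted to HTTPS (requireSSL)")
    a, b = conns["central-admin"], conns["web-app"]
    if a and b and (a.get("server"), a.get("database")) != (b.get("server"), b.get("database")):
        findings.append("mismatch: the two files point at different membership databases")
    return findings

if __name__ == "__main__":
    for finding in audit(CENTRAL_ADMIN, WEB_APP):
        print(finding)
```

The mismatch finding corresponds to the symptom in step 7, where Central Administration cannot resolve users that the web application can, or the other way round.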

 


Older comments..


On 7/5/2006 2:07:13 PM Anders Rask said ..
Hmm where did all the posts go? :-O

I never got anyone to answer if they had tried implementing both SqlMembershipProvider AND SqlRoleProvider in MOSS 2007 or WSS v3.

I tried implementing it, but can't get it to work as expected.

If anyone has tried this, please post here!

AndersR


On 7/5/2006 2:55:37 PM Sahil Malik said ..
Hey Anders,

Sorry I couldn't move over the comments :(, godaddy doesn't give you a programmatic API for that :(.

Anyway, with my blog setup, I will now be able to focus on the real stuff :). So I will answer your Q .. ehh .. may not be that soon, but I will.

Sahil


On 7/6/2006 9:46:04 AM Anders Rask said ..
Hi Sahil,

oki. Not much documentation on custom provider subject as of now (found 1 or 2 articles on MSDN lib) but reckon that will change when MOSS goes gold (yeah right! the docs for SPPT and tahoe were lacking at best... )

btw it would be nice if u could subscribe to comments like on the other blog :-/

Anders


On 7/6/2006 12:19:02 PM Sahil Malik said ..
Anders,

I am thinking of creating a checkbox "Email me when new comments are posted" on a per-post basis - but that can get icky. I may end up annoying a lot of folks with junk mails :-/, of course there will be "unsubscribe", but then it'd be more work for poor Sahil.

I have a few things on my to-do for this blog, I'll be addressin' them 1 by 1. :), but first I wanna get a few sharepoint posts out - just cuz I have a few things to say, and nobody's talkin' about 'em.

SM


On 7/15/2006 10:47:04 AM Sahil Malik said ..
Anders,

I tried AspNetSqlRoleProvider, and I was able to use it with no problems.

Can you elaborate on the specific issues you had?

Sahil Malik


On 7/23/2006 8:36:46 AM kemal said ..
how do i use ActiveDirectoryMembershipProvider and AspNetSqlRoleProvider together in sharepoint?


On 10/31/2006 2:48:22 PM trans642 said ..
Hi I tried an example from

http://msdn.microsoft.com/msdnmag/issues/05/09/WebParts/

With 2003 and 2007, it gave me some weird errors.

Any ideas why?

How come form authentication is being lost?

Regards

On 11/1/2006 8:34:08 AM Sahil Malik said ..
"Some Weird Errors"

Obviously you are doing something weird :)


On 12/5/2006 12:17:02 AM Liz said ..
Hi,

How can I call a web service say (list.asmx) of a forms authentication enabled share point 2007 web application using API?


On 12/7/2006 12:29:06 PM Sahil Malik said ..
Liz -

You can't do forms auth on web services, because forms_auth + web services makes no sense. If you want custom auth on web services, you will have to use soapextensions etc.

SM


On 5/8/2007 7:45:30 AM farrukh said ..
How can I use my custom written authentication provider for some other database? I have tried but could not validate users. Can anyone help?


On 7/18/2007 5:17:36 AM Roberto Garcia said ..
The article's header would be 'Enabling Authentication using a Membership Provider'.

In this post, you don't tell us how to make a custom provider work with a custom database.


On 7/20/2007 10:39:36 AM Fahd said ..
I need to build a collaboration site for a client, and the main reason we chose WSS 3.0 was the ease by which you can collaborate with Word documents (including the three-state workflow). And since this would be an internet facing solution, my first instinct was to go with Forms Based Authentication Route. But as your "Point of Mention" states I can't do this with FBA. So, in other words, I still cannot have a collaboration website with WSS 3.0 if my users are using Word documents, etc.


On 9/26/2007 4:58:26 PM Anonymous said ..
The title of this article is a bit misleading. It is not about creating a custom membership provider, it is about setting up Sharepoint to use a membership provider that ships with the .NET framework. Following are the most helpful items I have found on actually creating a custom provider:

http://msdn2.microsoft.com/en-us/library/44w5aswa.aspx

http://msdn2.microsoft.com/en-us/library/6tc47t75.aspx

http://msdn2.microsoft.com/en-us/library/aa479030.aspx

http://msdn2.microsoft.com/en-us/library/f1kyba5e.aspx

They are all from the MSDN because it seems like the only place that has help on actually creating true Custom providers (not simply slapping an out of the box provider on and calling it custom like so many "experts" seem inclined to do).


On 9/26/2007 5:13:51 PM Sahil Malik said ..
Yes, this isn't about creating a "Custom" membership provider. But then it is intended to be a sharepoint post, not an ASPNET post.

Anyway, thx. for the links, I am sure many will find them useful.

SM


On 10/29/2007 5:17:31 PM Neel said ..
Hi All,

I am having a problem getting FBA on my sharepoint website, can someone please help out

Here are the steps I have taken, would be happy to provide the code in ZIP files

ASP.NET

1. Created the Custom membership provider (DLL file) in asp.net (found sample on website)

2. Tested in asp.net web admin configuration tool, worked perfect

3. Connected to database, added/modified/deleted user everything worked fine in asp.net

4. Created a test website, added CreateUser.aspx,Login.aspx, tested it, everything worked fine in asp.net

5. Created strong name key for the custom membership dll

SHAREPOINT

What I want to do is to create a web application using forms authentication (my provider)

I am the administrator for the server, and have full control on everything on this server

My central admin site is on port 10000.

Created New Website at Port 5000 --> Extended the site on port 5000 (Windows Authentication)

Used an existing sharepoint Pool, added myself as administrator as well as site collection administrators

Added below changes to web.config file of the Central admin and the site

In the central admin site, changed the defaultProvider to AspNetWindowsTokenRoleProvider

In the website, it stayed the same as mentioned below: HDIAspNetSqlRoleProvider

Above the system.web tag

<connectionStrings>
  <add name="HDIConnectionString" providerName="System.Data.SqlClient" connectionString="Server=.;Database=HDIMembershipProvider;Trusted_Connection=True;"/>
</connectionStrings>

Inside system.web tag

<!--Custom Role Provider Configuration-->
<roleManager enabled="true" defaultProvider="HDIAspNetSqlRoleProvider">
  <providers>
    <add name="HDIAspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="HDIConnectionString" applicationName="/"
    />
  </providers>
</roleManager>
<!--Custom Role Provider Configuration-->

<!--Custom Membership Provider Configuration-->
<membership defaultProvider="HDIMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear/>
    <add
      name="HDIMembershipProvider"
      type="HDI.AspNet.Membership.HDIMembershipProvider"
      connectionStringName="HDIConnectionString"
      enablePasswordRetrieval="true"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="true"
      writeExceptionsToEventLog="false" />
  </providers>
</membership>
<!--Custom Membership Provider Configuration-->

Next steps

1. Added the Custom Membership dll to GAC

2. Added the Custom Provider dll to the _appbin folder of central admin site

3. Added the Custom membership dll to the web.config (Compilation tag) of both central admin as well as the site.

4. For testing purposes Set the security to minimal

5. Application Management --> select the new site on port 5000 --> changed the Authentication to Forms

6. At this point, if I search the users using the custom provider, it resolves the id.

7. Use the URL for the site on port 5000 --> site comes up with Form authentication window -->Enter my userid and password, and hit the submit button

SHAREPOINT COMES UP WITH UNKNOWN ERROR

see this related article:

http://www.andrewconnell.com/blog/articles/HowToConfigPublishingSiteWithDualAuthProvidersAndAnonAccess.aspx

Please someone help me out on the sharepoint side to get me on the run, I feel that some trivial stuff is missing in the loop.

Thank you in advance, appreciate all your help

Please help me out, I have been stuck on this for the last 2 weeks trying to get my FBA

Neel


On 10/31/2007 4:41:40 PM Steven Fowler said ..
Neel

I've done two custom membership providers (LDAP and MultiDomain) and may be able to help you out. Send your FBA code, membership provider code, and the web.config and I'll have a look.


On 1/15/2008 3:04:29 PM Matt Tompkins said ..
I have a request to grant access to a SharePoint site based on an attribute in Active Directory. I know that WSS 2.0 and 3.0 integrate nicely with AD. One option is to create an Active Directory security group based on that attribute. However, let's suppose I have a web service that provides that same attribute's information. Is there an easy way to grant/restrict access based on the result of the web service?


On 7/18/2008 2:42:01 AM suyog Mahindrakar said ..
Thanks for your code.

But it is not working in my scenario.

I am getting an error. Access denied even though I am admin.


On 3/25/2009 7:44:28 AM lili said ..
I'm working on a sharepoint site (Intranet) and I want to use Windows authentication to authenticate users, but I want to store roles in my sql database, so how can I use Windows authentication and a role provider???

Tks in advance..


On 1/8/2010 2:56:31 AM Brajendu said ..
Access to a SharePoint site based on an attribute in Active Directory. I know that WSS 2.0 and 3.0 integrate nicely with AD. Then define Custom service to call Role from DB and one option is to create an Active Directory security group based on that attribute.

Thanks.


On 8/14/2010 7:55:19 AM Mukesh Bhavanani said ..
Thanks Sahil.. ur article helped me a lot.. i am new in sharepoint developing and i've become ur biggest fan...

thanks.