FBA on SharePoint 2010

  • Question

  • Hi,

    I have some questions regarding FBA:

    - Can I have multiple providers for one web application (e.g. I need to authenticate users from two different LDAP servers)? I've seen that I can only specify ONE ASP.NET provider for one application.

    - How can I have form-based authentication on SharePoint - 80? By default, SharePoint installs the default "SharePoint - 80" on port 80. As far as I've seen, one cannot have FBA on an already created web app, so I need to create another one (or do I?). Basically I need to have FBA ONLY on port 443, but I want to extend the "SharePoint - 80" to include SSL. Can I just delete the default and create another on port 80 and then extend it to 443?

    - What is the best way to have the web app at port 80 redirect to 443? Can I just do that by configuring IIS directly? Or is there a way through Central Admin?

    Thanks.

    Saturday, February 12, 2011 7:33 PM

Answers

    For FBA you have to be using claims in SP2010; you can't select FBA if your web application is not running in claims mode.

    I think my point about multiple authentication providers has been misunderstood. I was not talking about membership providers; what I was referring to was that you could use Windows Auth/FBA/Trusted Identity without extending web applications to a different zone.

    Sounds like you are talking about a membership provider for FBA. It's not clear exactly what your use case is, but if the default membership providers don't work for you, you could write a custom one.

     


    Microsoft Certified Master | SharePoint 2007
    Blog
    • Marked as answer by Alex S.O_ Sunday, February 13, 2011 11:59 PM
    Sunday, February 13, 2011 1:17 AM
    Ram, thanks for your answer. Now I have even more questions :)

    - How can I check if "SharePoint - 80" is created in claims mode? I don't remember having the option in the installation to choose between classic/claims.

    - If it is not, should I delete it and create another? Will this break anything? Can I just change port 80 to something else and then create another web app?

    - You said "Claims mode allows you to have multiple authentication providers on a single zone without having to extend the web application to a different zone". However, when I create a new application (in claims mode, and enable FBA) I could only enter one membership provider and one role. Can I just add more providers manually in web.config, and the auth mechanism will go through all of them?

    Thanks again

    Claims is configurable on the web app level in central admin and requires some additional configuration past just turning it on. You also need to migrate existing permissions from NTLM to claims.

    Additionally you have to register your membership providers in claims, then the web app will see all activated membership providers via the claims provider (which is the primary membership provider when you switch over). This allows for multiple authentication methods for a single web application.

    Also, your existing 2007 FBA login page will need to either be redone (if it's custom branded), or you can use the out-of-the-box form login in 2010.

    Reference material for setting up claims:

    http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx

    http://blogs.msdn.com/b/chunliu/archive/2010/03/13/forms-based-authentication-on-a-claim-based-web-app.aspx

     

    Example PowerShell script (switches the web application's Default zone to claims, grants the farm admin Full Control under its claims identity so nobody is locked out, then migrates the existing users):

    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $webappurl = "http://webapp"
    $account = "domain\farmadmin"
    $wa = Get-SPWebApplication $webappurl
    # Put a claims authentication provider on the Default zone
    Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
    # Encode the admin account as a claims principal (identity type kept as in the original post)
    $claimsAccount = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
    # Add a zone policy granting that claims identity Full Control
    $zp = $wa.ZonePolicies("Default")
    $p = $zp.Add($claimsAccount, "PSPolicy")
    $fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
    $p.PolicyRoleBindings.Add($fc)
    $wa.Update()
    # Re-read the web application and convert existing user entries to claims identities
    $wa = Get-SPWebApplication $webappurl
    $wa.MigrateUsers($true)

    • Marked as answer by Alex S.O_ Sunday, February 13, 2011 4:21 AM
    Sunday, February 13, 2011 2:34 AM
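The two things the thread asks for but never shows in one place are how to tell whether an existing web application ("SharePoint - 80") is in claims mode, and how to create a claims-mode web application on port 443 that accepts Windows authentication and FBA on the same zone. The script below is an added example, not code from the thread or from Microsoft; every URL, application pool, managed account and provider name in it is a placeholder, and the membership/role provider names are assumed to match `<membership>`/`<roleManager>` entries you have already declared in web.config.

```powershell
# Added example, not code from the thread. Names below (URLs, pool, managed
# account, provider names) are placeholders; replace them with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Check whether a web application is already in claims mode and, if so,
# list the authentication providers configured on its Default zone.
function Test-SPClaimsWebApplication {
    param([Parameter(Mandatory = $true)][string]$Url)

    $wa = Get-SPWebApplication $Url
    if (-not $wa.UseClaimsAuthentication) {
        Write-Warning "$Url runs in classic mode; FBA cannot be selected on it."
        return $false
    }
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $wa.IisSettings[$zone].ClaimsAuthenticationProviders |
        Select-Object DisplayName, @{ n = 'Type'; e = { $_.GetType().Name } }
    return $true
}

# Create a claims-mode web application on port 443 that accepts both
# Windows authentication and forms-based authentication on the same zone,
# so no extension to a second zone is needed.
function New-SPClaimsWebApplicationWithFba {
    param(
        [string]$Name        = "Intranet (SSL)",               # placeholder
        [string]$Url         = "https://intranet.example.com", # placeholder
        [string]$PoolName    = "IntranetAppPool",              # placeholder
        [string]$PoolAccount = "DOMAIN\sp_apppool",            # placeholder managed account
        [string]$Membership  = "LdapMembers",                  # membership provider name from web.config
        [string]$RoleProv    = "LdapRoles"                     # role provider name from web.config
    )

    # One provider object per authentication method; both go on the Default zone.
    $win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    $fba = New-SPAuthenticationProvider -ASPNETMembershipProvider $Membership `
                                        -ASPNETRoleProviderName $RoleProv

    # Host header taken from the URL so the IIS binding matches the public name.
    $hostHeader = ([System.Uri]$Url).Host

    New-SPWebApplication -Name $Name -Url $Url -Port 443 -SecureSocketsLayer `
        -HostHeader $hostHeader `
        -ApplicationPool $PoolName `
        -ApplicationPoolAccount (Get-SPManagedAccount $PoolAccount) `
        -AuthenticationProvider $win, $fba
}

# Usage: inspect the default web application, create the SSL one, then confirm it.
Test-SPClaimsWebApplication "http://sharepoint80.example.com"   # placeholder URL
New-SPClaimsWebApplicationWithFba
Test-SPClaimsWebApplication "https://intranet.example.com"
```

Two caveats a practitioner will hit: `-SecureSocketsLayer` only marks the web application as SSL, so the certificate still has to be bound to the site in IIS as the earlier reply says; and the membership and role providers passed to `New-SPAuthenticationProvider` are only names, so they must be declared in the web.config of the new web application, of Central Admin and of the SecurityTokenServiceApplication before FBA logins or people-picker lookups will resolve.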

All replies

  • To configure FBA in SharePoint 2010 you have to create the web application in claims mode. Claims mode allows you to have multiple authentication providers on a single zone without having to extend the web application to a different zone.

    Regarding your other question: if you specify "Use SSL", you don't have to do anything other than update the bindings to specify the SSL certificate in IIS.


    Microsoft Certified Master | SharePoint 2007
    Blog
    Saturday, February 12, 2011 9:24 PM
  • And how would I create such a webapp (with multiple authentication providers) using Powershell?

    Thanks

    Saturday, February 12, 2011 11:14 PM
  • Ram, thanks for your answer. Now I have even more questions :)

    - How can I check if "SharePoint - 80" is created in claims mode? I don't remember having the option in the installation to choose between classic/claims.

    - If it is not, should I delete it and create another? Will this break anything? Can I just change port 80 to something else and then create another web app?

    - You said "Claims mode allows you to have multiple authentication providers on a single zone without having to extend the web application to a different zone". However, when I create a new application (in claims mode, and enable FBA) I could only enter one membership provider and one role. Can I just add more providers manually in web.config, and the auth mechanism will go through all of them?

    Thanks again

    Sunday, February 13, 2011 12:25 AM