Wednesday, July 2, 2008

Office SharePoint Server 2007 - Forms Based Authentication (FBA) Walk-through - Part 1

A while back a client asked me to set up Forms Based Authentication (FBA) for them. I said sure (of course) and started to research the steps required to accomplish this. In my oodles and oodles of research I found many useful but somewhat partial posts. What I mean by this is that not one of the posts I encountered in my research had ALL of the steps required to get this to work; I was left to aggregate steps from different areas. Most posts assumed you were running as an administrator, maybe even that your SharePoint application pools were running as system accounts with unlimited privileges (on both the operating system and in the database), no "real world" scenarios if you will. Also, none of the posts made mention of Office SharePoint Server; they all centered around Windows SharePoint Services (more on that later). My aim here is to provide a series of posts that include the following:

  1. Each and every step required to set up FBA using the built-in Asp.Net Membership and Role providers (Part 1). I will demonstrate one way to accomplish this. There are others and they will be mentioned, but not looked at in any detail.
  2. How to enable MySites and the Personalization features included with Office Server and have them actually work with a site using FBA.
  3. A natural extension of 1 and 2 that will demonstrate how to hook into the ADAM membership provider, and get it functioning with MySites and the Personalization features as well.

Initially, after setting FBA up successfully (Part 1), my client then asked me to enable MySites. That's when all hell broke loose. Not only did this not work right away, but after 3 unsuccessful calls to Microsoft support (they could not get it to work and kept parading me in circles, and still are for that matter, maybe they will read this and call me back), and quotes from Microsoft employees saying "it's not supposed to work" or "it does not work", I am pleased to say that it does in fact work and I will show you how (Part 2).

Before we begin I have to say that since I have been told that "it's not supposed to work" or "it does not work", and since I have not found any reliable documentation indicating how to do this, I must add a disclaimer that if it does not work for you, something is different between our environments, or to please call Microsoft. I will do my best to be as detailed as possible about my environment and all of the steps involved. If anything is unclear, please leave a comment and I will do my best to make it a little clearer. One last thing I would like to mention is that I have successfully implemented MySite functionality as well as the other Personalization features of Office SharePoint Server 2007 with Forms Authentication using both the built-in Asp.Net Membership and Role providers as well as with an ADAM Membership provider. I have recently received an ADAM Role provider from Adam Buenz and plan on testing that soon but fully expect it to integrate seamlessly (with his help if needed, I hope).

So here we go, this is going to be a long one so bear with me. In the end of the series you will have MySite and the Personalization features working seamlessly with Forms Authentication in your Office SharePoint Server 2007 environment! Good Luck!

One assumption I have made in this process is that you have already created a Shared Services Provider and started the Office SharePoint Server Search service. Also, I am logged on to the development machine as a domain administrator. The term browser in this series means Internet Explorer 7. All of the below steps are to be performed on the Guest machine.

Environment

My environment is as follows. Keep in mind that any variation from this could produce different results. Again, if I forget to mention something obvious, please let me know and I will update the list.

Host Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz
  2. 2.00 GB of RAM
  3. Microsoft Windows XP Professional, Version 2002, Service Pack 2
  4. VMWare Workstation, Version 5.5.3 build-34685

Guest Machine

  1. Intel(R) Pentium(R) M processor 1.86GHz
  2. 1.00 GB of RAM
  3. Microsoft Windows Server 2003, Standard Edition, Service Pack 1
  4. Active Directory (Domain Controller)
  5. Microsoft SQL Server 2005, Service Pack 1
  6. Microsoft Visual Studio 2005
  7. Microsoft Office Server 2007, Version 12.0.0.4518

FBA User & Role Store

Database Creation

We need a place to put our users. The Asp.Net 2.0 SQL Membership and Role providers (SqlMembershipProvider and SqlRoleProvider) store their users, roles and password hashes in a SQL Server database whose schema, stored procedures and database roles are installed by the aspnet_regsql tool. The steps to install the database are as follows:

  1. Open up a command prompt by clicking Start...Run, then typing cmd and pressing Enter.
  2. Switch to the Asp.Net 2.0 Framework directory by typing
    cd c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
    and pressing Enter.
  3. Type aspnet_regsql to launch the ASP.NET SQL Server Setup Wizard.


  4. Click Next.
  5. Choose Configure SQL Server for application services (the default choice) on the Select a Setup Option screen and click Next.


  6. Specify the SQL Server name (your machine name), the database name to create (I used AspNetDb_FBADemo), and the credentials to use for this process. These credentials are only used to create the schema; they are not the credentials SharePoint will use at run time (that is handled in Step 10). I generally prefix my Membership and Role provider databases with AspNetDb_ such that they appear together in Microsoft SQL Server Management Studio and are easily identifiable should I need to access them, such as to update Security (Step 10). Click Next.


  7. Confirm your settings on the Confirm Your Settings screen and click Next.


  8. The process takes a few seconds and then The database has been created or modified screen appears. Click Finish to close the wizard.


  9. Open Microsoft SQL Server Management Studio and confirm that the database was successfully created.
  10. One step that I have not seen mentioned ANYWHERE is to make sure that the account running the application pool used by the sites you create below has access to the database we just created. This step is critical as SharePoint will NOT be able to find your users and roles if it does not have the permissions to look for them: logins fail and the people picker returns nothing, with no obvious error pointing at the database. Do not fix this by making the application pool account db_owner or sysadmin. aspnet_regsql created a set of database roles for exactly this purpose (aspnet_Membership_FullAccess, aspnet_Roles_FullAccess and their BasicAccess and ReportingAccess variants), which grant EXECUTE on the provider stored procedures and nothing else. Create a login and database user for the application pool account and add it to the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles. This step is what I like to refer to as the MAGIC step that no one tells you about, so I am ruining the surprise and telling you the secret. You will thank me later.
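The permission grant for Step 10 as a T-SQL script, added here as an example rather than taken from the original post. It assumes the database name AspNetDb_FBADemo from Step 6 and a hypothetical application pool identity CONTOSO\svc_spfba; substitute the account shown in IIS for your SharePoint web application's pool. Run it in SQL Server Management Studio as an account that can create logins.

```sql
-- Added example, not part of the original post.
-- Assumptions: database AspNetDb_FBADemo (Step 6) and a hypothetical
-- application pool identity CONTOSO\svc_spfba; change both to match.

USE [master];
GO
-- Server-level login for the Windows account that runs the application pool.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc_spfba')
    CREATE LOGIN [CONTOSO\svc_spfba] FROM WINDOWS;
GO

USE [AspNetDb_FBADemo];
GO
-- Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc_spfba')
    CREATE USER [CONTOSO\svc_spfba] FOR LOGIN [CONTOSO\svc_spfba];
GO

-- aspnet_regsql created these roles. They grant EXECUTE on the membership
-- and role provider stored procedures only, so the pool identity never
-- needs db_owner, and no direct SELECT on aspnet_Membership (password hashes).
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'CONTOSO\svc_spfba';
EXEC sp_addrolemember N'aspnet_Roles_FullAccess',      N'CONTOSO\svc_spfba';
GO

-- Verify: the identity should be a member of exactly these two roles
-- (every database user is also in public, which is not listed here).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\svc_spfba'
ORDER BY r.name;
GO
```

The FullAccess roles are the conservative choice. If you later confirm which stored procedures SharePoint actually calls against this database, the narrower aspnet_Membership_BasicAccess, aspnet_Membership_ReportingAccess and aspnet_Roles_BasicAccess roles (also created by aspnet_regsql) let you tighten this further; doing so is an optimization, not a requirement for the rest of this walk-through.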

User and Role Creation

Microsoft has given us a great database schema to use as a membership and role provider data store but has not really supplied a "good" tool to manage its contents. When you think about it, this actually makes sense. The providers are intended to be used by other applications so maybe one of the assumptions made was that the tools to maintain the users and roles will be provided by the applications that consume them.

Thankfully, the Microsoft Visual Studio 2005 team had the foresight to create a somewhat rudimentary web application, the ASP.NET Web Site Administration Tool, to help us manage the membership and role provider data store. The caveat is that the tool must be launched from Microsoft Visual Studio 2005. You can immediately see that this is not a very good option for those who will be managing the users and roles, i.e. the real users of your application.

I will now walk you through a set of steps to create a few users and roles that we will be using later.

  1. Create a folder on your desktop called FBA Management Site.
  2. Open Microsoft Visual Studio 2005.
  3. Select File...Open...Web Site.
  4. In the Open Web Site dialog, choose the File System icon on the left side of the dialog, then browse to and select the FBA Management Site folder created in step 1.


  5. Click Open.
  6. In the Solution Explorer, right-click on the web site and select Add New Item.
  7. Select Web Configuration File and click Add. There is no need to rename the file, web.config is fine.
  8. Replace the empty element with the following snippet. Be sure to replace both
