Setting up Claims Based Authentication in SharePoint 2010


Accurate, reliable information on migrating FBA, or on moving to claims-based authentication at all, in SharePoint 2010 is thin on the ground. After doing my own claims and FBA migration I thought I'd share my notes on what worked for me.

External References
•    http://blogs.technet.com/b/mahesm/archive/2010/04/07/configure-forms-based-authentication-fba-with-sharepoint-2010.aspx
•    http://blogs.msdn.com/b/chunliu/archive/2010/03/13/forms-based-authentication-on-a-claim-based-web-app.aspx

Web.config Changes

<h2>Web.config for web application with forms based login</h2>
    <membership defaultProvider="i" userIsOnlineTimeWindow="20">
      <providers>
        <clear />
        <!-- added for SQL FBA: "i" is SharePoint's claims wrapper provider; the real SQL provider sits behind it -->
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <!-- connectionStringName must match the connectionStrings entry exactly (no surrounding spaces); keep the backslash in \d -->
        <add connectionStringName="FBAUsers" passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{7,25}$" applicationName="/" maxInvalidPasswordAttempts="5" passwordAttemptWindow="15" passwordFormat="Hashed" name="SqlUserMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requiresQuestionAndAnswer="false" enablePasswordRetrieval="false" enablePasswordReset="true" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c" cacheRolesInCookie="false">
      <providers>
        <!-- "c" is the claims wrapper for roles, same pattern as "i" above -->
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="FBAUsers" applicationName="/" description="Stores and retrieves roles from SQL Server" name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

  <connectionStrings>
    <!-- Added for SQL FBA -->
    <add name="FBAUsers" connectionString="Initial Catalog=ExternalUsers;data source=DatabaseServer;Integrated Security=SSPI;" />
  </connectionStrings>
  <!-- Anonymous access to the login page itself, otherwise nobody can reach the form -->
  <location path="_layouts/login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.net>
    <!-- Added for password reset/retrieval -->
    <mailSettings>
      <smtp from="email@place.doesntexist">
        <network host="mail.serverdoesntexist.amazing" />
      </smtp>
    </mailSettings>
  </system.net>
<h2>Web.config for Central Admin</h2>
    <membership defaultProvider="SqlUserMembershipProvider" userIsOnlineTimeWindow="20">
      <providers>
        <clear />
        <!-- added for SQL FBA -->
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="FBAUsers" passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{7,25}$" applicationName="/" maxInvalidPasswordAttempts="5" passwordAttemptWindow="15" passwordFormat="Hashed" name="SqlUserMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requiresQuestionAndAnswer="false" enablePasswordRetrieval="false" enablePasswordReset="true" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="FBAUsers" applicationName="/" description="Stores and retrieves roles from SQL Server" name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  <connectionStrings>
    <!-- Added for SQL FBA; must point at the same FBA database as the web application's web.config -->
    <add name="FBAUsers" connectionString="Initial Catalog=Database;data source=DatabaseServer;Integrated Security=SSPI;" />
  </connectionStrings>
<h2>Web.config for SecureToken Service</h2>
<h3>%programfiles%\common files\Microsoft Shared\web server extensions\14\WebServices\SecurityToken</h3>
  <connectionStrings>
    <!-- Added for SQL FBA; the STS validates the forms credentials, so it needs the same database as the web application -->
    <add name="FBAUsers" connectionString="Initial Catalog=Database;data source=DatabaseServer;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="i" userIsOnlineTimeWindow="20">
      <providers>
        <clear />
        <!-- added for SQL FBA -->
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="FBAUsers" passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{7,25}$" applicationName="/" maxInvalidPasswordAttempts="5" passwordAttemptWindow="15" passwordFormat="Hashed" name="SqlUserMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requiresQuestionAndAnswer="false" enablePasswordRetrieval="false" enablePasswordReset="true" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="c" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add connectionStringName="FBAUsers" applicationName="/" description="Stores and retrieves roles from SQL Server" name="FBARoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>
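The three web.config files above have to agree on the provider name, the connectionStringName and the database they point at, and the fragments invite two copy/paste defects: whitespace around the connection string name and a password regex that lost the backslash of \d. The following PowerShell check is an added example, not part of the original post; the labels and the inline XML are constructed samples, and in practice you would pass `[xml](Get-Content $path)` for each real file.

```powershell
# Added example (not from the original post): cross-check the web application,
# Central Admin and SecurityToken web.config files before converting the web app.
# $Configs maps a label to an [xml] document. Written for PowerShell 2.0 (SharePoint 2010).
function Test-FbaConfig {
    param([hashtable]$Configs)
    $problems = @()
    $connStrings = @{}
    foreach ($label in $Configs.Keys) {
        $doc = $Configs[$label]
        $prov = $doc.SelectSingleNode("//membership/providers/add[@name='SqlUserMembershipProvider']")
        if ($prov -eq $null) { $problems += "$label : SqlUserMembershipProvider is not registered"; continue }
        $csName = $prov.GetAttribute('connectionStringName')
        # " FBAUsers" never resolves to the entry named "FBAUsers"
        if ($csName -ne $csName.Trim()) {
            $problems += "$label : connectionStringName '$csName' has surrounding whitespace"
        }
        $cs = $doc.SelectSingleNode("//connectionStrings/add[@name='$csName']")
        if ($cs -eq $null) { $problems += "$label : no connectionStrings entry named '$csName'" }
        else { $connStrings[$label] = $cs.GetAttribute('connectionString') }
        # Without the backslash, (?=.*d) demands a literal letter d instead of a digit
        $regex = $prov.GetAttribute('passwordStrengthRegularExpression')
        if ($regex -ne '' -and $regex -notmatch '\\d') {
            $problems += "$label : password regex has no \d digit class (backslash lost?)"
        }
    }
    # Every file must point at the same FBA database
    if (@($connStrings.Values | Sort-Object -Unique).Count -gt 1) {
        $problems += "connection strings differ between files: " + ($connStrings.Keys -join ', ')
    }
    return ,$problems
}

# Constructed samples: the first is correct, the second carries both defects and a different catalog.
$webApp = [xml]@'
<configuration>
  <connectionStrings><add name="FBAUsers" connectionString="Initial Catalog=ExternalUsers;data source=DatabaseServer;Integrated Security=SSPI;" /></connectionStrings>
  <system.web><membership defaultProvider="i"><providers><clear />
    <add name="SqlUserMembershipProvider" connectionStringName="FBAUsers" passwordStrengthRegularExpression="^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{7,25}$" />
  </providers></membership></system.web>
</configuration>
'@
$centralAdmin = [xml]@'
<configuration>
  <connectionStrings><add name="FBAUsers" connectionString="Initial Catalog=Database;data source=DatabaseServer;Integrated Security=SSPI;" /></connectionStrings>
  <system.web><membership><providers>
    <add name="SqlUserMembershipProvider" connectionStringName=" FBAUsers " passwordStrengthRegularExpression="^(?=.*d)(?=.*[a-z])(?=.*[A-Z]).{7,25}$" />
  </providers></membership></system.web>
</configuration>
'@
Test-FbaConfig @{ WebApp = $webApp; CentralAdmin = $centralAdmin }
```

An empty result means the files are consistent; anything listed is worth fixing before running the migration below, since a provider that cannot find its connection string fails every forms login.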
<h2>Migrate Web Application to Claims Based Tokens using PowerShell</h2>
This converts the existing permission entries to claims-encoded identities, whatever format they are in today.
$webappurl = "http://url"
$account = "domain\username"   # Windows account that gets Full Control through a web application policy
$wa = Get-SPWebApplication $webappurl
# Switch the Default zone to claims-based (Windows claims) authentication
Set-SPWebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
# Encode the account as a claims principal (i:0#.w|domain\username) and grant it Full Control
$account = (New-SPClaimsPrincipal -Identity $account -IdentityType 1).ToEncodedString()
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account, "PSPolicy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()
# Re-read the web application, then convert the existing user and group entries to claims-encoded logins
$wa = Get-SPWebApplication $webappurl
$wa.MigrateUsers($true)
  1. #1 by HP on September 15, 2011 - 3:17 am

    After carrying out “Migrate Web Application to Claims Based Tokens using PowerShell”
    and firing $wa.MigrateUsers($true),
    How to check whether it worked correctly and what properties it changed?

    • #2 by Maarten on September 16, 2011 - 10:05 am

      After MigrateUsers has run you will see an extra bit in the login id of each user/group in the permissions page.

      Before migrateuser: DOMAIN\username
      After: i:0#.w|DOMAIN\username
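One way to turn that check into something scriptable, as an added example that is not part of the original post or the comments: parse the login names and report which entries still carry the classic DOMAIN\username form. The encoded login has the shape `<i|c>:0<claimtype><valuetype><issuer>|<value>` (SharePoint 2010 claims encoding: `i` identity claim, `#` user logon name, `.` string, `w` Windows issuer); the small lookup tables below cover the common characters and leave anything else as null, and the sample login list is constructed.

```powershell
# Added example (not from the original post): decode claims-encoded logins and
# count how many principals MigrateUsers actually converted. PowerShell 2.0 compatible.
function ConvertFrom-ClaimsLogin {
    param([string]$Login)
    $claimTypes = @{ '#' = 'userlogonname'; '+' = 'groupsid'; '-' = 'role' }
    $issuers    = @{ 'w' = 'Windows'; 'f' = 'Forms'; 't' = 'Trusted' }
    $info = New-Object PSObject -Property @{
        Login = $Login; Encoded = $false; Kind = $null; ClaimType = $null; Issuer = $null; Value = $Login
    }
    # <i|c>:0<claimtype><valuetype><issuer>|<value>; e.g. i:0#.w|DOMAIN\username
    if ($Login -match '^(?<kind>[ic]):0(?<ctype>.)(?<vtype>.)(?<issuer>[a-z])\|(?<value>.+)$') {
        $info.Encoded = $true
        if ($Matches['kind'] -eq 'i') { $info.Kind = 'identity' } else { $info.Kind = 'other claim' }
        $info.ClaimType = $claimTypes[$Matches['ctype']]   # null when the character is not in the table
        $info.Issuer    = $issuers[$Matches['issuer']]
        $info.Value     = $Matches['value']                # for forms users this still includes the provider name
    }
    return $info
}

function Test-ClaimsMigration {
    param([string[]]$Logins)
    $parsed = @($Logins | ForEach-Object { ConvertFrom-ClaimsLogin $_ })
    # A plain DOMAIN\username entry after MigrateUsers means that principal was not converted
    $left = @($parsed | Where-Object { -not $_.Encoded } | ForEach-Object { $_.Login })
    New-Object PSObject -Property @{
        Total      = $parsed.Count
        Migrated   = $parsed.Count - $left.Count
        Unmigrated = $left
        Details    = $parsed
    }
}

# Constructed sample of what a permissions page might list after a partial migration
$sample = 'i:0#.w|CONTOSO\alice', 'c:0+.w|S-1-5-21-1-2-3-1234', 'i:0#.f|membership|carol', 'CONTOSO\bob'
$report = Test-ClaimsMigration $sample
$report | Format-List Total, Migrated, Unmigrated
$report.Details | Format-Table Login, Kind, ClaimType, Issuer, Value -AutoSize
```

To run it against a real site, feed it the logins from the site collection instead of the sample, for example `(Get-SPSite $webappurl).RootWeb.SiteUsers | ForEach-Object { $_.UserLogin }`.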
