Trying to implement Forms-based authentication
Thanks for the reply. I have numbered your reply below for which I have some questions.
1) You can't have a common URL for different Zones. Each Zone must have a unique URL because each zone is a different IIS website that points at the same content database
-- So in this case, if I need a common URL for default or extranet zones, what are the options? I need to go with alternate access mappings? Please suggest and if so with any examples.
2) If FBA is applied to the extranet zone you don't have to add the provider settings to the default zone that is still using NTLM or Kerberos. But if you don't you will need to login through the extranet zone to add FBA users. If you add it to both zones you will be able to add FBA users no matter how you are logged in.
-- FBA on extranet is fine with us. So I will uncomment the web.config changes I made to the default zone. As far as addition of users for FBA it will be only for extranet.
3) As I said, You shouldn't add the defaultProvider attribute in CA since CA isn't using FBA for authentication. Otherwise the settings look fine.
-- CA is not using FBA and it remains the same. So I will comment all the web.config changes I made?
Many thanks again,
October 25th, 2010 8:34pm

Scenario: I have a web-application that is set to windows-authentication and is created as anonymous. This is at default zone. I want to change this to forms based authentication. I tried extending web-application and creating new zone as Extranet but it is asking me to specify the url (within load-balanced url) that should not be same as the url of the default zone url. Don't know why. Please suggest. But for now, I had a question. If I modify the default zone to be forms based, will it cause any problems? I am assuming that this will be default for any type of user (internal, external etc)? Please let me know. Also as far as web.config changes (considering changes to default zone), is it fine if I modify web.config of this site plus the central admin web.config? If there are another 5 web-applications (that are totally different but reside in same farm), do I need web.config of those web-application also? Please suggest. Our goal is that this website (even when accessed internally) will be through form-based authentication only. So
October 25th, 2010 10:05pm

I'll try to provide answers to all of your questions.
1. Each zone must have a different URL address. That's why it's asking for the separate address.
2. Yes, you can change the default zone to FBA. If you do you will need to make sure that the content Access account for crawling your content in that content source is also an FBA account. Otherwise Search won't work. You will also need to setup user profile import for the FBA users or People search won't work either.
3. When changing the Web.config of CA just make sure not to set the default provider attribute. Adding one or more membership providers to the CA web.config won't have any effect on non-FBA web applications.
4. You should only change web.configs for the web applications that will be FBA. Non-FBA sites should not contain a membership provider setting.
Paul Stork SharePoint Server MVP
October 25th, 2010 10:34pm

Thanks for the reply. So if I choose extranet, I will need to specify a unique URL. But how do I specify one common URL whether it is internal, default, extranet etc.? If I go with modifying the default zone directly, your reply (point 2) has a lot of importance. Can you provide more details as to how I can set up the content access account? As far as your reply (point 4), if I were to use Extranet then the web.config of the default zone (same web-application as that of Extranet) also needs to be modified? The below MSDN link talks about this. As far as your reply (point 3), here are the additions I did to the web.config of CA. I have followed this link http://msdn.microsoft.com/en-us/library/bb975136(v=office.12).aspx
    <membership defaultProvider="fbaMembers">
      <providers>
        <add connectionStringName="fbaSQL" applicationName="/" name="fbaMembers" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add connectionStringName="fbaSQL" applicationName="/" name="fbaRoles" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <connectionStrings>
      <add name="fbaSQL" connectionString="server=sqldb;database=aspnetdb;Trusted_Connection=true" />
    </connectionStrings>
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetSqlMembershipProvider" value="%" />
      <add key="fbaMembers" value="%" /> <!-- only this line is added -->
    </PeoplePickerWildcards>
October 25th, 2010 10:59pm

For your 3rd part: you need to change the web.config file for only those web apps where you want to turn ON the Form Based Authentication. No need to change the web.config of other web apps. For the 2nd part, I am not sure. You need to use the default zone as the Windows authentication and then you can use any of the other zones for the FBA. Best practice. I am not sure why it's asking you the host name, I tried on my machine but no issue so far. Hope this works, thanks
waqas SharePoint administrator, MCTS, MCITP
October 25th, 2010 11:30pm

Hello Waqas105, My reply to your point "I am not sure why its asking you the host name, i tried on my machine but no issue so far." reply-> I meant the URL input box which is within load balanced URL. Thanks for your other points. I will check them now.
October 25th, 2010 11:41pm

You can't have a common URL for different Zones. Each Zone must have a unique URL because each zone is a different IIS website that points at the same content database.
To enable FBA crawling of content take a look at the following support articles:
http://support.microsoft.com/kb/939077/
http://technet.microsoft.com/en-us/library/cc287830(office.12).aspx
If FBA is applied to the extranet zone you don't have to add the provider settings to the default zone that is still using NTLM or Kerberos. But if you don't you will need to login through the extranet zone to add FBA users. If you add it to both zones you will be able to add FBA users no matter how you are logged in.
As I said, you shouldn't add the defaultProvider attribute in CA since CA isn't using FBA for authentication. Otherwise the settings look fine.
Paul Stork SharePoint Server MVP
October 25th, 2010 11:59pm

1) There are no options. Each zone must have a unique URL and you can't use the same AAM for two different zones. There is just no way to have the same URL for different zones.
3) You shouldn't comment out all the web.config changes you made in CA. Just remove the default provider attribute. Having them there won't hurt anything. Not having them means you won't be able to reference an FBA user in CA. This is important for things like setting the Site Collection Administrators.
Paul Stork SharePoint Server MVP
October 26th, 2010 9:34am
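
An added example, not part of the thread and not SharePoint tooling: a small Python check that applies the advice in the answers above to a web.config, flagging a membership `defaultProvider` in Central Administration and any provider whose connection string is not defined. The function name, the `is_central_admin` flag and the sample XML (the posted CA additions wrapped in an assumed `<configuration>`/`<system.web>` skeleton, `type` values shortened) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the CA web.config additions posted in the thread, wrapped
# in an assumed <configuration>/<system.web> skeleton, type attributes shortened.
CA_CONFIG = """<configuration>
  <connectionStrings>
    <add name="fbaSQL" connectionString="server=sqldb;database=aspnetdb;Trusted_Connection=true" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="fbaMembers">
      <providers>
        <add connectionStringName="fbaSQL" name="fbaMembers" type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <add connectionStringName="fbaSQL" name="fbaRoles" type="System.Web.Security.SqlRoleProvider" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""


def audit_web_config(xml_text, is_central_admin):
    """Return findings for one web.config (hypothetical helper, not a SharePoint API)."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {a.get("name") for a in root.findall("connectionStrings/add")}
    web = root.find("system.web")
    sections = [] if web is None else [web.find("membership"), web.find("roleManager")]
    for section in (s for s in sections if s is not None):
        # Each provider should reference a connection string defined in this file
        # (strings inherited from machine.config are ignored in this sketch).
        for prov in section.findall("providers/add"):
            ref = prov.get("connectionStringName")
            if ref and ref not in defined:
                findings.append(f"{section.tag}/{prov.get('name')}: undefined connection string '{ref}'")
        # Per the thread: CA keeps the provider entries but must not set an FBA default.
        if is_central_admin and section.tag == "membership" and section.get("defaultProvider"):
            findings.append(f"membership: remove defaultProvider='{section.get('defaultProvider')}' from Central Administration")
    return findings


if __name__ == "__main__":
    for line in audit_web_config(CA_CONFIG, is_central_admin=True):
        print("FINDING:", line)
```
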

This topic is archived. No further replies will be accepted.
