FBA for WSS 3/MOSS 2007 with management tool

February 16th, 2011 | Posted by Jeffrey Paarhuis in Configuring | Good to know

I know, Sharepoint 2007 is pretty old. However, this week a client wanted FBA for his WSS 3 environment, so no problemo for the Sharepoint pro. I haven’t done a FBA config for Sharepoint 2007 before, so I did a bit of googling and couldn’t find a very explaining article that covers the whole configuration. There were a few handy sites, including the MSDN, which helped me out getting what I needed.

Further on it will be explained in detail, but here is a summary already:

  • ASP.NET membership database (aspnet_regsql.exe)
  • Extended web application with zone internet
  • Edit web.config of the default web application and the extended web application
  • Install http://fba.codeplex.com/ wsp

Install ASP.NET membership database

Run the tool aspnet_regsql.exe at C:WindowsMicrosoft.NETFrameworkv2.0.50727

Choose the option to configure SQL Server for application services.

Choose the name of the database server in the server field. Choose Windows authentication and type a database name in the Database dropdown field. In this case we creat a database with the name fbadb.

Click next and Finish to complete the creation of the membership database.

Set the right SQL permissions

Because we wan´t to use integrated security with the connection we need to give the application pool identity the appropriate permissions on the membership database. First of all we need to know what the application pool identity is. For that you can go to the IIS Manager and select the Sharepoint site.

Click Advanced Settings… and note the Application Pool

Then click on Application Pools and select the noted application pool

Click Advanced Settings … and note the identity, in our case this is the Network Service

Now, go to SQL management studio and give that user the db_owner permissions on the FBA database we just created.

Extended web application with zone internet

Open Central Administration. Go to Create or extend web application in Application Management and click Extend an existing web application. In web application select the web application you wish to create FBA for.

However we are extending a web application, we need to create a new IIS web site so leave that option on.
I want to  create a subsite for the FBA authentication, so I did set the port back to port 80 and set the host header to extranet.mydomain.com

Allow anonymous authentication and here you can also choose to use SSL or not. I choose not to use SSL. The last thing to do is to set the zone to Internet.

You can go to the url of the extended web application to check if the configuration works.

Last thing to do is to enable FBA on the extended web application. Go back to Central Administration and then click Authentication providers under Application Security. Then click on the Internet zone.

In this screen select the Forms authentication type. Two new fields appear: Membership provider name and Role manager name. This are the names of the membership and role provider we are going to configure in the next step. I’m using FBA for Membership provider name and FBARole for the role manager name.

Click Save and all central admin settings are set.

Edit web.config of the default web application and the extended web application

Next thing to do is to add a few items to the web.config of the web application and the extended web application:

  • Peoplepicker wilcard for FBA
  • Connectionstring for the FBA Database
  • Membership provider for FBA Users
  • Role manager for FBA Roles

Go to the web.config of the web application (not the extended web application) and search for the </sharepoint> closing tag and the <system.web> starting tag; they should be next to eachother.

Just above </SharePoint> you find the following piece of code:

  <clear />      
  <add key="AspNetSqlMembershipProvider" value="%" />      
replace this with the next code:
  <clear />      
  <add key="AspNetSqlMembershipProvider" value="%" />      
  <add key="FBA" value="%" />    

Now add a new ConnectionString section between the </sharepoint> and <system.web> tags:

  <add name="fbaSQL" connectionString="server=localhost;database=fbadb;Trusted_Connection=true" />  

Because I run the database and Sharepoint on the same server I’m using localhost. If you are using a different database server you need to replace localhost with the database server name or ip here, pretty obvious.

Last thing to do is to add a membership and role section in the <system.web> tag. Add the following piece of code just below <system.web> and above <securityPolicy>:

<membership defaultProvider="FBA">      
    <add connectionStringName="fbaSQL" applicationName="/" name="FBA" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"            
      passwordFormat="Hashed" />      
<roleManager enabled="true" defaultProvider="FBARole">      
    <add connectionStringName="fbaSQL" applicationName="/" name="FBARole" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>      

This web.config is done. Now do the same for the web.config of the extended web application.

Install http://fba.codeplex.com/ wsp

Download FBAManagement.wsp and Deploy.cmd from http://fba.codeplex.com/releases/view/2986 and save both files into the same folder. We need to edit some values in the Deploy.cmd so once downloaded go to the folder and rightclick Deploy.cmd and click edit. Now replace both http://aspnet with http://<yoursharepointsite>. Also remove the bin from “stsadm -o addsolution -filename binFBAManagement.wsp” so it reads only “stsadm -o addsolution -filename FBAManagement.wsp”. The code should look like this:

@echo Deploying FBAManagement solution

@set PATH=C:Program FilesCommon FilesMicrosoft Sharedweb server extensions12BIN;%PATH%

stsadm -o deactivatefeature -name FBAUserRoleManagement -url http://mysharepoint -force
stsadm -o deactivatefeature -name FBAConfigurationManagement -force

stsadm -o retractsolution -name FBAManagement.wsp -immediate
stsadm -o execadmsvcjobs
stsadm -o deletesolution -name FBAManagement.wsp -override
stsadm -o execadmsvcjobs

stsadm -o addsolution -filename FBAManagement.wsp
stsadm -o execadmsvcjobs

stsadm -o deploysolution -name FBAManagement.wsp -immediate -allowgacdeployment
stsadm -o execadmsvcjobs

stsadm -o activatefeature -name FBAConfigurationManagement
stsadm -o activatefeature -name FBAUserRoleManagement -url http://mysharepoint
stsadm -o execadmsvcjobs

Save the file and execute it as administrator. Don’t be scared with the file not found and solution not found messages for the first few lines, because thats entirely normal.


All configuration is done. Go to the site settings of the sitecollection. Under site collection administration you find two new links. With Manage FBA Users you can add and edit users and with Manage FBA Roles you can add and edit roles, which is pretty straightforward.

To test FBA you can add a user and give the user some permissions by adding it to the Team Site Members group. Now, login with the user on the extended web application and see the result.

You can follow any responses to this entry through the RSS 2.0 You can leave a response, or trackback.

Leave a Reply

%d bloggers like this: