Office SharePoint Server 2007 - Forms Based Authentication (FBA) w/MySites Walk-through - Part 2

As promised, here is part 2 of my series on hooking up Forms based authentication on a SharePoint 2007 site AND integrating your web application with MySites and the Personalization features of Office SharePoint Server 2007.

I am going to assume that you have read and gone through all of the steps in part 1 of the series.  The steps below ARE dependent on part 1 and I will be making some references to it.  If you have not gone through part 1, I encourage you to read this entire post before trying to implement the solution.  There are quite a few caveats and very UNINTUITIVE steps.  Since none of this is documented (to my knowledge), I have to say that since it is undocumented, it may be unsupported as well.  What I can say for certain, that in my 2 or 3 support calls to Microsoft regarding this issue, I had given up on them helping me.  Essentially I was told on more than one occasion that "it's not supposed to work" or "it does not work".  Of course after those answers, I had to prove to myself that either it does work or support was right.  They do after all claim that this is "pluggable" authentication, and other than the obvious features, like Office integration, or SharePoint Designer integration, I expected all of the functionality to work.  The following is the fruit of my labor.  As a side note, this effort, although it may seem simple after you go thru the steps, took me about 5 weeks of nights and weekends trying to get the sequence of steps and the steps themselves defined.

One major disappointing caveat is MySite search.  Search works fine against the FBA site to which we have a "mirror" intranet version, like we do in our example, but unfortunately we do not have a Windows authentication version of each and every MySite.  I guess we could, technically, but really, that's not going to happen.  I have heard however, through a very reliable source that Microsoft is working VERY VERY hard on getting the SharePoint search crawler to be able to penetrate forms based authentication sites and just maybe, might have a solution in Q2.  I am optimistic about this and can't wait, then we really have a fully searchable FBA solution.

So here goes...

Assumptions

Like any good assumer, I am going to list all of my assumptions here.  If you think that anything is missing, please do let me know and I will update this list.

  • You have created and configured a Shared Services Provider (SSP) and can link to its setting page using either of the following two methods.
    • Click on the Share Services Provider's link in the left navigation in Central Administration.


    • Click on the Create or configure this farm's shared services link in the Office SharePoint Server Shared Services section of the Application Management tab in Central Administration, then select Edit Properties from the dropdown menu that appears when you hover over its name.




  • The SSP Administrative Site URL and the MySite Location URL are each on their own web applications.

     

    It is possible and sometimes desirable for some to locate their MySite site collections within the same Web Application of the site to which they are associated.  What I mean by this is that there are two very different ways in which to setup MySites and they are as follows.  Let's pretend for the sake of conversation, that our site is www.microsoft.com.

    Method #1 - The site www.microsoft.com is its own Web Application.  In turn, www.microsoft.com/mysite is where the MySites site collection is located.  The main benefit to this design is that since we are using FBA as our authentication method, the same cookie will work for both sites and we will not have to log into our MySite independently of logging into the main site.  The main drawback is that MySites will now be created in the same content database(s) that the www.microsoft.com Web Application is using.  This may be an issue when it comes to scaling and capacity planning.  Chris Johnson has outlined the steps needed to produce this scenario here.

    Method #2 - The site www.microsoft.com is its own Web Application.  In turn, my.microsoft.com is where your MySites site collection is located.  The main benefit to this is that MySites are stored in a separate Web Application and can be managed independently.  The main drawback is that since we are using FBA as out authentication method, we will have to log into our MySite separately, the cookie will not be shared.

    Microsoft's best practice dictates that you use Method #2, so that is what I have done in my walkthrough.
  • As indicated above, for the purpose of this post, my SSP Administrative Site URL is http://ossdev:23456/ssp/admin.
  • As indicated above, for the purpose of this post, my MySite Location URL is http://ossdev:23457.
  • You will NOT access the URL in the previous bullet until instructed to do so.  This has the potential to create problems, so please resist the urge.
  • You will NOT click on the MySite link until instructed to do so.  This also has the potential to create problems, so please resist the urge.

Update the Shared Service Provider Administrative Site's web.config File

The web.config file of the Shared Service Provider needs to be updated with the same information you placed into the web.config of your FBA web application.

Determine File Path to web.config.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the Shared Service Provider's website, in my case, SharePoint_SSP_Default1 - 23456.  Yours will most likely be different so be sure you select the right site.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://ossdev:23456/ssp/admin web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.

Add Connection String

  1. Add the following connection string snippet immediately above the <system.web> tag.  Be sure to replace the bolded text with the appropriate values from your environment.

    <connectionStrings>
      <add name="AspNetDbFBADemoConnectionString" connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

Add Providers

  1. Add the following membership provider and role manager elements immediately inside the <system.web> element.  Again, be sure to replace the bolded text with the appropriate values from your environment.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  2. Save and close the web.config file.
  3. Perform an IISReset and verify that you can still access the SSP.

Update the MySite Host Web Application's web.config File.

The web.config file of the MySite Host Web Application needs to be updated with the same information you placed into the web.config of your FBA web application.

Determine File Path to web.config.

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Web Sites and select the MySite Host website, in my case, SharePoint_MySite_Default1 - 23457.  Yours will most likely be different so be sure you select the right site.
  3. Right click on the above website and select Properties.
  4. Select the Home Directory tab.
  5. In the Local path textbox take note of the entire string.  This is the folder on the file system that contains the web.config for the http://ossdev:23457 web application.  We will be updating this file next.
  6. Open Windows Explorer and browse to the folder noted in step 5.
  7. Make a backup copy of the web.config file.

Add Connection String

  1. Add the following connection string snippet immediately above the <system.web> tag.  Be sure to replace the bolded text with the appropriate values from your environment.

    <connectionStrings>
      <add name="AspNetDbFBADemoConnectionString" connectionString="Data Source=OSSDEV;Initial Catalog=AspNetDb_FBADemo;Integrated Security=True" />
    </connectionStrings>

Add Providers

  1. Add the following membership provider and role manager elements immediately inside the <system.web> element.  Again, be sure to replace the bolded text with the appropriate values from your environment.

    <!-- membership provider -->
    <membership defaultProvider="FBADemoMember">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          applicationName="/"
          requiresUniqueEmail="false"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="1"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          name="FBADemoMember"
          type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FBADemoRole">
      <providers>
        <add
          connectionStringName="AspNetDbFBADemoConnectionString"
          applicationName="/"
          name="FBADemoRole"
          type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  2. Save and close the web.config file.
  3. Perform an IISReset and close all your browser windows, but DO NOT try and access this URL yet.

Assign FBA Admin User Personalization services permissions.

Remember in part 1, we created a handful of FBA users.  One of those users (spadmin) was created to be used as an administrator for our FBA site.  We are going to re-use that user here to manage the SSP once we "flip" it to Forms Authentication.  Yes, that's right, we are going to switch the authentication method of our SSP Administration site to Forms!  How else did you think it would wok with FBA users?  Ideally, you should probably go and create another user for this, maybe sspadmin or something similar.

  1. Browser to your SSP Administration Site.
  2. Click on Personalization services permissions in the User Profile and My Sites section.


  3. Click on the Add Users/Groups link.


  4. Type spadmin into the Users/Groups textbox and click the Check Names button , watch SharePoint resolve the user, then check all of the permissions and click Save.  This will ensure that when we make the switch to Forms Authentication on the SSP site, that our FBA admin user will actually be able to perform the operations listed here.


  5. Perform an IISReset and close all your browser windows.

 

Switch Authentication Providers for SSP and MySites

  1. Click on the Authentication providers link in the Application security section on the Application Management tab in Central Administration.


  2. Verify that the SSP Web Application is selected in the Web Application dropdown in the top right hand corner of the page.


  3. Click on Default.


  4. Select Forms as the Authentication Type, and enter the appropriate values for the Membership provider name and the Role manager name as they exist in this web application's web.config, then click OK.


  5. Perform steps 1 to 4 again for the MySite Web Application.

Update Site Collection Administrator for SSP and MySites

We now need to update the Site Collection Administrators of the SSP and MySite host so we can go make some more changes.

  1. Click on the Site collection administrators link in the SharePoint Site Management section of the Application Management tab in the Central Administration.


  2. Switch the Site Collection dropdown to the SSP admin Site Collection.  Remember, you may have to switch the Web Application to get the correct list of Site Collections (this is done in the popup).  I know of some people who are not too fond of this user interface, myself included).  Notice that since we switched the Authentication Type of our SSP to Forms, we will see a squiggly under the Windows account that was previously the Site Collection Administrator.


  3. Delete the squigglied name (is that a word?) and replace it with spadmin, the FBA admin user we discussed earlier.  Click the Check Names button  and watch SharePoint resolve the FBA admin user, then click OK.

     
  4. Repeat steps 1 to 3 for the MySite Host Site Collection.

Assign My Site Host Permissions to FBA Users

The following steps were the most unintuitive steps ever, in my opinion, and if anyone can tell me why it is required for FBA/MySite integration, but not for Windows/MySite integration I would love to know.  That said, here are the steps.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the My Site settings link in the User Profiles and My Sites section on the SSP Home page.


  4. Click on the My Site Host Permissions link in the loft navigation.


  5. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.  You will be directed to the People and Groups page.


  6. Click on the Site Permissions link in the left navigation.


  7. Click on Add Users under the New menu item.


  8. Add the 3 roles we created in part 1, Administrator, Manager and Employee.  Ideally we would have created a role that holds all of the FBA users (maybe call it Everyone).  Had we done that in part 1 (we did not and I apologize), we would only have had one role to add here and so long as we always assigned new users to the Everyone role we would never have to come to this page again.  As it stands now, if we were to create another user and place them in a new role, they would not be able to create a MySite.  I think you get my drift here.  Give them Read permission directly and click OK.

    Actually, doing this doesn't actually give users permission to create a MySite, but permission to use the MySite Host site should they already have the permission to create a MySite.  The next section will grant users permission to create MySites.


  9. Close all your browser windows.

Grant Personalization Services Permissions

The next set of steps, as mentioned above is to grant our FBA users the appropriate permission to allow them to create MySites and use the personalization features of Office SharePoint Server 2007.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the Personalization services permissions link in the User Profiles and My Sites section of the SSP Home page.


  4. Click on the Add Users/Groups link.


  5. Type Administrator;Manager;Employee into the Users/Groups textbox and click the Check Names button , watch SharePoint resolve the roles, check only the Create personal site and Use personal features permission, and click Save.  This grants these roles the permission to create a MySite and to use the personalization features.

     
  6. Your screen should resemble the following screen shot.


  7. Perform an IISReset and close all your browser windows.

Assign Roles to Default Reader Site Group

Ideally, we don't want users to have to assign other users Read permission just to view the public areas of their MySites.  When using Windows authentication, the default is to allow all authenticated users to read other users MySites.  Such a group does not exist when using FBA.  Had we created some sort of Everyone role, as suggested earlier in this post, in part 1 of the series, we could have leveraged that role, however, since we did not, we will have the same scenario as before manifest itself should we decide to add a new role in the future, after making the following changes.  So lesson learned #1 would be to create an Everyone role in your role manager and place all of your users in it.

  1. Browse to your SSP Administration site.
  2. You will be prompted with the standard out of the box FBA login form.  Log in as spadmin.
  3. Click on the My Site Settings link in the User Profiles and My Sites section on the SSP Home page.


  4. Scroll down to the Default Reader Site Group section and type or append Administrator; Manager; Employee into the textbox.  You can leave NT AUTHORITY\authenticated users in the textbox or remove it, it does not matter at this point, then click OK.


  5. Close all your browser windows.

 

Test You Solution!

Remember, I made allot of assumptions at the beginning of this post.  One of those assumptions was that you had completed part 1 of this series.  Under the assumption that you have completed part 1, test your solution using these steps.

  1. Browse to http://fbaextranet.attis.org and first login as spadmin.  You should see a My Site link in the top right hand corner of the page.  DO NOT CLICK ON IT YET.
  2. Verify that the Employee role is in the pre-created Visitor SharePoint group and that the Manager role is in the pre-created Member SharePoint group (I have to assume you know how to do this!).
  3. As I mentioned earlier, since we set our My Site Host site collection up on a separate Web Application than our website, we will need to log to our My Site independently of this site.  You may now click on the My Site link!
  4. Login as spadmin and watch the MAGIC!


  5. Check it out!

     
  6. Close your browser, open a new one and browse to http://fbaextranet.attis.org again.
  7. Login as Employee1.  You should see a My Site link in the top right hand corner of the page.  Remember, this user was created in part 1.  Click on the My Site link, logon as Employee1 and again, watch the MAGIC!

     

Caveats

Of course, this solution has a couple of caveats.  The biggest issue I have come across is Search.  At present time, the crawler simply cannot deal with Forms Authentication yet.  This is not a problem for the main website as the crawler simply enters through another zone.  The following TechNet article explains how the crawler interacts with multiple zones and authentication modes in great detail.  I encourage you to read it.  With that said, MySite Search does not work OOB (I say OOB because I am sure someone will come up with a clever solution at some point) because all of the MySites lie behind Forms Authentication.

Now go forth and integrate your Forms Authentication Solutions with MySites and your SSP's.  it will be interesting to see if there is going to be a supported or documented solution put forth by Microsoft.  I guess we will just have to wait and see!

Published 01 March 2007 10:09 PM by Dan Attis
Filed under:

Comments

# Stacy Draper said on 02 March, 2007 01:25 PM
Dan Attis&amp;nbsp;has written down the steps&amp;nbsp;to have Forms Based Authentication (FBA)&amp;nbsp;for SharePoint...
# Mike Walsh's WSS and more said on 03 March, 2007 11:48 PM
# Andrew Connell [MVP MOSS] said on 04 March, 2007 04:27 PM
Enabling MySites with Forms Based Authentication sites
# BobC said on 05 March, 2007 07:32 AM
I don't see any specific mention of user profiles import from the SQL Membership DB.  I have the authentication working, but need help connecting the authenticated user to a user profile.  I believe the problems are due to the SSP not seeing the SQL Membership, so I'll try your approach and get back to you.

Thanks for any feedback.

/bac
# Morgan said on 08 March, 2007 05:29 AM
Hi Dan, Thanks for your article. It is very well written. I also have the problem of user profiles matching with the sql membership.  I have tried your article and it all works until I try to Assign FBA Admin User Personalization services permissions.  I just can't seem to access the sql members from the shared services area.  I have tried creating new "shared services" and "my sites" sites, but it just won't work.  Please any help would be appreciated.  Cheers, Morgan
# Dan Attis said on 08 March, 2007 06:41 AM
Morgan/BobC,

With reference to the previous two comments, can you each please check your SQL Server database security settings and make sure that the account(s) that are being used to run both the web site, the SSP and the MySite host application pools (best practice dictates that these are all different accounts, but sometimes they are not), have access to all of the membership and role schema information within the appropriate database.  If the application pool account(s) cannot read this information, the provider will not be able to access the tables, therefore preventing it from "seeing" the users and roles.
# Morgan said on 15 March, 2007 02:56 AM
Hi Dan, Thanks for your response.  I made sure that all my websites were running on the same application pool (default application pool).  I have double checked and it does have access.  Strange also because it all worked until the shared services area.
# Cliff said on 15 March, 2007 06:27 AM
Morgan and /bac.  If you are like me you started with an AD portal and then extended a FBA web application on top of that.  Well, if that was the case then you also need to extend the default ssp site so that it recognizes FBA user and roles.  If you do that, and then use the extended URL to hit the ssp/admin area you should be able to resolve FBA users and groups and move on with the remainder of the steps.  Great work Dan!!
# Evan said on 15 March, 2007 01:11 PM
Great article. I've hit a brick wall and am hoping for some input. I've got the CA and FBA Sharepoint site going swimmingly. I added (and re-added, and triple checked) the necessary provider information to the SSP site's web.config. For the life of me, the SSP site will *not* resolve users/groups. I've checked the <PeoplePickerWildcards> element, no dice.

Just for kicks, I flipped on FBA on the SSP site (with anon access on) even though the SSP people picker wouldn't resolve, and went to 'Site Collection Administrators' in CA. It resolved people/groups fine. I added a primary and secondary admin to the SSP site. I proceeded to the SSP site, got the forms login page (yay), and logged in. I got an 'Unknown Error' page and found this in the log:

03/15/2007 12:51:54.93 w3wp.exe (0x1680)                       0x1124 Windows SharePoint Services   General                       8dzz High     Exception Type: System.ArgumentNullException  Exception Message: String reference not set to an instance of a String.  Parameter name: s

I'm betting it's related to the fact that, since SSP People Picker won't resolve, I wasn't able to follow the steps detailed in the "Assign FBA Admin User Personalization services permissions." section of this article.

Hope that wasn't too long-winded, and I appreciate everyone's time in advance!

Cheers,

Evan
# SharePoint, SharePoint and stuff said on 22 March, 2007 04:42 AM
Formularbasierte Authentifizierung (auch mit MySites) einrichten Office SharePoint Server 2007 - Forms
# SharePoint, SharePoint and stuff said on 22 March, 2007 04:51 AM
Die SharePoint Kaffeetasse - Links, die mir beim morgentlichen durchforsten der SharePoint-Infos aufgefallen
# SharePoint, SharePoint and stuff said on 22 March, 2007 05:46 AM
Die SharePoint Kaffeetasse - Links, die mir beim morgentlichen durchforsten der SharePoint-Infos aufgefallen
# Ivo Vink said on 27 March, 2007 07:11 AM
great work Dan,

Regretfully I am facing the same problem as Evan and Morgan had. You didn't mention anything about extending the SSP. We didn't extend the CA and that worked so why should we extend the SSP?
Any ideas on how we can get it to work?
BTW all our application pools (including the CA pool) are running under the network service account.
# Marc said on 28 March, 2007 07:08 AM
Thanks for the article Dan, it was a tremendous help.  I originally ran into the same problem Morgan had, but after extending the Shared Services site (per Cliff's suggestion) that issue resolved.  There is one more error that I encountered that I had not anticipated... When I log into a site using the an AD account the document libraries function correctly... but when I log in using the a FBA account I've noticed my ability to upload multiple documents has been removed.  

Has anyone else experienced this?  Why do I feel like getting FBA and SharePoint to work together is like trying to get two cats who hate each other to play with the same string?  
# Tracy said on 28 March, 2007 08:51 AM
Great help for me. But I had a problem with "Assign Roles to Default Reader Site Group".  When I appended the roles to the Default Reader Site Group section, this page just kept running and no response. Any ideas for this?

I already extended the the FBA web application on top of the AD portal, but how to extend the default ssp site? I throught the ssp site was with the same web application as the AD portal, so extended the web application also extended the sites.  Is my thinking totally wrong?

Thanks for any feedback!
# Tracy said on 28 March, 2007 10:59 AM
It works perfectly now. The problem I mentioned before caused by the network problem.

Thanks again for your great article, Dan.
# Todd Baginski's SharePoint 2003 and MOSS 2007 Blog said on 12 April, 2007 03:26 PM
During the Create an Internet-Facing SharePoint Site session I covered the following topics. Setting
# Sven said on 18 April, 2007 04:47 AM
I need to extend the default ssp site so that it recognizes FBA user and roles. Does someone has an idea how?

Thanks in Advance.
# Steve said on 20 April, 2007 01:31 PM
Nice Documentation - we have an issue regarding this where We have a MOSS 2007 portal on our domain using FBA with a SQL DB called  AcASPNetDb in
aspnet_Users table.
.   We have a site under the parent
site called “Our Administration”.  We want this “Our Administration” site to
only be accessible to 3 user roles.
We created the site and added a tab for the site.  We then removed “Inherit
Permissions”.  This allows us to customize the security for that specific
site/tab rather than inheriting the permission from the parent site.  We then
removed permission for all but the three roles we wanted to have access.  
This process has worked for other sites in the portal  where we only wanted
certain roles to have access.

However for the “Our Administration” site, even though the permissions only
show access to those 3 roles, when we test it, we find that all roles still
have access to the site.  This is critical since it subverts our security.

I have logged in as a user that isn't supposed to view this and all the
information still shows up.  Any suggestions ?

# praful said on 29 May, 2007 05:42 AM
hi all,
i added FBAadmin user to webapplication but when i m trying to do same in SSP for step "Personalization services permissions", my user is not recognized. even i extended my SSP default site and add connection string in web.config. can somebody help me out
# Todd Baginski's SharePoint 2003 and MOSS 2007 Blog said on 27 June, 2007 11:37 PM
During the Create an Internet-Facing SharePoint Site session I covered the following topics. Setting
# Pranab's Blog said on 02 July, 2007 09:46 AM
There is already a good no. of examples in different blogs showing how to implement FBA in MOSS 2007/WSS
# Noticias externas said on 02 July, 2007 09:57 AM
There is already a good no. of examples in different blogs showing how to implement FBA in MOSS 2007
# vamsi said on 27 August, 2007 07:45 AM
How to extend SSP site to be able to recognize FBA accounts? Should I just set the default auth provider to FBA? Should I extend another IIS web site for the SSP site and configure the new web application auth. provider as Instranet zone with FBA? Please post the missing step near 'Assign FBA Admin User Personalization services permissions.' step. It wouldnt recognize FBA users until I extend the site to use FBA. I was able to see My Site link for FBA logged in user; but clicking it would give me Access Denied.
# Eli Robillard's World of Blog. said on 07 September, 2007 12:55 PM
There are three great guides to configuing FBA: Andrew Connell had the best article first. Dan Attis
# Chun said on 19 September, 2007 05:52 AM
I got this working fantastic, for those stuck on unresolvable user name.

First create the SSP for windows auth and extend it for forms auth.

Set up the web.config for the forms auth to contain the query string and profile/roles sections.

Update Authentication provider for the FBA to use the membership provider name and role manager name.

Go to CA > Application Management > Site Collection Administrators and you should be able to enter the spAdmin user as a site admin.

Now you can go to either the windows SSP or the extended SSP and set up the Personalisation Services permissions
# Chun said on 19 September, 2007 05:55 AM
I have one further comment about testing the solution and the screen shots in point 5 and 7.

The username appears as FBADemo:Employee1. in the main site it only appears as Employee1. Does anyone have any idea about how to get rid of the FBADemo: bit.

Otherwise i will have to do the whole thing again using a reasonable profile manager name instead.
# Richard M said on 19 September, 2007 12:22 PM
Excellend post Dan, really appreciate it.

For those that might use "Method #1" I thought I would add in some additional comments about two errors/problems I encountered when trying to create the MySites during the "Test You Solution!" phase.

1 - You may get an error stating that Self-service site creation is not activated.  If so then in CA->App Mgmt->Self-Service Site Management you need to enable Self-Service Site Creation.

2 - When creating a site you may get an error message that states "There has been an error creating the personal site. Contact your site administrator for more information."  An entry in the Event Log on the server will be equally unhelpful.  However, using google I saw this KB article (http://support.microsoft.com/kb/937207), you'll have to contact Microsoft Support to get the hotfix.  I'm still waiting to apply it.
# James Stewart said on 01 October, 2007 11:34 AM
This is a great step 2.  Using a lot of documentation, I was able to get through step one and had never seen this post.  I was having a lot of trouble updating and syncing profiles until I ran through step 2 of this post.  Thanks so much!
# CezaryK said on 10 October, 2007 08:45 AM
Hello!
  Thanks for thorough explanation... However I couldn't find any solution on how to get rid of a provider name prefix (in your example FBADemoMember). You'll probably agree that it cannot be displayed in the production environment...
# Jeremy Caney's Weblog said on 16 November, 2007 05:46 PM
We've done quite a few SharePoint 2007 sites but a recent project required diving much deeper into the product, including extensive use of custom web parts, search indexes, and registration on top of the standard arsenal of master pages, layouts, XSL
# Hinsua said on 26 November, 2007 09:51 AM
Good Post!
www.sharepoint2007.co.cc
# 91flhs said on 20 December, 2007 12:46 PM

I have followed this documentation and I can get into all sites using FBA but now I would like to create an import connection but I can't seem to figure out how to do this to SQL server.  My only options are AD/LDAP Directory/BDC/AD Resource.  I think the closest is BDC but I just can't seem to get this working.  Any help would be appreciated.

# blog.ekegren said on 02 January, 2008 09:36 AM
# Pronichkin said on 06 January, 2008 06:11 PM

Great manual! Was interesting to read (in spite of I already figured this out myself).

Did you manage to allow anonymous user browse MySites?

# Adding SQL Membership Roles To MOSS 2007 User Groups | Brilliant Blue Technology said on 30 January, 2008 08:17 PM

Pingback from  Adding SQL Membership Roles To MOSS 2007 User Groups | Brilliant Blue Technology

# shekhar said on 27 February, 2008 07:20 AM

I have followed the same steps as given in the step 1 and step 2, instead i have used active directory membership provider.I am able to configure all the sites for the active directory membership provider , but when i tries to access any of the links reklated  to mysite configuration under shared services i get access denied page.please suggest me the better way as i need to bring form based authen tication using active directory membership provider and also mysite link should be avaliable on the home page of my web application when i sign in the web application using above mentioned form based authentication

# Tony Testa's World said on 02 April, 2008 03:58 AM

SharePoint MySite Forms Based Authentication Missing Steps That Might Come In Handy

# Nick Swan's SharePoint Blog said on 28 May, 2008 03:19 AM
# happySP said on 05 June, 2008 01:57 PM

Consequences of going Forms-Based Authentication:

1) Sharepoint Designer breaks

2) Search breaks

3) MySites breaks

...and probably more i haven't come accross yet.

Sure there are workarounds such as this one to fix the problems, but spending three weeks implementing fixes doesn't sound like an ideal solution.

# happySP said on 05 June, 2008 01:58 PM

Consequences of going Forms-Based Authentication:

1) Sharepoint Designer breaks

2) Search breaks

3) MySites breaks

4) Membership provider name is attached to your user names

...and probably more i haven't come accross yet.

Sure there are workarounds such as this one to fix the problems, but spending three weeks implementing fixes doesn't sound like an ideal solution.

# SEIU SharePoint Development » Blog Archive » FBA SharePoint - perfect walkthrough said on 07 July, 2008 10:32 AM

Pingback from  SEIU SharePoint Development  &raquo; Blog Archive   &raquo; FBA SharePoint - perfect walkthrough

# Ani said on 08 July, 2008 11:42 AM

Hello

When i tried to add the database user to the http://portal , its throwing error "no exact match was found".

Then i checked, whether the administrator account is available as a site collection administrator and yes it is there.

The database is also having the adminstrator in it as a security user.

Still i could nt able to add the database user in the extranet site.

Any help will be appreciated.

Ani

# Ani said on 08 July, 2008 12:52 PM

Hello

Whenever I try to add FBA user, I am getting following error

Index was out of range. Must be non-negative and less than the size of the collection.

Parameter name: index

Can anyone tell me whats wrong I am doing here?

# Ani said on 13 July, 2008 02:12 PM

Hello

I figure out a solution to retreive list item id. First you need to add a new Search Managed Property to the search configuration. Please do the following steps

1. Go into the SSP, Search Settings, Managed Properties, click on "New Managed Property"

2. Give it a like "ItemID"

3. choose type of Integer

4. In the "Mappings to crawled properties" section, choose "Include values from a single crawled property based on the order specified"

5. click on Add Mapping button, search for the one you want (which is ows_ID) like this in the selection dialog, select it and click OK:

Now add this column in query editor column of search core result web part, and then customize xslt mentioned by zimmer.

So once you create XML , you will notice that your itemid will appear in your search result xml, thne do the needful as per zimmer article (www.zimmergren.net/.../moss-2007-customize-the-search-result-using-xslt-part-3-customize-using-sharepoint-designer-2007.aspx)   then you can set 'Title' field as Hyper link with your list item, so your hyper link will be "../dispform.aspx?id={itemid}. This url can be vary depending on your document or form library.

I have implemented this solution successfullt.

Cheers

Ani

# Amandeep Singh said on 14 July, 2008 01:42 PM

I have deployed FBA perfectly, but doesn't allow me to see anything when using Explorer view in extranet. Keep prompting login dialog box again n again. Explorer view working fine in intranet.

What could be the reason? .. can someone help me on it. Thanks

# Ricardo Caldas said on 22 July, 2008 07:27 AM

Hi Dan,

Nice work with the articel.

Hi have a problem with my FBA access.

My PWA working with FBA (SQL server DB) is not working properly. The user can access to the page of PWA normally, but when they try to use the shortcuts for folder or workspaces it redirect the user for an internal page, using the AD and logically they don't have access and gives them a blank page.

Do you have any idea of what could be the problem?

Thank you very much.

# Mirrored Blogs said on 22 July, 2008 08:47 AM

Corps: Petite astuce aujourd&#39;*** concernant l&#39;authentification par formulaire dans SharePoint

# Ricardo Caldas said on 23 July, 2008 06:04 AM

Hi Dan,

Nice work with the article.

Hi have a problem with my FBA access.

My PWA working with FBA (SQL server DB) is not working properly. The user can access to the page

of PWA normally, but when they try to use the shortcuts for folder or workspaces it redirect the

user for an internal page, using the AD and logically they don't have access and gives them a blank page.

Do you have any idea of what could be the problem?

Thank you very much.

# justguy's said on 01 August, 2008 01:20 AM

Hi, Recently I’ve had an interesting challenge (yes, challenge): building a MOSS portal based on Form

Leave a Comment

(required) 
(required) 
(optional)
(required)