Introduction and Configuration SharePoint 2013 Forms Based Authentication

Forms Authentication

Forms-based authentication is an identity management systemthat is based on ASP.NET membership and role provider authentication. To useforms-based authentication to authenticate users against an identity managementsystem that is not based on Windows or that is external, you must register themembership provider and role manager in the Web.config file.

Reason of Using Forms Authentication

• Authentication In default, all the membership authentication is based on AD (ActiveDirection), if the SharePoint Site is publish, it should provide registerand login, then the authentication based AD need to publish the EnterpriseAD Server in extranet, this is not security and convenient, and FormsAuthentication could resolve it well, So the Forms Based Authentication isthe best method.

Principle of Forms Authentication

·The SharePointforms-based login page collects the credentials of the user, which are thensent to the SharePoint 2010 STS.

·The STS calls themembership provider that is associated with that web application, to validatethe user's credentials.

·If this succeeds, theSTS retrieves the roles that the user belongs to and adds these as claims inthe claims-based token that is sent back to the login page.

·From the login page, after the claims-basedtoken is issued, the user is sent back to the request resource.

Note: Ifauthentication is successful, the Web Service will put the credential key inthe Web Services’ cookie, then theauthenticated user wouldn’t need provide the credential with everyrequest.

In a Form basedSharePoint site, to invoke a Web Service, the user must be authenticated withtheAuthentication.asmx Web Service.The Web Service will return theLoginResult objectwhich specifies the authentication status. The Web Service will not generateany exception if the authentication fails; rather the return objectLoginResultwill contain the login status. If authentication is successful, then the WebService will put the credential key in the Web Services’ cookie. But to put thecredential to the Web Service’s cookie, we need to initialize the cookiecontainer of the Web Service

Beside we should understand the follow Provider:

Membership Provider: responsible for verifying user credentials,changing passwords, etc. As a Membership Provider, we'll useSqlMembershipProvider (that ships with ASP.NET 2.0). DotNetNuke provides nativesupport for it. We'll just have to copy someweb.config entries, andwe're done. I'll show you that later in this article.

Role Provider: responsible for role management, verifyinguser roles, etc. A role in Forms based authentication is similar to a usergroup in Active Directory. DotNetNuke doesn't provide native support for SqlRoleProvider(that ships with ASP.NET 2.0), but it does create all stored procedures used byit. The problem is that it does not populate tables used by SqlRoleProviderwith data from its native role management tables.

Advantages of Forms Authentication

·Forms authenticationsupports authentication against a custom data store, such as a Microsoft SQLServer database or Active Directory services.

·Forms authenticationsupports role-based authorization with role lookup from a data store.

·Forms authenticationis smoothly integrated with the Web user interface.

·ASP.NET provides muchof the infrastructure. Relatively little code is required in comparison toMicrosoft Active Server Pages versions 3.0 and earlier.

·ASP.NET formsauthentication does not require Microsoft Internet Explorer. Formsauthentication supports a wide range of Web browser clients.

·Allows you to defineyour own login and error pages, and create login interfaces that requiresomething other than, or in addition to, the traditional user name and password(such as an e-mail address or digits of a telephone number.

·The Web Service will putthe credential key in the Web Services’ cookie, then the authenticated userwouldn’t need provide the credential with every request.

Disadvantages of Forms Authentication

·You must help protectthe initial logon credentials by using SSL because the credentials are sent tothe server as plaintext.

·By default, the cookiethat contains the forms authentication ticket is not secured when you use formsauthentication in a Microsoft ASP.NET Web application. You must also make surethat you help protect the cookie that contains the forms authentication ticket.

Scenario of Forms Authentication

·Allowsyou to define your own login and error pages,andcreate login interfaces that require something other than, or in addition to,the traditional user name and password (such as an e-mail address or digits ofa telephone number

Demo of Forms Authentication

·The step to Configuration Form Based Authentication

• 1. Setting up ASP.NET Forms Authentication User and Role Data Source
  • Create Database
  • Configure Membership and Role Provider and Create User
• 2. Create Web Application and Site Collections
• 3. Configure Web.Config file
  • Configuring FBA web application web.configfile
  • Configuring Central Administration web applicationweb.configfile
  • Configuring Security Token Service web.config file
• 4. Adding User Policy to the FBA Web Application
• 5. Verification Steps

How to configuration the Forms Based Autentication step by step reference to my blog about the link:http://blog.csdn.net/tristan_dong/article/details/8225350(configuration the Forms Based Autentication step by step)

About more infomation to the link: http://msdn.microsoft.com/en-us/library/hh394901(v=office.14).aspx