SharePoint Knowledge Base

Jan 15
Forms Based Authentication in SharePoint

In many situations it's common to have clients or partners access your intranet. We love our clients, but we don't want them in our internal security system, so we keep their accounts in SQL Server rather than in AD (Active Directory). We have a helpdesk (built in SharePoint, of course) that we use to support our clients with their SharePoint. Our staff use AD to authenticate.

Our staff see AD (login screenshot not reproduced here).

Our clients see FBA like this (login form screenshot not reproduced here).

Introduction to FBA (Forms Based Authentication) in SharePoint

SharePoint Products and Technologies contain features for authentication and authorization that make it easier to develop and deploy solutions in extranet environments. SharePoint is built upon the ASP.NET 2.0 Framework, which allows you to use forms authentication to authenticate users into the system. Because SharePoint Products and Technologies are built upon the ASP.NET 2.0 pluggable authentication provider model, they can support authentication for users stored in Active Directory, in a Microsoft SQL Server database, in an LDAP directory, or in any other directory that has an ASP.NET 2.0 membership provider. Although Windows SharePoint Services 3.0 does not provide any default membership providers, Office SharePoint Server 2007 does provide a built-in LDAP v3 membership and role provider, and ASP.NET 2.0 includes a SQL Server membership and role provider. If you want to use a directory and cannot find a membership provider for it, you can write your own. This is a key technology enabler for heterogeneous environments. More here: http://msdn.microsoft.com/en-us/library/office/hh394901(v=office.14).aspx
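A hardened registration of the ASP.NET SQL Server membership and role providers mentioned above, as an added example that is not part of the original post; the provider names, connection-string name, server and database names are assumptions, and the ASP.NET membership schema (created with aspnet_regsql) is assumed to already exist in that database:

```xml
<!-- Added example, not from the original post: provider entries for the web.config of the
     SharePoint web application that serves the FBA zone. "FBAMembershipProvider",
     "FBARoleProvider", "FBASqlConnection", SQLHOST and FBAUsers are constructed placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Integrated Security avoids embedding a SQL password in web.config -->
    <add name="FBASqlConnection"
         connectionString="Server=SQLHOST;Database=FBAUsers;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Leave SharePoint's own defaultProvider as it is; only add the extra provider -->
    <membership>
      <providers>
        <add name="FBAMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBASqlConnection"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
        <!-- passwordFormat="Hashed" means stored passwords cannot be recovered, so
             enablePasswordRetrieval must be false and the Password Recovery web part
             works by reset; 5 failed attempts within 10 minutes locks the account -->
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="FBARoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FBASqlConnection"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

With claims-based authentication in SharePoint 2010, the same provider entries also have to be present in the web.config of Central Administration and of the SecurityTokenServiceApplication, otherwise user lookup in the people picker and token issuance fail.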


Steps in the Authentication Process

  1. The client requests a SharePoint resource.
  2. As part of the request pipeline, if the request is not authenticated, the authentication components route the request based on the authentication settings for that zone.
  3. The request is then processed by the authentication components. When more than one authentication method is configured for the given zone, the authentication selection page enables the user to choose the authentication method. If only one authentication method is specified, the request is processed directly by the specified authentication method.
  4. The user is authenticated by the identity provider.
  5. If authentication succeeds, the SharePoint security token service (STS) generates a claims-based token for the user with the information provided by the identity provider. If additional claims providers are configured, the STS augments the user's token with the claims given by the claims provider.
  6. The claims-based token of the user is sent back to the authentication components.
  7. The authentication components redirect the request back to the resource address, with the claims-based token issued for the user.
  8. The rest of the request pipeline is executed and a response is sent back to the requestor (client). As part of the request pipeline, the authorization is completed.


The configuration and management pages can be opened from the Site Settings page:


Select 'FBA Site Configuration' to open the configuration page:


Enable Roles: Allows users to be assigned Membership Roles instead of SharePoint Groups on the User Management page.
Review Membership Requests: Specifies whether new user requests should be granted automatically or reviewed by an administrator.
Membership Review Site URLs: URLs for pages that can be used in the email templates.
Membership Email: The XSLT email templates to use.

Note that these items can only be seen and used by site collection administrators.

Add the web parts to pages

There are three highly customizable web parts available: Membership Request, Change Password and Password Recovery. They must be manually added to the page you'd like to use them on:

Change Password (web part screenshot not reproduced here).

Membership Request (web part screenshot not reproduced here).

Password Recovery (web part screenshot not reproduced here).

Changing your Password

A Change Password item has been added to the user menu that will bring the user to a Change Password page:

Reviewing Membership Requests

If "Review Membership Requests" was selected on the configuration page, new registered users will appear in the Membership Request Management page before being enabled on the site. Each user can be edited, and their status changed to either Approved or Rejected. The user will be sent an email with the new status of their account request.



Managing Users

Users can be created, deleted and edited and their passwords reset from the FBA User Management page:


Managing Roles

Roles can be created and deleted from the FBA Roles Management page:
