Wednesday, January 7, 2009

Installation Procedure for WSS (Windows SharePoint Services)

Setting up Dual Authentication on Windows SharePoint Services 3.0 (Forms and NTLM)

A client has just asked me to help them set up a WSS server that will be hosted on the Internet. They want to create a membership-based portal, so I suggested they use the ASP.NET membership system and that I would demonstrate a prototype. The second objective was that their internal users, who log on to the domain, also need to access the same site using their domain accounts; this can be achieved in SharePoint by using zones. I chose a forms-based authentication (FBA) mechanism, but you could use any other.

In a production environment I would configure both authentication mechanisms, even on a machine that is primarily Internet/Extranet facing and even if it is using the local directory services. This gives you a back door for managing the site should you have problems with the forms authentication mechanism (or anything else).

I searched the web and found many articles on Forms Authentication for WSS and MOSS, but many of them were incomplete, and after several attempts at combining their solutions I managed to get it working. I hope this helps you out.

Goal
  1. Internet users log on to a membership database using forms-based authentication (FBA).
  2. Internal users log on to the domain.*
  3. The SharePoint site is not duplicated for internal and external users; they share the same site and resources.

* Note: if you do not want to use a domain, you can log on to the local machine's directory services.

Now I will discuss an easy but vital point. First, I will create a web application for the public-facing site; when the web application is created I will use host headers to indicate the site name, which leaves us with a default zone. Then the internal site will be added by extending the web application with a different host header.

Create a web application; at this point I created a standard NTLM site and did not configure anything else.

My test configuration network

The basic software and operating systems

  • Windows Server 2003 R2 Service Pack 2, installed as a member in a test domain
  • SQL Server 2005 Developer Edition
  • Internet Information Server
  • Windows SharePoint Services 3.0 installed as Farm (with one machine)
  • WSS 3.0 SP1

Service accounts (GROUNDING is the domain)

  • GROUNDING\Service_SQL
  • GROUNDING\Service_OSS_DB
  • GROUNDING\Service_OSS_AppPool

Summary of the process

This is quite a lengthy and very sensitive process: one small error and you will have hours of troubleshooting. I presume that the basic operating system and SharePoint have already been set up.
  1. Create the Service Accounts.
  2. Install SQL and SharePoint.
  3. Install ASP.NET SQL Membership and Role databases.
  4. Create a few roles and user accounts.
  5. Setup DNS Name Resolution.
  6. Provision a Web Application for the Public Facing Site.
  7. Provision a Site Collection and Root Site.
  8. Extend the web application for internal users.
  9. Give rights to Service accounts in Membership database.
  10. Test both sites by viewing them.
  11. Configure the public site to use the membership provider.
  12. Configure the Central administration site and internal site to use the membership provider.
  13. Reset IIS
  14. Give Site Collection administrative rights to the admin user.
  15. Test

Step 1 - Create the Service Accounts

You will need to create the following service accounts in your domain:

  • Service_SQL. The account the SQL Server service will run under.
  • Service_OSS_DB. The account SharePoint will use for the configuration database.
  • Service_OSS_AppPool. The account used for the application pool of the site. (I used one account for both zones.)

Step 2 - Install SQL and SharePoint

I am not going to walk you through this; you should be able to do it yourself. Neil has a blog post on how to install SharePoint.

  1. Install SQL Server. In my test lab I used the account Service_SQL for the SQL Server service accounts and installed the database engine only.
  2. Install SharePoint.
  3. Create a farm with a single server; I really do not like working with SQL Server Embedded Edition (SSEE). During the install steps I created the necessary configuration databases and used the service account Service_OSS_DB.
  4. Install any service packs and hotfixes. Since SharePoint Service Pack 1 is out, install it.

Step 3 - Install ASP.NET SQL Membership and Role databases

In this step I will go through the process of installing the standard ASP.NET SQL Membership database. This is the easiest option for now; in future you could write your own membership and role providers using the .NET Framework and some serious C# code. Also, this lab uses the SQL provider, but other membership providers are available for you to use.

  1. Execute the following program:
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
  2. The ASP.NET SQL Server Setup Wizard will display.
  3. Click the Next> button.
  4. Choose the Configure SQL Server for application services option.
  5. Click the Next> button.
  6. In the Server textbox, type in SERVERNAME (the name of your SQL server).
  7. Set the Authentication method to SQL Server Authentication, or change it if yours is different.
  8. Type in the name of the database (existing or new) for the membership system.
    In this example I chose to create a database called SharePoint_Membership.
  9. Click the Next> button.
  10. Review the confirmation page and click the Next> button.
  11. The install takes a few seconds to run, then the confirmation step is displayed.
  12. Click the Finish> button.

Step 4 - Create a few roles and user accounts

There are various ways to do this, and some pretty easy ones if you have Visual Studio installed. However, I am going to do this by running a SQL script. In this step I am going to create the users and roles listed below. An important lesson is that the membership database you created can be used by many different applications: each application can have its own roles, users and members, uniquely separated by an "application name".

Important. When using membership you must consistently use the same "application name" when configuring the users, roles, web.config files and any other configuration that membership is involved in. My application will use an application name called SharePoint_Membership.

Users

  • Admin
  • TestMember1
  • TestMember2

Roles

  • Administrators
  • Members

Role / User

  • Admin -> Administrators, Members
  • TestMember1 -> Members
  • TestMember2 -> Members

  1. Open SQL Server Management Studio and connect to the membership database
  2. Copy the script below, and make any changes you wish

USE SharePoint_Membership
GO

-- -----------------------------------------
-- Create Roles (scoped to the application name 'SharePoint_Membership')
EXECUTE [dbo].[aspnet_Roles_CreateRole] 'SharePoint_Membership', 'Administrators'
EXECUTE [dbo].[aspnet_Roles_CreateRole] 'SharePoint_Membership', 'Members'

-- -----------------------------------------
-- Create Users
-- Parameters, in order: application name, user name, password, password salt,
-- e-mail, password question, password answer, is approved, current time (UTC),
-- create date, unique e-mail flag, password format (0 = clear text; the
-- provider stores the format per user), user id (output; null lets the
-- procedure generate one)
DECLARE @now datetime
SET @now = GETUTCDATE()   -- the procedures expect UTC

EXECUTE [dbo].[aspnet_Membership_CreateUser]
    'SharePoint_Membership', 'Admin', 'Pa$$w0rd', '', 'admin@grounding.co.za',
    '', '', 1, @now, @now, 0, 0, null

EXECUTE [dbo].[aspnet_Membership_CreateUser]
    'SharePoint_Membership', 'TestMember1', 'Pa$$w0rd', '', 'testmember1@grounding.co.za',
    '', '', 1, @now, @now, 0, 0, null

EXECUTE [dbo].[aspnet_Membership_CreateUser]
    'SharePoint_Membership', 'TestMember2', 'Pa$$w0rd', '', 'testmember2@grounding.co.za',
    '', '', 1, @now, @now, 0, 0, null

-- -----------------------------------------
-- Add Members to Roles
-- Parameters: application name, comma-separated user names, comma-separated
-- role names, current time (UTC). Admin goes into both roles, as in the
-- Role / User list above.
EXECUTE [dbo].[aspnet_UsersInRoles_AddUsersToRoles] 'SharePoint_Membership', 'Admin', 'Administrators,Members', @now
EXECUTE [dbo].[aspnet_UsersInRoles_AddUsersToRoles] 'SharePoint_Membership', 'TestMember1', 'Members', @now
EXECUTE [dbo].[aspnet_UsersInRoles_AddUsersToRoles] 'SharePoint_Membership', 'TestMember2', 'Members', @now
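To confirm that the script created what you intended, and to see the application-name scoping in action, here is an added verification query (example code, not part of the original post). It assumes only the standard aspnet_* tables that aspnet_regsql.exe installed in Step 3 and the application name and user names used above.

```sql
-- Added example (not from the original post): verify what Step 4 created,
-- scoped to a single application name. Tables and columns are the standard
-- ASP.NET membership schema installed by aspnet_regsql.exe.
USE SharePoint_Membership
GO

DECLARE @app nvarchar(256)
SET @app = 'SharePoint_Membership'

-- 1. Roles defined for this application name only. Another application
--    sharing the same database would have its own, separate rows.
SELECT r.RoleName
FROM dbo.aspnet_Roles r
JOIN dbo.aspnet_Applications a ON a.ApplicationId = r.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@app)
ORDER BY r.RoleName

-- 2. User -> role matrix, plus the membership state that decides whether
--    the provider will let the account log on at all (IsApproved, IsLockedOut).
SELECT u.UserName,
       m.Email,
       m.IsApproved,
       m.IsLockedOut,
       m.PasswordFormat,          -- 0 = Clear, 1 = Hashed, 2 = Encrypted
       STUFF(( SELECT ', ' + r2.RoleName
               FROM dbo.aspnet_UsersInRoles ur2
               JOIN dbo.aspnet_Roles r2 ON r2.RoleId = ur2.RoleId
               WHERE ur2.UserId = u.UserId
               ORDER BY r2.RoleName
               FOR XML PATH('') ), 1, 2, '') AS Roles
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Membership m ON m.UserId = u.UserId
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@app)
ORDER BY u.UserName

-- 3. Users that exist but hold no role: they will authenticate and then
--    land on an access-denied page until they are granted rights in SharePoint.
SELECT u.UserName
FROM dbo.aspnet_Users u
JOIN dbo.aspnet_Applications a ON a.ApplicationId = u.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@app)
  AND NOT EXISTS (SELECT 1 FROM dbo.aspnet_UsersInRoles ur WHERE ur.UserId = u.UserId)
```

If the first query comes back empty, the application name in the script does not match the one you will later put in web.config, which is exactly the mistake the "Important" note above warns about. The PasswordFormat column also shows that the script above stored clear-text passwords (format 0), whatever passwordFormat the provider is configured with later.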

Step 5 - Setup DNS Name Resolution

The next step is to ensure that name resolution works for your internal network as well as your public network. Ensure that you can ping both server names. If you are just playing around on a virtual machine and not on a "real" network, you can cheat by editing the hosts file in the C:\WINDOWS\system32\drivers\etc\ directory.

Important. This is a quick cheat; you should make sure that DNS is properly configured in your production environment for both the internal and external networks.

  1. Click Run from the Start Menu
  2. Run the following:
    notepad c:\WINDOWS\system32\drivers\etc\hosts
  3. The hosts file will appear; add the following two lines (or the addresses you chose)
    127.0.0.1 www.grounding.co.za
    127.0.0.1 portal.grounding.local
  4. Save the file (File, Save).
  5. Exit Notepad

Step 6 - Provision a Web Application for the Public Facing Site

The first step is to provision the public web site in SharePoint. This post is not a tutorial on provisioning, but there are a few important steps to go through.

  1. Open the Central Administration Web Site in your browser.
  2. Click on the Application Management tab.
  3. Click the Create or extend Web application link.
  4. Click the Create a new Web application link.
  5. Choose Create a new IIS web site, and give it an appropriate name.
  6. Change the port (if needed).
  7. Important. In the Host Header textbox, type in the name of the URL that users will use to connect to the site. It is important that users can resolve the name.
    Take note of the path!
  8. In the Load Balancing URL, remove :80.
    Take note that this is the "Default" zone.
  9. Configure the application pool to use.
    In my lab, I created a new application pool using the service account Service_OSS_AppPool.
  10. Configure the content database.
  11. Check your settings and click the OK button.

Your web application is provisioned

Step 7 - Provision a Site Collection and Root Site

What is the point of a web application without a site? Provision yourself a site collection.

Step 8 - Extend the web application for internal users

You should now have the public-facing site up, albeit using NTLM for authentication. The next step is to extend the web application for internal users.

  1. Open the Central Administration Web Site in your browser.
  2. Click on the Application Management tab.
  3. Click the Create or extend Web application link.
  4. Click the Extend an existing Web application link.
  5. Change the Web Application to the public-facing web application created two steps ago by clicking on the drop-down list.
  6. For the IIS Site, choose to create a new IIS web site and give it an appropriate name for the internal web site.
  7. Change the port if needed for the internal site; I left mine at 80.
  8. Important. In the Host Header textbox, type in the name of the URL that internal users will use to connect to the site. It is important that users can resolve the name.
  9. In the load balancing URL, remove the :80.
  10. Change the load balancing zone to Intranet.
  11. Check your settings and click on Ok.

The extended web application will be provisioned.

Step 9 - Give rights to Service accounts in Membership database

The Central Administration site and the web application for your site run under different service accounts. You will have to log on to SQL Server and give both of them rights in the SharePoint_Membership database. This step is vital; if you do not follow it you will get an "Unknown Error" when connecting to the site, pretty descriptive.

Basically, in SQL add the users GROUNDING\Service_OSS_DB and GROUNDING\Service_OSS_AppPool to the SharePoint_Membership database and add them to the aspnet_Membership_FullAccess and aspnet_Roles_FullAccess roles.

  1. Log on to SQL Server Management Studio
  2. Connect to your (local) server, or wherever the server resides.
  3. Expand the SharePoint_Membership database
  4. Expand Security
  5. Right-click Users, and choose New User...
  6. Add the GROUNDING\Service_OSS_DB account
  7. Give it the aspnet_Membership_FullAccess role
    (Careful now, not schema owner!)
  8. Give it the aspnet_Roles_FullAccess role
    (Careful now, not schema owner!)
  9. Give the user a name and save it.
  10. Do it again for the GROUNDING\Service_OSS_AppPool user account.

It is important that all application pool and service accounts used by SharePoint have access to the membership database; if you have an SSP, it needs access too for security authorisation.
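The same grants expressed as T-SQL, as an added example that is not from the original post; it assumes the lab account names above and the aspnet_* database roles that aspnet_regsql.exe creates. Scripting the step makes it repeatable on every SQL instance the farm uses, and the final query confirms afterwards that the accounts hold only the two provider roles, rather than db_owner or schema ownership.

```sql
-- Added example (not from the original post): the Step 9 grants in T-SQL.
-- Account names are the post's lab accounts; replace them with your own.
USE SharePoint_Membership
GO

-- Server-level logins for the two Windows service accounts (skipped if they
-- already exist; SQL Server names Windows logins DOMAIN\account).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'GROUNDING\Service_OSS_DB')
    CREATE LOGIN [GROUNDING\Service_OSS_DB] FROM WINDOWS
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'GROUNDING\Service_OSS_AppPool')
    CREATE LOGIN [GROUNDING\Service_OSS_AppPool] FROM WINDOWS
GO

-- Database users mapped to those logins.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'GROUNDING\Service_OSS_DB')
    CREATE USER [GROUNDING\Service_OSS_DB] FOR LOGIN [GROUNDING\Service_OSS_DB]
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'GROUNDING\Service_OSS_AppPool')
    CREATE USER [GROUNDING\Service_OSS_AppPool] FOR LOGIN [GROUNDING\Service_OSS_AppPool]
GO

-- Only the two provider roles: FullAccess is what SqlMembershipProvider and
-- SqlRoleProvider need to validate users and look up roles. Not db_owner,
-- and not schema ownership, as the post warns.
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', 'GROUNDING\Service_OSS_DB'
EXEC sp_addrolemember 'aspnet_Roles_FullAccess',      'GROUNDING\Service_OSS_DB'
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', 'GROUNDING\Service_OSS_AppPool'
EXEC sp_addrolemember 'aspnet_Roles_FullAccess',      'GROUNDING\Service_OSS_AppPool'
GO

-- Review: list each service account's role membership in this database and
-- flag anything broader than the two roles granted above.
SELECT m.name AS DbUser,
       r.name AS DbRole,
       CASE WHEN r.name IN ('aspnet_Membership_FullAccess', 'aspnet_Roles_FullAccess')
            THEN 'expected'
            ELSE 'REVIEW: wider than the provider needs' END AS Assessment
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN ('GROUNDING\Service_OSS_DB', 'GROUNDING\Service_OSS_AppPool')
ORDER BY m.name, r.name
```

Run the review query again whenever someone "fixes" an Unknown Error by widening permissions; any row marked REVIEW means the application pool identity now has more reach into the membership database than forms authentication requires.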

Step 10 - Test both sites by viewing them

Just to make sure you are on the right track and have not broken anything, test viewing the site using both the internal and external URLs.

  1. Open a browser
  2. Navigate to http://www.grounding.co.za (or yours) to view the public site.
  3. Log on with your standard Windows account (for now)
  4. Confirm that the site appears.
  5. Navigate to http://portal.grounding.local (or yours) to view the internal site.
  6. Log on with your standard Windows account
  7. Confirm that the same site appears as in step 4.

Step 11 - Configure the public site to use the membership provider

This is the tricky part, so pay careful attention or you will have a nightmare resolving any bugs. In this section we edit the web.config file to enable membership. This is a bit of a butcher job on the web.config, as you should really be provisioning it properly, but it works. Be careful if you have multiple servers in the farm, as this will need to be done on every server. (Perhaps one day I will write a blog post on how to do this properly.)

  1. Determine the folder of the public web site; mine is
    C:\Inetpub\wwwroot\wss\VirtualDirectories\www.grounding.co.za80
    (If you did not make a note of the path, open IIS Manager and view the properties of the web site. It is on the Home Directory tab.)
  2. Open the folder in Windows Explorer.
  3. Make a backup of the web.config file!
    (You may be really, really sorry if you don't.)
  4. Edit the web.config file.
  5. Under the configSections element, place a connectionStrings element (code below) with the connection string details of the membership database.

    NB: Change the Data Source to your SQL server.

    <connectionStrings>
      <remove name="AspNetMembershipConnectionString"/>
      <add name="AspNetMembershipConnectionString"
           connectionString="Data Source=SERVERNAME;Initial Catalog=SharePoint_Membership;Integrated Security=SSPI" />
    </connectionStrings>
  6. In the element, normally under the child element, place the following XML
    <membership defaultProvider="AspNetMembershipProvider">
      <providers>
        <remove name="AspNetMembershipProvider" />
        <add name="AspNetMembershipProvider"
             connectionStringName="AspNetMembershipConnectionString"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             applicationName="SharePoint_Membership"
             requiresUniqueEmail="false"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression=""
             type="System.Web.Security.SqlMembershipProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="AspNetRoleProvider">
      <providers>
        <remove name="AspNetRoleProvider" />
        <add name="AspNetRoleProvider"
             connectionStringName="AspNetMembershipConnectionString"
             applicationName="SharePoint_Membership"
             type="System.Web.Security.SqlRoleProvider,System.Web,Version=2.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

    Note that the type="..." attribute value must be on a single line in the file.

  7. Find the PeoplePickerWildcards element and change it to
    <PeoplePickerWildcards>
      <clear />
      <add key="AspNetMembershipProvider" value="%" />
      <add key="AspNetSqlMembershipProvider" value="%" />
    </PeoplePickerWildcards>

  8. Save the web.config file
  9. Open the Central Administration Web Site in your browser.
  10. Click on the Application Management tab.
  11. Click on the Authentication providers link.
  12. Click the Default Zone link.
  13. Change the Authentication Type to Forms.
  14. Type in the name of the Membership provider, AspNetMembershipProvider.
  15. Type in the name of the Role manager, AspNetRoleProvider.
  16. Click Ok.
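An added example (not from the original post) of what the maxInvalidPasswordAttempts and passwordAttemptWindow settings above do at the database level: the SQL provider tracks failed attempts per user in aspnet_Membership and sets IsLockedOut once the limit is reached inside the window, after which even the correct password is refused until the account is unlocked. The queries assume the standard aspnet_* schema and the application name used in this lab; the unlock call uses the provider's own aspnet_Membership_UnlockUser procedure against the lab user Admin.

```sql
-- Added example (not from the original post): see lockouts produced by
-- maxInvalidPasswordAttempts="5" / passwordAttemptWindow="10" in web.config,
-- and clear one. Schema is the standard one installed by aspnet_regsql.exe.
USE SharePoint_Membership
GO

DECLARE @app nvarchar(256)
SET @app = 'SharePoint_Membership'

-- 1. Accounts that are locked out, or accumulating failures inside the window.
--    Useful both for helpdesk calls and for noticing password guessing against
--    the public (forms) zone, which NTLM event logs will not show you.
SELECT u.UserName,
       m.IsLockedOut,
       m.LastLockoutDate,
       m.FailedPasswordAttemptCount,
       m.FailedPasswordAttemptWindowStart,
       m.LastLoginDate
FROM dbo.aspnet_Membership m
JOIN dbo.aspnet_Users u ON u.UserId = m.UserId
JOIN dbo.aspnet_Applications a ON a.ApplicationId = m.ApplicationId
WHERE a.LoweredApplicationName = LOWER(@app)
  AND (m.IsLockedOut = 1 OR m.FailedPasswordAttemptCount > 0)
ORDER BY m.IsLockedOut DESC, m.FailedPasswordAttemptCount DESC

-- 2. Unlock one account through the provider's own stored procedure (the same
--    call MembershipUser.UnlockUser() makes); it also resets the failure counters.
--    'Admin' is the lab user created in Step 4.
EXEC dbo.aspnet_Membership_UnlockUser @app, 'Admin'
```

Because the public zone is the only one the Internet can reach, a steady stream of rows in the first query against accounts that never log in successfully is worth a second look. Note also that minRequiredPasswordLength="1" above is a lab setting: the provider enforces it only when passwords are created or changed through the API, so the SQL script in Step 4 is not subject to it at all.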

Step 12 - Configure the Central administration site and internal site to use the membership provider

You would typically use the Central Administration site and the internal site (portal.grounding.local) to manage and configure the site; part of that management includes applying security to users. However, these two sites do not know about the membership database, so you will have to add the membership settings to their web.config files, but DO NOT change the authentication provider.

This is a necessary pain: in the Central Administration and internal sites you will be selecting users and applying security using the people picker. If you do not do this, you will get "No exact match was found." errors.

  1. Make a backup of the web.config files!
  2. Edit the web.config files exactly the same way as you did in Step 11 - Configure the public site to use the membership provider.
  3. There is only one difference in the web.config file: find the roleManager element and change the defaultProvider ONLY!
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">

Do this for both the Central Admin and internal sites.

Step 13 - Reset IIS

The easiest way is to restart the web server, though you may prefer to recycle the application pools.

  1. Run IISRESET /noforce

Step 14 - Give Site Collection administrative rights to the admin user

For the purposes of this lab I will make the membership user admin a Site Collection administrator. If you do not, and you log on to the public site (which currently does not allow anonymous access), you will get an error page. This error basically indicates that the user authenticated correctly but is not authorised to view the page.

  1. Open the Central Administration Web Site in your browser.
  2. Click on the Application Management tab.
  3. Click the Site collection administrators link.
  4. In the Secondary site collection administrator text box, type admin.
  5. Click the Check names button.
    The admin username should resolve and be underlined.
  6. Click Ok.

Step 15 - Test

  1. Open your browser, connect to the internal site and log on with an NTLM user account.
  2. Open your browser, connect to the public site and log on with the admin membership user.

Out of scope steps

  • Make your public site visible to anonymous users.
  • Give rights to other members.

Reference:

Grounding.co.za