Tuesday, May 10, 2011

SharePoint FBA user administration (Forms Based Authentication)

We had a strange error where a user couldn't log on using FBA. It turned out that the account was locked out, however it started a voyage of discovery into the murky world of FBA in SharePoint.

To add an FBA user we use the + _layouts/vCreateUser.aspx page, which works out fine; however, with FBA it was not obvious how an administrator can either reset a user's password or delete a user.

Using IIS7, lots of documents say you can edit the list of users by opening the .Net Users feature in the IIS7 admin console. However, you get either an error saying the "default provider is not a trusted provider", or a timeout error saying it cannot connect to the SQL database because of a network or instance-specific error!

It turns out you need to set the Default Provider in .Net Users to the SharePoint SQLRoleProvider after it's given you an error saying it can't connect. If you manage to get that and your IIS Connection Strings all tidied up, then you have a small chance of all the users appearing when you open the .Net Users feature.

When you get there you can either delete the user or change its email address, but not a lot more - EXCEPT, that is, to UNLOCK the account.

It turns out that in the web.config file there are a number of settings which handle the account lockout policies for the entry of incorrect passwords. A good MSDN link for more info on this is here - however even setting these and doing an iisreset and a reboot doesn't seem to want to change the settings for me, so I'll keep digging.
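For reference, the lockout-related attributes on a `SqlMembershipProvider` entry look like this. This is an added example, not taken from the original post or the linked MSDN page; the provider name, connection string name and `applicationName` are placeholders to be replaced with the values already in your own web.config.

```xml
<!-- Added example: membership provider entry with the lockout attributes.
     "FBAMembershipProvider", "FBAConnectionString" and applicationName="/"
     are placeholders (assumptions), not values from the original post. -->
<system.web>
  <membership>
    <providers>
      <!-- maxInvalidPasswordAttempts: failed logons allowed before the
           account is locked out (provider default is 5).
           passwordAttemptWindow: window, in minutes, in which those
           failures are counted (provider default is 10).
           SqlMembershipProvider does not unlock accounts automatically
           once the window has passed; an administrator has to unlock
           the user, for example through the .Net Users feature. -->
      <add name="FBAMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="FBAConnectionString"
           applicationName="/"
           passwordFormat="Hashed"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           minRequiredPasswordLength="8"
           minRequiredNonalphanumericCharacters="1"
           maxInvalidPasswordAttempts="5"
           passwordAttemptWindow="10" />
    </providers>
  </membership>
</system.web>
```

Each application reads only its own web.config, so the entry has to match in every file that defines the provider. In SharePoint 2010 claims-mode FBA that includes the Central Administration and Security Token Service web.config files as well as the web application's.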

Another useful link on how to set up IIS7 for SharePoint FBA is here.

SharePoint's link to FBA seems such a kludge, and without proper user management tools it is not something that can be sensibly rolled out. Once again, such a good idea, not quite finished but still rolled out by Microsoft.