posted on June 26, 2006 3:43 PM by Kurt
Couldn't find user error for Forms Authentication
(This is the first post in a series on Forms Authentication in SharePoint 2007. I announced this series a little while ago over here)
One of the main problems I was having with SharePoint Forms Authentication was getting it to recognize and list users from my new authentication provider. Once you switch authentication providers, you have to manually add the first authenticated user to SharePoint from the Central Administration. The reason for this is quite simple: the normal administrator credentials you used before won't be recognized under the new provider - so you have no way to log into the site under the new provider.
But what I found, after going to "Policy for Web Application" (the page where you manually add the first authenticated user), was that Central Administration can't list or recognize your new user names. Being new to the ASP.NET provider model, I assumed I simply had the database set up incorrectly - not so. I just missed one essential step: you must add the provider settings to BOTH the Web Application web.config and the Central Administration web.config. I can't stress this last part enough. If you don't add the provider settings to the central admin, you won't be able to access the new credentials store, and thus won't be able to add users.
Sounds pretty intuitive once you think about it (how else would Central Administration know about the new provider?), and indeed SharePoint gives a warning about this (albeit a small one) on the left-hand side when setting the provider on the Authentication Providers page:
The membership provider must be correctly configured in the web.config file for the IIS Web site that hosts SharePoint content on each Web server. It must also be added to the web.config file for IIS site that hosts Central Administration. [Emphasis mine]
But to first-time users of Forms Authentication in SharePoint (which we all are), this is a little counter-intuitive. We kinda assume that adding the provider details for the individual Web Application is enough. And indeed, I think the central admin web.config will become bloated with providers from every site that it's managing. All in all, I think it's a poor choice to rely on the central admin web.config and not use the web.config of the individual sites, but I am sure there are specific reasons why MS chose this model.
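A quick way to catch the missing step before you hit the "couldn't find user" error is to diff the two web.config files. The script below is an added example, not code from the original post. It goes slightly beyond the membership provider by also checking role providers and the connection strings the providers reference. The two sample configs and every name in them (FbaMembers, FbaRoles, FbaDb, SQL01) are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; provider, server and database names are placeholders.
WEB_APP_CONFIG = """<configuration>
  <connectionStrings>
    <add name="FbaDb" connectionString="Data Source=SQL01;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="FbaMembers"><providers>
      <add name="FbaMembers" type="System.Web.Security.SqlMembershipProvider" connectionStringName="FbaDb" />
    </providers></membership>
    <roleManager enabled="true" defaultProvider="FbaRoles"><providers>
      <add name="FbaRoles" type="System.Web.Security.SqlRoleProvider" connectionStringName="FbaDb" />
    </providers></roleManager>
  </system.web>
</configuration>"""

# Central Administration copy: membership provider added, the rest forgotten.
CENTRAL_ADMIN_CONFIG = """<configuration>
  <system.web>
    <membership><providers>
      <add name="FbaMembers" type="System.Web.Security.SqlMembershipProvider" connectionStringName="FbaDb" />
    </providers></membership>
  </system.web>
</configuration>"""

def providers(root):
    """Map (section, provider name) -> connectionStringName for both provider kinds."""
    found = {}
    for section in ("membership", "roleManager"):
        for add in root.findall(f"system.web/{section}/providers/add"):
            found[(section, add.get("name"))] = add.get("connectionStringName")
    return found

def missing_in_central_admin(web_app_xml, central_admin_xml):
    """List what the web application defines but Central Administration lacks."""
    web, ca = ET.fromstring(web_app_xml), ET.fromstring(central_admin_xml)
    ca_providers = providers(ca)
    ca_conns = {a.get("name") for a in ca.findall("connectionStrings/add")}
    problems = []
    for (section, name), conn in sorted(providers(web).items()):
        if (section, name) not in ca_providers:
            problems.append(f"{section} provider '{name}' not defined")
        elif conn and conn not in ca_conns:
            problems.append(f"connection string '{conn}' for '{name}' not defined")
    return problems

if __name__ == "__main__":
    for problem in missing_in_central_admin(WEB_APP_CONFIG, CENTRAL_ADMIN_CONFIG):
        print("Central Administration web.config:", problem)
```

To run it against a real farm, read the two web.config files from disk and pass their contents in place of the sample strings.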
I think I'll file this under "things you'll probably run into if you're doing SharePoint Forms Auth." Next up in this series, the infamous "File Not Found" exception you will probably run into if you do Forms Authentication enough.