This project is further maintained at the Ventigrate Codeplex Repository (http://ventigrate.codeplex.com).
Please go there to get the latest news or for any questions regarding this topic.
Page was cross-posted to this blog on 09/30/2011.
External User Management
The External User Management solution allows for easy management of users and groups for a SharePoint 2010 environment configured for Forms Based Authentication (FBA), handled by Claims Based Authentication (CBA). It contains management pages for Site Collection Administrators to:
User Management tasks
- Add users
- Edit a user (edit details, password or role membership)
- Unlock a user
- Delete a user
Role Management tasks
Prerequisites
Log4Net is a highly flexible and configurable logging mechanism and is used by this solution. It is included in the Deployment Package and can be installed as a SharePoint Solution Package (.wsp) using STSADM or PowerShell:
STSADM -o addsolution -filename Log4Net.v1.2.10.wsp
STSADM -o deploysolution -name Log4Net.v1.2.10.wsp -allowgacdeployment -immediate
Installation
Add and deploy the SharePoint Solution Package (.wsp) using STSADM or PowerShell:
STSADM -o addsolution -filename Ventigrate.Shared.ExternalMembership.wsp
STSADM -o deploysolution -name Ventigrate.Shared.ExternalMembership.wsp -allowgacdeployment -immediate
Add an internal Alternate Access Mapping "http://extranet" for the Zone on the Web Application that has the Membership and Role Provider (Claims) configured in its web.config. This is the key to getting the administration pages to connect to the correct provider.
Activate the Site Collection Feature to make a link to the management pages appear in Site Collection Administration.
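The prerequisite, installation and configuration steps above, carried out with the SharePoint 2010 PowerShell cmdlets instead of STSADM. This is an added example and not part of the original page or the Ventigrate project; the package folder, the web application URL, the zone, the site collection URL and the feature identifier are placeholders you must adapt to your own farm (the page does not state the feature's name or GUID).

```powershell
# Added example (not part of the original page or the Ventigrate project):
# the same deployment steps using the SharePoint 2010 PowerShell cmdlets.
# Run in an elevated SharePoint 2010 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Assumptions (placeholders): adapt these to your farm ---
$packageDir = "C:\Deploy"                        # folder holding the .wsp files from the Deployment Package
$webAppUrl  = "http://intranet"                  # web application whose web.config holds the Membership/Role providers
$zone       = "Default"                          # zone of that web application that is configured for FBA/Claims
$featureId  = "<ExternalMembership-site-collection-feature>"  # placeholder: feature name or GUID from the package
$siteUrl    = "http://intranet/sites/extranet"   # site collection whose administration should show the link

# Prerequisite: Log4Net (equivalent of "stsadm -o addsolution" / "-o deploysolution -allowgacdeployment")
Add-SPSolution -LiteralPath (Join-Path $packageDir "Log4Net.v1.2.10.wsp")
Install-SPSolution -Identity "Log4Net.v1.2.10.wsp" -GACDeployment

# The External User Management solution itself
Add-SPSolution -LiteralPath (Join-Path $packageDir "Ventigrate.Shared.ExternalMembership.wsp")
Install-SPSolution -Identity "Ventigrate.Shared.ExternalMembership.wsp" -GACDeployment

# Install-SPSolution schedules a timer job; wait until both packages report Deployed before continuing
foreach ($name in "Log4Net.v1.2.10.wsp", "Ventigrate.Shared.ExternalMembership.wsp") {
    while (-not (Get-SPSolution -Identity $name).Deployed) { Start-Sleep -Seconds 5 }
}

# Internal Alternate Access Mapping "http://extranet" on the zone that carries the providers
New-SPAlternateURL -Url "http://extranet" -WebApplication $webAppUrl -Zone $zone -Internal

# Activate the Site Collection feature so the management link appears in Site Collection Administration
Enable-SPFeature -Identity $featureId -Url $siteUrl

# Verify the mapping landed on the intended zone
Get-SPAlternateURL -WebApplication $webAppUrl | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize
```

If `Install-SPSolution` reports that a package contains web-application-scoped resources, deploy it to the relevant web application with `-WebApplication $webAppUrl` (or `-AllWebApplications`) instead of farm-wide; the STSADM lines on this page deploy farm-wide, so that should not be needed for these two packages.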
FAQ
Q. Will this solution work on SharePoint 2007?
A. No, there are certain features that make it work only in SharePoint 2010. But there are similar projects for doing FBA User Management in SharePoint 2007 on CodePlex (CKS http://cks.codeplex.com/).
Q. I don't use a Role Provider, or my Membership Provider doesn't allow certain tasks such as Password Change. Can I use this?
A. It will probably run into issues, since this code wasn't designed to handle every possible Membership or Role Provider configuration. Feel free to provide improvements through the Discussion Boards http://ventigrate.codeplex.com/discussions.
Q. Will the Advanced Computed Field still work if I migrate from SharePoint 2007 to SharePoint 2010?
A. Definitely, but you'll need to upgrade the SharePoint 2007 solution package to the SharePoint 2010 version. Either retract and delete the SharePoint 2007 package prior to deploying the SharePoint 2010 package, or do an upgrade to the new solution. Make sure to run IISRESET afterwards!
Q. Other questions?
A. No problem. Ask them in the Discussion Boards http://ventigrate.codeplex.com/discussions.
In both SharePoint 2007 and SharePoint 2010, policies can be defined that grant or deny permissions to specific users at the Web Application level. Such a policy overrides any permissions the user may or may not have at the Site Collection, Site, List or Item level.
For example: the Search Crawl Account (Content Access Account) is given Full Read on all Web Applications to ensure all content is indexed.
When defining such a policy, you have the option to check “Account operates as System”. This effectively hides the real user name and displays “System Account” in its place.
Only for Windows Accounts
During experiments with Forms Based Authentication (in SharePoint 2010 through Claims Based Authentication), I found that while it is possible to give policy permissions to a non-Windows User, it is not possible to make it “operate as System”.
The SharePoint Logs confirmed that the underlying mechanism is really looking at Windows User Account Management to perform the lookup:
System.ComponentModel.Win32Exception: i:0#.f|fbamembershipprovider|demouser1 at Microsoft.SharePoint.Win32.SPAdvApi32.LookupAccountName(String strAccountName, String& strDomainName, SID_NAME_USE& sidUse) at Microsoft.SharePoint.Administration.SPPolicy.set_IsSystemUser(Boolean value)
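Because a policy that “operates as System” hides the real account behind “System Account”, and because the setting silently fails for non-Windows (FBA/claims) accounts as shown above, it is worth auditing which Web Application policies exist and which of them are masked. The following script is an added example, not part of the original post; it uses only the standard SharePoint 2010 cmdlets and the `Policies` collection of each web application, and classifies identities by their claims prefix (`i:0#.w|` for Windows accounts, `i:0#.f|` for forms accounts, as in the log line above; classic-mode web applications store Windows accounts as `DOMAIN\user`).

```powershell
# Added example (not part of the original post): audit Web Application policies farm-wide and report
# which identities are masked as "System Account" (IsSystemUser) and which are non-Windows accounts,
# for which "Account operates as System" cannot be set.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-IdentityKind {
    param([string]$UserName)
    # Claims-encoded identities start with "i:"; "i:0#.w|" is a Windows account, "i:0#.f|" a forms (FBA) account.
    # Classic-mode web applications store Windows accounts as DOMAIN\user.
    if ($UserName -like 'i:0#.w|*')              { return 'Windows (claims)' }
    if ($UserName -like 'i:0#.f|*')              { return 'Forms (FBA)' }
    if ($UserName -like 'i:*')                   { return 'Other claims' }
    if ($UserName -match '^[^\\]+\\[^\\]+$')     { return 'Windows (classic)' }
    return 'Unknown'
}

# Build one row per policy; New-Object PSObject keeps this compatible with PowerShell 2.0 (SharePoint 2010 era)
$report = foreach ($webApp in Get-SPWebApplication) {
    foreach ($policy in $webApp.Policies) {
        New-Object PSObject -Property @{
            WebApplication   = $webApp.Url
            UserName         = $policy.UserName
            DisplayName      = $policy.DisplayName
            IdentityKind     = Get-IdentityKind $policy.UserName
            OperatesAsSystem = $policy.IsSystemUser
            Roles            = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

"Policies masked as 'System Account' (activity by these accounts is not attributable in the UI):"
$report | Where-Object { $_.OperatesAsSystem } |
    Format-Table WebApplication, UserName, IdentityKind, Roles -AutoSize

"Policies for non-Windows accounts (cannot operate as System; see the Win32Exception above):"
$report | Where-Object { $_.IdentityKind -notlike 'Windows*' } |
    Format-Table WebApplication, UserName, IdentityKind, OperatesAsSystem, Roles -AutoSize
```

Run it from the SharePoint 2010 Management Shell as a farm administrator. The first table is the list to keep short and known, since anything those accounts do is logged and displayed as “System Account”; the second table shows the FBA identities for which the checkbox will not take effect, so their activity remains attributable to the real user name.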