Sharepoint 2016 配置FBA 编辑Web,config文件

Posted 2020-10-12

使FBA生效，下一步在Sharepoint中设置Membership Provider，一个Membership Provider是一个从程序到任证库（credential store)的接口。这样允许同一个程序工作在多种不同的存储认证。举例来说，可以使用LDAPMembership在Active Directory上认证或者SQLMembershipProvider在SQL Server上认证。这个例子使用的是Sql Server

Sharepoint上多个站点，Central Administration, Security Token Service 和所有创建的Web Application。每个Web Application都有需要知道membership provider。一种办法是去设置每一个Web.config，还有一种办法是配置machine.config。当machine.config被修改后，每一次创建的Web Application的Web.config从machine.config继承，这样就不用在每一次创建Web Applicaiton的时候修改Web.config。

修改任何.config文件前，备份一下。

进入目录 “C:\\Windows\\Microsoft.Net\\Framework64\\v4.0.30319\\Config”，备份然后打开machine.config。

在<ConnectionString> 节, 增加一行，Server需要改成实际的服务器名。

<add connectionString="Server=win-h472cerv001;Database=aspnetdb;Integrated Security=true" name="FBADB" />

 

在 <membership><providers> 节，增加一下配置

<add name="FBAMembershipProvider"
 type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
 connectionStringName="FBADB"
 enablePasswordRetrieval="false"
 enablePasswordReset="true"
 requiresQuestionAndAnswer="false"
 applicationName="/"
 requiresUniqueEmail="true"
 passwordFormat="Hashed"
 maxInvalidPasswordAttempts="5"
 minRequiredPasswordLength="7"
 minRequiredNonalphanumericCharacters="1"
 passwordAttemptWindow="10"
 passwordStrengthRegularExpression="" />

 

　可以自定义每个选项，最重要的是，如果多处的MembershipProvider使用同一个数据库，它们的配置必须相同。否则会出现各种问题，在创建用户时是一些配置，在用户登录时是另一些不同的配置。

Option	Description
connectionStringName	The name of the database connection to the aspnetdb database.
enablePasswordRetrieval	true/false. Whether the user’s password can be retrieved. I suggest setting this to false for security purposes.
enablePasswordReset	true/false. Whether the user can reset their password. I suggest setting this to true.
requiresQuestionAndAnswer	true/false. Whether accounts also have a question and answer associated with them. The answer must be provided when resetting the password. I suggest setting this to false, as setting it to true prevents an administrator from resetting the user’s password.
applicationName	Setting the application name allows you to share a single membership database with multiple different applications, with each having their own distinct set of users. The default applicationName is /.
requiresUniqueEmail	true/false. Determines if multiple users can share the same email address. I suggest setting this to false, in case you ever want to implement a login by email system.
passwordFormat	Clear, Hashed or Encrypted. Clear stores the password in the database as plain text, so anybody with access to the database can read the user’s password. Encrypted encrypts the user’s password, so although the password isn’t human readable in the database, it can still be decrypted and the user’s actual password retrieved. Hashed stores a one way hash of the password.  When a user authenticates, the password they enter is hashed as well and matched against the stored hashed value. Using this method, the user’s password can never be retrieved (even if your database is stolen), only reset.  I always recommend using “Hashed” as it is the most secure way of storing the user’s password.
maxInvalidPasswordAttempts	The number of times in a row that a user can enter an invalid password, within the passwordAttemptWindow, before the user’s account is locked out. Defaults to 5.
passwordAttemptWindow	The number of minutes before the invalid password counter is reset. Defaults to 10.
minRequiredPasswordLength	The minimum password length. Defaults to 7.
minRequiredNonalphanumericCharacters	The minimum number of non-alphanumeric characters required in the password. Defaults to 1.
passwordStrengthRegularExpression	A regular expression that can be used to validate the complexity of the password.

在 <roleManager><providers> 节：

<add name="FBARoleProvider" connectionStringName="FBADB" applicationName="/"
 type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />