Category Archives: NOVA Cloudbase
Các bước tiếp theo là cấu hình và sử dụng pfSense
Install pfsense in vmware esxi
How to multi public WAN IP’s with PFSense
PFSense Load Balance Dual Wan 2 ISP IP Choice Cable TV
pfsense WiFi Hotspot
pfsense multi wan / load balancing
pfSense – LoadBalance e FailOver
Configuring a DMZ in pfSense 2.0
PFSENSE Download limit per IP
pfSense 2.0 – Limit Download & Upload bandwidth per IP
Configuring NAT Port Forwarding in pfSense 2.0:
4 – PfSense – Step by Step Firewall, Alias , NAT, Rules, and virtual ip:
Tutorial pfSense Firewall NAT 1:1
Mục đích của việc ảo hoá các thiết bị mạng Router Firewall:
1. Nhằm thay thế, bổ sung hoặc
2. Tiết kiệm chi phí khi phải đầu tư thêm thiết bị mạng định tuyến, tường lửa, NAT, VPN, OpenVPN, DirectMAP, Bridge từ các hãng Cisco / Barracuda, Juniper, Fortigate …
3. Dễ dàng triển khai, kiểm soát và sử dụng hệ thống thiết bị Router này khi chúng được ảo hoá trên hệ thống VMware.
Về cơ bản:
– Hệ thống mạng Router là cách làm đã có từ lâu, trên các thiết bị phần cứng Router Firewall đều có các phần mềm Firmware của các công ty đối tác phát triển phần mềm cho các thiết bị nổi tiếng như: Cisco, Juniper …
– Việc ảo hoá mạng của VMware có thể nói là cuộc cách mạng trong giải pháp triển khai và quản lý mạng hiệu quả, đó là “Phần mềm định nghĩa và thiết lập ra mạng” tôi dịch nôm của từ SDN “Software defined Networking”.
– VMware đang trở thành đế chế số 1 trong giải pháp ảo hoá máy tính và có thể cũng là số 1 về mạng ảo hoá (SDN), gần đây nhất VMware cũng công bố kiến trúc VMware NSX. Cuộc đua công nghệ thật thú vị.
Tham khảo ý kiến:
Với góc nhìn của người làm công nghệ, triển khai, sửa dụng công nghệ VMware tôi có 3 ý kiến sau:
1. VMware có những bước đi công nghệ thật mau chóng, mạnh mẽ, thật đáng để những người làm công nghệ theo đuổi và đổi mới tư duy công nghệ.
2. Loạt bài viết trên, viết về công nghệ mới của VMware theo kiểu “Điếm rất đậm chất Mỹ” nhằm che đây một sức mạng của “Sóng thần” sẽ cuốn phăng đi tất cả các đối tác sản xuất thiết bị như CISCO, Juniper … nếu họ không chấp nhận cuộc chơi mới, thay đổi công nghệ theo cái sân mà VMware là kẻ thiết lập ra nó “NSX”.
3. Giờ là sân chơi của VMware đã đủ rộng, với câu nói “VMware NSX: A tool for peace, not war”, tôi viết lại đây là kiểu “Điếm Mỹ” vì thực tế không phải nó là hoà bình, mà là chiến tranh. Nhưng tất cả các đối tác như CISCO, Juniper dù muốn dù không cũng phải nâng cao công nghệ và không sản xuất phát triển các công nghệ mạng mà VMware dần đưa vào thay thế là SDN. Họ mất thế mạnh, vũ khí chuyên về mạng do vậy làm gì có chiến tranh khi tất cả đều là tù binh và bị cuốn theo Ware của VMware ?
Câu chuyện hài hước này còn dài tập đối với nhiều người, nhưng các nhà phát triển công nghệ thì khá rõ rồi.
– Xây dựng 1 hệ thống mạng và Router Firewall thông qua giải pháp ảo hoá mạng của VMware ESXi 5.1
Bước 1. Tạo và chia tách các máy chủ VM ảo hoặc máy trạm client trong hệ thống mạng vCenter VMware ESXi 5.1 thành 2 lớp mạng ảo : WAN & LAN
–> Mỗi máy ảo dịch vụ ESXi 5.1 sẽ có 2 card mạng ảo.
eM0 ==> WAN
eM1 ==> LAN
Bước 2. Download file ISO bootable cho cài đặt Router firewall từ hãng pfSense (http://pfsense.org )
Bước 3. Cấu hình máy chủ ESXi 5.1 chứa máy VM cài pfsense router cần cấu hình NTP service với 3 địa chỉ phổ biến sau:
Bước 4. Cấu hình và chọn lớp mạng WAN & LAN qua Web trên Router (pfsense).
WAN –> eM0
LAN –> eM1
Bước 5. Kiểm nghiệm vận hành của Windows 7 giao tiếp với Router pfsense sau khi ảo hoá nó.
Video thực hành:
Trân trọng cảm ơn !
1. Cách tăng và chia ổ:
When you created your virtual machine you of course created the number of disks and their sizes as per the requirements, best practice guidelines or just your best estimation for its use. However, as requirements change and the amount of data in your virtual machine grows, from time to time you need add additional storage. How do you resize the virtual disk (.VMDK)?
Resizing virtual disks is relatively straight forward. However, as with anything before making changes ensure you have a backup (especially when making changes to disks).
Note: You cannot change the disk size if you take a snapshot, plus if there was an issue with the disk the snapshot would be useless anyway.
Another thing to be aware of is you can only INCREASE the size of a virtual disk. You cannot reduce the size of a virtual disk, VMware does not currently allow it as it could risk losing data. If you want to reduce the disk size you could either use VMware converter to copy the VM and resize the disks at the same time or create a new smaller virtual disk and copy the data over to it.
To Increase the size of a virtual disk (.VMDK):
1. Shutdown the virtual machine.
2. Right click on the virtual machine and select “Edit Settings”.
3. On the “Hardware” tab, select the virtual disk you would like to resize and in the “Capacity” section enter the required size.
We are not finished yet. If you boot the virtual machine now the OS will not see the new size, it will only see the old size. You need to expand the volume into the new free space. Below are two methods of doing this, and deeding on the guest OS and your preference depends which one you will choose.
Method 1 (Windows DISKPART) will of course only work in windows.
Method 2 (GParted) will work for any OS, including Linux and Unix provided as the file system type is supported by your chosen partition utility.
Method 1 (Windows DISKPART):
1. Click Start –> Run and type “diskmgmt.msc”
2. You will see the free space after your volume.
3. Use DISKPART to extend the volume into all the free space:
select Volume 0
4. You will now see the volume has been extended to use all the free space.
Method 2 (GParted):
To resize the partition on the disk use your favorite partition resizing tool. If you don’t have one mine is GParted, which there is a live CD for. Download the GParted Live CD
1. Click on the “Options” tab and go to “Boot Options”.
2. Tick “Force BIOS Setup” (This will boot into the BIOS screen when the VM is powered on – This is so that you can mount and ISO image before the OS boots.)
3. Click Ok to reconfigure the virtual machine.
4. Connect the ISO image or connect the CD drive with your GParted Live CD (This is easier with force BIOS option set in step 5).
5. Boot into GParted and you will see the current partion in the now much larger disk.
6. Right click on the partition and select “Resize/Move”.
7. Resize the partition to fill entire remaining space and click “Resize/Move”.
8. Click “Apply” to run the resize task. After sometime depending on the size the task will complete.
9. Reboot the computer, remove the CD and boot into the OS.
10. Depending on the OS it may perform a disk check like Windows Server 2003 here.
11. You should now see the disk has been resized.
1. Create a domain service account that the View connection server will use to connect to vCenter. On a domain controller create a new AD service account, and set the password to never expire. In my environment the account is called SVC-View01-001. Name is not important, so use whatever naming convention suits you.
2. Login to the vSphere Web Client and from the Home page click on Administration.
In the Administration page click on Role Manager. Create a new role by clicking on the green plus icon. Call it something like View Administrator.
3. Add all of the privileges to the View Administrator role shown in the VMware table below.
4. In the vSphere Web Client navigate to Home > vCenter > Hosts and Clusters, then click on the vCenter name. Now click on the Manage tab and then the Permission tab. Click on the green plus icon to add a permission.
5. Add the domain service account in the left pane, and change the role to View Administrator in the right pane.
6. Launch the View administrator and in the left pane expand View Configuration. Click on Product Licensing and Usage. Enter your View 5 product license key.
7. Under View Configuration click on Servers. Click on the vCenter Servers tab and click Add. Enter the vCenter’s FQDN, your service account name and password. Review the advanced settings in the lower half of the pane to see if they make sense for your environment. I left the defaults.
8. Since we haven’t yet installed View Composer (optional component), select Do not use View Composer.
9. If you are using vCenter 5.1 and ESXi 5.1, you will be presented with some new storage settings. I would leave the all the defaults, as those will produce the best results. If you are using a third party VDI storage accelerator such as Atlantis Computing ILIO then I would disable these storage features as they won’t provide much benefit.
10. At this point the vCenter should be successfully added and have green check boxes under all features.
We have now covered the major configuration steps for the View Connection server components. Next up is a little AD work, creating a VM template, and adding a few desktops to the View administrator console. You can check out that installment in Part 4 here.
Cấu hình cho phép từ mạng Internet truy cập vào View Server 5.2:
I ran into an issues where my View clients were able to connect internally on the same LAN with no issues to thier View Desktops, but when attempting to use the Security Server from an outside source the connection would authenticate, show available desktops, start to load a desktop and then fail with the error “The connection to the remote computer ended”.
Not a lot of details beyond that. After running firewall logs, netcat, wireshark to no avail, VMWare Support was able to help me find the field that was in error in the View Administrator. Apparently during a reinstall the internal IP of the PCoIP Secure Gateway field was left as the default internal IP instead of the actually public IP. The external URL under the HTTP(S) Secure Tunnel also exibited a simular setting using the actual hostname of the server and was updated to the public DNS name of the Security Server.
Not a difficult soltuion, but one of those things that is easily overlooked after a lot of troubleshooting and not something that I easily found a solution for on the web or in KB articles. Hopefully this will help someone else.
In View Administrator click on Servers, the Connection Server, then Edit.
Update the HTTP(S) Secure Tunnel External URL and the PCoIP Secure Gateway, PCoIP External URL. Check both boxes
Sửa lỗi trường hợp không kết nối vào Desktop VM:
Recently I found myself looking at an error which I’ve seen many times before with different customers View environments in which they are unable to connect to desktops getting the following error..
“The connection to the remote computer ended”
In 99% of cases this is usually due to missing firewall rules between the View Client (thick/thin client) and the View Agent (virtual desktop).
The following VMware KB details this error and how to troubleshoot.
However it only affected my test Windows 8 clients which were previously working.
The only thing that has changed was I had been applying and testing the CIS benemarks for Windows 8 in some new GPOs I had created, it had to be those what had broken it, so I set out trying to find which setting.
Unlinking the new CIS GPOs I found I could now connect to my View desktop succesfully so it definatley a setting in the CIS GPOs. The tough job was going through each setting and testing it to find which (initial guess work was not sucessful).
In the end I found the cause to be the following setting:
“System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled”
This setting being configured to enabled, caused a conflict with the View 4.5 connection server settings in the environment which resulted in connections to the View agent from a View client with this policy setting to be rejected.
With the release of the VMware Horizon View Feature Pack 1 for VMware Horizon View 5.2 it possible to connect with HTML5 to your View desktop. This without installing additional software. The new HTML5 protocol is called Blast. Connecting by using the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.
The VMware Horizon View Feature Pack 1 contains the following two main components:
- Remote Experience Agent installer
- HTML Access installer
Remote Experience Agent installer contains:
- HTML Access Agent: The HTML Access Agent allows users to connect to Horizon View desktops by using HTML Access
- Unity Touch: With Unity Touch, tablet and smart phone users can easily browse, search, and open Windows applications and files, choose favorite applications and files,and switch between running applications, all without using the Start menu or Taskbar. Unity touch requires a VMware View Client
This component is installed on the View Desktop (XP SP3, Windows Vista (32-bit), Windows 7 or 8 )
HTML Access installer: This installer configures View Connection Server instances to allow users to select HTML Access to connect to desktops. After you run the HTML Access installer, the View Portal displays an HTML Access icon in addition to the View Client icon.
This component is installed on the Blast Secure Gateway know as View Connection Server (Not the Security Server).
Here is an overview of the components and firewall ports that’s needs to be opened:
A single security server can support up to 100 simultaneous connections to Web clients using the Blast protocol. For a complete list and drawing of the firewall ports that needs to be opened in a VMware View Security Server environment see my earlier post here.
In the View Administrator the connections using a the Blast protocol can be monitored:
Unity Touch is supported on the following Horizon View Client versions:
- Horizon View Client for iOS 2.0 or later
- Horizon View Client for Android 2.0 or later
Unity Touch is supported on the following mobile device operating systems:
- iOS 5.0 and later
- Android 3 (Honeycomb)
The following Web browsers are supported:
- Chrome 22 or later
- Internet Explorer 9 or later
- Safari 5.1.7 or later
- Firefox 16 or later
- Mobile Safari on iOS devices running iOS 6 or later
Don’t expect: that the Blast protocol offers:
- The same performance as PCoIP!
- USB and multimedia redirection
- ThinPrint support
But the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.
View Portal. Choose between the View Client or HTML access
Logon screen HTML access
Unity touch from iPhone
Yesterday VMware has released the new Horizon View Client 2.0 iOS client to the Apple AppStore. With this client comes a new functionality called Unity Touch. Unity Touch is somehow a part of what VMware introduced as Project AppShift at VMworld 2012. Unity Touch gives the user a greater experience when accessing a virtual desktop from a tablet running iOS or Android. Check this screenshot-show to see how it works.
First requirement is a VMware View 5.2 environment with the VMware Horizon View 5.2 Feature Pack 2 installed on the server and the virtual desktop. Then update your iOS or Android clients to the newest version.
On the left hand side you can see the black slide out navigation tab.
Clicking on this a menu pops in from the left side giving you access to all installed programs on your desktop as well as to your “My Files”.
Starting an Windows application is so easy now. You don’t need to click the start menu and programs menu anymore. Just click on the application in the menu.
The “My Files” menu gives you access to all your files and on the virtual desktop.
You can also register apps as favorite applications as you can see in the next screenshot. I’ve added the control panel here for demonstration. This helps you to even easier accessing your apps on Windows.
From my view this is a cracking feature in the new release! Working on a virtual desktop from a tablet is so easy now. Unity Touch works with al apps installed to the desktop out of the box. Thanks to my colleague Tim Arenz from http://www.horizonflux.com for provisioning me a desktop on his test environment. This helped a lot with this article.
Today I received a new SSD drive for my home lab. It was time to get some new IOPS in my vSphere environment for testing VMware Horizon View 5.2. I haven’t installed View for a while so I was really surprised about the changes I’ve seen in the product. After the general View installation I’ve deployed a Windows 7 desktop pool first as I wanted to test the new HTML access today. Of course I’ve seen it before and I’ve already played with it but didn’t install it by myself yet. The HTML access option comes as a separate installer for both, the server and the agent side. The remote experience agent which is installed on the virtual desktop also brings the necessary software pieces for the Unity Touch feature. From the VMware website you can download the HTML access for the connection server as well as the user experience agent. Just login to your MyVMware account and check the downloads section. The modules are available under the Horizon View downloads. Starting the installation is easy as usual, just click on the installer.
I was surprised when I did the installation as their was nothing to configure. Only click Next, Next and Finish and all its set.
After installing the HTML access option (Feature Pack 1for View 5.2) the website at https://viewserver/ changes. Before the installation the website offered only the option to download the View Client for accessing the virtual desktops. After installing the Feature Pack you can see the “VMware Horizon View HTML Access” icon.
But before using the new feature you’ve to install the client components on the virtual desktop. Again take the installer, this time copy it to the virtual desktop or desktop template and start the installation.
The only difference to the server installation part is that you have one additional wizard dialog. It gives you the chance to decide if you want to install HTML access only or also install the Unity Touch features. But of course you want it so just click on Install and start the installation.
After the installation and proper configuration of a desktop pool you can go back to the View Connection Server web interface. Click on the HTML access and enjoy!
Ha! There is another trap which you should be aware of! HTML access requires HTML5 support but this is not offered by Internet Explorer 9 i.e. which I’ve used to access my virtual desktop. Lessons learned! I’ve installed IE9 afterwards.
Using a supported web browser gives you this! A fully functional Windows 7 desktop running in a web browser. Great! I love it.
I hope this gives you a quick overview of the HTML Access which comes with the VMware View 5.2 Feature Pack 1. Of course the HTML access doesn’t give you the full functionality of a VMware View Client which is connected via PCoIP but it is great to use on a mobile device for a few use cases.
Prepare Win8 VM for Horizon View 5.2
1. In vCenter provision a new Windows 8 x64 (or x86) VM using hardware version 9. I would do a minimum of 3GB of RAM and a 30GB C drive. Mount the Windows 8 ISO, and do a regular installation.
2. Install VMware tools, then configure the network properties, do Windows update, and join to your domain.
3. By default Windows 8 has aggressive power settings, and the VM will suspend after a while. I recommend using the High Performance power profile. I would also enable remote desktop access as well.
4. As part of your Horizon View 5.2 downloads you should have downloaded the agent installer. Copy the appropriate agent (x86 or x64) to the VM and start the installer.
5. If you are asked to reboot the VM, do so. Re-run the installer and select all defaults and wait for the install to complete.
Configure Active Directory
1. Create a new OU for your VDI computers. We will need to apply a GPO to them, so a new OU makes life easier. I called the OU Windows 8 VDI.
2. Create a domain security group that users will go into that are authorized to get a desktop from the pool that we will define later on. I called my group VDI_Windows 8 Standard. Add a couple of test users to this group.
3. We need to modify the Remote Desktop Users group to allow the group we just created access. You can do this any number of ways, but let’s create a new GPO for this purpose. Link the GPO to the VDI OU you created.
4. Open the GPO and navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsRestricted Groups.
5. Right click on Restricted Groups and add the group Remote Desktop Users. Now add the group you created and added to users to back in step 2. Be sure to add this group under Members of this group in the upper half of the window.
6. Reboot your Win8 and make sure the policy has applied to the computer.
Creating a Desktop Pool
1. Launch the Horizon View Administrator and in the left pane under Inventory select Pools. Click Add Pool.
2. For this mini-pilot effort we will do a Manual Pool using Dedicated with automatic assignment.
3. Choose vCenter virtual machines.
4. You should now see your vCenter server listed.
5. On the Pool ID screen you need to configure the ID, Display Name, Folder and an optional description. The ID has limitations on what characters you can use (e.g. no spaces) and the box will be outlined in red if you violate the rules.
6. The pool settings are highly dependent on your environment, so feel free to tweak them as needed. I changed a few settings to those shown below.
7. Locate the Windows 8 VM(s) that you have provisioned and add them to the pool.
8. If your infrastructure meets the requirements, the wizard will now allow you to choose to use the storage accelerator. If you aren’t using a third-party storage appliance like Atlantis Computing ILIO then I would enable the feature.
9. On the Ready to Complete screen review all of your choices. At the top of the window mark the Entitle users after this wizard finishes.
10. When the Entitle window pops up add your entitlement group (e.g. VDI_Windows 8 Standard).
11. Reboot your Windows 8 VMs, and wait a few minutes. In the View Administrator click on Desktops and you should see your desktop(s) listed. Wait (a while) for the status to change to Available. It could be very slow to change from the Startup status so be patient.
Stay tuned for upcoming installments in the Horizon View 5.2 series, coming to a blog near you.
VMware Horizon View 5.2 Install
1. Provision a Windows Server 2008 R2 SP1 VM, and do your normal configuration such as joining it to your domain. Resist the strong urge to use a Windows Server 2012 VM, as that is not supported. Note to View team: Please get with the program. vCenter 5.0 U2 supports WS2012, why can’t you?
2. Download the Horizon Suite 1.0 components from the VMware site. Copy the Connection Server installer to your newly provisioned VM and start the install process.
3. Once you get to the Destination Folder, you can leave the default value or put it elsewhere like on the D drive. For this example I’ll keep it simple and leave it on the C drive.
4. Next up you need to decide what role this particular server will be used for. For this series we will start off with the View Standard server.
5. The wizard will now prompt you for a data recovery password. Should your View server become inoperable or face other technical issues, you may need the recovery password to well….recover your environment. So make sure you write this down and keep it in a safe place. The password can be from 1 to 128 characters.
6. If in your environment you use the Windows firewall, View can automatically configure the appropriate rules. Since I’m using the Windows firewall, I want View to configure the rules for me. Note that if you want to use the Security server, it requires the use of Windows firewall to establish an IPsec connection to the Connection server. So I would advise using the Windows firewall.
7. Now you need to tell View what administrator group will have access into the View console. I would strongly urge the use of a domain security group vice the local administrator group. Following my favorite RBAC naming convention I’m using APP_View_All_Administrator. You should create your own group.
8. Next up it will ask you if you want to send anonymous data to VMware. I most certainly do NOT, but the choice is yours.
9. Click Install and wait for the installer to complete.
10. Unfortunately the View console relies on the very insecure Adobe Flash player. So download it to the computer(s) that you want to access the View console from.
In Part 2 we will configure the SSL certificate for the View connection server. In this area the View team is light-years ahead of the vCenter team. Installing a trusted SSL certificate is cake, and shockingly uses the Windows OS certificate store (yeah!).
1. Tích hợp Live ID với cơ chế Claims Based Authentication. 1
2. Tích hợp với SharePoint 2010 và sử dụng lại cách đăng nhập truyền thống ASP.NET Membership Database bằng FBA.. 1
2.1. HOW TO:Forms Based Authentication (FBA) on SharePoint 2010. 1
** Note: This FBA configuration method is based upon the pre-release version of SharePoint 2010 and may change in the final release **. 1
2.2. Setup your SharePoint 2010 site. 1
2.3. Setup your User Database. 2
2.4. Provide Access to the Membership Database. 3
2.5. Setup IIS 7.0 Defaults. 4
2.6. Setup the FBA Zone in SharePoint 2010. 8
2.7. IIS 7.0 Web Site Configuration for SharePoint 2010 FBA.. 11
2.8. Set the User as Site Administrator on the SharePoint 2010 Web Site. 12
2.9. Test the site. 14
2.10. Add the reference to the user friendly people picker. 15
3. Final Note. 16
NOVA Technologies đã quyết định sử dụng giải pháp tích hợp LiveID vào NOVAVN.COM. Giải pháp LiveID được xem là một giải pháp cách mạng khi người dùng không còn phải sử dụng hoặc lệ thuộc vào tài khoản trong Active Directory của chính hệ thống SharePoint Portal. Giải pháp tích hợp Live ID sử dụng cơ chế Claims Based Authentication (CBA).
Trong năm 2006, cơ chế thường sử dụng là Forms Based Authentication (FBA) lưu trữ các dữ liệu đăng nhập trong cơ sở dữ liệu ASP.NET Membership Provider SQL. CBA trong SharePoint 2010 giảm bớt những hạn chế có ở FBA.
Về cơ bản, thay vì đăng nhập vào bằng tài khoản Active Directory bạn có thể sử dụng tài khoản Live, Hotmail, Live@edu, MSN. Nếu bạn quên mật khẩu có thể khôi phục thông qua Live. CTO Lê Toàn Thắng (MSTS SharePoint người Việt Nam), MCITP Enterprise Administrator và là Master Trainer về Live@edu Nguyễn Văn Bốn là những người hỗ trợ giải pháp tích hợp này cho NOVAVN.COM.
2. Tích hợp với SharePoint 2010 và sử dụng lại cách đăng nhập truyền thống ASP.NET Membership Database bằng FBA
The following article details FBA configuration on a SharePoint 2010 site. If you are looking for information regarding the configuration of FBA on a SharePoint 2007 / WSS 3.0 site, check out this article instead.
- In Central Admin, create a new site. By default, this will use Windows Authentication. Since we haven’t setup FBA yet, we need to setup the Web Application first as a Windows site.
- Create the Web Application
- Create a default Site Collection, and make a windows user (below we’ve used the Administrator account) a Site Administrator.
- Setup the ASP.NET Membership Database. Note: You can use custom membership stores, DotNetNuke, even Live! credentials. But the .NET membership database is very simple to setup. This requires the SQL Server database. You can use the integrated version that is supplied with SharePoint, Express or a fully featured SQL Server (Standard or Enterprise) Edition.
- Find the setup file aspnet_regsql.exe located at either of the following locations depending upon your OS:
- When the ASP.NET SQL Server Setup Wizard appears, select “Configure SQL Server for application services”, then click Next
- Enter the SQL Server and Database name.
- Above, I have named the database FBADB
- Click Next and Finish
As an administrator, you’ll be able to add and modify user accounts. But from the SharePoint runtime, we’ll have to provide access to the membership store. This can be done in two ways. If using SSPI (Integrated Security) for the connectionstring from SharePoint, you’ll need to determine the Service Account that runs the Application Pool. Then you’ll provide access to this windows (or service) account in SQL Server to the FBADB database. Or, if you don’t want to use SSPI, or don’t want to take the time to figure out the startup service account for SharePoint you can simply create a login to the FBADB database. Following are steps for the second approach.
- Open SQL Server Management Studio (SSMS 2008) and select Security , then Logins
- Right Click Logins and Select “New Login”
- Create a SQL Server account. Below, we’d created the account FBAService with password pw
- Select “User Mapping”
- Mark the checkbox next to FBADB, and select the row.
- In “Database role membership”, make the user a dbo_owner.
- Click OK to save the new user.
- Open up Internet Information Services Manager
- Select the Web Server, then double click Connection Strings
- Click Add..
- Enter the Server (.), Database (FBADB) and the Credentials for the user FBAService (by clicking the Set button). If you want to use SSPI, simpy select “Use Windows Integrated Security” instead.
- Click OK to save
- Click to Select the Server from the Connections pane again, and double click Providers.
- On the Feature dropdown, select .NET Users. Your machine may take a while to respond while the configuration is read.
- On the Actions menu, click Add..
- On the Add Provider form, select SqlMembershipProvider as the Type
- Provide a name: FBA.
- Drop down ConnectionStringName and select FBADB
- Set any other parameters you’d like. I set some Password related options for user interaction later.
- Click OK to save
- From the Feature dropdown, select .NET Roles, then click Add..
- Provide a name: FBARole, and select Type: SqlRoleProvider
- Select the ConnectionStringName: FBADB
- Click OK to save the .NET role.
- Browse to SharePoint 4.0 Central Administration, Select Security
- In Application Security, select Specify Authentication Providers
- Select the Web Application.
- Click the Default Zone.
- Ensure the Web Application is the correct one on the next page!
- Change Authentication Type to Forms
- Check Enable Anonymous (* note that this does not immediately enable Anonymous access; it merely makes the option available on the front-end web application *
- Click Save.
- When the process is finished, the membership provider should now display FBA.
What SharePoint has done behind the scenes is make the necessary changes to the IIS website to support Forms based authentication. But we still have a little problem. If we browse to the site right now, we won’t be prompted for Windows credentials anymore. Not only do we NOT have a user in the .NET membership database, but we have no FBA based administrators. Let’s tackle that next.
- In IIS Manager, select the SharePoint site. In this example, we used the default site (80).
- Double click the .NET Users icon
- Click Set Default Provider from the actions pane on the left and select FBA
- Click OK to save.
- While we’re here, let’s add our first user. This will be used as an administrative account on the FBA site. Click Add..
- Select a User, Email and Password. Depending upon parameters you defined earlier you may be prompted with challenge/response questions.
** The password may require some strength by default. If you receive an error message that states the “password is invalid”, simply add a number or non-alpha character.
- Next, select the SharePoint Central Administation v4 web site from the connections menu in IIS.
- Click .Net Users, then in the Actions menu select “Set Default Provider” and set that to FBA.
- In SharePoint Central Admin v4, go to Application Management
- In the Site Collections section, select “Change Site Collection Administrators”
- On the next page, select the Site Collection we’ve been using.
- You’ll note that the primary site collection administrator has a little red squiggly. Why? We don’t have Windows Authentication enabled for this site and therefore no way to resolve. Delete the Administator account.
- In the field type the user created above (we used fbaadmin), then click the Check Names button. You should see a black underline noting that the name was resolved.
- In a Web Browser, when you access the site http://localhost (if that’s what you used), you’ll be presented with the SharePoint login screen, not a Windows login pop-up. (Wow, and you thought SharePoint 2007 had a spartan login screen. Get a load of this !)
- Login with the fbaadmin credentials and you should be able to access the site.
You know the picker…so you can easily find those needles in the haystack. For that to work in Central Admin and this site against your .NET membership database, you need to add a reference to the provider.
- In IIS Manager, browse to the Central Admin web application. Explore the folder and find the web.config file. Open in Notepad.
- Find the <PeoplePickerWildcards> node and use the following:
< clear />
<add key=”FBA” value=”%” />
If you plan to use the same membership database for multiple sharepoint sites AND you choose to encrypt the passwords, you’ll need to add one final step. In IIS 7, on the first site, select the Machine Keys icon. Copy those keys. In the next site that you create, you’ll need to use the same machine keys and disable “Automtically Generate” and disable “Generate Unique Key”. This is crucial as the machine key is used to determine the encrypted password that is passed back to the .NET membership database.