Deploying the IEE Forms Based Authentication Solution
Is the main page for this endeavor.
The previous FBA solution at www.codeplex.com\fba didn’t have a lot of needed functionality including password change or admin password change. The new project at:
http://www.codeplex.com/Release/ProjectReleases.aspx?ProjectName=CKS&ReleaseId=7675
has some great functionality.
I downloaded the fbamanagement.zip file and unzipped its three files to a directory on my SharePoint server. Running deploy.cmd, however, gave me the following error:
The solution can not be deployed. The feature 'c990a4c5-c5d9-474b-b6f6-67329f1e6a0d' uses the directory "UserAdministration" in the solution. However, it is currently installed in the farm to the directory "FBAConfigurationManagement". Uninstall the existing feature before you install a new version of the solution.
So, I went and found the old deploy.cmd I’d used for the first codeplex FBA management project and edited it down to just the first part of the file, the remove commands, like so:
@echo Deploying FBAManagement solution
@set PATH=C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN;%PATH%
stsadm -o deactivatefeature -name FBAUserRoleManagement -url http://vanlaan -force
stsadm -o deactivatefeature -name FBAConfigurationManagement -force
stsadm -o retractsolution -name FBAManagement.wsp -immediate
stsadm -o execadmsvcjobs
stsadm -o deletesolution -name FBAManagement.wsp -override
stsadm -o execadmsvcjobs
Then, I ran the deploy.cmd from the new FBAManagement.zip, and got positive results:
C:\temp\fba\FBAMan>deploy http://vanlaan
Deploying FBAManagement solution
C:\temp\fba\FBAMan>stsadm -o addsolution -filename FBAManagement.wsp
Operation completed successfully.
C:\temp\fba\FBAMan>stsadm -o deploysolution -name FBAManagement.wsp -immediate -allowgacdeployment -force -url http://vanlaan
Timer job successfully created.
C:\temp\fba\FBAMan>stsadm -o execadmsvcjobs
Executing .
Executing solution-deployment-fbamanagement.wsp-0.
Operation completed successfully.
C:\temp\fba\FBAMan>stsadm -o installfeature -name SelfManagement -force
Operation completed successfully.
C:\temp\fba\FBAMan>stsadm -o installfeature -name AdminManagement -force
Operation completed successfully.
C:\temp\fba\FBAMan>stsadm -o activatefeature -name SelfManagement -url http://vanlaan
Operation completed successfully.
C:\temp\fba\FBAMan>stsadm -o activatefeature -name AdminManagement -url http://vanlaan
Operation completed successfully.
And here are the new links to FBA Management:
When I hit FBA User Management, I get:
Interesting. After lots of looking online, it appears that quite a few members in the community are experiencing this issue.
The funny part is that I *can* go to:
http://vanlaan/_layouts/FBA/Management/Usernew.aspx
And I see the new user creation screen:
http://www.codeplex.com/CKS/Thread/View.aspx?ThreadId=16363
Is the thread that helped me figure this out.
I emailed a very friendly guy on the codeplex site and got the fixed up pages, which can be downloaded via a link at the end of this article. The file just needs to be unzipped and overwritten to:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\FBA\MANAGEMENT
By default, when you put these fixed up pages in, you can now see http://vanlaan/_layouts/FBA/Management/Userdisp.aspx
Notice that it only displays up to 10 users initially. I did some searching in the .aspx control pages for FBA Management, located at:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS\FBA\MANAGEMENT
Inside of userdisp.aspx, about halfway down the code, there’s a line that reads:
PageSize="10" PagerSettings-Mode="NextPreviousFirstLast" >
If you change this number to a higher number, more will be displayed. I’ll change it to 50 on mine:
As you can see, the 1-10 at the bottom went away, and this page will now display up to 50 FBA users on this one page before you need to hit the Next Page right arrow button.
Working on account management, there appear to be two ways to recover a user’s password. On the userdisp.aspx page above, if you click on one of the users’ names, you’ll be taken to the useredit.aspx page for that user:
Here you can edit their email address or click Reset Password. The password is automatically generated and sent to the email address shown here. From a helpdesk or administrative point of view, one could potentially change the email address temporarily to that of the helpdesk person assisting the end user, get the generated password, then change it using the Change Password web part. I bring this up because currently the password complexity is pretty heinous, and nothing I’d want to try to read out to an end user or trust them to get typed correctly into the Change Password web part. Here are some examples:
eGV*7ROs[WE#qQ
or
=o:F6SH]Msfn_k
Wow. So, there’s one way to reset the password. What I’ve done in a couple of situations now is to have an Account Management page hanging off of the front page of my top portal site collection, like this:
As you can see, you still need the old password to change the password, so there’s still not a true administrative change password. Also, for some reason, it says Old Password twice, when in fact the second field is for the New Password. It works, though—trust me.
So, we’ve got two ways to generate a new, very complex password for the end user: one in FBA User Management, the other by having the user type their account name into the Recover Password web part, which will e-mail them a new password (nope, not their original one, but a newly generated, highly complex one).
I did some asking, and the folks over at codeplex came through again. Thanks, Siegfriedcw. He brings up some interesting points about the means of password storage in the SQL database, and about how making them retrievable with passwordFormat="Clear" would seriously compromise any security, and most likely damage pre-existing accounts.
Siegfried did some research and initially thought that this expression:
passwordStrengthRegularExpression=""
could control the complexity of the generated passwords. He found, however, that … well, I’ll just quote him here:
“UPDATE: while going through the source code I figured out that the randomly generated password does not make use of the passwordStrengthRegularExpression as of yet. Maybe this might be planned for the future, but right now it appears to not have any effect. As far as I can see the new password is created with the following line of code:
System.Web.Security.Membership.GeneratePassword(System.Web.Security.Membership.MinRequiredPasswordLength, System.Web.Security.Membership.MinRequiredNonAlphanumericCharacters);”
So, for now, it looks like we’re stuck with these very complex passwords. Hopefully, there will be some remedy in the final release to set password complexity. For now, I guess prepare your helpdesk people for a long time on the phone with end users, explaining cut and paste.
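A read-only check of the web.config settings this article touches on, as an added example that is not part of the FBA Management project: it flags passwordFormat="Clear" and retrievable passwords, reports the two membership values passed to GeneratePassword, and confirms the mailSettings SMTP host that the Password Recovery web part needs. The provider name FBAMembers, the sample attribute values and the function name Test-FbaMembershipConfig are assumptions made for illustration.

```powershell
# Added example. $sampleConfig is a constructed web.config fragment; the
# provider name "FBAMembers" and its attribute values are hypothetical.
# It deliberately has no <system.net> section, to show the missing-SMTP case.
$sampleConfig = @'
<configuration>
  <system.web>
    <membership defaultProvider="FBAMembers">
      <providers>
        <add name="FBAMembers" type="System.Web.Security.SqlMembershipProvider"
             passwordFormat="Clear" enablePasswordRetrieval="true"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>
  </system.web>
</configuration>
'@

function Test-FbaMembershipConfig {
    param([Parameter(Mandatory = $true)][xml]$Config)
    $findings = @()
    $xpath = '/configuration/system.web/membership/providers/add'
    foreach ($p in $Config.SelectNodes($xpath)) {
        $name = $p.GetAttribute('name')
        # Clear-text storage and retrievable passwords are both flagged.
        if ($p.GetAttribute('passwordFormat') -eq 'Clear') {
            $findings += '{0}: passwordFormat is Clear (plain-text storage)' -f $name
        }
        if ($p.GetAttribute('enablePasswordRetrieval') -eq 'true') {
            $findings += '{0}: enablePasswordRetrieval is true' -f $name
        }
        # These two attributes back the values handed to GeneratePassword;
        # a blank value means the provider default is in effect.
        $findings += '{0}: minRequiredPasswordLength={1}, minRequiredNonalphanumericCharacters={2}' -f $name,
            $p.GetAttribute('minRequiredPasswordLength'),
            $p.GetAttribute('minRequiredNonalphanumericCharacters')
    }
    # Reset and recovery both e-mail the new password, so SMTP must be set.
    $net = $Config.SelectSingleNode('/configuration/system.net/mailSettings/smtp/network')
    if (($null -eq $net) -or (-not $net.GetAttribute('host'))) {
        $findings += 'mailSettings: no SMTP host, reset e-mails cannot be sent'
    }
    $findings
}

# For a real site, pass ([xml](Get-Content <path-to-web.config>)) instead.
Test-FbaMembershipConfig -Config ([xml]$sampleConfig)
```

The second argument to GeneratePassword is a minimum count of non-alphanumeric characters, so lowering minRequiredNonalphanumericCharacters does not guarantee a generated password with fewer symbols.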
Download new_fba_management_pages.zip
As you can see, it has no issues mailing an external account, either.
So, administratively, I’ve not seen a way for helpdesk or the IT staff to simply change an FBA user’s password, as you can in Active Directory, for example. I’ve also tried out the membershipseeder.zip, available at http://www.codeplex.com/CKS/Release/ProjectReleases.aspx?ReleaseId=7450 , which looks like this:
The Password Recovery web part here must have some elements in your web.config for it to work. Again, thanks to the folks at codeplex.com for this assistance:
<system.net>
<mailSettings>
<smtp from="Admin@sharepoint.com">
<network host="yourmailserverhostname" port="25" />
</smtp>
</mailSettings>
</system.net>
After inputting these elements into my web.config using notepad (you’ll find system.net down towards the bottom—at least I did on mine), the email came through fine, and looked a bit like this:







Hi Vaal,
May need your help on this FBA thing.
1. For password recovery, where can I change the email content? I noticed there is a PasswordRecovery.xslt in the project, but it didn't take that template to send out the email.
2. Where can I change the layout, e.g. I want to make the alignment to be on the left (currently it's at center).
3. The password recovery answer textbox, can I use a password textbox so that it will hide the answer instead of making it transparent?
If you have a reference on this matter, do please let me know.
Thanks. :)
Posted by: Nora | July 10, 2008 at 07:16 PM