Forms Authentication on Extended Web App in Extranet Zone

I am having difficulties using this solution with our extranet architecture. Here is a short explanation:

Default Zone - Accessed only using Windows (NTLM) authentication using sites.domain.com
Extranet - Accessed only using Forms authentication using ext.domain.com

The problem is in the default zone, the links show up on the Site Settings page, however when you click on FBA User Management or FBA Role Management, the following error is displayed:

A Membership Provider has not been configured correctly. Check the web.config setttings for this web application.

I temporarily enabled Forms authentication in the Default zone, and after that was enabled I was able to successfully open the Management pages referenced above.

Is it possible to use this solution in the scenario described?

Another user posted the same problem.  I'll put a fix in the next release.

I initially thought you were experiencing the same problem as in this thread: http://sharepoint2010fba.codeplex.com/discussions/255363

While doing some testing though, the user and role management pages were working fine for me, only the web parts were having problems when the default zone was not configured for FBA.

I managed to reproduce your problem when I didn't set up the membership providers in the web config for my application extension.  I was still able to authenticate (I think it uses the membership provider for "SecurityTokenServiceApplication" to authenticate), but I got the same error when accessing the user or role management pages. So check your application extension web config to make sure that your SQL membership providers are set up.

I am experiencing the same issue, even after validating that the extended web application has the same membership providers. Is there something specific I should be checking with the providers? 

I'd probably check the extension in IIS and make sure that you see the membership and role provider that you use under 'Providers'. And make sure that they are selected and typed in correctly under 'Authentication Providers' in SharePoint.  Unfortunately I'm not sure what parts of SharePoint use the web application settings, as it seems the login uses the SecurityTokenServiceApplication settings. I assume you can log in using FBA?  Do the user and role management pages work?

Hi,

I've got a similar setup where I have the default zone for a web application running with claims based NTLM and FBA. This web app is then extended to a number of different FBA only access URLs. The FBA only URLs are so far working OK in that they are prompting for a username/pwd combination. 

However, the Manage Users page in the default zone is not working. I am also getting the "A Membership Provider has not been configured correctly. Check the web.config setttings for this web application." error on both the manage users and manage roles pages. 

The <membership> section of my default zone web.config is:

 

    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="SQLFBAMembership" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBAExtranetConn" enablePasswordReset="false" enablePasswordRetrieval="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="Admin" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="FBAExtranetConn" />
      </providers>
    </roleManager>

 

IIS looks to be OK with the "WebsiteX > Providers > .NET Roles" showing the "admin" role as specified in the web.config. Also in the "WebsiteX > Providers > .NET Users" section the "SQLFBAMembership" provider is listed. SP Central Admin also reflects the correct settings for the authentication providers for this zone.

Has anyone managed to resolve this?

I assume you can also log in to the default zone using FBA?

Yeah I can get into the default zone with FBA fine. However this auth method restricts me down to a "user" level and the FBA user/role management pages aren't even accessible. I need to access them via the NTLM auth method.

Yes, only site collection administrators are allowed to access the user/role management pages.  You'd have to add the FBA user as a Site Collection Administrator.  Could you maybe try that to see if you can access it as an FBA user in the zone?

The NTLM access should work though.  That's how I usually access the pages - as a NTLM user on a zone with both FBA and NTLM access.  I assume that your NTLM user is a site collection administrator?

NTLM user is the primary site collection admin and still can't access the pages (same error). 

I can't add the FBA user to the site collection admins because the people picker doesn't want to return results. I fear there is a larger FBA configuration issue at play here.

Yeah, if the people picker doesn't return the results, there's something else wrong.  I'd say to check your web.config for Central Admin and Security Token Service, but you mentioned that the FBA only extensions work fine.  Does the people picker work for the FBA only extensions?  Are you sure the database connection is configured in the default web.config?

I seem to be having the same issue as described here. I have an app at port 81 using both NTLM and forms (with SQL membership). The app was extended to port 82 where it uses only NTLM. On port 81 (with NTLM and forms) userdisp.aspx works fine and I can see forms auth users in the People Picker. However on port 82 (with just NTLM), I get the message "A Membership Provider has not been configured correctly. Check the web.config setttings for this web application."

If I enable Forms on port 81, I can log on using forms auth and userdisp.aspx works fine and I can even see forms auth users in the People Picker. This tells me the settings in my web.config are good. But once I turn off forms auth I can no longer see people in the people picker and userdisp.aspx gives me the error again.

I notice in IIS that the web apps have inherited a membership provider named 'ASPNetSqlMembershipProvider' of type system.web.security.sqlmembershipprovider and a membership provider named AspNetWindowsTokenRoleProvider of type system.web.security.windowsTokenRoleProvider. Do these need to be removed for me to use the FBARole Provider?

I see now that I didn't understand the earlier questions asked. Unfortunately forms authentication needs to be turned on in the zone you're going to be using the FBA pack in order for it to work.  The default membership provider is used at times, and it is configured with the values from the current zone.  So if the current zone isn't configured in Central Admin with the membership and role provider values, the FBA Pack won't work.  Raise an issue in the Issue Tracker and I'll put a fix in the next release to search the other zones for settings if they don't exist for the current zone.
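
The per-zone check that the reply above implies, as an added example that is not part of the original thread and is not FBA Pack code: for each zone of the web application it reports whether a Forms provider is registered in Central Admin and whether that zone's own web.config declares the named membership provider. The URL is taken from the first post and the column names are assumptions made for this example.

```powershell
# Added example, not FBA Pack code. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: the default-zone URL from the first post; replace with your own.
$webAppUrl = 'http://sites.domain.com'
$wa = Get-SPWebApplication $webAppUrl

$report = foreach ($zone in $wa.IisSettings.Keys) {
    # Forms provider registered for this zone in Central Admin, if any.
    $fba = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
        Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPFormsAuthenticationProvider] }

    # Membership providers declared in this zone's own web.config.
    $configPath = Join-Path $wa.IisSettings[$zone].Path.FullName 'web.config'
    [xml]$cfg = Get-Content $configPath
    $declared = @($cfg.SelectNodes('/configuration/system.web/membership/providers/add'))
    $match = $declared | Where-Object {
        $fba -and $_.GetAttribute('name') -eq $fba.MembershipProvider
    }

    $membership = $null; $role = $null; $format = $null
    if ($fba) {
        $membership = $fba.MembershipProvider
        $role = $fba.RoleProvider
    }
    if ($match) {
        # Empty means the attribute is omitted (SqlMembershipProvider then
        # defaults to Hashed). 'Clear' stores passwords unencrypted in the
        # membership database.
        $format = $match.GetAttribute('passwordFormat')
    }

    New-Object PSObject -Property @{
        Zone               = $zone
        FormsEnabled       = [bool]$fba
        MembershipProvider = $membership
        RoleProvider       = $role
        InWebConfig        = [bool]$match
        PasswordFormat     = $format
    }
}

$report |
    Select-Object Zone, FormsEnabled, MembershipProvider, RoleProvider, InWebConfig, PasswordFormat |
    Format-Table -AutoSize
```

A zone that shows `FormsEnabled` as False is one where, per the reply above, the FBA Pack pages have no provider values to work with; a zone that shows `FormsEnabled` True but `InWebConfig` False has the provider registered in Central Admin but missing from that zone's web.config.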

How do I turn on the FBA Pack in the Extranet Zone?

I have a default zone in my web application that is AD / NTLM.

I have an extranet zone that is FBA (an extended web application and so a different website and web.config)

I only see the management links under "Users and Permission" under the Site Settings of the default zone.

Can I get them to be visible in the Extranet Zone?

Thanks.

You need to be a site collection administrator to see the links. So as long as you sign in as a site collection administrator in the extranet zone, you should see the links.

You are absolutely correct. I made my FBA "admin" account the secondary site collection administrator and then everything works as expected. Thanks for the quick response.