Users can't log in with FBA credentials


I've actually successfully used this software before, but this time I'm running into an issue.

I have one web, one app, and one db server in a Sharepoint farm. I've set up the users database on the db server, and added the membership/role provider web.config information (as well as the connection string) to the web apps (one is AD, one is FBA), Central Admin, and the SecretTokenService. I've also added my membership provider to the requisite PeoplePickerWildcard sections.

One concern is that the STS is on both the app server and web server, so I'm not sure which one matters, but I did both.

Regardless, in CA I can use the PeoplePicker to find my FBA users (via App Mgmt->User Policy), so it seems like it's configured correctly. However...

If I go to the AD website (the only I can log into at the moment), I can see the FBA User Management and the like, and it lists all the users, and I can add/edit/delete. I cannot lookup anyone in the PeoplePicker when adding them to SP groups. I imported an old db of users to this site, btw, so it has a bunch of existing FBA users. It won't see them or any new ones I create.

If I go to the FBA site and try to log in, I can't log in with anyone, whether from the old imported db of users, or new people I create. It just says "The server could not sign you in. Make sure your user name and password are correct, and then try again." each time.

One more thing: I tried creating a new user in IIS->.NET Users. It shows up in the FBA User Management on the AD site, as expected, but it still won't log me in. Perhaps it is not the SP 2010 FBA Pack's fault, but I'm kind of lost otherwise ;P

Any ideas?

I'm pretty sure it's an issue with your membership config in the STS, since that's what is used for logging in.

Of course, double check that your STS web.config settings match those for your web application.

The other common culprit is database permissions. Check what user the STS App pool is running under and ensure that the user has permissions on the membership database.

Thanks for responding so quickly!

I double-checked the service accounts for CA and STS and noticed they didn't actually have any rights to the FBA users DB. I added them both with aspnet_Membership_FullAccess and aspnet_Roles_FullAccess rights, but still no dice.

When I go into CA on our app server, app mgmt->user policy->add users, and use the peoplepicker for a test user (aaaatest), it finds the user. Hovering over it says "[Name_Of_Provider_With_Proper_Case]:aaaatest", which is what I expect and desire. Note: The actual membership provider has been changed to protect myself ;P

When I go into the actual web app and use the peoplepicker for the same test user (aaaatest), it does not find the user. Hovering over it says "No exact match was found for i:0#.f|[name_of_membership_provider_in_lowercase]|aaaatest." What's weird, though, is that the membership provider in the error message is correct, except for being all lowercase. So, if mine was "Member_Provider", it puts it as "member_provider". Is there any significance to this?

The give user db owner rights on the db - that should get it working.

There shouldn't be any significance to the case of the membership provider. I'm almost positive they are not case sensitive. I'd say compare the PeoplePickerWildcards section of the web config between the CA web.config and app web.config.

Well, some combination of giving db owner rights to both service accounts made it happen. I used Fiddler and noticed some 401s when doing a PeoplePicker lookup and when logging in, so I guess that must've been it. Thanks!