FBA Claims Super User Halloween Gotcha

I’ve been working with Claims Authentication a lot recently and I’m still tripped up by some of the basics, it would appear. Yesterday, on Halloween, I received an access denied error on my web application after configuring it for Forms Based Authentication. I had previously migrated it to windows claims, but this was my first try moving an existing web application from windows claims to FBA Claims.

The error in the ULS was misleading:

Cannot get Role Manager with name aspnetsqlroleprovider. The role manager for this process was not properly configured. You must configure the role manager in the .config file for every SharePoint process.

After searching all my web.config files for the word aspnetsqlroleprovider I realized I was on a wild goose chase. The culprit was the “Claims Super User Settings” as I will phrase it. I’d dealt with it before when moving the same web application from windows integrated to window claims authentication, but thought I’d properly addressed it the second time around until I got this error.

If you receive an access denied after changing claims authentication settings, take a minute to re-read Configure object cache user accounts in the TechNet SharePoint 2010 Server Operations section. In the case of my FBA implementation, I tried the PowerShell method first, but still received the error afterwards. It wasn’t until I configured the User Policy as described in the reference above that resolved the error.

Claims References

• Configure object cache user accounts, Microsoft TechNet, Published: June 17, 2010
• Migrate from classic-mode to claims-based authentication (SharePoint Server 2010), Microsoft TechNet, Published: October 14, 2010
• Setting up FBA Claims in SharePoint 2010 with Active Directory Membership Provider, Sridhar’s blog [MSFT SharePoint Support Engineer],  January 7, 2010