Tuesday, September 23, 2014

Sharepoint Patching Made EZ

After release of SharePoint 2013 August CU I received many emails and blog comments which showed that there is lots of uncertainty related to SharePoint patching. Especially the difference between the terms Cumulative Update and Server Packages (also known as "Uber" package) seems to be unclear.
Using this post I'm trying to shed some lights on the following aspects:

Cumulative updates (CUs)
server packages (also known as "Uber" packages)
patch baselines
public updates (PUs)
farm patch version information

SharePoint cumulative updates (CUs)

After release of August 2014 CU I read several statements that August CU is not cumulative - but that is not correct! SharePoint fixes are always cumulative! So if SharePoint fixes are cumulative - why is it required to install July 2014 CU as well to have a fully patched SharePoint server?
The reason is that SharePoint is not a monolithic product. It consists of various different and mostly independent components (e.g. Search, Excel Services, Web Content Management, Document Lifecycle components, ...). Each of these independent components is packaged separately. You can get an overview over the different components and their patch level on the "Patch Status" page in the central administration of your SharePoint server:

As these components are independent from each other they can be patched independently. In each CU we ship fixes for various different components. E.g. it might happen that in a specific CU we need to ship a fix for Search but not for Excel Services, then this CU will only contain updates for Search but not for the Excel Services. Each of the shipped update packages is cumulative. That means if we ship fixes for one of the components in a CU, then the CU will contain all previous released fixes for this components as well.
Most of these components consist of a language independent piece (global) and a language dependent piece for the UI. The global and the language specific pieces are packaged separately to support separate installation for different languages (language packs). So we have e.g. a package for the language independent search component piece and a package for the language dependent search component piece. Same for Web Content Management and so on...
Let me give you an example:

In the example above we shipped Search Fixes in January CU and March CU. Excel Services Fixes in February CU and March CU. And WCM Fixes in February and April CU.
As SharePoint fixes are always cumulative the WCM fixes shipped in April CU also included the WCM fixes released in February CU. Same for the Search Fixes shipped in March CU which included the fixes from January CU and for the Excel Services Fixes released in March which included the fixes released in February CU.
The problematic piece here is that in the above example in April CU we don't ship fixes for Search and Excel Services. So if someone installs April CU only he will receive all WCM fixes ever released - but none of the Search of Excel Services fixes. The fix packages are cumulative - but you need more than the fixes from April CU to patch all your components to the latest version.
So if SharePoint fixes work this way - why was it sufficient in the past to install only the latest CU? The answer are the "Uber" packages:

Server Packages (also known as "Uber" Packages)

The "Uber" packages which are usually released with each CU not only include patches for the components updated in the current CU but also all patches released for other components of the product. So they are very similar to a mini service pack.
E.g. for the example above the "Uber" package would look like this:

In the past we always shipped an "Uber" package with every CU so in my blog posts I only listed the "Uber" packages for SharePoint Foundation, SharePoint Server and Project Server. August 2014 CU was the first CU where no "Uber" package was released - so I linked the individual hotfix packages for the patched components from my blog post which include the updates for the packages that have changed in August CU. To ensure that all other components are also on the latest patch level the "Uber" packages of July CU should be installed as well.
Why is there no "Uber" package for August CU?
The reason is a side effect of the new monthly update cadence. In the past we released cumulative updates every second month. Starting in June we began shipping cumulative updates every month. That reduces the timeframe a CU can slip if a problem is found in a CU near the release time. In the past a CU has often slipped 1,2 or even 3 weeks. Now with the monthly update cadence that is no longer possible as it would reduce the timeframe required to build and test the next CU. And that is what happend with August 2014 CU for SharePoint 2013. A problem was identified in one of the fixes included in August CU after all the packages have been built and the fixes were finalized. Rather than skipping the complete CU it was decided to just remove the affected fix package from the CU - and that also means that no "Uber" package was released as this "Uber" package would also contain the affected package.
What happened in August CU can happen again which means that we might see CUs without "Uber" packages more often.

Public Updates (PUs)

Public Updates are also cumulative updates - but only include those packages which include updates which should be distributed to all customers. Public update are either security fixes or other fixes which are recommended to be installed by all customers as they address issues which affect many users. A public update is always a subset of a CU. For more details about PUs and CUs see here:

PUs can be downloaded from Microsoft Download Center and are also published using Windows Update.
They are released on a monthly cadence if required. Be aware that you cannot expect that the latest public update includes all previous public updates for the reasons outlined in the Cumulative Updates section above. The following Graph highlights this:

In the example above you can see that a PU addressing issues in the Search component have been released in January. And two PUs addressing issues in the Excel Service Component have been released in February and March. In the example above no PU is released in April.
SharePoint PUs are cumulative - so installing the Excel Services PU from March will apply also the changes to Excel Services included in February PU and also all other fixes which were added to the same package in previous CUs. But as March PU does not ship any changes for the Search component it will be required to also install January PU to ensure that your system is properly patched with all public updates.
I'm usually not blogging about public updates on my blog as the CUs are a superset of the PU. Means the CUs contain all changes of the PU plus potentially fixes in other components. And "Uber" packages are a superset of the CUs installing the "Uber" packages of the CU will also include the changes from the PUs.
What might be confusing is that even that you installed the CU windows update might present you with additional patches. I'm not a windows update expert so I don't know all the details but it seems that windows update does not recognize that the fixes addressed in the PU have been already applied using a CU as the CU and the PU have different KB article numbers.

Patch baselines

While I'm writing this article about SharePoint patching let me also explain why it is required to install service packs although the CUs often include all fixes from an earlier released service pack. The reason is the patch base line.
Each service pack sets a new patch baseline while CUs don't set such a baseline. The patch baseline is the starting point for patching. Looking at the second picture above (the one explaining the "Uber" packages) you can see that the CU only included fixes for Search but not for any other component. The reason is that no fixes have been released for other components since the patch baseline was defined. When a service pack is installed on the server the patch baseline is set to this service pack.
That allows to speed up the patching process in the future as only those packages have to be updated which have changed since the patch baseline was defined.
For our CUs on the other hand it makes things a little bit more complicated: as we support the previous service pack for 12 more month after releasing a service pack we need to support two patch baselines with our cumulative updates. E.g. at the moment for SharePoint 2013 we support RTM and SP1 as patch baseline - that means our cumulative updates can be installed as well on RTM and on SP1.
That done by packaging the fixes for both patch baselines in the same package. This increases the size of the patches but allows our patches to be installed on both patch baselines: if SP1 is found the CU packages with SP1 as baseline are applied. If RTM is found, then the CU packages with RTM as baseline are applied. 12 months after release of the service pack things get more interesting - and that is also the time when we get more support cases.
Here is what will happen:
1) The CUs will be significantly smaller
As only the CU packages for the latest patch baseline are included in the CU the download size of the CU will be smaller. That often causes concerns with our customers as they are not sure if all fixes from the previous (much bigger CU) are really included in the new CU.
2) Fixes will no longer install on a system which is on a lower patch baseline
If the patch baseline on the SharePoint server is lower than the patch baseline defined in the CU package the CU fails to install. That often causes support cases if a customers forgot to apply the latest service pack for one of his language packs. For the next 12 months CUs can still be applied on such a system as we support the lower patch baseline but suddenly - around 12 months after release of the service pack - the older patch baseline is no longer supported and customers are no longer able to apply the CU.
A very good method to isolate such problems is the Roiscan script which lists the patch baseline and the patch level for all installed products and product components of the Office product family including SharePoint.

Farm Patch Information

One question I really have problems with is: what patch level will I see in central admin when I have applied that CU. The reason is: that information is not really very helpful to understand if the server is properly patched - at least when looking at the version number in "Manage Servers in this farm" page - which is usually referred to.
Why? The version number here is controlled only by one SharePoint component: SharePoint foundation. And here also only by a single DLL which writes the version information to the configuration database during patching. This version number does not give any indication if any of the real SharePoint server components like Excel Services, WCM or Search are properly patched.
To get a more reliable picture you really have to look at the Patch Status page ("Check product and patch installation status"). It contains the patch level for each installed component.
Another question I often hear is: "Why is the patch level in the central admin slightly different from the one in the KB article?"
One reason might be that you looked at the KB article for SharePoint server and not the one for SharePoint foundation. These two components might have slightly different version number - e.g. the SharePoint server package might have been created a couple of days later than the SharePoint foundation package. As the version number on the "Manager Servers in this farm" page in the Central Admin only shows details for the SharePoint foundation component you cannot expect to see the version number listed in the SharePoint server KB article.
But even when looking at the SharePoint foundation KB article there are rare cases that the patch level listed in the central administration is lower than the version number in the KB article. The reason for this is that different fixes are added to the CU at different times. Some fixes modify dlls of the components other just CSS files or JavaScript files. Most of the fixes affect the Microsoft.SharePoint.dll as this is the core component of the SharePoint Foundation component - so its version number usually has the highest version number in the package. But not always! It might be that the last fix being added to the package is a different file. If this is the case, then the version number in the KB article might reflect the version of this other file. If this file is a dll you can verify this in explorer. But if this file is just a CSS file or a Javascript file or any other file which does not carry version information then you might not be able to identify the file which defines the version number in the KB article.

The reason that I don't like questions around the version number in Server in Farm is that you will see the same version number in all the following scenarios:

SP2013 Server RTM plus SharePoint foundation August 2014 CU
SP2013 Server RTM plus some fixes for SharePoint Server August 2014 CU plus SharePoint foundation August 2014 CU
SP2013 Server RTM plus Service Pack 1 plus July 2014 CU plus all fixes for SharePoint Server August 2014 plus SharePoint foundation August 2014 CU

Just looking at this version number will not tell you if a CU installed correctly! It only tells you if the package for the SharePoint Foundation component has been applied but nothing about the other components.

Friday, November 2, 2012

Sharepoint 2010 SSRS Implementation

The procedure contains 8 parts:

1. SQL2008 R2 SSRS for 2010 Add-in is already installed. (As a pre-requisite), if not , manually install the Add-in to the Application Server and manually activate the features. (Backup the web.config file for your Central Administration before installation).

2. Install the Add-in to all the WEB FRONT ENDS. Manually deploy installation without activating the features.

3. Join the Reporting Server to the SharePoint Farm and deploy the Add-in as explained on step2.

A. SSRS Configuration {SQL Server}

B. Web application {SharePoint}

C. Site collection {SharePoint}

D. SSRS integration {SharePoint}

E. Content types {SharePoint}

A. SSRS Configuration {SQL Server}

Log on to your SharePoint 2010 box.

Fire up the SQL Server Reporting Services Configuration Manager.

Connect to the Report Server instance. In my case this is the default SQL Server 2008 R2 instance (MSSQLSERVER)

The first thing you will notice is the Report Server Status. Check the Report Server Mode. It should say Native (we start from native mode in this scenario).

Click Database in the left pane. Click Change Database. Select create a new report server database.
Enter the proper credentials.

Enter a database name and select SharePoint Integrated mode.

Enter the credentials and do not forget the <domain name>\<username> (.\<username> will do as well).

Choose Report Manager URL in the left pane and click the apply button. This will configure the Report Manager virtual directory.

Backup the encryption keys.

B. Web application {SharePoint}

Open the SharePoint Central Administration website.

Choose Application Management > Manage web applications.

Click the New button in the ribbon. This will bring up the Create new web application popup.

Keep the default values to keep things simple except for:

Choose a name for the new IIS Website. I will choose SSRSDemo in this example.

Choose a name for the application pool. I will again choose SSRSDemo.

Make sure you connect to the right database instance. In my example I will connect to the named SQL Server 2008 Express Edition instance named SHAREPOINT.

Choose a database name or keep the default value with the GUID suffix. I will call the database WSS_Content_SSRSDemo.

Hold your horses before you hit the OK button when this information pops up:

5. Click Create Site Collection page to move on to C. Site collection {SharePoint}

C. Site collection {SharePoint}

Enter a title for the site collection. SSRSDemo for example.

Choose a template. I will choose Business Intelligence Center because I want to store my SSRS reports in a BI related environment.

Enter a username for Primary Collection Administrator. Make sure you enter the full domain name. e.g.: <domain name>\<username> (.\username won't work here).

D. SSRS integration {SharePoint}

Go to the SharePoint Central Administration website > General Application Settings > Reporting Services > Reporting Services Integration.

Enter the Report Server Web Service URL which you can find the SQL Server Reporting Services Configuration Manager.

Choose the Authentication Mode. Windows Authentication. Entering.\<username> will do. ( we used TRUSTED ACCOUNT)

Go to the SharePoint Central Administration website > General Application Settings > Reporting Services > Add a Report Server to the Integration.

The server name should already be provided and enter the name of the SQL Server instance which hosts the report server database.

Enter the credentials.

E. Upload a report {SharePoint}

Open your new top level web site we created in C. Site collection {SharePoint}

In case you forgot the URL of the web site, go to SharePoint Central Administration > Web Application and look for the URL.

Go to All site Content > Documents.

In the ribbon, go to Library Tools > Library.

Click Library Settings.

Click Advanced Settings.

In Content Types, check Yes for Allow Management of content types and click OK.

In the columns section, click Add from existing site columns.

In the Select site columns from drop-down box, select Report Server Content Types.

Select all available site content types and click the Add button followed by OK.

Go back to All site content > Documents.

Click the Add Document link.

Enter a title for the report.

There is also the option to create a report yourself if you don't have the reports from the sample reports. It only takes a few seconds to create a report using the Report Builder (see screenshot below).

Click the report you have uploaded to view the result.

Report Builder program will download automatically if not installed and it will integrate with the browser and SharePoint.

Fie Storage Solutions for SharePoint 2010

Remote Blob Storage (RBS) allows you to work with large files in SharePoint by placing them on an external source of storage, completely transparent to the end-user. For example, you can configure a RBS to store all files greater than 100mb on an external drive or a network share folder. In this way the method that currently is used in the portal for uploading “example: drivers, etc.” remains the same, no other user intervention required.

To setup the remote blob storage for SharePoint, requires a SQL Administrator. Since the heart of the implementation and configuration must happen on SQL. Very few configuration steps are taken in SharePoint CA, beside the usual file limitation settings and file types.

What are the drawbacks of Remote BLOB Storage?

· One of the major side effects of RBS is that you cannot use database mirroring when RBS is enabled. Clustering and log shipping are still supported, but if we currently use or plan to use mirroring then RBS is probably not an approach to consider.

· We should be aware that individual RBS providers may or may not support native SQL backups. Fortunately, SharePoint backups, however, will include any files stored in BLOB storage regardless of whether the RBS provider supports native SQL backups.

· We should also be very wary of the fact that data is being stored in a location outside of the database and any implications that may have for security and reliability.

· Another issue we may encounter is that BLOB retrieval performance may be negatively impacted if you move the BLOB store to a slower hard drive. This can also be true if the BLOB store is hosted on a networked location where bandwidth is limited or latency is an issue. On the other hand, BLOB retrieval performance may improve if the hard drive you place it on is faster than the SQL drive. The recommended solution for our environment is to have the location be on the same WFE server in the “data drive” so that it gets backup and replicated automatically.

· It is also worth noting that RBS is enabled at the content database level, not the site collection level. This means that if you have multiple site collections in a content database, enabling RBS on that content database enables RBS on all of those site collections. If this is not the desired behavior, then we may need to move site collections to other content databases.

· Finally, Microsoft has stated that it is not guaranteeing that RBS will seamlessly migrate to the next version of SharePoint. You can always "undo" RBS and pull everything back into the database.

· Remote BLOB storage will not get around the 2 gigabyte limit for files in SharePoint.

What are the benefits of Remote BLOB Storage?

· Database size is reduced. Having a smaller database can be extremely beneficial if you are running out of disk space on your SQL server and don't have the ability to add additional disks.

· Prolongs use of SQL Express. If you are using SQL Express in your SharePoint environment but you are bumping up against the 4 gigabyte database size limit (10 gigabytes in R2) associated with the free edition of SQL Server, then you can use RBS to offload data from the database. Since the data is not in directly in the database it does not count against the size quota.

· Cheaper file storage. Database hard drives tend to be fast and expensive, so archiving a large number of files that are rarely accessed on those disks is not always the best use of fiscal resources. In as much as RBS allows you to move BLOB storage to fast hard drives and see a performance benefit, you can also move them to slower, cheaper hard drives for a budgetary boost when performance is not as much of a concern.

· Database backup time reduced. As database size increases, so does the time to back up the database. If you have a specific maintenance window in which the backup has to occur, the database can grow so large that it becomes difficult or impossible to complete in that time frame. By offloading the BLOB store, the database size is reduced and the database backup time can be reduced as well. You will still need to make a backup of the BLOB store, but that can be done using a separate parallel process.

· Large BLOB performance benefits. Streaming data from a file stream can outperform streaming data directly from a database. However, setting up SQL server for use of a remote file stream is an expensive process. For small files (less than 60KB), it may not be beneficial to bother with a file stream at all. For larger files it can be very beneficial. Fortunately, RBS allows you to configure certain file size thresholds to store smaller files directly in the database and larger files using RBS, so they reside in a location where performance is optimal.

Network Share File Location.

File can be stored on a network share location. A network UNC path can be used to access these files. The folder permission for this location would have rights for the appropriate Users to download the file. However, the SharePoint upload function is nonexistent; the user would have to manually store the file into the network share location.

A custom SharePoint List can be utilized to add “Title and Descriptions” of the files plus a hyperlink to download. However, this is totally outside the scope of SharePoint and does not benefit from a SharePoint backup, nor SharePoint Alerts or any other modifications that could happen in the network Share folder. The network Share folder location would have to remain with the same UNC path name and must be added to an alternative backup solution in the environment.

Sharepoint 2010 Claim Based Authentication with SQL Server as Provider

How to setup the Claim based Authentication with SQL Server as Provider. This is very straight forward. Below are high level tasks we need to do.

1) Setup you AspnetRoleMemberShip Provider

2) Create Claims Based Web Application.

3) Create Site Collection.

4) Configure Web.Config of below Sites

a) Central Administration’s Web.Config

b) Security Token Service’s Web.Config

c) Claim Based Application’s web.Config

Provide Access to User from User Policy in Central Administration.

Details steps are given Below

Setup the AspnetRoleMemberShip Provider database

Go to the SQL Server database server

On the database server, open Windows Explorer.

Navigate to the path %System Drive%\Windows\Microsoft.NET\Framework\v2.0.50727.

To start the ASP.NET SQL Server Setup Wizard, double-click aspnet_regsql.exe.

Complete the wizard

Make sure the Application Pool accounts of the web application(s) and the Central Administration web site have access to the database

Create a new web application with Claim Based Authentication

Select Application Management from Left Menu

Click on Manage Web Applications

Click New Web Application

Select Claims Based Authentication

Identity Providers

Check the Enable Windows Authentication box

Check the Enable ASP.NET Membership and Role Provider checkbox

In the Membership provider name edit box, type MySqlMember

In the Role provider name edit box, type MySqlRole

Create a new site collection

Again Select Application Management

Click Create site collections

Select the newly created web application

Fill in a name and select a template

Modify web.config of the Central Administration site

Open the Central Administration site's web.config file

Find the </configSections> entry

Paste the following XML directly below it.

Note: This is connection String of your SQL Server’s Aspnetdb

<add name="AspNetDb" connectionString="data source=PRAWAL01;Integrated Security=SSPI;

Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />

</connectionStrings>

Note: Replace {your database Server Name} with Database Name

· Find the <system.web> entry

· Paste the following XML directly below it

<roleManager enabled="true"

cacheRolesInCookie="false"

cookieName=".ASPXROLES"

cookieTimeout="30"

cookiePath="/"

cookieRequireSSL="false"

cookieSlidingExpiration="true"

cookieProtection="All"

defaultProvider="AspNetWindowsTokenRoleProvider"

createPersistentCookie="false"

maxCachedResults="25">

<add connectionStringName="AspNetDb"

applicationName="/" name="MySqlRole"

type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0,

Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

<add applicationName="/"

name="AspNetWindowsTokenRoleProvider"

type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=2.0.0.0,

Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

<membership defaultProvider="MySqlMember"

userIsOnlineTimeWindow="15" hashAlgorithmType="">

<add connectionStringName="AspNetDb"

enablePasswordRetrieval="false"

enablePasswordReset="true"

requiresQuestionAndAnswer="true"

passwordAttemptWindow="10"

applicationName="/"

requiresUniqueEmail="false"

passwordFormat="Hashed"

name="MySqlMember"

type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0,

Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

Modify the web.config of the Security Token Service (STS) virtual directory

· Open the Security Token Service (STS) virtual directory's web.config file location of this file is

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken

· Find the </system.net> entry

· Paste the following XML directly below it

<add name="AspNetDB" connectionString="data source=PRAWAL01;

Integrated Security=SSPI;Initial Catalog=aspnetdb" providerName="System.Data.SqlClient" />

</connectionStrings>

· Paste the following XML directly just above the entry </configuration>

<system.web>

<add connectionStringName="AspNetDB" enablePasswordRetrieval="false" enablePasswordReset="true"

requiresQuestionAndAnswer="true" passwordAttemptWindow="10" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" name="MySqlMember"

type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</membership>

<add connectionStringName="AspNetDB"

applicationName="/" name="MySqlRole" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

</providers>

</roleManager>

</system.web>

Modify web.config of the claims based web application

· Connection string – Find the </configSections> entry

· Paste the following XML directly below it

<add name="AspNetDB" connectionString="data source=PRAWAL01;

Integrated Security=SSPI;Initial Catalog=aspnetdb"

providerName="System.Data.SqlClient" />

</connectionStrings>

We need to Add Provider to <MemberShip> and <RoleManager>, So the best way is Replace <membership and <roleManager with below XML (This is addition to Default which will be available, if you have more provider already configured, Just add more Provider).

<add connectionStringName="AspNetDB"

enablePasswordRetrieval="false"

enablePasswordReset="true"

requiresQuestionAndAnswer="true"

passwordAttemptWindow="10"

applicationName="/"

requiresUniqueEmail="false"

passwordFormat="Hashed"

name="MySqlMember"

type="System.Web.Security.SqlMembershipProvider,

System.Web, Version=2.0.0.0,


Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

<add name="i"

type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider,

\
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral,

PublicKeyToken=71e9bce111e9429c" />

</providers>

</membership>

<roleManager enabled="true"

cacheRolesInCookie="false"

cookieName=".ASPXROLES"

cookieTimeout="30"

cookiePath="/"

cookieRequireSSL="false"

cookieSlidingExpiration="true"

cookieProtection="All"

defaultProvider="c"

createPersistentCookie="false"

maxCachedResults="25">

<add connectionStringName="AspNetDB"

applicationName="/"

name="AspNetSqlRoleProvider"

type="System.Web.Security.SqlRoleProvider,

System.Web, Version=2.0.0.0,Culture=neutral,

PublicKeyToken=b03f5f7f11d50a3a" />

<add applicationName="/"

name="MySqlRole"

type="System.Web.Security.WindowsTokenRoleProvider,

System.Web, Version=2.0.0.0,Culture=neutral,

PublicKeyToken=b03f5f7f11d50a3a" />

<add name="c"

type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider,

Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral,

PublicKeyToken=71e9bce111e9429c" />

</providers>

</roleManager>

That’s all to be done for Configuration. Next step is to provide access to users from SQL Server.

Adding User Policy via Central Administration

Open Central Administration

Navigate to Manage Application

Select the Claim Based Application from the List

Select User Policy from Top Ribbon.

Select Telephone Book ‘icon’

Select ‘All Zone’ and Click Next

Enter the Name is FIND text box

Hit Enter key

Select user from List and Provide Access Permission.

Now Open a new Browser window and Type http://<<url>> of your site collection of Claim based Web Application.

Select “forms Authentication”

Enter user name and password

So as per permission given “Full Control” (as Site Owner) in this case, site will allow user in.

Further to this, being a site admin you can add other users from SQL Database to this site’s Member, Owner, Viewer groups.