SP2013 FBA SQL Authentication

Problem

I am unable to add FBA users to sites without first adding the user to the web application policy of that web app. Once I add the user(s) at the web app policy level, I can then add them to sites. What am I missing here? Why are my sites not able to see the fba users without first adding them to the web policy?

Scenario

Portal web app (accessible via ntlm only)

I extended the portal web app to EXTRANET (ntlm and FBA)

I modified web.configs for Extranet, CA and STS (see below).. but did not edit the portal web app's web.config.  

CA Role and Member settings
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<add connectionStringName="SqlConn"
applicationName="/"
name="SQLRole"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>
<membership defaultProvider="SQLMember">
<providers>
<add connectionStringName="SqlConn"
applicationName="/"
name="SQLMember"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>

EXTRANET (extended(portal)) Role and Member Settings
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" applicationName="/" name="SQLMember" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add connectionStringName="SqlConn" applicationName="/" name="SQLRole" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>

STS Role and Member Settings
<connectionStrings>
<add name="SqlConn"
connectionString="server=WIN-I6SHQ2N2241;database=aspnetdb;Trusted_Connection=true"/>
</connectionStrings>
<system.web>
<membership defaultProvider="SQLMember">
<providers>
<add connectionStringName="SqlConn"
applicationName="/"
name="SQLMember"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
<roleManager enabled="true">
<providers>
<add connectionStringName="SqlConn"
applicationName="/"
name="SQLRole"
type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>

---

- Rick