29 January, 2007

Forms-based authentication in WSS 3.0

One of the cool things about the security model in WSS 3.0 is that you're no longer restricted to Active Directory when it comes to authenticating users. Because WSS 3.0 builds on ASP.NET 2.0's provider model, you can authenticate your users in any way you want, including forms-based authentication against a membership provider of your choice.

Forms-based authentication is useful in an extranet scenario where you don't want external users in your Active Directory. But what's really cool is that you can configure SharePoint to use multiple authentication providers for the same site. That means you can have external users of an extranet logging in by typing a username and a password (forms-based authentication) and still provide a seamless user experience for internal users of that same extranet by authenticating them based on their existing Active Directory credentials (Windows integrated authentication). In practice this means extending the web application into a second zone with its own URL and assigning the forms-based provider to that zone, so each provider is reached through its own address.

There are two really good posts on how to configure SharePoint to use multiple authentication providers:

Now, the whole point of this post was to share a couple of things based on my experience with configuring this:

  • The first couple of times I configured dual authentication, carefully following the instructions in the posts above, it simply wouldn't work for me. I didn't get any useful error messages; SharePoint just didn't want to resolve my forms-based authenticated users. After many hours of frustration I realised that the account my SharePoint application pool was running under didn't have access to the database where my users were stored. So, after you've created your ASP.NET 2.0 framework database with the aspnet_regsql.exe tool, make sure to grant permissions to your SharePoint application pool account. Grant it membership in the aspnet_* database roles that aspnet_regsql.exe creates (for example aspnet_Membership_FullAccess) rather than making it db_owner, so the account gets only what the membership and role providers actually need.
  • Following Andrew Connell's tip, Visual Studio 2005's ASP.NET Configuration Website is a quick and easy way to verify your web.config settings and to add some users into your database. But for your end users, you want to provide a more user-friendly and secure way of adding new users. One way of achieving this is to create a new web part page that is only accessible by site owners. Using SharePoint Designer you drop the standard CreateUserWizard ASP.NET 2.0 control onto that page. Remember to set the MembershipProvider property for that control to the exact provider name from web.config, as well as any other properties you may want to customise. The SharePoint permissions on that page are the only thing stopping it from becoming an open self-registration form, so verify them after you create the page. Similarly, you can also utilise the other standard ASP.NET 2.0 controls, such as ChangePassword, PasswordRecovery, etc.
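The first tip above (and the "how to assign permission to database" question in the comments) comes down to a few T-SQL statements. The script below is an added example and not part of the original post; the database name aspnetdb, the account CONTOSO\spAppPool and SQL Server 2005 or later (for the sys.* catalog views) are assumptions. It grants the application pool identity the aspnet_* roles that aspnet_regsql.exe creates instead of db_owner, then lists the roles so you can confirm the grant took effect.

```sql
-- Added example (not from the original post): give the WSS 3.0 application pool
-- identity least-privileged access to the ASP.NET 2.0 membership/role database
-- created by aspnet_regsql.exe.
-- Assumed placeholders: database [aspnetdb], app pool account [CONTOSO\spAppPool],
-- SQL Server 2005 or later.
USE [master];
GO

-- 1. Server-level login for the application pool identity (skipped if it exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\spAppPool')
    CREATE LOGIN [CONTOSO\spAppPool] FROM WINDOWS;
GO

USE [aspnetdb];
GO

-- 2. Database user mapped to that login (skipped if it exists).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\spAppPool')
    CREATE USER [CONTOSO\spAppPool] FOR LOGIN [CONTOSO\spAppPool];
GO

-- 3. Role membership instead of db_owner.
--    aspnet_Membership_FullAccess covers the SqlMembershipProvider calls made by
--    the CreateUserWizard, ChangePassword and PasswordRecovery controls as well
--    as user lookups. If you also use the SqlRoleProvider, add the matching
--    aspnet_Roles_* role: aspnet_Roles_ReportingAccess for read-only lookups,
--    aspnet_Roles_FullAccess if roles are created or assigned from the site.
EXEC sp_addrolemember N'aspnet_Membership_FullAccess', N'CONTOSO\spAppPool';
EXEC sp_addrolemember N'aspnet_Roles_ReportingAccess', N'CONTOSO\spAppPool';
GO

-- 4. Verify: the account should appear with exactly the roles granted above
--    and nothing else (in particular, not db_owner).
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\spAppPool'
ORDER BY r.name;
GO
```

Run it as a sysadmin (or a login with ALTER ANY LOGIN on the server and db_securityadmin in the database) from SQL Server Management Studio or sqlcmd. If the application pool runs as Network Service rather than a domain account, the login to create is the machine account (DOMAIN\MACHINENAME$) instead.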

Update: I just came across this great post on Chandima's Blog. It's another detailed guide on how to configure forms-based authentication. He has also released an early version of a SharePoint feature he is working on. This feature will add user administration functionality to a site using forms-based authentication. Nice work!



Henry said...

Hey Kristian, thanks for the post. Have you had any experience with using forms based authentication for AD users logging in from outside of the network? I've tried to do this but it seems that SharePoint does not recognize a FBA user the same as a windows authenticated user, even though they have the same login. Any suggestions? Thanks!

Kristian Kalsing said...

You would have two different URLs pointing to the same website. One URL is for internal users using AD authentication and the other URL is for external users using forms-based authentication.
Most likely you would only have the external url facing the Internet. So for AD users to log in from outside the network they would come through the FBA url. Hence they would need a set of FBA username and password as well.

Jeremy Mullinax-Hill said...

I spoke with Microsoft and several SharePoint MVPs. Everyone seemed as if they had never taken into consideration that you would need to map an FBA user to a SharePoint profile. Finally I spoke with someone at Microsoft who told me that this is what I needed to do, but that I would have to write a program that creates the profiles, since the People Picker validates the user against AD. I have yet to try it out, but it seems logical.

cholliday said...

Have you tried the PasswordRecovery Control? When I try to use that in a sharepoint page it fails. But if I use it outside of sharepoint it works fine.

Etherknight said...

Maybe you can settle a bet for me. Can one turn up only WSS feature-set and still use AD logins? Or is that a feature exclusive to the full blown Sharepoint Server (MOSS)?

Anonymous said...

How to assign permission to database for our SharePoint application pool?
Please help.

Anonymous said...

How to integrate WSS 3.0 authentication with AD?

Anonymous said...

Check this out!