FIM 2010 and FBA

May 17, 2011 at 5:36 PM

I am planning to use FBA in a SharePoint extranet environment with both windows users (for internal staff) and form-based users (for external vendors), I am not sure that I need to have Forefront Identity Manager 2010 with FBA.
I was originally thinking using FIM 2010 as a part of environment.

So here my questions:

1- Can we use your FBA with FIM for example to change/reset password of form-based users?
2- Do I have to have for example two user management pages to handle credentials?
3- Can we apply policy management features in FIM to users created in FBA table?
4- Can I enjoy from FBA same password policies features (i.e. minimum characters, case sensitivity, expiration date etc) that I get from AD, FIM?
5- What would be the best topology (components) for having an extranet with both Windows and Form-based authentication? What is the best (or acceptable) arrangement ?


May 17, 2011 at 6:06 PM

I'm not familiar with FIM myself, so I can't really answer your FIM specific questions.  You do not need to have Forefront Identity Manager to use FBA with SharePoint.  You can have both windows and FBA users on the same environment.

1) I don't know about FIM specifically, but there is a Change Password page built in for changing an FBA users password.  There's also a Password Recovery web part that will reset the users password if they forget it.

2) If you're referring to login pages, then yes - but SharePoint comes with that built in.  If you configure both Windows Authentication and Forms Based authentication, when you go to login SharePoint will provide you with a drop down where you can choose which method to use to authenticate.  You will then be redirected to the appropriate page.  Alternatively you can set up separate zones to the same web application - so when a user hits the internal URL they get automatically authenticated with Windows Authentication, and if they hit the external URL they are prompted for their FBA username and password.

3) I'm not sure what kind of policy management features you're referring to.  The same SharePoint user rights can be assigned to both to windows and fba users - there's no differentiation between the two in SharePoint.

4) The password policies have to be configured separately for FBA. Expiration date is not currently an option, but minimum # of characters, minimum non-alphanumeric characters as well as a Regular Expression validator are options.  You can see the configurable properties here:

5) I don't know if there's a best - just experiment and use what best fits your environment.  I believe many people use separate zones (mentioned in #2).

May 20, 2011 at 12:14 AM

Pretty sure this has nothing to do with FIM except for the fact that it delivers functionality quite similar to FIM Self-Service Password Reset (SSPR).

The interesting scenario I see would be to make this a client to FIM SSPR, as this has the opportunity to add features that aren't in the FIM SSPR client.