Mixed Authentication: FBA and Windows (AD)

Jan 10, 2012 at 12:34 AM

I was wondering if the FBA Pack would allow me to accomplish the following:

I would like to have a single Web App (Site Collection) that supports both FBA and Windows AD Authentication.

The Windows AD Authentication should be automatic.

The user should be prompted for FBA if not authenticated via AD.

Whenever the user is logged in, the proper controls should be used for Password Recovery and Password Reset (depending on FBA or Windows).

 

I think I have done something very similar to this, but the one thing that annoyed me was instead of the AD users being automatically logged in (IE is set to do this in our Corporate Group Policy), the user had to actually choose from a "Drop Down" if they wanted "Forms Based" or "Windows". (Which, I think would be confusing to an external user and unnecessary to an internal user.)

I know this is a very generic question, and I will get more specific if this is something that can provide me what I described above. I just didn't want to spend alot of time trying to set this up, if it won't provide the results I need.

Thanks for any feedback!

Shayne

Coordinator
Jan 10, 2012 at 3:01 AM

If you want to login automatically with AD and have a seperate login for FBA, then out of the box the only way I know how to do it is to create two urls. So AD users would visit one url, and FBA users another.  You can set that up in central admin by creating two different zones for your web app - one with AD authentication only, and one with FBA authentication only.

If you want it to auto detect using the same URL, then I think you'll have to create your own custom login page, and code the logic yourself.

Jan 10, 2012 at 4:31 PM

 

What if I want to have AD enabled simply to manage the Forms Users (using the provided web parts)? I guess I am in the same boat... I either have to create a Forms Based account for the (internal) admins, live with the "choose Forms Based or Windows Based" drop down or customize it.

Or....

Right now, instead of "Extending" the application for our Forms Based/External Apps, we have simply been creating an additional Web App. This External Web App could only have Forms Based Auth (as you suggested), while the internal only has Windows Auth. Although, wouldn't I only be able to manage the Forms Based users on the "External" Web App? (Which takes me back to square 1, lol.)

(I know by creating a sperate app and site collection, we are not sharing the Content Database between the two "apps". Although, these particular apps are basically glorified "ASP .Net" applications (hosted in SharePoint) and consist of Visual Web Parts with a SQL Server (NOT the SharePoint SQL Server) as their datasource. Right now, they don't really use any of the SharePoint functionality. As we become more familiar with SharePoint development, hopefully this will change! I am just mentioning it, in case it make a difference in your answer.)

Coordinator
Jan 10, 2012 at 4:45 PM

If you only want to have AD to manage the forms users, I would create a seperate zone for the AD users and just have them access the same web app via a different url.  Then the fba users url stays exactly the same and they are immediately prompted with their login page. The AD users would have to know to use a different url, but they would be logged in immediately. Or if you want to keep it even simpler, why not just use FBA only and assign the AD users a username and password.

Jan 10, 2012 at 6:48 PM

 

Here is what I have done.

I created the Web App (AD Only), then I extended it to the "Extranet" zone and enabled "Forms Bases" only.

Now, when I am deploying the FBA Pack, do I only deploy it to the "Extranet" Zone/Web Application? Or, both? In order to manage the users on the Default site (AD Only), it seems like I need to deploy it to both (even though it doesn't know or do "Forms Based"???).

Thanks for your help and putting up with my limited knowledge!

Jan 10, 2012 at 6:57 PM

 

I just answered my own questions. It seems by deploying it to one of the Zones, actually deploys it to both.

One more question. To take advantage of the Membership Request, I assume I need to turn on Anonymous Authentication and add some code to see if the user is logged in and if not, then redirect to the page containing the Membership Request Web Part. Is that how that should work?

Coordinator
Jan 10, 2012 at 7:03 PM

That's right - even though it's two different zones, it's still only the one web application. The zones are really just different ways to authenticate to the same web application.

As for the membership request, yes generally you'd place it on a page with anonymous access. If you make your home page anonymous access as well, then you can just have a link to the registration page. The other way you can do it is to customize the login page and add a link to the registration page.

Jan 10, 2012 at 7:06 PM

 

Adding a link to the login page seems ideal. This must be pretty easy. Do you know if there is an example laying around? I am sure many people ohave done this, huh?

Coordinator
Jan 10, 2012 at 7:13 PM

This link (and pretty much all the tutorials out there) talk about completely customizing the page, including code behind:

http://blogs.msdn.com/b/kaevans/archive/2010/07/09/creating-a-custom-login-page-for-sharepoint-2010.aspx

That's probably a little more in depth than you want to go. You should be able to get away with taking a copy of the login page (the filename is in the article), add your link to the .aspx, and then just set the location of the new login page in Central Admin.

Jan 10, 2012 at 8:39 PM

 

That is exactly what I was thinking, since all I need to do is add a link.

 

Thanks!

Jan 10, 2012 at 9:07 PM

 

Does the "Request Access" web part generate an email to the Admins of the site?

Coordinator
Jan 10, 2012 at 9:12 PM

No, just to the person registering. If you're using the membership review list, you could add an alert to it, so that the admins are notified when a new member registers.