There have been several blog posts about the implementation and use of Forms Based Authentication (FBA) in a SharePoint environment. For the last two days I have been digging into FBA because there is obviously a growing interest among companies in this authentication method.
To start off, I found great help (must read!) in two posts by Dan Attis about setting up FBA and how to enable MySites and Personalization features for your FBA users:
Dan's primary focus was on serving the customers, which makes the FBA part the most important one.
Well, I like to turn things around.
You're working at a company with a bunch of freelancers. Let's say a newspaper. When a freelancer works for you, you would like to give him access to your SharePoint environment. Since you use a lot of freelancers (and not always for a long time) you don't want to put them into your Active Directory.
You have an intranet portal. All your ("real") employees are registered in Active Directory and they are using MySites and Personalization features. Your freelancers don't need MySites or Personalization features, since they are never around long enough to use them properly.
How to: (I will not go into too much detail, since all the pure technical steps are beautifully described in the posts by Dan Attis)
- Create a User database and some users.
- Extend the already existing portal, creating a new IIS web site. (You can choose the port and host header as you like.)
- Choose "Extranet" as the zone in the Load Balanced URL section.
- Add the connectionStrings entry and the Membership and Role Provider sections to the web.config file of the newly created Web Application AND to the web.config file of the Central Administration Web Application.
- In the Central Administration web.config, change the default RoleManager to "AspNetWindowsTokenRoleProvider".
- In Application Management, change the Authentication Provider for the Extranet zone to Forms and enter the Membership and Role Provider names.
You're ready to go.
Thoughts and problems:
- It is not possible to enable MySites and Personalization features for both Active Directory users and FBA users. That is because the SSP itself has to be changed to Forms Based Authentication. (In our situation, it wasn't required anyway.) It would require separate SSPs to accomplish this.
- In our situation, search works because it uses the Windows Based Authentication site to crawl. When going completely Forms Based, additional configuration would be required. But searching in FBA sites (for example FBA MySites) still causes problems.
- User Administration. Well, you could write something yourself to access and administer the SQL Database. Or you could go to this link and use the webpart. Although it's still pretty basic, it has some cool features.
I've just begun to explore FBA, so probably more posts to come. So I give it a
To be continued...
Keep on rocking