FBA authorization fails when permission inheritance is cut

I experienced the strangest thing (read: annoying) with Forms Based Authentication.

This is the scenario:

We have a SharePoint Web Application with some Site Collections on it, using Windows Authentication (for internal employees). That Web Application is extended to a second Web Application, that one using Forms Based Authentication, with the accounts residing in a SQL Server database.

This is the problem:

When we add FBA accounts to subsites that have unique permissions (so inheritance is cut from the above site or site collection), it's not possible to log in. Basically, these FBA accounts are not known on the top-level Site Collection. Authentication works (you can actually see: Access Denied, logged in as user ...), but authorization doesn't...

This is the solution:

We made an extra FBA Role, containing all the FBA accounts. Then we added that role to the top-level Site Collection. Of course, we didn't want users to log in to our top-level site. So we created a new Permission Level, having so few permissions that logging in wasn't possible.

From then on, everything worked like a charm.

Keep on trucking
Tom

Published Friday, 3 October 2008 16:01 by Tom Vandaele