Windows Authentication and Forms Based Authentication with AD LDAP provider are not the same user account

  • Question

  • Hello, we have a SharePoint 2010 environment and we want to implement mixed mode authentication: Windows Authentication when accessing from inside the network, and Forms Based Authentication to the same web application when accessing from outside the network.

    All users are present in the Active Directory. The Forms Based Authentication is configured with LDAP and is connected to the same domain as the Windows Authentication.

    When I configure mixed mode authentication I get 2 different users, one domain\username and one fba\username. What I want to achieve is that both authentications use the same user account.

    Please, I hope there is someone who can help me with my problem.

    Monday, March 18, 2013 6:03 PM

Answers

  • I looked at this when I was starting out in SharePoint and not since. As such I may be utterly wrong, however as far as I know...

    The separation of FBA and AD accounts is deliberate and pretty much absolute. The only way that you could merge the two into the same identity would be to use the Windows Identity Foundation to create your own authentication provider and then use that instead of AD. Internally your provider could either authenticate against AD or your own FBA system, but provide a single unified identity to SharePoint. Whilst that's possible, I don't know if it's supported and I'm pretty sure it's a bad idea unless you've got a really good developer team to back you up and a rock solid business case.

    The recommended way to achieve your objectives is to use UAG to authenticate your external users (possibly using FBA) and then pass their credentials as if they were using AD to authenticate. That way the users are still authenticated to SharePoint using AD, so the same accounts, but can be forced to use two factor auth / RSA / pinsafe / other to get into the extranet extended web applications.



    Monday, March 18, 2013 6:11 PM
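To make the "two accounts" point concrete, here is an added example (not code from the thread or from SharePoint) that decodes SharePoint 2010 claims-encoded logon names: the Windows issuer and the forms issuer become part of the stored identity, so the same AD person shows up as two principals. The domain "domain" and provider name "fba" are taken from the question; the user names are constructed sample data.

```python
"""Decode SharePoint 2010 claims-encoded logon names (added example, not code
from the thread or from SharePoint). Domain "domain" and provider name "fba"
come from the question; the user names are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Issuer type codes in the encoding; forms, trusted and the older
# membership/role issuers carry the provider name before the value.
ISSUERS = {"w": "windows", "f": "forms", "t": "trusted", "m": "membership",
           "r": "role", "s": "sharepoint"}
NAMED_ISSUERS = {"f", "t", "m", "r"}


@dataclass(frozen=True)
class SPClaim:
    is_identity: bool        # 'i' = identity claim, 'c' = any other claim
    claim_type: str          # '#' logon name, '-' role, '+' group SID, '5' email
    issuer: str              # decoded issuer type
    provider: Optional[str]  # provider name, or None for Windows issuers
    value: str               # the claim value as presented


def decode_claim(encoded: str) -> SPClaim:
    """Parse e.g. 'i:0#.w|domain\\alice' or 'i:0#.f|fba|alice'."""
    head, sep, rest = encoded.partition("|")
    if (not sep or len(head) != 6 or head[0] not in "ic" or head[1:3] != ":0"
            or head[4] != "." or head[5] not in ISSUERS):
        raise ValueError(f"not a SharePoint encoded claim: {encoded!r}")
    provider = None
    if head[5] in NAMED_ISSUERS:
        provider, sep, rest = rest.partition("|")
        if not sep or not provider:
            raise ValueError(f"missing provider name: {encoded!r}")
    return SPClaim(head[0] == "i", head[3], ISSUERS[head[5]], provider, rest)


def same_principal(a: str, b: str) -> bool:
    """Permissions and the user information list are keyed on the whole
    encoded logon, so a different issuer or provider is a different user
    even when the value names the same person."""
    return decode_claim(a) == decode_claim(b)


def principal_label(encoded: str) -> str:
    """Label in the 'domain\\user' / 'fba\\user' shape the question describes."""
    c = decode_claim(encoded)
    return c.value if c.provider is None else f"{c.provider}\\{c.value}"
```

Running `principal_label` over the two logons for the same person gives `domain\alice` and `fba\alice`, and `same_principal` on them is False, which is exactly the pair of users the question describes.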

All replies

  • Hello Alex,

    thanks for your information, I will have a look at UAG; maybe that's something for us. But it is weird that there are no options to realize such a thing.

    If there is someone else with another idea, I would like to hear it.

    Wednesday, March 20, 2013 8:32 AM