Kerberos and FBA

  • Question

  • Hi,

    I'm wondering if it is possible to configure Kerberos only for the "App Pool Service Account" in a Web Application with Forms Based Authentication. Yes, it seems weird, but our need is the following:

    We need to consult some data in an external database, and we don't want to use BCS. Is there a way to authenticate the app pool service account in the external database?

    THX

    Wednesday, July 22, 2015 9:56 AM

Answers

  • That means it will use windows authentication for the current user that the process is running as. You haven't said how you're running the query to get that data, presumably a custom web part?

    The textbook answer is to use the Secure Store, as Trevor says. Normally you'd use that with BCS and there's loads of examples of how to do that.

    Wednesday, July 22, 2015 3:09 PM

All replies

  • FBA and Kerberos cannot be set up together on a single web application. Moreover, Kerberos is always end-to-end authentication. You need to enable it for every level of authentication from database->SharePoint->end user.

    http://social.technet.microsoft.com/Forums/en-US/9dac23a7-5a24-4ac4-9d90-800053e25b1f/kerberos-and-formsbased-authentication

    Hope this helps.


    Thanks Mohit

    Wednesday, July 22, 2015 10:53 AM
  • FBA and Kerberos cannot be set up together on a single web application. Moreover, Kerberos is always end-to-end authentication. You need to enable it for every level of authentication from database->SharePoint->end user.

    http://social.technet.microsoft.com/Forums/en-US/9dac23a7-5a24-4ac4-9d90-800053e25b1f/kerberos-and-formsbased-authentication

    Hope this helps.


    Thanks Mohit

    That is incorrect and a misinterpretation of that thread. You can use FBA and Windows Authentication (using Kerberos) on the same Web application. They are merely two different claims providers.

    However that isn't what Lexxus is describing either. Lexxus: Do you want to pass through user credentials to authenticate with, or do you wish to use the App Pool Service Account's identity to be used to retrieve the data to SharePoint?

    If this is not using BCS how do you plan to connect to the data?

    Wednesday, July 22, 2015 1:13 PM
  • Ok, thanks for info.

    Thanks Mohit

    Wednesday, July 22, 2015 1:35 PM
  • This is what the Secure Store Service is for. Take a group of users and have them auth as a particular set user. Kerberos and FBA are mutually exclusive.

    You can still set up the Web App using Kerberos, but the FBA users will never receive a Kerberos ticket from the KDC.


    Trevor Seward

            

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, July 22, 2015 2:21 PM
  • Hi,

    thx for your help.

    We are migrating an ASP.NET page into SharePoint. This page gets data in a classic way (connection to a SQL database + retrieving data using "integrated security").

    First, I already tried to migrate this page into SharePoint and test it. It did not work; SQL refuses the connection, saying that Anonymous does not have sufficient permissions.

    There's a double hop. So I'm wondering if we can use the App Pool Service Account's identity in order to retrieve external data from the external database with "integrated security". That's why I am thinking about Kerberos.

    I also read in some other posts that I can use the Secure Store Service to store a login/password, and connect to the external database with a SQL login.

    Please let me know if Kerberos is a possible way or if I can only use the Secure Store and BCS.

    Wednesday, July 22, 2015 2:26 PM
  • I think I am a little bit confused. Who is actually the user who attempts to connect to the external database when I use a connection string with "Integrated Security=true"? App pool or authenticated user?
    Wednesday, July 22, 2015 2:47 PM
  • That means it will use windows authentication for the current user that the process is running as. You haven't said how you're running the query to get that data, presumably a custom web part?

    The textbook answer is to use the Secure Store, as Trevor says. Normally you'd use that with BCS and there's loads of examples of how to do that.

    Wednesday, July 22, 2015 3:09 PM
  • Yes, with a custom webpart :)

    Thanks again. I think I will use SSS instead.

    Wednesday, July 22, 2015 3:16 PM
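
The Secure Store route the thread settles on, sketched for a custom web part without BCS: read a SQL login from a Secure Store target application and hand it to the connection separately from the connection string. This is an added example, not code from any poster in this thread; the target application ID, server name and database name are placeholders, and it assumes .NET 4.5 or later for `SqlCredential`.

```csharp
// Added example. TargetAppId, SQLHOST and ExternalDb are placeholders, not values from the thread.
using System;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.BusinessData.Infrastructure.SecureStore;
using Microsoft.Office.SecureStoreService.Server;
using Microsoft.SharePoint;

public static class ExternalDbAccess
{
    // Assumed target application holding a SQL login (UserName and Password fields).
    private const string TargetAppId = "ExternalDbApp";
    // No "Integrated Security" and no inline password: the credential is passed separately.
    private const string ConnString = "Server=SQLHOST;Database=ExternalDb";

    public static SqlConnection Open(SPSite site)
    {
        ISecureStoreProvider provider = SecureStoreProviderFactory.Create();
        ((ISecureStoreServiceContext)provider).Context = SPServiceContext.GetContext(site);

        string user = null;
        SecureString password = null;
        // Returns the credentials mapped to the calling user (or that user's group).
        using (SecureStoreCredentialCollection creds = provider.GetCredentials(TargetAppId))
        {
            foreach (ISecureStoreCredential c in creds)
            {
                if (c.CredentialType == SecureStoreCredentialType.UserName)
                    user = ToClearText(c.Credential);
                else if (c.CredentialType == SecureStoreCredentialType.Password)
                    password = c.Credential.Copy(); // keep a copy that outlives the collection
            }
        }
        if (user == null || password == null)
            throw new InvalidOperationException("No SQL login mapped in the target application.");

        password.MakeReadOnly(); // SqlCredential requires a read-only SecureString
        var conn = new SqlConnection(ConnString, new SqlCredential(user, password));
        conn.Open();
        return conn;
    }

    private static string ToClearText(SecureString s)
    {
        IntPtr p = Marshal.SecureStringToBSTR(s);
        try { return Marshal.PtrToStringBSTR(p); }
        finally { Marshal.ZeroFreeBSTR(p); } // zero and free the unmanaged copy
    }
}
```

The SQL login stored in the target application should carry only the permissions the web part's queries need, since every mapped FBA user reaches the database as that login.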