Login/Forms Authentication and Custom SQL Table??

  • Question

  • Hi,

    We are using MOSS 2007.  I wanted to know how would I go about creating a custom login form that would:

    1. Authenticate via AD
    2. Once authenticated, the script would query a table in a SQL 2005 database for some permission/role information
    3. Display a folder structure (My Reports, Corporate Reports), and the documents that are contained in these folders are permissioned.

    So when the user is on the SharePoint site, the folders that they see are permissioned based on values stored in a SQL table in some other database.

    Any help highly appreciated.

    -Westside
    Tuesday, April 7, 2009 12:36 AM

Answers

  • For #1, you have 2 options and it depends on what version of SharePoint you have.
    If you have WSS or the MOSS version doesn't work exactly like you need, you'll need to use the .NET LDAP provider; check out this link http://blogs.msdn.com/solutions/archive/2007/08/27/forms-based-authentication-fba-in-wss-3-0-moss-2007.aspx

    Basically 2 options to do FBA against AD.

    As far as #2 goes, and performing some code after the user is authenticated for roles, what you could do is a custom role provider that reads from SQL 2005.  Check out this MSDN article about writing custom membership/role providers.  The key here is that you write one for SharePoint because SharePoint only really uses like 2 methods of the role provider, so you don't have to call all the other methods since they are never called anyway.

    #3 since you wrote a custom role provider, you can then in your site, use SharePoint permissions to lock down your reports, and then just display a list of those reports to the user and it will be security trimmed for them.

    My advice from experience is to make sure you create your web application first as NTLM and keep that as your "admin" site.  Then extend the web application into a new zone and then set the new zone to use your custom membership/role providers.  Most SharePoint FBA walkthroughs will tell you this as well.

    Tony Testa www.tonytestasworld.com
    Tuesday, April 7, 2009 1:11 AM

All replies

  • Hi,

    Thanks for the links.  Yes, we have MOSS 2007.

    I have heard, and it seems to be true, that with FORMS Based Auth you can't query multiple domains.  If I am wrong, I would like to see an example or know if this is NOT true.  In our environment, we have multiple domains.  So if you open our GAL (global address list) you can see everyone regardless of which domain they are in.  We have a trust setup essentially that allows this to happen.  For some reason, we are unable to get FBA to work with multiple domains even though we have a cross domain type of trust setup.  We have an LDAP provider in our web.config file for the particular web app and it points to our domain controller but for some strange reason users in different domains can't login through the FBA site. 

    When we use NTLM, it works fine: users DomainA\John.Doe and DomainB\Rick.Jones can both log in successfully when using NTLM authentication.

    -Westside
    Tuesday, April 7, 2009 1:47 AM
  • I just stumbled on this link http://blogs.msdn.com/harsh/archive/2007/01/10/forms-based-authentication-in-moss.aspx and if you look at the bottom for the ASPNET AD provider, if you look at the LDAP query, it looks like you might be able to specify multiple domains in the LDAP connection string.

    Otherwise, if the above doesn't work: since the FBA using AD behind the scenes uses LDAP, and LDAP queries always specify DC, which means domain, you can only specify one, hence why your other domain accounts don't work.  You could possibly write your own membership provider that, in code, queries LDAP, and if you don't find the user in domain A, you query again for domain B, and if it's not in either, you return false; otherwise, if the user is found, you return true (or whatever the method in the membership provider returns).

    I don't have a VM handy that I can test all this with, so I can't guarantee the info, but it looks like it might work.

    Tony Testa www.tonytestasworld.com
    Tuesday, April 7, 2009 2:03 AM
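The "search domain A, then domain B" lookup Tony sketches, as an added example that is not Tony's code: a custom MembershipProvider's ValidateUser override would delegate to this helper. The user name is escaped before it goes into the LDAP filter, and the bind is done as the user against the domain that holds the account; the domain names, the web.config source of the list and the DOMAIN\user bind form are assumptions.

```csharp
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;
// Hypothetical helper a custom MembershipProvider.ValidateUser override would delegate to;
// the domain list is assumed to come from the provider's web.config attributes.
public class MultiDomainLdapAuthenticator
{
    private readonly string[] _domains;  // constructed example: "domaina.example", "domainb.example"
    public MultiDomainLdapAuthenticator(string[] domains) { _domains = domains; }
    // RFC 4515 escaping: without it a name like "*)(objectClass=*" rewrites the search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if ("\\*()\0".IndexOf(c) >= 0) sb.Append('\\').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        }
        return sb.ToString();
    }
    // Try each trusted domain in turn; return the ADsPath of the first matching account, or null.
    public string FindUserPath(string samAccountName, out string foundDomain)
    {
        foundDomain = null;
        string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(samAccountName) + "))";
        foreach (string domain in _domains)
        {
            using (var root = new DirectoryEntry("LDAP://" + domain))
            using (var searcher = new DirectorySearcher(root, filter, new string[] { "distinguishedName" }))
            {
                SearchResult hit = searcher.FindOne();
                if (hit != null) { foundDomain = domain; return hit.Path; }
            }
        }
        return null;
    }
    // Bind as the user against the domain that holds the account; a wrong password throws.
    public bool ValidateUser(string samAccountName, string password)
    {
        // Reject a blank password up front: it does not fail the bind the way a wrong one does.
        if (string.IsNullOrEmpty(samAccountName) || string.IsNullOrEmpty(password)) return false;
        string domain; string path = FindUserPath(samAccountName, out domain);
        if (path == null) return false;
        try
        {
            using (var user = new DirectoryEntry(path, domain + "\\" + samAccountName, password, AuthenticationTypes.Secure))
                return user.NativeObject != null;  // touching NativeObject forces the bind
        }
        catch (COMException) { return false; }
    }
}
```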