Forms Based Authentication in SharePoint 2007

There are a number of posts on the web that describe how to setup your SharePoint 2007 site using Forms Based Authentication instead of the standard Windows Based Authentication.  This post will try to consolidate several of those posts and add a few comments, tips and tricks into the mix.

Overall Installation Guides

• FBA for SharePoint 2007 - Installation guide – Simple Talk(recommended)
• FBA for SharePoint 2007 - Installation Guide – Part 1
• FBA for SharePoint 2007 - My Sites - Part 2

FBA?

SharePoint was designed around Windows Authentication which means if you want a user account, it needs to be tied to a machine account. This is unwieldy if you want your site to be a public site where anyone can sign up and create an account, or if a large number of users are external to your domain.

Enter Forms Based Authentication (FBA).  FBA allows you to setup SharePoint to authenticate users against a database using the standard .Net membership and role provider mechanism. By themselves these mechanisms are quite nice, and are even integrated into IIS7 allowing for a relatively easy way to manage users and accounts. But when you pair FBA with SharePoint you run into some issues.

Holes, Holes, and More Holes

Integrating FBA into SharePoint 2007 is certainly doable, but it leaves a bunch of holes open that need plugging. Some of these major holes are:

• The SharePoint search mechanism does not work on a FBA site
• The MySites functionality does not work on FBA
• Managing FBA users and roles is not natively supported in SharePoint
• There is no built-in mechanism for password management and sign-ups.
• SharePoint Designer 2007 cannot open/edit FBA sites.

Sure each of the above issues are fixable to some degree.  In fact the FBA Community Kitalleviates most of the management issues. But the real issue with FBA is that it opens so many holes that YOU need to plug. When configuring your site for FBA beware: it will require much more work and testing than normal.

Tips

When setting up several FBA sites some of these tips may help speed you along:

• Create a single “template” database for yourself that you use to start each site. This database should have at least 1 admin account that you can use to login. If all your sites have several common users, then go ahead and set them up in the database first before making copies of your database. This will make setup MUCH faster.
• Use IIS7 to manage users and roles. Once you have your site installed with the proper membership and role providers in the web.configs, you can use IIS7 to manage the users and roles.  This makes for quick setup of many users ahead of time.
• Create Authentication Zones to allow access to your site using both Windows authentication and FBA. By doing this you will allow not only the use of Windows accounts to access your site, but it will also allow SharePoint Designer 2007 to open and edit your site.  To do this, under SharePoint Central Admin go to the Application Management tab and select Authentication Providers. Make sure your site is selected, and Add a new Windows authentication zone using a different access url name. Note: the new name could be something like http://win.mysite.com where the win denotes windows authentication is used, and http://mysite.com is the FBA authenticated entry point.