MOSS and Forms-Based Authentication: the Tricks

There are three great guides to configuring FBA: Andrew Connell had the best article first. Dan Attis built on this by getting My Sites and Profile imports working (Part 1, Part 2). Then Stacy Draper wrote it up for people who prefer paper in his chapter of Real World SharePoint. They all configure the web application using host headers, and this is why:

If you distinguish your web application by port alone, you will receive a 403 Forbidden Error when you try to reach many (but not all) application pages stored in the _layouts folder. For example, /_layouts/sitemanager.aspx and AccessDenied.aspx will work, but settings.aspx and viewlsts.aspx will not. The solution is to instead configure the web applications with host headers.

A related issue points to a problematic ASP.NET fix (KB 928365), though the symptoms appear different: site settings remains available and only the user permission pages are unavailable.

If you only want FBA, and do not want Active Directory at all (as the walkthroughs do for the internal-facing site), you can. It works. You do not need to set up two sites as Andrew, Dan and Stacy do. However, the Index service will not crawl an FBA-only MOSS site. This is why it is recommended that you set up multiple authentication (Windows on the internal-facing site, FBA on the internet-facing site) so that the index server will work. The workaround would be to crawl only the anonymously accessible pages of the FBA site, indexing it as you would any public internet site.

If configuring multiple authentication, it does not matter whether the default site is configured for FBA or Windows authentication. Andrew and Dan do it differently from each other, and both work.

To manage users, get the Community Kit Extranet Edition. It adds great login and forgot-password web parts, FBA user management and more. The SP&T team's announcement contains screenshots and more. It was based on Stacy's Forms Based Authentication Tools project on Codeplex and takes that great idea a long way further.

[Updated 2007-11-19 with the CKS Extranet Edition for Forms-based Authentication]
