FBA username not getting correct permissions upon login to Sharepoint

We are using SharePoint 2010 and have Forms Based Authentication set up so that it authenticates against Active Directory. We've noticed that SharePoint doesn't connect, permission-wise, the Windows Integrated usernames with the FBA usernames. For example, in order to give someone permission to a page, we would need to give them access under both usernames, such as "i:0#.w|domainname\username" for Windows Integrated and "i:0#.f|admembers|username" for FBA.

Since the usernames are the same, is there any way to map those usernames to each other so that if a user uses FBA to log in, it will read the permissions already assigned to the corresponding Windows Integrated identity? That way we don't need two permissions assigned for each user.

Also, we are assigning access to certain sites in SharePoint based on AD groups. However, it appears that if someone uses FBA to log in, it does not know to check group membership in Active Directory to see if that username is assigned to that group. So they get access denied when it would work if they logged in using the Windows Integrated login. Is there any way to fix that?
Kishwaukee Asked:
sharepointguru14 Commented:
If they have AD accounts, why do you have them logging in with Forms? The idea with the 2 different authentication providers is exactly that. They are different. The forms membership provider doesn't know the AD users and AD doesn't know the forms users. They are 2 separate accounts.
0
Rainer Jeschor Commented:
Hi,
can you please confirm that you have two web applications with different URLs and different authentication providers accessing the same content database?
If this is the case (and I assume it is), then you will have to maintain security in each application, as each web app has its own security context (user identities, principals, ...).

I would suggest that every user who has a Windows account use the Windows-authenticated site (and not the FBA one). Why do they have to use two different web apps/URLs?

KR
Rainer
0
Kishwaukee (Author) Commented:
We need to have two because one is for on site and one is off site. On site they can use Windows auth to get in, but when they are off site they currently only get a popup box that asks for username and password, but they have to add the domain in and the end users do not know the domain.

We are a community college, so most people will end up connecting to this off site and we are just trying to figure out some way of making a more descriptive login interface.
0

sharepointguru14 Commented:
For that, what I'd recommend is educating your user community to sign in with the UPN rather than the NetBIOS name. The difference is this.

You are correct that users accessing the site externally are probably not on domain-joined machines, so they will need to log in as domain\username.
On the network they could just use username.

What they can also do, and I have found that users are much more receptive to this format, is use their UPN instead, which would be username@domain.com.
If your domain name just happens to be your email domain and you give them email, then you can just tell them to log in with their email address and you have to do nothing.
If you don't have your domain as a supported email domain it still works, but you would have to tell them to log in as username@domain.com.

Hope that made sense and helps.
0

Kishwaukee (Author) Commented:
That solution will not work for us. Our domain name is way too long. Our simple domain is only two chars, but the other part is close to 20.
0
sharepointguru14 Commented:
You can add a UPN suffix and change everybody's UPN fairly easily with a script. There will be no impact to users (unless they already log in with the UPN), and then you can have a very friendly and short UPN suffix for a login address in an email format.
0
Kishwaukee (Author) Commented:
Will that solution work even if half the domain's email addresses are different from the rest? So our students are in @st.x.edu (just an example) and our staff is just @x.edu; would it be able to allow for either and still work, or if a student types in their email will it still bounce it?
0
sharepointguru14 Commented:
It wouldn't be the email; it would be the UPN address. The UPN just has the same format as an email address, and most places have a UPN that matches the email address.

For example, you can change the UPN for all users (students and teachers) so that they could log in as yourdomain\username or username@UPNSuffix.
You can create a UPN suffix that doesn't match email.

So you could add, say, @sharepoint.com as a suffix and everybody could log in as username@sharepoint.com.
Or create 2 different UPN suffixes, one for students and one for teachers. Assign them to each group, and students would log in as username@spstudent.com and teachers would log in as username@spteacher.com.
0
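The UPN-suffix change that sharepointguru14 describes in the two comments above (register a short suffix, then re-stamp every user's UPN, optionally one suffix per population) as an added PowerShell example; this is not code from the thread. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, and the OU paths and suffixes are placeholders to replace with your own.

```powershell
# Added example: register short UPN suffixes and re-stamp users' UPNs per OU.
# sAMAccountName is untouched, so domain\username logins keep working; only the
# username@suffix form changes. Placeholders: OU paths and suffix names.
Import-Module ActiveDirectory

# Hypothetical OU -> suffix mapping (one suffix per population, as in the thread)
$suffixMap = @{
    "OU=Students,DC=x,DC=edu" = "spstudent.com"
    "OU=Staff,DC=x,DC=edu"    = "spteacher.com"
}

# 1. Register each suffix at the forest level (skip suffixes already present)
$forest = Get-ADForest
foreach ($suffix in ($suffixMap.Values | Sort-Object -Unique)) {
    if ($forest.UPNSuffixes -notcontains $suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
    }
}

# 2. Re-stamp the UPN of every user under an OU, logging old -> new first so
#    the change can be reversed for anyone who already logged in with the UPN.
function Update-OuUpn {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Suffix,
        [string] $LogPath = ".\upn-change.log",
        [switch] $WhatIf
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
        ForEach-Object {
            $newUpn = "$($_.SamAccountName)@$Suffix"
            if ($_.UserPrincipalName -ne $newUpn) {
                Add-Content -Path $LogPath -Value ("{0}`t{1}`t{2}" -f `
                    $_.DistinguishedName, $_.UserPrincipalName, $newUpn)
                Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf:$WhatIf
            }
        }
}

# Dry run first; drop -WhatIf to apply the changes
foreach ($ou in $suffixMap.Keys) {
    Update-OuUpn -SearchBase $ou -Suffix $suffixMap[$ou] -WhatIf
}
```

Anything else that keys on the old UPN (a directory sync or another UPN-based sign-in) needs the same re-pointing, which is what the tab-separated log is for.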
Kishwaukee (Author) Commented:
I don't think that will fix the issue; we wanted an easy way to just allow for username and password without forcing any other information to be added.
0
sharepointguru14 Commented:
Then you will have to configure both Windows and Forms authentication for the web application, and the user will have to pick which one they want to use.
0