Kishwaukee
FBA username not getting correct permissions upon login to Sharepoint

We are using SharePoint 2010 and have Forms Based Authentication setup so that it authenticates off of Active Directory.  We've noticed that SharePoint doesn't connect, permission-wise, the Windows Integrated usernames with the FBA usernames.  For example, in order to give someone permission to a page, we would need to give them access to both usernames, such as "i:0#.w|domainname\username" for Windows Integrated and "i:0#.f|admembers|username" for FBA.

Since the usernames are the same, is there any way to map those usernames to each other so that if a user uses FBA to log in, it will read the permissions already assigned to the correct Windows Integrated permissions?  That way we don't need two permissions assigned for each user.

Also, we are assigning access to certain sites in SharePoint based off of AD groups.  However it appears that if someone uses FBA to log in, it does not know to check group permission in Active Directory to see if that username is assigned to that group.  So they get access denied when it would work if they logged in using the Windows Integrated login.  Is there any way to fix that?
sharepointguru14

If they have AD accounts, why do you have them logging in with Forms? The idea with the 2 different authentication providers is exactly that: they are different. The forms membership provider doesn't know the AD users and AD doesn't know the forms users. They are 2 separate accounts.
Rainer Jeschor
Hi,
Can you please confirm that you have two web applications with different URLs and different authentication providers accessing the same content database?
If this is the case (and I assume it is), then you will have to maintain security in each application, as each web app has its own security context (user identities, principals, ...).

I would suggest that every user who has a Windows account uses the Windows-authenticated site (and not the FBA one). Why do they have to use two different web apps/URLs?

KR
Rainer
Kishwaukee (Asker)
We need to have two because one is for on site and one is off site. On site they can use Windows auth to get in, but when they are off site they currently only get a popup box that asks for username and password, but they have to add the domain in and the end users do not know the domain.

We are a community college, so most people will end up connecting to this off site and we are just trying to figure out some way of making a more descriptive login interface.
ASKER CERTIFIED SOLUTION
sharepointguru14
That solution will not work for us. Our domain name is way too long. Our simple domain is only two chars, but the other part is close to 20.
You can add a UPN suffix and change everybody's UPN fairly easily with a script. There will be no impact to users (unless they already log in with a UPN), and then you can have a very friendly and short UPN suffix for a login address in an email format.
Will that solution work even if half the domain's email addresses are different than the rest? So our students are in @st.x.edu (just an example) and our staff is just @x.edu; would it be able to allow for either and still work, or if a student types in their email will it still bounce it?
It wouldn't be the email, it would be the UPN address. UPN just has the same format as an email address, and most places have a UPN address matching the email.

For example, you can change the UPN for all users (students and teachers) so that they could log in as yourdomain\username or username@UPNSuffix.
You can create a UPN suffix that doesn't match email.

So you could add, say, @sharepoint.com as a suffix and everybody could log in as username@sharepoint.com.
Or create 2 different UPN suffixes, one for students and one for teachers. Assign them to them, and students would log in as username@spstudent.com and teachers would log in as username@spteacher.com.
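As an added example (not code posted in this thread), the two-suffix approach described above in PowerShell with the ActiveDirectory module: register both suffixes on the forest, then rewrite each OU's UPNs. The OU paths, suffix names and domain are assumed placeholders, and the script only previews changes until the `-WhatIf` switches are removed.

```powershell
# Added example, not from the thread. OU paths, suffixes and domain are placeholders.
Import-Module ActiveDirectory

$studentSuffix = 'spstudent.com'              # assumed suffix for students
$staffSuffix   = 'spteacher.com'              # assumed suffix for staff
$studentOU     = 'OU=Students,DC=x,DC=edu'    # assumed OU
$staffOU       = 'OU=Staff,DC=x,DC=edu'       # assumed OU
$domainDns     = (Get-ADDomain).DNSRoot       # the default UPN suffix today

# 1. Register the suffixes at forest level (skip any that already exist).
$forest = Get-ADForest
foreach ($suffix in @($studentSuffix, $staffSuffix)) {
    if ($forest.UPNSuffixes -notcontains $suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{Add = $suffix}
    }
}

# 2. Rewrite the UPN of every user in an OU to sAMAccountName@suffix.
#    sAMAccountName itself is untouched, so the SharePoint Windows claim
#    (i:0#.w|domain\username) and the permissions granted to it do not change.
function Set-OuUpnSuffix {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Suffix,
        [switch] $WhatIf
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties UserPrincipalName |
        ForEach-Object {
            $newUpn = '{0}@{1}' -f $_.SamAccountName, $Suffix
            if ($_.UserPrincipalName -eq $newUpn) { return }   # already done

            # Accounts whose UPN is not the default sam@domain are the ones that
            # may already log in with a UPN, so flag them before changing anything.
            $defaultUpn = '{0}@{1}' -f $_.SamAccountName, $domainDns
            if ($_.UserPrincipalName -and $_.UserPrincipalName -ne $defaultUpn) {
                Write-Warning ("{0}: non-default UPN '{1}' will be replaced" -f
                    $_.SamAccountName, $_.UserPrincipalName)
            }
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf:$WhatIf
        }
}

# Preview first; drop -WhatIf once the output looks right.
Set-OuUpnSuffix -SearchBase $studentOU -Suffix $studentSuffix -WhatIf
Set-OuUpnSuffix -SearchBase $staffOU   -Suffix $staffSuffix   -WhatIf
```

UPNs must be unique across the forest, so in a multi-domain forest check for sAMAccountName collisions before applying the same suffix to more than one domain.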
I don't think that will fix the issue; we wanted an easy way to just allow for username and password without forcing any other information to be added.
Then you will have to configure Windows and Forms authentication for the web application, and the user will have to pick which one they want to use.