ISA + MOSS: makes life a lot easier for FBA

I have explained this same story couple of times so I thought that I'll write shortly this to my blog and refer to it whenever needed 🙂 (Side note: I have discussed this topic with my colleagues and I think that we share thoughts on this one)

Web is full of instructions how to set up Forms Based Authentication for MOSS (or FBA as we call it between friends :-). It's not that difficult but you may end up in situations that you just don't want to use that. Let's consider following example... company has intranet (or extranet) that is used with windows authentication and they want to access that same data from mobile phones using FBA (because not all mobile phones support windows authentication). Or if they want to support some other authentication method. Normally you just Extend Web Application and configure it to use FBA. And if you configure FBA to use ADProvider you could think that your're all set... BUT you end up having two different accounts:

  • Windows authentication:
    • DOMAIN\username
  • FBA:
    • providername:username

SharePoint "sees" those as two separate users => You need to set up user rights for both users => it's not what the company wanted!

To solve this issue you introduce ISA Server to you architecture and make mobile phone users log on to it with FBA. ISA Server then forwards the incoming requests to the SharePoint as windows authentication. With this setup SharePoint only sees one user account (=DOMAIN\username) and it works nicely. And it's much more easier to maintain the SharePoint with this setup. Just one application and no extra hassle with FBA. To make this more easily understandable I draw picture. In upper picture ISA Server is used in FBA authentication and in lower one SharePoint handles FBA.

So if you really want to support multiple authentication methods you probably want to check out ISA Server.

Anyways... happy hacking!


Comments (6)

  1. Kevin says:

    One problem we have is how to allow ISA FBA with Kerberos and still integrate with Office clients.  Thus far, we’ve been unable to get ISA and MOSS to delegate client credentials back to the desktop – no matter what, the client still gets an IIS logon challenge when opening a document in a desktop client like Office.  With NTLM, pass-through credentials worked just fine, but now, users are constantly challenged.  Now, things are more like when we had Basic Auth set up in IIS.  

    FWIW, we have one primary AD on campus (authoritative), but only about 25% of client machines are part of the domain.  The rest are scattered across literally a dozen other domains across the institution (this is a legacy of the previous IT infrastructure).  Having to force non-central AD users to know to type the domain name/user name is just a huge headache.  

  2. Mahendra says:

    I have a problem while connecting from the internet to my FBA site, its been configured on the ISA Server, but the error I get is a Forbidden error, any thoughts on how to resolve this.

  3. Ben says:

    Nice post. We managed to configure ISA Server 2006 with MOSS – some of the lessons we learnt can be found here for those that are interested:

  4. Brij says:

    Is it possible to authenticate external users against SQL Database (ASP.NET membership provider)?

    We have intranet application with NTLM authentication and it is extended for external users to use ASP.NET forms authentication with the external users’ credentials stored in SQL Database.

    Now, we want to publish external SharePoint site to the internet using ISA 2006. What authentication can we use in ISA 2006 for allowing external users to access external SharePoint site? Once again, we want to keep all internal users in AD (NTLM) and all external users in SQL Database for forms-based authentication in MOSS 2007.

    Looks like we need to configure ISA 2006 for "No Authentication" and "No Delegation" and pass authentication request to SharePoint server, which will authenticate external users using ASP.NET forms-based authentication and against their credentials stored in SQL Database.

  5. Harish says:

    Hey Brij, We have a similar situation in our organization (almost same). Were you able to configure ISA for this purpose. If so, can you guide me or direct me in the right direction with the necessary information ( like links etc..). I appreciate your help in advance.

Skip to main content