FBA (Forms Based Auth) has it’s catches

Posted: December 7, 2007 in MOSS 2007

    

I have set up a few farms now with FBA hooked into various sources from SQL to Novell LDAP. I can absolutely say you need to CAREFULLY evaluate your requirements against your need for FBA. A lot of the docs (especially marketing) make this sound like a trivial, just plug and play issue. It is far from the truth. If you are running on a tight timeline and do not have a lot of time to investigate issues you WILL run into you need to stay with AD auth if it is an option.

                While I would have some serious questions for the MS architect(s) who put together the FBA piece with MOSS, the purpose here is not to flame MS, but to make sure you are completely aware of the implications of your choice to utilize non-integrated auth. There are many cases where FBA is the only option, and plenty of examples where it has been used successfully on MOSS implementations. Just be aware, if you have bought into the marketing,  thinking FBA is a simple issue, and have serious non-flexible requirements on at least 2 items on this list, well it is very likely you have grossly underestimated the time required to get the implementation done.

Let’s examine some of the common ones I have run into:

MY Sites

                The word I have gotten from some at MS is this is impossible to have with FBA. I have however found a few blogs which helped me get this up and running. It involves setting up MySites and your SSP site to use FBA however. This creates some serious usability issues with your SSP site that you need to work though.  

 

Search

                At the current time (MS says this may be fixed in SP1), search will not crawl FBA content. Which means even if  you have your sites set up with a second AD enabled zone to allow search to crawl that content, it will not crawl any portion of the  MySites, since they are exclusively set up under FBA.

 

Office Integration

                This is a huge deal for many clients. A lot of the compelling office integration features with MOSS disappear or totally screw up when you keep client integration turned on with FBA. If your company figured they would get MOSS and then invest in upgrading their office suite to 2007 to take advantage of all the cool integration features, then they do NOT want to use FBA. If they do, they might as well not upgrade their office if the MOSS integration was a major part of the upgrade.

Membership and Role Providers

                MOSS ships with some Membership and Role Providers, the problem is once you get out of MS built products they are of limited value. As an example a recent implementation I worked on with FBA, involved a Novell eDirectory system. A quick search will find numerous folks using this with the default LDAP provider.  However, when you have a Novell eDirectory system with SSL enabled, that does not permit anonymous connections, well get ready to sling some custom membership and role provider code.  The good part is, it is relatively easy to do (once you figure out what you are doing) and you get a tremendous amount of control over the auth, and role system.  In terms of security though, one thing that makes managers nervous, the membership provider contains a method “ValidateUser” which passes the username and password for all users into the roleprovider, a perfect place for a retarded coder to place some bad logging code. 

                I could easily fill 5-10 pages on this coding process and all the fun little issues you can run into, if you do run into issues, feel free to post a comment here and I can give you more info.

Profiles

                This is one of those little items that can sting a bit. MOSS needs to have unique names for your user accounts. So unlike the imports you run for AD, it will append the name of your role and membership provider to the beginning of your users names “MembershipProviderName:Username”. This can be one of those little things that bugs you sponsors a bit, especially when they see it on the dropdowns on the top right of the screen or when you see it in the user profile screen.

Profile Import

                Good chance if you have had to go the route of the custom membership and role provider, that the built in profile Import for MOSS won’t work for you either. If this is the case you will be writing your own. Not too bad of a coding effort but by the time you get to coding this you will find you are pretty deep into your timeframe and still have a mess of things to sort through.

 

                Like I said, FBA can and does work. It is just, depending on your specific requirements, it is not always the simple tasks it seems at the get go. If you are in that boat, hopefully you get some guidance on where you need to start researching.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s