In SharePoint, the out-of-the-box path to happiness is for your SharePoint users to also be Windows users. But what if you want an Internet-facing SharePoint site to serve outsiders, people who are not members of your organization, who do not have a Windows account with you, and whom you don’t want to give a Windows account? The answer is to implement Forms Based Authentication (“FBA”). I recently did this for a client and found it to be intricate; not so much difficult as, well, involved. Fortunately, other bloggers have documented the steps, but that’s “bloggers” plural — you’ll hit snags or want to do something a bit special, and that will send you scouring the net for tips. I thought it might be useful to pull together the tricks I needed (with references to where I found them, of course) to get my FBA implementation working. This will be a series of posts.
For starters, let’s do a quick terminology orientation — what is meant by “Forms Based Authentication?” If you aren’t a Windows development jockey (and I am not), you may think that every time a system prompts you to log in, you’re filling out a form, so describing an authentication method as “forms based” sounds like a pointless thing to say. I just filled in my username and password — wasn’t that a form? Well, no. “Form” here refers to an HTML form displayed by an Internet browser, the kind of thing with text boxes and a “submit” button. It doesn’t refer to the dialog box that Windows pops up to gather your login credentials for a site. If you were going to see one of those, you’d be expected to have a Windows account, and the whole idea here is handling users who don’t have a Windows account on your servers.
What makes the authentication “forms based” is that you need to create (and get the system to display) an HTML form for gathering user credentials, and further, when that form is submitted to the web server, some special logic (not the Windows operating system) will have to look up the credentials in some repository of user information (not the one where Windows stores its user information). So this kind of authentication isn’t just “forms based;” the form is at the front end collecting the username and password, but there are other required parts — a separate repository of users, and some logic for looking up users in that repository.
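To make the three parts concrete, here is a web.config fragment added as an illustration; it is not taken from this post or from the article referenced below. It assumes ASP.NET's stock SqlMembershipProvider as the lookup logic and a SQL Server database as the user repository. The names FbaMembers and FbaUsersDb, the server name SQLHOST, the database name and the login page path are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Part 2: the separate repository of users (placeholder server and database). -->
    <add name="FbaUsersDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=aspnetdb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Part 1: the HTML login form. Unauthenticated requests are redirected
         to loginUrl instead of triggering the Windows credentials dialog. -->
    <authentication mode="Forms">
      <!-- requireSSL keeps the authentication cookie off plain HTTP;
           protection="All" encrypts and validates the ticket. -->
      <forms loginUrl="/_layouts/login.aspx"
             requireSSL="true"
             protection="All"
             timeout="30"
             slidingExpiration="true" />
    </authentication>
    <!-- Part 3: the logic that looks up submitted credentials in the repository. -->
    <membership defaultProvider="FbaMembers">
      <providers>
        <add name="FbaMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaUsersDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With passwordFormat="Hashed" the repository stores salted hashes rather than recoverable passwords, and maxInvalidPasswordAttempts together with passwordAttemptWindow locks an account after repeated failed guesses, which matters on an Internet-facing login form.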
In subsequent posts, I’ll talk about the basics of getting FBA working. I’ll point out some of the problems I had to solve, and I’ll give references to bloggers whose work I relied upon. For starters, anyone wishing to implement FBA should read HOWTO: Configuring a Office SharePoint Server 2007 Publishing Site with Dual Authentication Providers and Anonymous Access by Andrew Connell. This is a wonderful and indispensable reference on how to set up FBA. At the top of the article, he says it was updated in December 2006, but don’t think it’s too old to be useful — it isn’t.