One of the things I’m currently working on is implementing MOSS 2007 for a customer; it will act as the main website and also provide extranet capabilities to those users who register for the site. One of the authentication methods I’ve been looking at is Forms Based Authentication (FBA), where a user’s login details are stored in the backend SQL Server. Sounds straightforward, doesn’t it? One of the enhancements of WSS 3.0 (upon which MOSS 2007 is based) over WSS 2.0 is that you can have multiple authentication providers. The obvious ones are NTLM or Kerberos, and in a domain environment these are the easiest. If you’re going to be authenticating from the Internet, then using AD means you’re going to get that grey box popping up for username and password, which is not very pretty and not considered best practice for a web application. Implementing FBA is a non-trivial task (as I have found out), as it’s not documented in detail for the Internet zone (zones are a WSS 3.0 term).
I’m pleased to say that I have finally got this working and intend to document it more fully at a later stage, as there are some good blog posts out there defining the process but they miss a few key points. Whilst doing things like this can be like banging your head against a brick wall, it’s taught me a lot about how MOSS 2007 is configured and works. It is an amazing product and the job done on Central Administration is fantastic. I’m only scratching the surface of MOSS 2007, but it’s an amazingly flexible product and I can see why larger organisations are falling over themselves to deploy it.
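As an added illustration (not part of the original post or the customer’s configuration), this is the shape of the ASP.NET 2.0 membership and role provider registration that FBA in WSS 3.0/MOSS 2007 relies on, placed in the web.config of the web application serving the Internet zone. The server name, database name, connection string name and provider names are placeholders. The settings chosen mean the SQL tables hold only salted password hashes, password retrieval is disabled, and accounts lock after repeated failed attempts, so the backend that stores the extranet users’ credentials does not become a plaintext credential store.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder server and database names. Prefer integrated security for the
         application pool identity (or a dedicated low-privilege SQL login) over a
         shared high-privilege account in the connection string. -->
    <add name="FbaMembershipDb"
         connectionString="Server=SQLSERVER01;Database=aspnetdb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Central Administration switches the zone to Forms mode; the hardening
         attributes below (HTTPS-only cookie, fixed timeout) are added afterwards. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <membership>
      <providers>
        <!-- The provider name registered here is what you select as the
             membership provider for the zone in Central Administration. -->
        <add name="FbaSqlMembership"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <add name="FbaSqlRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The same provider entries also need to be present in the Central Administration web.config so that the People Picker can resolve FBA users when you grant them permissions, but leave Central Administration’s own default provider alone, since that site still authenticates administrators with Windows credentials.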


September 5th, 2007 at 11:02 pm
Hello!
That is interesting! Especially because I think that there is no problem with licensing... you could have hundreds of users and you don’t need to pay a licence.
Am I right?
Cheers!
September 5th, 2007 at 11:26 pm
Hi Jose, you could be right in the fact that the user isn’t directly connecting to the SQL Server so that a single device CAL might be sufficient. A device CAL allows for access by multiple users through a single shared device. Obviously, MOSS 2007 has to be licensed and we’re doing this using SPLA.
September 6th, 2007 at 10:55 am
Hi
I was also browsing a lot looking for FBA, but didn’t find much useful info! Hope that you’ll publish the documentation about this soon.
Looking forward to reading about it.
September 6th, 2007 at 3:33 pm
Hi Boris,
Take a look at the following info which I used as a starting point
http://devcow.com/blogs/jdattis/archive/2007/03/01/Office_SharePoint_Server_2007_Forms_Based_Authentication_FBA_w_MySites_Walkthrough_Part_2.aspx
Follow Parts 1 and 2 of the above
This is the best guide I found but there were a couple of issues I had to resolve when trying to authenticate from an Internet zone. If there is a particular aspect you’re stuck on then email me and I’ll see if I can help.
September 7th, 2007 at 5:16 pm
What about CAL for Windows Server?
We are not using MOSS but Windows Sharepoint Services. There is a big grey area because we could be using AD or local users. So I don’t really know which is the best licensing scheme. For sure the FBA is a great solution to avoid paying for Windows Server CALs. What do you think?
September 8th, 2007 at 11:39 am
If you’re authenticating against AD using WSS, then you’re right, you have to take into account Windows Server CALs. Using FBA is an alternative scheme which shouldn’t require additional Windows Server CALs, but it depends on what you’re trying to achieve. If you want to discuss it in more detail we could do it over Skype, or email me directly.
September 8th, 2007 at 12:55 pm
Umm... Nope, that’s not how it works. Every connection to the server that authenticates through any means requires a Windows CAL, regardless of the multiplexing/authentication technology you use.
That is why Microsoft has processor licenses for people that have no way to account for the number of connections to the server.
-Vlad
September 8th, 2007 at 9:10 pm
Thanks for the clarification Vlad.
I looked at the licensing definition of authentication and it says the “passing of user credentials”, so as you say it is irrespective of the authentication method used.
…and that’s why people choose Linux. CALs are just a pain in the arse!
October 4th, 2007 at 6:06 pm
Sharepoint Gurus,
I need help with forms authentication. I want to validate a login and password against an existing SQL DB table. If the user exists in the SQL table then let him into the site. Also I want to use the unique # attached to the login ID to pass it on to a SharePoint web part; how can I achieve this?
I have around 12000 users, how can i do this?
Neel
November 26th, 2007 at 11:03 am
Hi, Sharepoint admins!
I wanted to point some interesting questions that have been posted here about Forms Authentication.
When someone authenticates via Forms, user validation doesn’t require an AD user. It really makes a lookup on the Users table of the standard SQL Server “aspnet” database, in the same way as a custom-developed ASP.NET 2.0 application.
The tricky question about it is that the Windows CAL accounting system only takes care of AD users. From the IIS point of view, all access is anonymous, and there is no “impersonation” after users authenticate themselves. So, technically, there is only a need for 1 CAL.
On the other hand, from a legal point of view, the CAL definition is “number of authenticated users that access your server”. So, as Sharepoint Services is part of the Windows Server System, you would need to buy a user CAL for each user. The other possibility is to buy an External Connector for Windows Server, which only costs about 600€.
I’m currently asking Microsoft directly about this issue, because as Jose Antonio and Vijay said, there is a thin grey line…
Do any of you have some information about it? I will post as soon as I have more info.