ISA + MOSS: makes life a lot easier for FBA

I have explained this same story couple of times so I thought that I'll write shortly this to my blog and refer to it whenever needed :-) (Side note: I have discussed this topic with my colleagues and I think that we share thoughts on this one)

Web is full of instructions how to set up Forms Based Authentication for MOSS (or FBA as we call it between friends :-). It's not that difficult but you may end up in situations that you just don't want to use that. Let's consider following example... company has intranet (or extranet) that is used with windows authentication and they want to access that same data from mobile phones using FBA (because not all mobile phones support windows authentication). Or if they want to support some other authentication method. Normally you just Extend Web Application and configure it to use FBA. And if you configure FBA to use ADProvider you could think that your're all set... BUT you end up having two different accounts:

  • Windows authentication:
    • DOMAIN \ username
  • FBA:
    • providername : username

SharePoint "sees" those as two separate users => You need to set up user rights for both users => it's not what the company wanted!

To solve this issue you introduce ISA Server to you architecture and make mobile phone users log on to it with FBA. ISA Server then forwards the incoming requests to the SharePoint as windows authentication. With this setup SharePoint only sees one user account (=DOMAIN \ username) and it works nicely. And it's much more easier to maintain the SharePoint with this setup. Just one application and no extra hassle with FBA. To make this more easily understandable I draw picture. In upper picture ISA Server is used in FBA authentication and in lower one SharePoint handles FBA.

So if you really want to support multiple authentication methods you probably want to check out ISA Server.

Anyways... happy hacking!