SharePoint FBA: Basic “All Authenticated Users” Role Provider

By | December 11, 2009

When managing users and groups within a SharePoint Web application configured to use Windows Integrated Authentication, there is a convenient “Add all authenticated users” link that adds a special Active Directory group - NT AUTHORITY\authenticated users - to the Users/Groups People Editor. This group refers to any non-anonymous user, which if you ask me, seems like a pretty common group to have around. However, when working within a SharePoint Web application configured to use Forms Based Authentication (FBA), this convenient group is no longer available.

When using FBA, the only “non-SharePoint” groups available to us are the roles exposed by an ASP.NET Role Provider. If you are already using a custom Role Provider and are not able to make changes to it, then you can stop here. This post is not for you. If you are like me though, and are using FBA merely for authentication and are leveraging SharePoint for all authorization, then the single “All Authenticated Users” role is all I need from my Role Provider. As a result, there is no need for a heavyweight Role Provider (e.g., the SQL Role Provider); you can roll your own very dumb role provider instead. There is only a single method that you will need to implement - GetRolesForUser - in which you can assume the user is already authenticated and always return the “All Authenticated Users” role for the user. Here is the Role Provider I am currently using:

using System;
using System.Web.Security;

namespace Trentacular.Web.Security
{
    // Role provider that exposes one role and reports it for every username.
    public class SimpleAllAuthenticatedUsersRoleProvider : RoleProvider
    {
        public const string AllAuthenticatedUsersRoleName = "All Authenticated Users";

        public override string ApplicationName { get; set; }

        // The username is not checked here: the caller is assumed to have
        // authenticated the user already.
        public override string[] GetRolesForUser(string username)
        {
            return new[] { AllAuthenticatedUsersRoleName };
        }

        #region Methods Not Implemented

        public override string[] GetAllRoles() { throw new NotImplementedException(); }
        public override bool IsUserInRole(string username, string roleName) { throw new NotImplementedException(); }
        public override bool RoleExists(string roleName) { throw new NotImplementedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
        public override void CreateRole(string roleName) { throw new NotImplementedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotImplementedException(); }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotImplementedException(); }
        public override string[] GetUsersInRole(string roleName) { throw new NotImplementedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }

        #endregion
    }
}

After rolling your own role provider, register it in the web.config inside the <system.web> section as follows:

<roleManager enabled="true" defaultProvider="SimpleAllAuthenticatedUsersRoleProvider">
  <providers>
    <add name="SimpleAllAuthenticatedUsersRoleProvider"
         type="Trentacular.Web.Security.SimpleAllAuthenticatedUsersRoleProvider, Trentacular.Web, Version=1.0.0.0, Culture=neutral, PublicKeyToken=aaaaaaaaaaaaaaaa" />
  </providers>
</roleManager>
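
The provider above reports the role for any string it is handed, including an empty name or one that never authenticated. A stricter variant follows as an added example (not the author's code): it reports the role only for names the membership provider recognises, and it answers the read-only lookups instead of throwing. The namespace and class name are hypothetical, and it assumes the FBA MembershipProvider is the application's default provider.

```csharp
using System;
using System.Web.Security;

namespace Example.Web.Security   // hypothetical namespace, not from the post
{
    // Added example: same single-role idea, but the role is tied to a known
    // membership user rather than to whatever string the caller passes in.
    public class CheckedAllAuthenticatedUsersRoleProvider : RoleProvider
    {
        public const string RoleName = "All Authenticated Users";
        private static readonly string[] NoRoles = new string[0];

        public override string ApplicationName { get; set; }

        // Assumption: the default MembershipProvider is the FBA user store.
        private static bool IsKnownUser(string username)
        {
            if (string.IsNullOrEmpty(username)) return false;    // anonymous or missing identity
            return Membership.GetUser(username, false) != null;  // false: leave last-activity date alone
        }

        private static bool IsOurRole(string roleName)
        {
            return string.Equals(roleName, RoleName, StringComparison.OrdinalIgnoreCase);
        }

        public override string[] GetRolesForUser(string username)
        {
            return IsKnownUser(username) ? new[] { RoleName } : NoRoles;
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return IsOurRole(roleName) && IsKnownUser(username);
        }

        public override bool RoleExists(string roleName) { return IsOurRole(roleName); }
        public override string[] GetAllRoles() { return new[] { RoleName }; }

        // The role is implicit, so its membership cannot be listed or edited.
        public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    }
}
```

Each role lookup now costs one membership query, so a slow user store will show up in page load times.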

2 thoughts on “SharePoint FBA: Basic “All Authenticated Users” Role Provider”

  1. Bryan

    I am trying to use FBA to perform Windows authentication and then rely on SharePoint for all authorization.

    Can you help here?

    Here’s a quick summary of what I have:

    * I have a SP web app with Windows authentication enabled (assume the URL is http://spserver01)

    * I have extended the SP web app and have enabled FBA (assume the URL is http://spserver01:1234)

    * I have created Windows users on SP server (e.g., user1, user2, etc)

    * I have made these Windows users “Team Site Members” in SP.

    * When I use Windows authentication, all works great.

    * When I use FBA authentication, I can get authentication to work (I’ve implemented my own MembershipProvider) but I still get “Access Denied” errors, even when using your “All Authenticated Users” role provider above.

    Basically, I think I’m trying to do exactly what you’ve accomplished above. Any thoughts/guidance here as to what I could be missing?

    Thanks!

    * I have a SP site collection that has Windows authentication enabled. This works great.

    * I have extended that SP site collection

    get this exact thing working but am running into issues:

    If you are like me though, and are using FBA merely for authentication and are leveraging SharePoint for all authorization, then the single “All Authenticated Users” role is all I need from my Role Provider.

  2. Gaurav

    This does not work for MOSS/ SP2007. Any thoughts would be highly appreciated. Bryan, were you able to resolve this?
