
Forms authentication against 2 domains that trust each other

  Asked By: Joseph    Date: Mar 26    Category: MOSS    Views: 2498

I have a MOSS 2007 environment with 2 domains domainA and domainB. I
have MOSS installed on a server in domainA and I have a publishing
portal using forms authentication against domainA. This works fine.
I also want to forms authenticate against domainB. There is a two
way trust between the domains and I have successfully done a profile
import from domainB using a custom source. Users from domainA can
login OK but users from domainB cannot. Things to note:

1. If I switch back to windows authentication then users from either
domain can login.

2. If I change the connection string in the web.config to point at
domainB then user from domainB can login but not users from domainA.

3. When a user login fails we get the following in the app event log:

Event code: 4006
Event message: Membership credential verification failed.
Event time: 7/25/2007 3:16:27 PM
Event time (UTC): 7/25/2007 2:16:27 PM
Event ID: 8ff368d446114f35b4216ccd9f2d03fd
Event sequence: 40
Event occurrence: 4
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/978623740/Root-8-
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path:
Machine name: Server017

Process information:
Process ID: 4336
Process name: w3wp.exe
Account name: domainA\AppPool4

Request information:
Request URL: http://sitename/_layouts/login.aspx?
Request path: /_layouts/login.aspx
User host address:
Is authenticated: False
Authentication Type:
Thread account name: Server017\IUSR_Server017

Name to authenticate: user2

5 Answers Found

Answer #1    Answered By: Jacob Green     Answered On: Mar 26

You would need to write a custom membership provider to be able to
authenticate against two separate domains within a single WebApplication
(ZONE). However, you could extend the existing WebApplication (that
uses FBA against DomainA) into a separate WebApplication. Then set that
WebApplication to do FBA against DomainB. Then the users can login via
domain A through one URL and domain B through the other. Either URL
goes to the same content and structure.

Answer #2    Answered By: Spencer Bradley     Answered On: Mar 26

Thanks for that. Is this still the case even though there is a 2 way
trust between the 2 domains? It is possible to login to either domain
when the site is set to windows authentication - is this just due to
a fundamental difference between windows authentication and forms

Answer #3    Answered By: Jay Ruiz     Answered On: Mar 26

If you use 2 way trusts and Windows Authentication you could logon to
either domain. But FBA using LDAP won't see the trusts to be able to
walk them.

Answer #4    Answered By: Graham Ingram     Answered On: Mar 26

The ADProvider uses a straight LDAP query then and that
will not traverse the trust? - that makes sense now. Except that I
have an MS engineer (on the phone now!) telling me that an LDAP query
should traverse the trust...!

One last question - a suggested way around this (not tested yet) is
to use ADAM locally to authenticate against. I have not used ADAM but
I take it that ADAM could pull in details from both domains and the
ADProvider could authenticate via LDAP against that. Does that sound

Answer #5    Answered By: Donte Jefferson     Answered On: Mar 26

LDAP should traverse the trust if the query is not domain specific. But
I think the query being used in the ADProvider is simply querying one
Domain, not the Forest (check the way your connection string is
established). It should be possible to do the whole forest, but I'm not
enough of an LDAP expert to tell you how it could be done.

ADAM will work. I've done LDAP authentication against an ADAM
directory. What I haven't tried is synchronizing ADAM against two
domains. That might work but I haven't tried it. I've normally used
ADAM for establishing Extranets where users will not be in the main AD.
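As a worked illustration of the two-zone approach in Answer #1 and the connection-string point in Answer #5, here is a web.config fragment (added here, not from the original thread or from any poster) that defines one ActiveDirectoryMembershipProvider per domain; each zone's authentication settings in Central Administration are then pointed at one of the two provider names. The domain controller names, base DNs and service accounts are placeholder assumptions.

```xml
<!-- Added example web.config fragment; host names, DNs and accounts are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Each connection string binds to exactly one domain. The provider only
         validates against the directory named here; it does not follow the
         two-way trust to the other domain, which is why a single provider
         authenticates domainA users or domainB users but never both. -->
    <add name="DomainAConnection"
         connectionString="LDAP://dc1.domaina.example/DC=domaina,DC=example" />
    <add name="DomainBConnection"
         connectionString="LDAP://dc1.domainb.example/DC=domainb,DC=example" />
  </connectionStrings>
  <system.web>
    <!-- Both providers are declared; the zone that serves domainA users is
         configured with DomainAMembership, the extended zone with DomainBMembership. -->
    <membership defaultProvider="DomainAMembership">
      <providers>
        <clear />
        <add name="DomainAMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="DomainAConnection"
             connectionUsername="domaina\svc_fba_placeholder"
             connectionPassword="placeholder"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
        <add name="DomainBMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="DomainBConnection"
             connectionUsername="domainb\svc_fba_placeholder"
             connectionPassword="placeholder"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The bind accounts only need read access to the directory, and the sections holding their passwords can be encrypted in place with `aspnet_regiis -pe "connectionStrings" -app "/"` and `aspnet_regiis -pe "system.web/membership" -app "/"` so the credentials are not stored in clear text on the web front end.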