Welcome: Guest!

MOSS Forum

 
Home » Forum » MOSS       Ask a questionRSS Feeds

Forms authentication against 2 domains that trust each other

  Asked By: Joseph Petty         Date: Mar 26, 2007      Category: MOSS      Views: 986
 

I have a MOSS 2007 environment with 2 domains domainA and domainB. I
have MOSS installed on a server in domainA and I have a publishing
portal using forms authentication against domainA. This works fine.
I also want to forms authenticate against domainB. There is a two
way trust between the domains and I have successfully done a profile
import from domainB using a custom source. Users from domainA can
login OK but users from domainB cannot. Things to note:

1. If I switch back to windows authentication then users from either
domain can login.

2. If I change the connection string in the web.config to point at
domainB then user from domainB can login but not users from domainA.

3. When a user login fails we get the following in the app event log:

Event code: 4006
Event message: Membership credential verification failed.
Event time: 7/25/2007 3:16:27 PM
Event time (UTC): 7/25/2007 2:16:27 PM
Event ID: 8ff368d446114f35b4216ccd9f2d03fd
Event sequence: 40
Event occurrence: 4
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/978623740/Root-8-
128298460579446990
Trust level: WSS_Minimal
Application Virtual Path: /
Application Path:
F:\Inetpub\WWWRoot\wss\VirtualDirectories\sitename80\
Machine name: Server017

Process information:
Process ID: 4336
Process name: w3wp.exe
Account name: domainA\AppPool4

Request information:
Request URL: http://sitename/_layouts/login.aspx?
ReturnUrl=/_layouts/Authenticate.aspx?Source=%252FPages%252Fdefault%
252Easpx&Source=/Pages/default.aspx
Request path: /_layouts/login.aspx
User host address: 10.44.76.106
User:
Is authenticated: False
Authentication Type:
Thread account name: Server017\IUSR_Server017

Name to authenticate: user2

Tagged:                

 

5 Answers Found

 
Answer #1       Answered By: Jacob Green          Answered On: Mar 26, 2007       

You would need to write a custom membership provider to be able to
authenticate against two separate domains  within a single WebApplication
(ZONE). However, you could extend the existing WebApplication (that
uses FBA against DomainA) into a separate WebApplicaiton. Then set that
WebApplication to do FBA against DomainB. Then the users can login via
domain A through one URL and domain B through the other. Either URL
goes to the same content and structure.

 
Answer #2       Answered By: Spencer Bradley          Answered On: Mar 26, 2007       

Thanks for that. Is this still the case even though there is a 2 way
trust between the 2 domains? It is possible to login to either domain
when the site is set to windows authentication  - is this just due to
a fundamental difference between windows authentication and forms
authentication?

 
Answer #3       Answered By: Jay Ruiz          Answered On: Mar 26, 2007       

If you use 2 way trusts and Windows Authentication you could logon to
either domain. But FBA using LDAP won't see the trusts to be able to
walk them.

 
Answer #4       Answered By: Graham Ingram          Answered On: Mar 26, 2007       

The ADProvider uses straight LDAP query then and that
will not traveres the trust? - that makes sense now. Except that I
have an MS engineer (on the phone now!) telling me that an LDAP query
should traverse the trust...!

One last question - a suggested way around this (not tested yet) is
to use ADAM locally to authenticate against. I have not used ADAM but
I take it that ADAM could pull in details from both domains  and the
ADProvider could authenticate via LDAP against that. Does that sound
plausible?

 
Answer #5       Answered By: Donte Jefferson          Answered On: Mar 26, 2007       

LDAP should traverse the trust  if the query is not domain specific. But
I think the query being used in the ADProvider is simply querying one
Domain, not the Forest (check the way your connection string is
established). It should be possible to do the whole forest, but I'm not
enough of an LDAP expert to tell you how it could be done.

ADAM will work. I've done LDAP authentication  against an ADAM
directory. What I haven't tried is synchronizing ADAM against two
domains. That might work but I haven't tried it. I've normally used
ADAM for establishing Extranets where users will not be in the main AD.

 


Your Answer
  • Answer should be atleast 30 Characters.
  • Please put code inside [Code] your code [/Code].

 
Hall of Fame  |  Facebook  |  Twitter  |  LinkedIn  |  Terms of Use  |  Privacy Policy  |  Contact us
RSS Feeds: Articles |  Forum |  New Users |  Activities |  Interview FAQ |  Poll |  Hotlinks


Go4Sharepoint, is a Microsoft Featured Community. Microsoft, Windows, Sharepoint, Sharepoint logo, Windows logo, etc are trademarks of the Microsoft Corporation. All product names, logos, copyrights, and trademarks mentioned are acknowledged as the registered intellectual property of their respective owners. This site is not in any way affiliated with, nor has it been authorized, sponsored, or otherwise approved by, Microsoft Corporation.

Copyright © 2008-2011