Form Based Authentication in SharePoint VS Windows Authentication

This article compares the differences between the two.

 

Crawling

==============

MOSS and WSS3.0 are designed for Windows authentication. when MOSS was just released, there was no way to use the FBA (form based authentication) authentication method to crawl the network. in SP1, it includes the ability to set special crawling rules, allowing cookie-based authentication, so that the site can be crawled.

However, it can only perform simple crawling of content, and does not capture security information. There are also rich metadata that can be captured by native SharePoint Protocol Handler.

 

For this reason, whether or not you have installed SP1, we recommend that you use SharePoint native protocol handler to index sites protected by FBA.

Note: For more information about configuration, see the original article.

 

Integration with 2007 Office System

==============

MOSS and WSS3.0 have high-level integration with Office client software. many Integrated Feature files depend on Windows authentication. without Windows authentication, many integration points will not work, and the rest will be somewhat different. to help customers minimize confusion, SharePoint provides a mode in which menu items requiring Windows authentication are removed. this mode is set in the management center, on the Authentication Provider pageEnable Client IntegrationCheck box.

 

The following are some projects that can only work with Windows Authentication:

 

Support for remote interfaces is disabled, including WebDAV, SOAP, and Microsoft Office FrontPage remote procedure CALS (RPC ). some functions are unavailable, such as Web folders and Web services for accessing content in that site.

 

Some toolbar items no longer appear:

• New Document
• Open in Outlook
• Open In Windows Explorer
• Export to Spreadsheet
• Open with Database Program

The Explorer View option is hidden.

 

The Create an Access View option is hidden.

 

In the image library, the following functions are removed:

• Upload Multiple
• Edit Picture
• Download
• Send

In the document library, the following drop-down items in the Edit control module menu are removed: Edit in Word

• Edit in Excel
• Edit in PowerPoint
• Discuss
• Connect To Outlook

In the PPT library, the following functions are removed:

• Publish Slide
• Send to PowerPoint

The synchronization between SharePoint data and Outlook is no longer valid.

 

In this mode, users can also use the SharePoint document library, but they must right-click them and choose to save the copy to the disk. They can edit and upload them.

 

Some companies may want to use Form authentication, but they also require integration at the same level as windows authentication. below are some possible workund und in this scenario. They are helpful for us to understand why these restrictions exist.

 

When a user accesses a page on a site through form authentication, the server will find a valid authentication cookie. if the cookie is not found, or the cookie is invalid, the server redirects the browser to the login page by using the HTTP 302 status code. on this page, you can use its credentials information to pass authentication. after the credential has been verified, the server creates a valid authentication cookie and sends it back to the browser together with the page of the original request. the browser stores the cookie in the memory and carries the cookie in the subsequent requests to the web server. in each request, the server checks the validity of the cookie to ensure that it is a good one (not expired, not tampered with), and then processes the request.

 

Because the authentication cookie in the memory is used, the following restrictions are imposed:

• The Cookie can only be saved when the browser is enabled. Once the browser is closed, the cookie will be destroyed along with what the browser uses.
• Cookie belongs to the browser application process (.exe) and cannot be shared by other processes. office applications run in their own processes. For example, msword.exe is the name of the Word process. because of this, a cookie generated when a user logs on to the website cannot be shared by word.

This article explains why the Enable Client Integration option is created: to help end users experience a consistent, predictable environment; however, the user experience is a little different from that of users who are used to windows authentication. even with so many restrictions, there are still some options that allow form authentication, and some or all of the technical points that use windows authentication for deep integration with Office applications.

 

Updates to Form Based Authentication for Office 2007

====================

When MOSS and Office2007 were just released, the Office client application cannot directly open the documents on the site using form authentication. this is because, as explained just now, the 302http response code will be sent back to the application when the program tries to open the document. the Office client application cannot respond to code 302. The result is to display the login form, not the requested document.

The update of Office 2007 allows users to process the 302 Http response code. the affected programs include Word2007, Excel2007, PowerPoint2007, and SahrePoint Designer2007. as a result, the Office application can display the login page form in a pop-up dialog box. to achieve this, the application sends a request to the SharePoint site, and the server sends a response, indicating that the authentication method is form authentication, including the location of the authentication page. the Office application then renders the HTML form, allowing users to enter their credential in the form. credential information is sent to the server through the post method. If the server returns a redirection response to the original request document, the Office application assumes that the identity has been established. it then uses the authorization cookie sent from the server to retrieve the document, add the relevant metadata, and then open the document.

By using this method, you can use form authentication pages for any site, regardless of whether the page is provided by the SharePoint Server.

 

Check "Sign me in automatically" when logging on"

====================

The form logon page contains a statementSign me in automaticallyCheck box, which is not selected by default. if you select this cookie during login, an encrypted authentication cookie will be serialized to the local hard disk of the computer on which the user logs on to the site. users' credential information is not stored in cookies. Instead, cookies store encrypted data that can identify users.

Office applications will find such authentication cookies after receiving authentication requests. if one cookie exists, it will be placed in the response to the authentication request. if the cookie is valid, the cookie authentication succeeds and the document is opened on the Office client.

Some features cannot work even with authenticationcookies. for example, Outlook uses the stssync protocol to synchronize data between SharePoint and outlook. this should work when the authentication cookie is valid. However, by default, authentication will expire 30 minutes later. Then, outlook will ask the user to authenticate again.

User Profile Import

====================

MOSS 2007 Profile Import Tool helps us use the menbership provider included in Asp.net 2.0. the membeship provider you provide provides the GetAllNames method, and you can use Profile Import Tool to register your provider. if your provider wants GetAllProperties, Profile Import Tool can retrieve the attributes of each user.

 

References:

Forms Authentication in SharePoint Products and Technologies (Part 3): Forms Authentication vs. Windows Authentication

Http://msdn.microsoft.com/en-us/library/bb977430.aspx

Office: Authentication prompts when opening Microsoft Office documents

Http://support.microsoft.com/default.aspx? Scid = kb; en-US; 2019105 # appliesto