Forms Based Authentication and Active Directory

I recently had to configure Forms Based Authentication for our website (in my case SharePoint, but the same would apply to a plain ASP.NET website) and I wanted to configure it to use Active Directory for the account storage.  Our website is going to be accessed at the corporate office, using Windows Integrated Authentication and we’ve set up a separate website pointing to the same content for our extranet users.  Both corporate and extranet accounts are going to be stored in AD.

Just for review, FBA uses different providers for different pieces of functionality.  The membership provider gives you user accounts.  For groups, you’ll need a Role Provider.  The third piece can be a profile provider.

The first step I did was to configure the membership provider for Active Directory.  There are plenty of examples on the net, so I won’t cover it again here.  (Microsoft’s documentation is here.)  I got that working fine, so I moved on to the next step, configuring a role provider.

What I soon discovered was that Microsoft doesn’t provide an AD role provider. If you want to pull back group membership, you’ll have to either buy a 3rd party provider, grab an open source one, or build your own. I was pretty skeptical (and am still thinking I must be missing something), but as of January of this year I couldn’t find an MS role provider for AD.


SO, I used this one:

It’s worked well so far.  This provider also has the ability to use a SQL database to cache a user’s roles.  They did this after finding that SQL can provide a faster response than AD.

Next month we are going to stress test our application, and I’ll find out how much of a difference the SQL caching makes.

Print | posted @ Friday, July 17, 2009 8:56 PM