Hi guys,
I'm using SharePoint with FBA enabled, and almost everything works fine: I can give permissions to users and roles (both are available in the people picker), and users can authenticate if they have site permissions; however, I can't get a user authenticated through a role.
Example:
- If I give Edit permissions to the "Homer Simpson" user through the Visitors group -> Homer can sign in OK! (woohooo!)
- Conversely, if I give Edit permissions to the "Springfield Nuclear Power Plant employees" role through the Visitors group -> Homer gets Access denied! (D'oh!!!, and of course Homer belongs to the "Springfield Nuclear Power Plant employees" role)
As you know, it's best practice to use roles instead of users in order to reduce administrative workload (we'd need to add Lenny, Carl and the rest of the guys) and avoid performance issues (altering ACLs can trigger search full scans).
When I debug the solution step by step, the RoleProvider's GetRolesForUser operation is always called when I try to authenticate, and it returns correct results including the role to which the user belongs; however, I always get "Access denied".
Is this an unsupported scenario? I've tried a couple of workarounds with the same results. I'll try to consolidate the steps I followed below; is something missing?
- Add the custom membership provider and role provider assembly to the GAC (inheriting from the MembershipProvider and RoleProvider base classes respectively; it uses services, not a SQL Server database or LDAP).
- Enable forms authentication on the web application, configuring the MembershipProvider and RoleProvider. I've tried this using a single web application with mixed authentication (Windows and Forms), and by extending the web application to an Extranet zone configured with Forms Authentication only.
- Configure the providers (with the same names configured at step 2) in the Security Token Service application, Central Admin and web application web.config files; the last two include the people picker wildcards for the custom providers (membership and role).
- Set the custom role provider as default in the web application (without this, the role provider's operations aren't called during authentication).
- Add an FBA user as site collection administrator so that he can give permissions to other users.
Operations implemented in the role provider: GetAllRoles, GetRolesForUser, RoleExists, IsUserInRole and the Name property. I've also set the portal super user accounts.
Some refs:
- http://blog.sharedove.com/adisjugo/index.php/2011/01/05/writing-a-custom-membership-provider-and-using-it-for-fba-forms-based-authentication-in-sharepoint-2010-from-the-scratch/
- http://blogs.msdn.com/b/chunliu/archive/2010/08/21/creating-a-custom-login-page-for-fba-in-sharepoint-2010.aspx
- http://vinaybhatia.blogspot.in/2011/04/access-denied-for-fba-user-with-site.html
- http://sivarajan.me/post/SharePoint-2013-Enabling-Custom-Login-Page-and-Mixed-Contents-Part-2
Greetings, I appreciate your feedback.
Jorge.Henao
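For readers comparing their own provider against the steps above, here is a complete read-only RoleProvider of the kind the post describes (GetAllRoles, GetRolesForUser, RoleExists, IsUserInRole, plus the remaining abstract members that the base class forces you to override). This is an added example written for this page, not the poster's provider and not SharePoint's own code; the namespace, class name and the in-memory role table are assumptions, and that table is constructed sample data standing in for the web service the post says the real provider calls. The two details that matter for the role-based grant are flagged in comments: the provider name that Initialize receives is the name SharePoint stamps into every role claim it issues, and GetRolesForUser must return the role name in exactly the spelling that was stored in the ACL when the role was picked, because the claim is matched as a string.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web.Security;

namespace Springfield.Fba
{
    // Read-only role provider for SharePoint forms-based authentication.
    // Written for this page as an example; it is not the poster's provider.
    // Targets .NET 3.5 so it also compiles for SharePoint 2010 (no
    // string.IsNullOrWhiteSpace).
    public sealed class SpringfieldRoleProvider : RoleProvider
    {
        // role name -> members. Constructed sample data; both the dictionary
        // and the member sets compare case-insensitively, while the keys keep
        // the canonical spelling that GetRolesForUser hands back to SharePoint.
        private static readonly Dictionary<string, HashSet<string>> RoleMembers =
            new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
            {
                { "Springfield Nuclear Power Plant employees", Members("homer", "lenny", "carl") },
                { "Springfield Elementary staff",              Members("skinner", "krabappel") },
            };

        private static HashSet<string> Members(params string[] users)
        {
            return new HashSet<string>(users, StringComparer.OrdinalIgnoreCase);
        }

        private static bool IsBlank(string s)
        {
            return string.IsNullOrEmpty(s) || s.Trim().Length == 0;
        }

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            if (string.IsNullOrEmpty(name)) name = "SpringfieldRoleProvider";
            // SharePoint writes this provider name into every role claim it
            // issues, so it must be identical in the STS, Central Admin and
            // web application web.config files (ProviderBase.Name exposes it).
            base.Initialize(name, config);
            ApplicationName = config["applicationName"] ?? "/";
        }

        public override string[] GetAllRoles()
        {
            return RoleMembers.Keys.OrderBy(r => r, StringComparer.OrdinalIgnoreCase).ToArray();
        }

        public override string[] GetRolesForUser(string username)
        {
            if (IsBlank(username)) return new string[0];
            string user = username.Trim();
            // Return the canonical role names (dictionary keys), never the
            // caller's spelling: the role claim is compared as a string against
            // the ACL entry that the people picker stored.
            return RoleMembers.Where(kv => kv.Value.Contains(user))
                              .Select(kv => kv.Key)
                              .ToArray();
        }

        public override bool RoleExists(string roleName)
        {
            return !IsBlank(roleName) && RoleMembers.ContainsKey(roleName.Trim());
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            HashSet<string> members;
            return !IsBlank(username)
                && !IsBlank(roleName)
                && RoleMembers.TryGetValue(roleName.Trim(), out members)
                && members.Contains(username.Trim());
        }

        public override string[] GetUsersInRole(string roleName)
        {
            HashSet<string> members;
            if (IsBlank(roleName) || !RoleMembers.TryGetValue(roleName.Trim(), out members))
                return new string[0];
            return members.OrderBy(u => u, StringComparer.OrdinalIgnoreCase).ToArray();
        }

        // Prefix match on the member name within one role.
        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            string prefix = (usernameToMatch ?? string.Empty).Trim();
            return GetUsersInRole(roleName)
                .Where(u => u.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                .ToArray();
        }

        // Role membership is owned by the backing service. SharePoint only
        // reads roles, so refuse writes loudly instead of pretending to succeed.
        public override void CreateRole(string roleName) { throw ReadOnly(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw ReadOnly(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw ReadOnly(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw ReadOnly(); }

        private NotSupportedException ReadOnly()
        {
            return new NotSupportedException(Name + " is read-only; manage roles in the backing service.");
        }
    }
}
```

To wire it in, the assembly goes into the GAC and the provider is registered under `<roleManager enabled="true" defaultProvider="SpringfieldRoleProvider">` with `<add name="SpringfieldRoleProvider" type="Springfield.Fba.SpringfieldRoleProvider, <full assembly name>" />` in each of the three web.config files the post lists, using the same `name` everywhere; the assembly name is whatever you signed and deployed, so it is left as a placeholder here. A quick sanity check while debugging is to call `Roles.GetRolesForUser("homer")` from the web application's context and compare the returned strings character by character with the role as it appears in the site's permission entries.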