No OTB RoleProvider for AD Group Authentication in Claims based FBA (SharePoint Foundation 2010)

This does not hold true for SharePoint Server (I confirmed it works there), but if you are trying to authenticate users via Forms Based Authentication in SharePoint Foundation 2010 against a security group on your AD network, you won’t be able to… unless you are willing to put in the massive effort of building your own provider (I’m not that insane personally, yet).

Ah, but you’re probably saying right about now… NO! There is a TechNet article that not only says we can do it, but shows us how! (You’re probably referring to this one.) Well, the documentation is wrong.

The first thing that caught my attention about that article was that the provider referenced an assembly called “Microsoft.Office.Foundation.Security.LdapRoleProvider”… that didn’t look right to me. First, anything referenced as “Microsoft.Office.Etc” is usually reserved for SharePoint Server. Second, I didn’t recall seeing that assembly ANYWHERE on the system (yes, I’m a little over the top on stuff like that; I have looked). I decided to call Microsoft out on this one, as I was determined it was an error… Alas, after they spun their wheels on it for a little over 2 weeks, they gave the official word:

So there you have it. Unless they come out with an out-of-the-box provider, or you’re willing to do the work for them (which could prove obsolete in future updates, and I wouldn’t bet my Production environment on it… and yes, the same holds true for any CodePlex projects), you’re just going to have to find an alternative way of maintaining users who want to authenticate to your environment via Forms… (or implement SharePoint Server 2010, which does come with one!)

Side Note:

Somewhat unrelated, but worth mentioning. I found the Microsoft documentation so lacking on this subject that it was quite pitiful. Specifically, the “official” documentation (which, as I mentioned previously, is incorrect) suggests using the LDAP provider. If you are familiar with LDAP, it’s fine and all… it’s somewhat of a standard, but it’s still “Lightweight” and not considered “fully security hardened” (hence the name: “Lightweight Directory Access Protocol”). In my case, I opted to use the standard built-in provider that comes with Windows Server 2008 R2 called “System.Web.Security.ActiveDirectoryMembershipProvider”, and it worked great. But of course, there is no Role Provider for EITHER of these implementations. I really wish someone had taken these implementations just a little further, because the gap resulted in significant frustration.
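For reference, this is what the membership-provider half of that setup looks like in the SharePoint web application’s web.config. It is an added example, not configuration from the original post or from Microsoft’s article; the domain controller, base DN, service account and provider name are placeholders I assumed, and connectionProtection="Secure" is set so the bind to the directory is done over SSL or signed and sealed rather than sent in the clear.

```xml
<!-- Added example: web.config of a claims-based SharePoint Foundation 2010 web application.
     Host name, DN, account and provider name are assumed placeholders; adjust for your domain. -->
<configuration>
  <connectionStrings>
    <!-- Base DN the provider searches for user accounts. -->
    <add name="ADConnection"
         connectionString="LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <!-- The built-in ASP.NET provider the post settled on. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             connectionUsername="CORP\svc-sp-fba"
             connectionPassword="PLACEHOLDER-store-in-a-protected-config-section"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="true" />
      </providers>
    </membership>
    <!-- Foundation 2010 ships no role provider that maps AD groups, so there is
         deliberately no <roleManager> entry here pointing at one. -->
  </system.web>
</configuration>
```

In claims-based FBA the same `<membership>` entry also has to be added to the Security Token Service application’s and Central Administration’s web.config files, or sign-in and the People Picker will not resolve users against the directory.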

Either way, I hope this at least answers the question for any of you out there facing the same issue. At least we now know.

  • Ashley Feldon-Lawrence

    Hi Matthew,

    Just spent 3 hours bashing my head, sadly didn’t ask Google the right question soon enough to come across this post.

    Glad someone else

  • http://www.hexanes.com Matthew Workman

    My pleasure man… hope it works out for you. Sometimes just knowing one way or another is a win in itself :)