Eric Bowden has over 19 years of software development experience around enterprise and departmental business productivity applications.
I recently researched the feasibility of using My Sites for sites using Forms Based Authentication. We are seeing clients who want to leverage My Sites in an extranet scenario where users are not in Active Directory. I thought I would share my experience from what I found when looking into using Forms Based Authentication with My Sites.
I used a handful of blog posts to support this endeavor.
- Moving your MySite location in MOSS – Chris Johnson
These posts were very helpful but required a few tweaks for my case.
I first experimented with creating My Sites in a different web application from the public facing site. It is recommended that My Sites be in their own web application to allow for scalability (segregating My Sites across web applications by Audience for example) and so that all of the My Site site collections can be backed up/restored independent of other site collections.
Using help from the blog posts above, I converted my My Sites web application, my SSP, and my public facing site so that all three support forms based authentication only (as suggested). The first result I noticed was that the sites required users to authenticate when going from the public facing site over to the My Site. Further, the user had to authenticate if they returned to the public site, as was the case if they invoked a search using the default Search Center.
To enable crawling of My Sites, I had to configure a crawl rule to tell the search engine how to authenticate. Usually you have to use AddRule.exe for this. But thankfully, the recently released Infrastructure Update for Microsoft Office Servers (KB951297) provides updates to the crawl rules user interface to allow you to more easily create a crawl rule for Search of sites requiring forms based authentication.
The steps are:
- Add the URL of the site to crawl to your list of Content Sources
- Create a Crawl Rule for your site including the URL of the site as the selection criteria
- Select the radio button to “Include all items in this path”
- Select “Specify form credentials”, input the Login URL of the site and click Enter Credentials.
- A popup window is supposed to appear with your Login page enclosed.
- You should log in to the site and click OK when asked if the login was successful.
This was easier said than done in my case. The form would not pop up. I only got a nice blue circle next to the Enter Credentials button. I would eventually have to end-task on Internet Explorer.
To remedy this, you must use the following login URL, http://<yourserver>/_layouts/login.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252f, instead of the default URL you see when you try to log in, http://<yourserver>/_layouts/login.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252f&Source=%2f. Evidently, that last query string parameter causes the trouble.
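The two URLs differ only in the outer `Source` parameter; a second `Source` is nested, encoded, inside `ReturnUrl` and has to stay. The following is an added example, not code from the original post, that derives the crawl rule login URL from the default one without re-encoding anything; the host `extranet.example` and the function names are assumptions.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: the default login URL from the post, with a placeholder host.
DEFAULT_LOGIN_URL = (
    "http://extranet.example/_layouts/login.aspx"
    "?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252f&Source=%2f"
)


def crawl_rule_login_url(default_url):
    """Drop the outer Source parameter and leave every other byte untouched."""
    parts = urlsplit(default_url)
    # Work on the raw query string so the percent-encoding of ReturnUrl
    # (including its nested, double-encoded Source) is preserved exactly.
    kept = [pair for pair in parts.query.split("&")
            if pair.partition("=")[0].lower() != "source"]
    return urlunsplit(parts._replace(query="&".join(kept)))


def source_parameters(url):
    """Report where Source appears: in the outer query and inside ReturnUrl."""
    outer = dict(parse_qsl(urlsplit(url).query))
    # ReturnUrl is itself a URL; decoding it once exposes its own query string.
    inner = dict(parse_qsl(urlsplit(outer.get("ReturnUrl", "")).query))
    return {"outer": outer.get("Source"),
            "nested_in_ReturnUrl": inner.get("Source")}


if __name__ == "__main__":
    print(source_parameters(DEFAULT_LOGIN_URL))
    fixed = crawl_rule_login_url(DEFAULT_LOGIN_URL)
    print(fixed)
    print(source_parameters(fixed))
```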
In the end though, crawling My Sites using forms based authentication was not viable because the crawling capability depends upon the authorization of the user specified in the crawl rule. The user specified (using forms based authentication) is Site Collection Administrator of his own site (and no others) and does not have a view of all My Site site collections. There are ways to provide the crawler with a view of other My Sites, such as adding links to these sites on the My Site page of the crawl user, but this does not work around the fact that this user is not a Site Collection Administrator of each site collection and so will not have access to personal content on other users’ My Sites. Then, if you are able to work around this (by adding this user as Site Collection Administrator to all of the My Sites), you will find that the search results are not security trimmed. To solve this last hurdle you’ll need to create a custom security trimmer. At this point I decided to punt and take a different approach.
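The chain of problems above can be followed in a small model. This is an added example, not code from the original post and not SharePoint's API: the site URLs, account names and documents are constructed, and read access is simplified to "is a Site Collection Administrator of that My Site".

```python
# Constructed sample data: each My Site is administered only by its owner.
def build_sites():
    base = "http://extranet.example/personal/"
    return {
        base + "alice/": {"admins": {"alice"}, "docs": ["salary-review.docx"]},
        base + "bob/": {"admins": {"bob"}, "docs": ["travel-notes.docx"]},
        base + "crawlacct/": {"admins": {"crawlacct"}, "docs": ["readme.docx"]},
    }


def crawl(sites, crawl_user):
    """The index only contains what the crawl account is authorized to read."""
    return [url + doc for url, site in sites.items()
            if crawl_user in site["admins"] for doc in site["docs"]]


def search(index, term):
    """Untrimmed query: every matching indexed item goes back to the caller."""
    return [doc for doc in index if term in doc]


def check_access(doc_urls, sites, user):
    """Trimmer model: one allow/deny flag per result for the querying user."""
    flags = []
    for doc in doc_urls:
        site = next(s for url, s in sites.items() if doc.startswith(url))
        flags.append(user in site["admins"])
    return flags


def scenario(querying_user):
    sites = build_sites()
    # 1. Crawl account administers only its own My Site: nothing else is indexed.
    before = search(crawl(sites, "crawlacct"), ".docx")
    # 2. Workaround from the post: make the crawl account admin everywhere.
    for site in sites.values():
        site["admins"].add("crawlacct")
    untrimmed = search(crawl(sites, "crawlacct"), ".docx")
    # 3. Without trimming, every user sees every hit; a trimmer filters per user.
    flags = check_access(untrimmed, sites, querying_user)
    trimmed = [doc for doc, ok in zip(untrimmed, flags) if ok]
    return before, untrimmed, trimmed


if __name__ == "__main__":
    for label, hits in zip(("before", "untrimmed", "trimmed"), scenario("bob")):
        print(label, hits)
```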
My second experiment was to configure My Sites to exist in the same web application as my public facing site. See Chris Johnson’s post for details. The only tweak I had to follow was to go to the My Site Host Permissions page from the My Site Settings page and add the user groups who may be creating My Sites to the MySiteHost Members group. I also configured my SSP, public facing site, and My Site to support both Windows Auth and Forms Auth.
Success! With this configuration my users can seamlessly navigate from the public site to their My Site and then back to Search Center. Using the default Local Office SharePoint Server sites content source, the search crawl correctly crawled over My Site contents, security trimmed the results, and included the correct URL in the results. I expected that I would need to implement URL mapping because the crawler had crawled the content from the Windows Auth side but the results were being presented on the Forms Auth side. SharePoint took care of this!