
SharePoint Blogs

The Best Place for SharePoint-related Blogs

Rajiv and Michael's SharePoint discoveries and musings...

October 2006 - Posts

  • Setup Guide: Search under Forms Authentication WSS 2007 B2TR

    Thanks to Sage Kitamorn (the SharePoint Search Program Manager) promptly responding to our call for help with search under forms authentication, and a response to our previous blog post from his colleague Avi, we have made some progress implementing WSS Search on a site using Forms Authentication.

    Search now returns results and performs UI Trimming as we will show below, but we have one outstanding issue. Anonymous search under forms authentication raises the following error:

    "Your search cannot be completed because of a service error.  Try your search again or contact your administrator for more information."

    While we have not found a workaround to fixing search for the anonymous user, below is a step-by-step guide for setting up a site with both anonymous and secure content and a functional search for authenticated users.  This guide assumes that you already have a search server configured correctly.

    Note: Our custom provider is called "PassportMembershipProvider", not to be confused with other Microsoft authentication providers with the same name.

    1. Create a new Web Application in Central Admin and select your Search Server.  We use port 12000.
    2. Create a new Site Collection for the newly created Application.
    3. Configure your site to support forms authentication.  This must be set correctly in the web.config of the application.  The web.config file in your application should contain the following entries:

      <!-- Add to the configuration node -->
      <connectionStrings>
        <add name="MembershipProviderDBConn" connectionString="Data Source=servername; Initial Catalog=dbname; User Id=userid; Password=userpassword;" />
      </connectionStrings>

      <!-- Add to the System.Web node -->
      <membership defaultProvider="PassportMembershipProvider">
        <providers>
          <remove name="PassportMembershipProvider" />
          <add name="PassportMembershipProvider" type="MyAssembly.PassporMembershipProvider, MyNamespace" applicationName="TestSite" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordFormat="Hashed" connectionStringName="MembershipProviderDBConn" commandTimeout="45" />
        </providers>
      </membership>

      <roleManager defaultProvider="PassportRoleProvider" enabled="true">
        <providers>
          <remove name="PassportRoleProvider" />
          <add name="PassportRoleProvider" type="MyAssembly.PassporRoleProvider, MyNamespace, AppliedPassportMembershipProvider" applicationName="TestSite" connectionStringName="MembershipProviderDBConn" commandTimeout="45" />
        </providers>
      </roleManager>

      Note: Since our web application is set up to use Forms Authentication, we also have to set up Site Collection Administrators based on users from our custom data store. To do so, you have to include the above entries in the web.config file of your Central Admin application as well. (Do not include the <roleManager...> node in your Central Admin web.config, or else you will get errors when saving.)
    4. We were interested in supporting anonymous content in addition to secure content.  In order to support anonymous content, be sure to go to  Site Actions > Site Settings > Advanced Permissions > Settings > Anonymous Access, then select "Entire Web Site" for your site.
    5. At this point, a second zone is needed with NTLM authentication for the search service to index correctly.  To create an extended zone, use the Central Admin > Application Management  > Create or extend Web Application, then select "Extend an existing Web application".  When extending your Web Application, you may select any open port and any available zone.  We selected the Custom zone, port 12001, and Allow Anonymous for our test site.

      At this point, our settings were as follows:

      [Screenshot: Web Application with Default (forms) and Custom (NTLM) Zone]
      [Screenshot: The Default (forms) zone]
      [Screenshot: The Custom (NTLM) Zone]

    6. Confirm that the Search Crawling Account has Full Read policy for your application.

    7. Since the search crawler only seems to index applications set up with NTLM authentication, you can also confirm that the search database contains a Crawl Host List entry in the dbo.MSSCrawlHostList table for the extended zone (12001, in our case).  SharePoint by design does not seem to index zones/sites with Forms authentication (note that there is no entry in the table for port 12000, which was our DEFAULT zone set up with our custom membership provider).

      You should now get search results when logged in to your Forms authenticated site as seen in the image on the right, below.



      Note:  Our attempt at creating the site in the reverse order (i.e. using NTLM in the Default zone) did not work for us. 

    - Rajiv

  • Search not working in WSS 2007 B2TR with Forms Authentication

    After creating a SharePoint site using Forms Authentication (CustomMembershipProvider), search no longer appeared to work.  Running some analysis yielded the following discoveries:

    • Search was confirmed to work as expected for our site with NTLM authentication mode enabled.  In the WSS_Search database, an entry was added to the dbo.MSSCrawlHostList matching the site's HostName, as expected.  After the service indexed the site, the SuccessCount column reported a nonzero value, and the ErrorCount column reported 0.  Entries were added to the dbo.MSSCrawlUrl table with accurate DisplayURL values.

    • However, after switching the site authentication mode to Forms Authentication using our CustomMembershipProvider and CustomRoleProvider in Central Admin, searches no longer returned results.  After investigating, we noticed that all the entries in the dbo.MSSCrawlUrl table were immediately removed.  The HostName entry remained in the dbo.MSSCrawlHostList table, but the SuccessCount column reported 0, while ErrorCount was positive.

    Based on these findings, it seems as though search is not available for any site that is not authenticated with Windows authentication.

    We have not been able to find any other articles with a clear resolution to this issue, and feel that it has something to do with the service account used by the Search Service. 

     If anyone has had success with enabling search for sites using Forms Authentication, please let us know which solutions you have found to get around this issue. 

    - Nathan and Rajiv

     

  • Forms Authentication, Search, and Anonymous in WSS/MOSS 2007

    We have encountered several issues while trying to incorporate CustomMembershipProvider and CustomRoleProvider in WSS 2007 B2TR under Forms Authentication.  Most notably:

    • Search does not work with forms authentication (separate post with more detail here)
    • Forms authentication causes issues in Central Admin
    • Anonymous Access is very difficult to set up for forms authentication.

    Many similar concerns are discussed in the comments for the MSDN Blogs article "Configuring Multiple Authentication Providers", so we've made a comment there, and hopefully someone will respond with some answers on the search issue.  In the meantime, these tips may help you with Forms Authentication providers:

    ISSUE #1: Unknown Error in Central Admin working with Forms Authentication
    If you have created a role provider, make SURE the <roleManager...> node is NOT in your Central Admin web.config.  This will work in a web.config for a SharePoint site, but not for the Central Administration site.  Central Admin will only use your authentication provider to verify usernames when you select site administrators, so the role provider would never be used anyway.

    ISSUE #2: WSS/MOSS throws an Unknown Error when creating a new Web Application or Site Collection under Forms Authentication
    For creating ANY new website (forms or windows auth), you need to remove the <membership...> node from the Central Admin web.config.  To create a new Forms website, follow these steps:

    1. Remove the <membership...> node from the Central Admin web.config.
    2. Create your new web application and site collection in Central Admin, and set it to use Windows Authentication.  
    3. Replace your Forms Provider's <membership...> node in the Central Admin web.config.
    4. Now go back into Central Admin and set the Authentication Provider (Central Administration > Application > Authentication Providers) to Forms on your new site.
    5. Your site should now work with your provider.

    ISSUE #3: Unable to allow Anonymous Users under Forms Authentication
    Actually, you can, it is just not easy or fun.  Here are all the steps you need to allow anonymous users on your site WITH Forms Authentication.

    1. In Central Administration > Application > Authentication Providers, check the "Enable Anonymous Access" checkbox for your site.
    2. Make sure the anonymous user (or Everyone if you're lazy) has read and script access to your site's folder using Windows security (the files are usually in inetpub\wwwroot\wss\VirtualDirectories\[port number]).  Be sure to set those permissions on all the child folders as well.
    3. Now for the fun part. In Central admin, switch your site back to using Windows authentication.  Then, make sure your NTLM user is the site owner.
    4. Log in to your site, and select Site Actions > Site Settings > Advanced Permissions > Settings > Anonymous Access.  If this is on Nothing, change it to "Entire Web Site".
    5. Save this setting, then switch your site back to forms authentication in Central Admin.  You cannot change the Anonymous Access radio buttons while in Forms authentication mode!

    Hope this helps.  Good luck!

    -Nathan and Rajiv
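
The web.config rules from step 3 of the setup guide and from Issue #1 can be checked before a config is deployed. The following is an added example, not the authors' code: `lint_web_config` and its messages are hypothetical names, the sample config is constructed from the guide's placeholder values, and the clear-text password check is an extra hardening check that the posts do not mention.

```python
import xml.etree.ElementTree as ET

def lint_web_config(xml_text, is_central_admin=False):
    """Return a list of findings for the membership/role provider wiring."""
    root = ET.fromstring(xml_text)
    findings = []
    conn = {a.get("name"): a.get("connectionString", "")
            for a in root.findall("./connectionStrings/add")}
    sections = {"membership": root.find("./system.web/membership"),
                "roleManager": root.find("./system.web/roleManager")}
    # Rule from the posts: Central Admin must not carry a <roleManager> node.
    if is_central_admin and sections["roleManager"] is not None:
        findings.append("roleManager: must not be present in the Central Admin web.config")
    # A forms-authenticated site needs a membership provider to log anyone in.
    if not is_central_admin and sections["membership"] is None:
        findings.append("membership: node missing from the site web.config")
    for label, node in sections.items():
        if node is None:
            continue
        provs = {a.get("name"): a for a in node.findall("./providers/add")}
        default = node.get("defaultProvider")
        if default not in provs:
            findings.append(f"{label}: defaultProvider '{default}' has no matching <add>")
        for name, add in provs.items():
            ref = add.get("connectionStringName")
            if ref and ref not in conn:
                findings.append(f"{label}: '{name}' references unknown connection string '{ref}'")
            if add.get("passwordFormat") == "Clear":
                findings.append(f"{label}: '{name}' stores passwords in clear text")
    # Added check (not from the posts): anyone who can read the site folder can read this.
    for name, value in conn.items():
        if "password=" in value.lower().replace(" ", ""):
            findings.append(f"connectionStrings: '{name}' embeds a password in clear text")
    return findings

# Constructed sample that mirrors the guide's entries (placeholder values only).
SITE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="MembershipProviderDBConn" connectionString="Data Source=servername; Initial Catalog=dbname; User Id=userid; Password=userpassword;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="PassportMembershipProvider">
      <providers><add name="PassportMembershipProvider" type="MyAssembly.PassporMembershipProvider, MyNamespace" passwordFormat="Hashed" connectionStringName="MembershipProviderDBConn" /></providers>
    </membership>
    <roleManager defaultProvider="PassportRoleProvider" enabled="true">
      <providers><add name="PassportRoleProvider" type="MyAssembly.PassporRoleProvider, MyNamespace" connectionStringName="MembershipProviderDBConn" /></providers>
    </roleManager>
  </system.web>
</configuration>"""
```

Running it on the same file with `is_central_admin=True` shows what happens when the site's entries are copied into Central Admin unchanged: the `<roleManager>` node is reported.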



Posts (c) their respective authors. Everything else (c) 2007 SharePoint Experts