Thanks to Sage Kitamorn (the Sharepoint Search Program Manager) promptly responding to our call for help with search under forms authentication, and a response to our previous blog post from his colleague Avi, we have made some progress implementing WSS Search on a site using Forms Authentication.
Search now returns results and performs UI Trimming as we will show below, but we have one outstanding issue. Anonymous search under forms authentication raises the following error:
"Your search cannot be completed because of a service error. Try your search again or contact your administrator for more information."
While we have not yet found a workaround for anonymous search, below is a step-by-step guide for setting up a site with both anonymous and secure content and a working search for authenticated users. This guide assumes that you already have a search server configured correctly.
Note: Our custom provider is called "PassportMembershipProvider", not to be confused with other Microsoft authentication providers with the same name.
- Create a new Web Application in Central Admin and select your Search Server. We use port 12000.
- Create a new Site Collection for the newly created Application.
- Configure your site to support forms authentication. This is done in the application's web.config, which should contain the following entries:
<!-- Add to the configuration node -->
<connectionStrings>
  <!-- The credentials sit here in plaintext; protect the section (e.g. aspnet_regiis -pe connectionStrings) -->
  <add name="MembershipProviderDBConn" connectionString="Data Source=servername; Initial Catalog=dbname; User Id=userid; Password=userpassword;" />
</connectionStrings>
<!-- Add to the system.web node -->
<membership defaultProvider="PassportMembershipProvider">
  <providers>
    <remove name="PassportMembershipProvider" />
    <!-- type is "Namespace.TypeName, AssemblyName"; MyNamespace and MyAssembly are placeholders for your own -->
    <add name="PassportMembershipProvider" type="MyNamespace.PassportMembershipProvider, MyAssembly" applicationName="TestSite" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" passwordFormat="Hashed" connectionStringName="MembershipProviderDBConn" commandTimeout="45" />
  </providers>
</membership>
<roleManager defaultProvider="PassportRoleProvider" enabled="true">
  <providers>
    <remove name="PassportRoleProvider" />
    <add name="PassportRoleProvider" type="MyNamespace.PassportRoleProvider, MyAssembly" applicationName="TestSite" connectionStringName="MembershipProviderDBConn" commandTimeout="45" />
  </providers>
</roleManager>
Note: Since our web application is set up to use Forms Authentication, we also have to set up Site Collection Administrators based on users from our custom data store. To do so, include the above entries in the web.config file of your Central Admin application as well (do not include the <roleManager...> node in your Central Admin web.config, or you will get errors when saving).
- We were interested in supporting anonymous content in addition to secure content. In order to support anonymous content, be sure to go to Site Actions > Site Settings > Advanced Permissions > Settings > Anonymous Access, then select "Entire Web Site" for your site.
- At this point, a second zone with NTLM authentication is needed for the search service to index correctly. To create an extended zone, go to Central Admin > Application Management > Create or extend Web Application, then select "Extend an existing Web application". When extending your Web Application, you may select any open port and any available zone. We selected the Custom zone, port 12001, and Allow Anonymous for our test site.
At this point, our settings were as follows (screenshots: Web Application with Default (forms) and Custom (NTLM) Zone; The Default (forms) zone; The Custom (NTLM) Zone).
- Confirm that the Search Crawling Account has Full Read policy for your application.
- Since the search crawler only seems to index applications set up with NTLM authentication, you can also confirm that the search database contains a Crawl Host List entry in the dbo.MSSCrawlHostList table for the extended zone (12001, in our case). Sharepoint by design does not seem to index zones/sites with Forms authentication (note that there is no entry in the table for port 12000, which was our Default zone set up with our custom membership provider).
You should now get search results when logged in to your Forms authenticated site as seen in the image on the right, below.
Note: Our attempt at creating the site in the reverse order (i.e. using NTLM in the Default zone) did not work for us.
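As an added example (not part of the original post or the provider code), the following Python script checks a web.config for the mistakes this guide's entries are prone to: a defaultProvider with no matching add entry, a provider type attribute that is not "Namespace.TypeName, AssemblyName", a connectionStringName that points nowhere, a roleManager node left in the Central Admin web.config, and a plaintext password in the connection string. The sample config is constructed; the name check_forms_auth_config and the "Extra"/"NoSuchConn" values are hypothetical.

```python
import xml.etree.ElementTree as ET

def type_is_well_formed(type_attr):
    # .NET wants "Namespace.TypeName, AssemblyName" plus optional key=value parts
    # (Version=, Culture=, PublicKeyToken=); a bare extra segment is a typo.
    parts = [p.strip() for p in type_attr.split(",")]
    if len(parts) < 2 or "." not in parts[0] or not parts[1]:
        return False
    return all("=" in extra for extra in parts[2:])

def check_forms_auth_config(web_config_xml, central_admin=False):
    # Returns a list of findings for the connectionStrings/membership/roleManager entries.
    root = ET.fromstring(web_config_xml)
    findings = []
    conn = {a.get("name"): a.get("connectionString", "")
            for cs in root.iter("connectionStrings") for a in cs.findall("add")}
    for name, value in conn.items():
        if "password=" in value.lower() or "pwd=" in value.lower():
            findings.append(f"connectionString '{name}' embeds a plaintext password "
                            "(encrypt the section with aspnet_regiis -pe connectionStrings)")
    for section in ("membership", "roleManager"):
        for node in root.iter(section):
            if section == "roleManager" and central_admin:
                findings.append("roleManager node present in Central Admin web.config")
            default = node.get("defaultProvider")
            adds = {a.get("name"): a for p in node.findall("providers") for a in p.findall("add")}
            if default not in adds:
                findings.append(f"{section} defaultProvider '{default}' has no <add> entry")
            for name, add in adds.items():
                if not type_is_well_formed(add.get("type", "")):
                    findings.append(f"{section} provider '{name}' has a malformed type attribute")
                cs = add.get("connectionStringName")
                if cs and cs not in conn:
                    findings.append(f"{section} provider '{name}' uses unknown connectionString '{cs}'")
    return findings

# Constructed sample: the guide's entries, with two deliberate mistakes in the roleManager node.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="MembershipProviderDBConn" connectionString="Data Source=servername; Initial Catalog=dbname; User Id=userid; Password=userpassword;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="PassportMembershipProvider"><providers>
      <add name="PassportMembershipProvider" type="MyNamespace.PassportMembershipProvider, MyAssembly" connectionStringName="MembershipProviderDBConn" />
    </providers></membership>
    <roleManager defaultProvider="PassportRoleProvider" enabled="true"><providers>
      <add name="PassportRoleProvider" type="MyNamespace.PassportRoleProvider, MyAssembly, Extra" connectionStringName="NoSuchConn" />
    </providers></roleManager>
  </system.web>
</configuration>"""
```

Run it with central_admin=True against the Central Admin copy of the config and with the default against the site's own copy; an empty list means the entries are consistent with the guide.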
- Rajiv