LDAPMembershipProvider and multiple AD forests

  • Question

  • Just researching some possible solutions for some upcoming domain changes.  Currently we have domain SmallDomain which currently hosts our SP Farm (and all the WFEs) in a W2K3 Active Directory environment.  The farm currently has a web application for internal use using integrated credentials.  This web app has also been extended for FBA authentication using the LDAPMembershipProvider for external use.  All identities are stored in Active Directory.

    Now along comes another domain BigDomain.  SmallDomain will be configured with a one-way trust against BigDomain (that is, SmallDomain trusts BigDomain, but not vice-versa).

    My question is, will the LDAPMembershipProvider (or the ActiveDirectoryMembershipProvider for that matter) find users in BigDomain once the trust has been established?  Or do I have to create another extended web application with a provider that points to BigDomain?

    Friday, November 19, 2010 12:53 AM

Answers

  • Hi Goldmember2,

    If you use the LDAP provider with Active Directory, there are scenarios (such as in an extranet) in which trusted forests might be in use. When a site is configured to use Windows authentication, users from either forest can authenticate and use SharePoint resources. The LDAP provider, however, tries to authenticate against only the forest that the membership provider is configured to check. It does not authenticate against a trusted forest and it does not follow LDAP referrals.

    If you need to authenticate against multiple forests, you should extend SharePoint Products and Technologies into an additional zone for each forest that is used for authentication. Then configure each zone to use a different forest in the membership and role settings of the zone's web.config file.

    For your situation, you have to create another extended web application with a provider that points to BigDomain.

    For more information about LDAP Membership and Role Provider Usage Constraints, please refer to the following article:

    http://msdn.microsoft.com/en-us/library/bb975136.aspx

    Hope this is helpful.

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Regards, Rock Wang Microsoft Online Community Support
    • Marked as answer by Wayne Fan Friday, November 26, 2010 5:36 AM
    Monday, November 22, 2010 1:54 AM
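The following web.config fragments illustrate the two-zone layout the answer describes: one extended zone whose membership provider is bound to SmallDomain, and a second extended zone whose provider is bound to BigDomain. This is an added example, not configuration from the original thread or from Microsoft's documentation. Host names, the OU paths, the provider names and the assembly version (14.0.0.0 is SharePoint 2010; MOSS 2007 uses 12.0.0.0) are assumptions and must be adjusted to the farm in question.

```xml
<!-- Added example: membership settings for two extended zones.
     Each zone's web.config names exactly one LDAP server, which is why
     a single provider cannot reach users in the trusted forest.
     Host names, containers and the assembly version are assumed values. -->

<!-- Zone A web.config: extranet zone bound to SmallDomain -->
<configuration>
  <system.web>
    <membership defaultProvider="SmallDomainMembers">
      <providers>
        <add name="SmallDomainMembers"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="dc01.smalldomain.example"
             port="636"
             useSSL="true"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=ExtranetUsers,DC=smalldomain,DC=example"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
  </system.web>
</configuration>

<!-- Zone B web.config: a second extended zone bound to BigDomain.
     Same provider type, but server and container point at the other forest. -->
<configuration>
  <system.web>
    <membership defaultProvider="BigDomainMembers">
      <providers>
        <add name="BigDomainMembers"
             type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="dc01.bigdomain.example"
             port="636"
             useSSL="true"
             userDNAttribute="distinguishedName"
             userNameAttribute="sAMAccountName"
             userContainer="OU=ExtranetUsers,DC=bigdomain,DC=example"
             userObjectClass="person"
             userFilter="(ObjectClass=person)"
             scope="Subtree"
             otherRequiredUserAttributes="sn,givenname,cn" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

The role provider for each zone is configured the same way, with its `server` and group container pointing at the same forest as that zone's membership provider. Because the provider validates a login by binding to the named server with the user's credentials, `useSSL="true"` on port 636 keeps that bind off cleartext LDAP; a narrow `userContainer` also limits which accounts the extranet zone will ever accept.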

All replies

  • Hi Goldmember2,

    Do you have any questions? If anything is unclear, please feel free to let me know.

    I am looking forward to hearing from you.

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, November 24, 2010 6:11 AM