WSS 3.0 FBA Security Issue with "Full Control" in "Policy for Web Application"
I just set up form based authentication using Active Directory. I set the following parameters in the web.config:

    <connectionStrings>
      <add name="ADConnectionString" connectionString="LDAP://mydomain.com/DC=mydomain,DC=com" />
    </connectionStrings>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

I then open the central admin, select "Policy for Web Application"...and I add the users that I want to give access from the outside. So I grant "Full Control" and my problem arose: When I give the user "Full Control" access....they can now see everything across the entire SharePoint site? Where are all the Windows permissions I set across SharePoint? In other words, mydomain\user1 has limited access throughout the environment. Now I add him to the outside, and he is now running as ADMembershipProvider:user1, which apparently has full control to the site. How do I prevent this? Thanks in advance!
October 28th, 2010 11:14am
After looking a little deeper into this, it seems that when you add a user to "Policy for Web Application", it will override any settings set forth in the site collection (i.e. granular permissions set on a document library). So...why does every writeup for form based authentication end with, "Add user to Policy for Web Application"? Is this the only way to allow a user into the SharePoint environment using forms? Is there somewhere else to allow access via forms without giving full control in the "Policy for Web Application"? I know this cannot be by design....what am I missing here?
October 28th, 2010 3:40pm
Well......I got it!

I removed all users from "Policy for Web Application" except the ADMembershipProvider:Admin account.
I then added the ADMembershipProvider:Admin account as a 'secondary' site collection administrator.
Next, I logged in via forms as the ADMembershipProvider:Admin. I then was able to add granular permissions to a site using ADMembershipProvider:useraccount as opposed to MyDomain\useraccount. (I suppose the only way to grab users from ADMembershipProvider through PeoplePicker is to log in using the ADMembershipProvider:Admin account.)

Now, my user account can log in without the "Access Denied" page....and only see the sites where they have access. The only drawback to this....is I have to now add each user twice on each site? One for internal MyDomain\User and one ADMembershipProvider:User....? I was hoping by using Active Directory as a backend database....that I wouldn't have to add a second set of users. Please correct me if I am wrong....?!
October 28th, 2010 5:14pm
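The two halves of this thread, the audit of "Policy for Web Application" for Full Control grants and the fix of moving a forms account to site-level permissions, as an added example written against the WSS 3.0 server object model (Microsoft.SharePoint.dll). This is not code from the thread's author; it assumes a console application run on a farm server by a farm administrator, whose app.config carries the same <membership> provider section as the web.config above (otherwise EnsureUser cannot resolve a provider-prefixed login), and the URLs and account names are placeholders:

```csharp
// Added example, not from the thread: report Full Control entries in the web
// application policy (these bypass every site collection permission), then move
// one forms account from that policy to a plain site-level role assignment.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

static class FbaPolicyAudit
{
    // Lists every policy entry that carries Full Control, for the global policy
    // and for each zone (Central Admin shows these under "Policy for Web Application").
    public static int ReportFullControlPolicies(SPWebApplication webApp)
    {
        int found = ReportFullControl(webApp.Policies, "all zones");
        foreach (SPUrlZone zone in Enum.GetValues(typeof(SPUrlZone)))
        {
            found += ReportFullControl(webApp.ZonePolicies(zone), zone.ToString());
        }
        return found;
    }

    static int ReportFullControl(SPPolicyCollection policies, string scope)
    {
        int found = 0;
        foreach (SPPolicy policy in policies)
        {
            foreach (SPPolicyRole role in policy.PolicyRoleBindings)
            {
                if (role.Type == SPPolicyRoleType.FullControl)
                {
                    Console.WriteLine("Full Control via policy [{0}]: {1}", scope, policy.UserName);
                    found++;
                }
            }
        }
        return found;
    }

    // Removes an account from the web application policy so that site collection
    // permissions apply to it again (the thread keeps only the FBA admin account there).
    public static void RemoveFromPolicy(SPWebApplication webApp, string loginName)
    {
        webApp.Policies.Remove(loginName);
        webApp.Update();
    }

    // Grants a forms account a named role on one site. The provider-prefixed login
    // (ADMembershipProvider:user1) is a different principal from MYDOMAIN\user1,
    // which is why the thread ends up adding each person twice.
    public static void GrantSiteRole(SPWeb web, string loginName, string roleName)
    {
        SPUser user = web.EnsureUser(loginName);
        SPRoleDefinition role = web.RoleDefinitions[roleName];
        SPRoleAssignment assignment = new SPRoleAssignment(user);
        assignment.RoleDefinitionBindings.Add(role);
        web.RoleAssignments.Add(assignment);
    }

    static void Main()
    {
        // Placeholder values (assumptions); replace with the farm's own.
        string webAppUrl = "http://sharepoint.mydomain.com";
        string siteUrl = "http://sharepoint.mydomain.com/sites/team";
        string fbaUser = "ADMembershipProvider:user1";

        SPWebApplication webApp = SPWebApplication.Lookup(new Uri(webAppUrl));
        int grants = ReportFullControlPolicies(webApp);
        Console.WriteLine("{0} Full Control policy grant(s) found", grants);

        // Replace the policy-level Full Control with a site-level Read grant.
        RemoveFromPolicy(webApp, fbaUser);
        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            GrantSiteRole(web, fbaUser, "Read");
        }
    }
}
```

Run the report first on its own: any account listed there, whether Windows or provider-prefixed, has Full Control on every site collection in the web application regardless of what the site owners configured, which is exactly the behaviour the first two posts describe. Only the accounts that genuinely need that reach (in the thread, the single FBA admin used to populate PeoplePicker) should remain; everyone else gets a site-level role as in GrantSiteRole.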