Before I explain the various problems with forms authentication technology, it’s important to remember that the technology is designed primarily to work with Internet access from public kiosks to front-end servers. Most problems arise when you try to deploy it in other environments.
Single sign-on (SSO) isn’t supported. Forms-based authentication will always redirect invalid requests to the logon form; therefore, you can’t expect to authenticate to your network and then bypass the logon form.
Because Basic authentication is required on the servers that are enabled for forms-based authentication, those servers must be able to authenticate users, which means they must have remote procedure call (RPC) access to the Active Directory (AD). You need to take that into consideration when configuring front-end servers that are in a demilitarized zone (DMZ) because you’ll need to open RPC ports in the firewall to allow authentication to occur.
If you use a load-balanced front-end server farm, you must enable forms-based authentication on all front-end servers. Additionally, you must ensure that users are always directed to the same front-end server during a session. Failure to do so will cause the users to see the logon page much more often than they’d like. This occurs because the symmetric keys are per server, so a cookie encrypted by one server that’s enabled for forms-based authentication can’t be decrypted by another server, even though it, too, is enabled.
Don’t implement forms-based authentication on front-end servers and back-end servers, or you’ll constantly be interacting with a logon page.
The cookie regeneration and encryption/decryption is performed only on the servers that are enabled for forms-based authentication (typically the front-end servers.) You might want to beef up processing on these servers if you support many users and your key-regeneration interval is short.
Although longer key-regeneration intervals will reduce the processing load on the front-end server, they also give a cookie a longer life. This longer life gives malicious users more opportunity to steal the cookie or for a passersby to hijack user sessions accidentally left open on a public computer. Unlike previous OWA versions, clicking Logoff will ensure a clean logout because the cookie is automatically cleared; any subsequent requests are redirected to the logon page. However, users, being users, will still forget to hit the Logoff button.
Forms-based authentication can work even when your back-end servers are still running Exchange 2000 Server. All that’s required is for the front-end servers to be running Exchange Server 2003.
Microsoft on Wednesday shipped the Beta 2 version of its upcoming Internet Explorer (IE) 8 Web browser. This version of the product, which will be made available free to Windows XP, Vista, 2003, and 2008 users, adds many functional advances and some new ...
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
SharePointConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
VMworld 2008 - Sign Up Today! Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.
Microsoft® Tech•Ed EMEA 2008 IT Professionals Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Are You Really Compliant with Software Regulations? View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.
Register
