Saturday, January 29, 2011

SharePoint Forms Site Administrator Access Denied

I have an SSL web app with default and internet authentication providers. The default zone is set up to use the windows authentication type. I've set up the internet zone to use forms. I'm using Active Directory for my provider. When I try to sign in with a site collection administrator, I get an access denied error that states "you are currently logged in as: user". It's hitting Active Directory and seeing I'm a legit user, but then it's saying I don't have rights for the site, even though I double/triple-check that it's the site admin.

My googling skills are not sufficient for solving this one. Any suggestions?

In case I flubbed the web.config, here's what I have for the site and central administration:

  <connectionStrings>
    <!-- LDAP path to the domain the forms provider authenticates against (host and DN are placeholders) -->
    <add name="ADConnectionString"
         connectionString="LDAP://000.000.00.0/DC=myDomain,DC=local" />
  </connectionStrings>

  <!-- inside <system.web> -->
  <membership defaultProvider="ADProvider">
    <providers>
      <!-- assembly-qualified type of the provider -->
      <!-- connectionUsername/connectionPassword sit in clear text here; the section can be encrypted with aspnet_regiis -pe -->
      <!-- attributeMapUsername="SAMAccountName" means users sign in with the bare account name, not DOMAIN\user -->
      <add name="ADProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="user" connectionPassword="password"
           attributeMapUsername="SAMAccountName" />
    </providers>
  </membership>
    Becky,

    Even though you're logging in with the site admin account, there isn't account equivalence between zones due to the difference in authentication providers -- even though they have the same backing store (AD).

    To get yourself in through your FBA-extended Internet zone to do the work you'll need, I'd recommend setting up a full-access web policy for your admin account:

    1. Go into Central Admin
    2. Navigate to Application Management > Policy for Web Application
    3. Select Add Users
    4. Make sure the desired web application is selected (upper right)
    5. Select the Internet zone (at a minimum) or (All zones).
    6. Specify your account and give it Full Control
    7. Hit Finish

    This approach is commonly needed when you first extend a site to a different backing membership store or leverage a new auth provider. The rights granted through a web application policy supersede any that might be specified in the site collection (if there is a conflict) and give you the first entry point into the desired site collection if no other account/mapping has valid access.

    I hope this helps!

    Sean McDonough : Another thought, Becky, came to mind when reading your comment: did you extend the central administration site with the additional provider information before granting the admin user full control? Though the admin account/user that you need to add (and grant full control to) already has a policy set, I *believe* you need to set up a second policy that will cover logins through the FBA provider (since username formats differ). To do this, you need to modify the central admin web.config with the additional provider info (which you have) and create a policy using the FBA-based username.
    Sean McDonough : I believe the reason for this is that there isn't equivalence between the FBA username (which is probably something like "MyUserName") and the standard NTLM-based logon username (which is something like "MyDomain\MyUserName"). Make sense?
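The Central Admin steps above and the FBA login-name point in the follow-up comments, as an added PowerShell example that is not part of the original post or its comments: it grants the same full-control policy on the Internet zone through the SharePoint object model and then lists the zone's policies so the login string can be checked. The web application URL, the display name and the FBA login string are assumptions (placeholders); the exact login format the extended zone expects depends on the SharePoint version and authentication mode.

```powershell
# Added example (not from the original post). Assumes the SharePoint object model
# is available (SharePoint Management Shell, or a farm server with Microsoft.SharePoint.dll).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$webAppUrl = "https://intranet.mydomain.local"   # placeholder: URL of the extended web application
$fbaLogin  = "ADProvider:becky"                  # placeholder: login as the FBA zone resolves it (not DOMAIN\user)
$display   = "Becky (FBA admin)"                 # placeholder display name for the policy entry

$wa = [Microsoft.SharePoint.Administration.SPWebApplication]::Lookup([Uri]$webAppUrl)

# Zone-specific policies, matching "Select the Internet zone" in Central Admin.
$zonePolicies = $wa.ZonePolicies([Microsoft.SharePoint.Administration.SPUrlZone]::Internet)

# Only add the policy if this login does not already have one on the zone.
$existing = $zonePolicies | Where-Object { $_.UserName -eq $fbaLogin }
if (-not $existing) {
    $policy = $zonePolicies.Add($fbaLogin, $display)
    $fullControl = $wa.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
    $policy.PolicyRoleBindings.Add($fullControl)
    $wa.Update()
}

# Verification: show every policy on the Internet zone with its bound roles.
# A mismatch between the UserName column and the name the zone actually logs
# you in as is the "logged in as: user" symptom from the question.
$zonePolicies | ForEach-Object {
    $roles = ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
    "{0,-40} {1}" -f $_.UserName, $roles
}
```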
