I found a number of articles on the web with similar-but-not-quite-the-same needs. I also found these articles sometimes making things more complicated than it seemed it should be. Well, after a lot of reading and much trial and tribulation and lots of errors, I eventually found something that worked. I will give you step-by-step instructions, but first I will give you with a little background. I have always found it a good idea to try and understand what I am doing rather than blindly following a recipe, so I will try to explain how this works.

Generally speaking, SharePoint is configured to use the authentication mechanisms built in to Windows, i.e. Active Directory integration. There is another supported mechanism called forms based authentication, usually abbreviated as FBA. When using FBA, you can specify custom authentication providers. There are a few built in providers, one of which is Active Directory (AD). Why would you turn on FBA only to use AD? Keep in mind that there is only ever one authentication provider being used within a SharePoint site zone (a URL, this will be explained); you can’t use Windows and Forms authentication at the same time. With Windows authentication, I could not find a straightforward way to override the integrated security to log in as someone other than an actual Windows-authenticated user. Even Microsoft articles pointed me in the general direction of FBA. So the AD provider via FBA is what I have used, and in fact thus far it appears to be working for me just fine.

Now about those SharePoint zones… You can “extend” a SharePoint application from Central Administration. Among other things, when you do this, you must select an unused zone (there are five all together). SharePoint will create a new IIS site for each such zone you extend into, each with its own URL, web.config and app pool process, but serving pages from the same content database. The authentication provider is defined in the web.config for a site (zone). So extending the site into a new zone gives you the option of logging into the site with ‘normal’ integrated Windows authentication using one URL, and having completely different authentication for users coming in through another URL. I recommend you maintain a SharePoint-standard, Windows-integrated zone so you can easily ensure you have administrative access to the site, restorable through Central Administration settings if necessary, without the complications of a custom authentication configuration. It can also simplify problem-solving if you do run into issues with the non-integrated authentication.

Assumptions

• The existing Windows-authenticated site: internal.example.com
• The new FBA-authenticated site: external.example.com

Extend the web application

• Open Central Administration and select Application Management.
• Click Create or extend Web application, and choose Extend an existing Web application.
• Make sure you have the proper Web Application selected, i.e. internal.example.com.
• Choose to create a new (IIS) site called external.example.com.
• You can use the same port 80, but be sure to add the host header for external.example.com.
• Update the path if necessary for your standards. You will need to know the path for later steps.
• Leave NTLM as the provider; leave Allow Anonymous set to No.
• Set Zone to Internet. Note: you can use another zone, just make sure you pick the same one throughout these procedures.
• Click OK and wait for the site to be created.

Set up a new provider for the extended site, and for Central Administration

• Open the web.config for external.example.com (located in the path you set when extending the app).
• Find the <PeoplePicker> element and add this as a child node.

<add key="MyADProvider" value="%" />

• Add the following just above the <system.web> element. You should of course change some-dc to an appropriate domain controller.

<connectionStrings>
  <add name="MyADConnection" connectionString="LDAP://some-dc" />
</connectionStrings>

• Add the following just above the <authentication mode=”Windows” /> element. connectionUsername and connectionPassword are for an account that can read Active Directory. If the application pool identity for this app can already do that, you can omit these attributes. However, be sure to leave the other attributes in place.

<membership defaultProvider="MyADProvider">
<providers>
<add name="MyADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     attributeMapUsername="sAMAccountName"
     connectionStringName="MyADConnection"
     connectionUsername="someusername" connectionPassword="somepassword" />
</providers>
</membership>

• Now make all the changes you just made to set up the new provider in the web.config for external.example.com to the web.config for Central Aministration. This will allow Central Administration to find users that belong to the new provider.

Set up forms-based authentication

• Back in Central Administration Application Management and click Authentication providers.
• Make sure internal.example.com is the selected web app (see the upper right part of the page).
• Click the Internet zone.
• Change Authentication Type to Forms.
• Uncheck Enable anonymous access.
• Enter MyADProvider in Membership provider name.
• Click Save.
• Go to Central Administration Application Management and click Policy for Web application.
• Make sure internal.example.com is the selected web app in the upper right.
• Click Add Users.
• Make sure internal.example.com is the selected web app and choose the Internet zone.
• Add an administrative logon and give it Full Control, then click Finish.
• You should now be able to log in to external.example.com and authenticate as the (internal) administrative user you just added.
• You can now add users and grant permissions as always. The difference is that you can now add users from either the Windows or the FBA provider. It can be confusing when the FBA provider is also Active Directory, as in this case. When selecting names use the People Picker as it will show you the account name prefixed with MyADProvider: on the Account Name column.
• You can also modify the User Information List view to display the Account column, which also displays the prefix.
• Note that you cannot use wildcards in the People Picker to locate FBA users – you must enter their full logon username to “find” it.
• Add an FBA user and make sure you can log in as that user.

Override the SharePoint login to use a specific user

• Make sure you have a working FBA-enabled extended site before going any further.
• In Windows Explorer, navigate to TEMPLATE\LAYOUTS inside the 12-hive folder; by default the full path would thus be C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS.
• Create a new folder we will call ext. You should make the name something non-obvious as it will be a valid URL that can be seen in the HTTP headers when a user accesses the site.
• Create a new empty text file in ext and rename it extlogin.aspx. Note the relative URL of this new file is thus /_layouts/ext/extlogin.aspx.

• Now save the following code in extlogin.aspx, substituting somelogon and somepassword with the credentials of the user to be logged in.

<%@ Page Language="C#" MasterPageFile="/_layouts/simple.master" %>
<%@ Import Namespace="Microsoft.SharePoint" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System" %>
<script runat="server">
public void Page_Load(object sender, EventArgs e)
{
  if (Membership.ValidateUser("somelogon","somepassword"))
  {
    FormsAuthentication.SetAuthCookie("somelogon", true);
    FormsAuthentication.RedirectFromLoginPage("somelogon", true);
  }
}
</script>
<asp:Content ID="PageTitle" runat="server" contentplaceholderid="PlaceHolderPageTitle" >
Let me see your identification.
</asp:Content>
<asp:Content ID="PageTitleInTitleArea" runat="server" contentplaceholderid="PlaceHolderPageTitleInTitleArea" >
This isn't the page you're looking for.
</asp:Content>
<asp:Content ID="Main" runat="server" contentplaceholderid="PlaceHolderMain" >
Move along.
</asp:Content>

• In the web.config for external.example.com, set this custom page as the default login page, like this:

<authentication mode="Forms">
<forms loginUrl="/_layouts/ext/extlogin.aspx" />
</authentication>

• Close all browsers, then open external.example.com. The site’s default page should open and assuming the site is a standard SharePoint template, should show somelogon in the upper right. If it takes you to the extlogin.aspx page then the login failed and you should double-check all the steps above, and the status of the somelogon account to be sure it is not locked or disabled. Also be sure that you added the MyProvider:somelogon user and not the NT Authority\somelogon user.

That should be all you need to do to get a site to automatically log in a particular user. You’re done!

browser.tabs.closeWindowWithLastTab

If you are not familiar with about:config, just enter that in the address bar. Promise to be careful, then in the Filter box enter the first part of the string above, say browser.tabs and you should see that preference listed. Double-click it to change the value, at which point it will go bold indicating it is no longer at the default setting. You’re done.

For IE, open your site and navigate to the document library. Make sure your view in the upper right is set to All Documents. On the toolbar, under Actions, select Open with Windows Explorer. That should take you straight to Windows Explorer opened to your document library.

If you are using another browser, it is a little extra work. You still navigate to the library and make sure it is set to All Documents view. In your address bar, you should see something like https://yoursite.example.com/sitecollection/bla/bla/bla/DocumentLibraryName/Forms/AllItems.aspx. Copy to the clipboard everything from the URL except for the trailing /Forms/AllItems.aspx.

Now open Windows Explorer. If you are using Windows 7 navigate to Computer and right-click in the right-hand panel and select Add a network location. For XP, navigate to Network Places and open Add Network Place . In either case you’ll now get a wizard. Select Choose a custom network location (XP is Choose another network location) and click Next. Paste in the address you copied earlier, click Next, then accept or modify the descriptive name and click Next. Click Finish and you should see your document library in Windows Explorer. This will also add a shortcut to Computer (or for XP My Network Places) so next time you can just open that directly.

For those still using Vista, I no longer have a working box to test out this process. It should be very similar, since as you can see the process is not much different between Windows 7 and Windows XP.

That’s all there is to it. Enjoy.

You have to love SharePoint error messages. For example, “an error has occurred”. I’m all for not intimidating the user but that is a bit terse. They could at least put the “technical information” somewhere on the screen for the poor guy who has to figure out the problem.  Ah well, fortunately there is a fix to get much more information. You just need a modification to the web.config file for your web app.

Search for <customErrors mode=”on”> and replace it with <customErrors mode=”off“>.

Search for callStack=”false” (it should be in a SafeMode tag) and replace it with callStack=”true“.

Now you should get somewhat more helpful messages. Good luck!

If you’ve never used it before, you simply open a tab and type about:config where you would normally enter a web site address. You may get a warning; that’s ok, just click the I’ll be careful, I promise!! button. You’ll then get a slew of options that control pretty much everything about Firefox. Fortunately, there is that Filter text box – enter ntlm in there. You should now see an entry below named network.automatic-ntlm-auth.trusted-uris; double-click that. Firefox checks this string for a match with the host name portion of the site wanting to authenticate – that’s the part between the http:// or https:// and the first solitary /. You can have multiple sites separated by a comma and space. So let’s say you have two internal sites, https://first.example.com/ and http://last.example.com/. In the text box, you would enter first.example.com, last.example.com. Unfortunately, as far as I know there is no way to specify a wild card such that everything ending in say example.com authenticates.  Update: actually, I just experimented with this a bit. It turns out it only appears to match a substring. So if you use just example.com it would match both first.example.com and last.example.com.

When you have what you need in the text box, click OK. If you want to test it out but have already authenticated to the site, close Firefox and re-open it. Just closing the tab will likely not test it, as Firefox will cache the credentials you provided when prompted. When you re-open the site, you should no longer be prompted to enter your credentials.