Wednesday, December 13, 2017

SharePoint web services always use forms authentication when forms-based authentication with an LDAP provider is configured

After we configured forms-based authentication with an LDAP provider for a new SharePoint 2013 web application, users could select either Windows or forms login to SharePoint. However, we have an issue using any SharePoint web service with Windows accounts. After debugging with Microsoft, we found that the problem is that SharePoint always tries to authenticate the user with forms-based authentication. Here is a simple PowerShell script that illustrates the issue.

#########################################
# Load the SharePoint snap-in if it is not already loaded
if ( (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null )
{
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$spserver = "mysharepoint.com";
# Use $spserver directly; $(spserver) would try to run a command named "spserver"
$sharePointAuthUri = "https://$spserver/_vti_bin/authentication.asmx?wsdl";

# Build a proxy for Authentication.asmx and give it a cookie container for the login cookie
$sharePointAuth = New-WebServiceProxy -uri $sharePointAuthUri
$sharePointAuth.CookieContainer = New-Object System.Net.CookieContainer
$authResult = $sharePointAuth.Login("username","password")
$mode = $sharePointAuth.Mode()  # Always Forms
#########################################


The login in the dump also indicates that SharePoint tries to authenticate the user as an LDAP user.

  0x0000006866232a38 System.IdentityModel.Tokens.UserNameSecurityToken
  0000  id            : 00000068662329e8  "LdapMember:LdapRole:True" [24] (System.String)
  0008  password      : 00000068662322c0  "********" [8] (System.String)
  0010  userName      : 0000006866232298  "username" [6] (System.String)
  0018  effectiveTime : 0000006866232a58 11/29/2017 6:13:54 PM (System.DateTime)

Some other discussions also confirm this behavior. Microsoft support from the SSRS team confirmed that this is the behavior for the SSRS web service.

We are working with Microsoft to see if there is a way to authenticate a Windows user on a SharePoint forms-based authentication web application. The workaround for any web service against a SharePoint forms-based authentication web application is to use the forms-based account.
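
The workaround above, sketched as an added example that is not part of the original post: log in with the forms-based account, check the result, and reuse the login cookie for a second web service. It assumes Windows PowerShell 5.1; Lists.asmx with GetListCollection is only a sample target service, and the account is prompted for so no password sits in the script.

```powershell
# Added example (not from the original post): forms-account workaround for a web service call.
$spserver = "mysharepoint.com"   # placeholder host name used in the post
$cred = Get-Credential -Message "Forms-based (LDAP) account"   # prompt instead of hard-coding

# Build the Authentication.asmx proxy the same way the post does.
$auth = New-WebServiceProxy -Uri "https://$spserver/_vti_bin/authentication.asmx?wsdl"
$auth.CookieContainer = New-Object System.Net.CookieContainer

# Confirm the mode the post describes before sending credentials.
$mode = $auth.Mode().ToString()
if ($mode -ne 'Forms') { throw "Expected Forms mode, got $mode" }

# Login returns a LoginResult; anything other than NoError means no cookie was issued.
$net = $cred.GetNetworkCredential()
$result = $auth.Login($net.UserName, $net.Password)
if ($result.ErrorCode.ToString() -ne 'NoError') {
    throw "Forms login failed: $($result.ErrorCode)"
}

# Carry the login cookie into a web session for the second service.
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.Cookies = $auth.CookieContainer

# Raw SOAP request, so no WSDL download is needed for the second service.
$soap = @'
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetListCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/" />
  </soap:Body>
</soap:Envelope>
'@

$response = Invoke-WebRequest -Uri "https://$spserver/_vti_bin/Lists.asmx" -Method Post `
    -ContentType 'text/xml; charset=utf-8' `
    -Headers @{ SOAPAction = 'http://schemas.microsoft.com/sharepoint/soap/GetListCollection' } `
    -Body $soap -WebSession $session -UseBasicParsing

# List titles prove the call ran as the forms-based user.
([xml]$response.Content).SelectNodes("//*[local-name()='List']") |
    ForEach-Object { $_.Title }
```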