Friday, August 10, 2007

moss forms auth with commerce server provider error

I have been struggling with getting MOSS to use Commerce Server 2007 as the authentication provider and just finally made it work today. The last hurdle I had to get over was one that I solved by luck as much as anything else.

If you follow the Microsoft white paper at it explains how to get this integration done. For the most part it is a good guide except that it uses the typical developer security simplifications where many security accounts are grouped into a few uber-accounts. This can create some security headaches if you actually create all the accounts that are recommended in the official MS installation docs for MOSS and CS.

Once I got all these issues figured out though, I managed to get my portal to show me a login screen. When I logged in with a bad password, I got the expected behavior - a nice error message. When I logged in with a correct user/password combo I got something strange. The page just posted back to itself with no message. Fiddler and the IIS logs were showing that the browser tried to go to the homepage but the server returned a 302. Weird.

After some blind stumbling I fond the solution. The white paper comes with a number of handy snippets for the web.config file that you need to create. One of these snippets is for forms authentication, replacing the windows authentication your portal likely uses. Very handy. The problem lies in the line:

<forms loginUrl="/_layouts/login.aspx" domain="" name=".ASPXFORMSAUTH" />

Notice the domain attribute? That is the domain that is stuck into the cookie your server sends out. So unless you change this, the user authenticates against some other domain and is not seen as authenticated against your domain. Nice huh? Once I changed this to my test domain, my portal worked again.

No comments: