I am currently working on a SharePoint 2010 project where the environment is setup with a SharePoint web application using claims based authentication. The web app is created on port 8081 using Windows Authentication for auth, and extended to port 80 using Forms Based Authentication.
The forms authentication provider is setup to use the same active directory as the windows auth based site, using the following entries in the application's web.config (the entries are in the central administration and security token service web.config files as well):
<membership defaultProvider="i">
<providers>
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="FBA_AD_MP" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADFBAConnectionString" enableSearchMethods="true" attributeMapUsername="userPrincipalName" />
</providers>
</membership>
Using this setup works as expected; users who visit the application on port 8081 are presented with a standard windows auth challenge, those on port 80 are directed to the custom login form. When adding users to the site via the out of the box administration tools, a search for a particular user such as [email protected] will return two hits, one from the windows auth provider, one from the forms auth provider. Adding both of these users to a site reveals that SharePoint stores the account name with an identifier appended to the front. The windows auth user is translated to i:0#.w|mydomain\johnsmith, the FBA user is translated to i:0#.f|fba_ad_mp|[email protected].
Here's where the problem comes in. We are creating site collections in bulk using a custom built tool that parses a spreadsheet of input, creates site collections, and adds the appropriate users to the newly created site using the following method:
private static void AddUser(SPSite site, String userName, String spGroupName)
{
try
{
SPUser spUser = site.RootWeb.EnsureUser(userName);
if (spUser != null)
{
site.RootWeb.Groups[spGroupName].AddUser(spUser);
}
}
catch(Exception ex)
{
SharePointManager.Counter.Warnings++;
SharePointManager.Logger.Warn(String.Format("\t\tUnable to add user {0} to group {1} at site {2}: {3}", userName, spGroupName, site.RootWeb.Url, ex.ToString()));
}
}
The userName paramter passed in is, following the example, [email protected]. However, the user added to the site is always the windows auth based user, i:0#.w|mydomain\johnsmith.
How do I specify which authentication provider to poll when calling EnsureUser so I can guarantee that the correct user is added to the site?