Forms-Based Authentication: Problems and Points Worth Noting

Before I explain the various problems with forms authentication technology, it’s important to remember that the technology is designed primarily to work with Internet access from public kiosks to front-end servers. Most problems arise when you try to deploy it in other environments.

1. Single sign-on (SSO) isn’t supported. Forms-based authentication will always redirect invalid requests to the logon form; therefore, you can’t expect to authenticate to your network and then bypass the logon form.



2. Because Basic authentication is required on the servers that are enabled for forms-based authentication, those servers must be able to authenticate users, which means they must have remote procedure call (RPC) access to the Active Directory (AD). You need to take that into consideration when configuring front-end servers that are in a demilitarized zone (DMZ) because you’ll need to open RPC ports in the firewall to allow authentication to occur.



3. If you use a load-balanced front-end server farm, you must enable forms-based authentication on all front-end servers. Additionally, you must ensure that users are always directed to the same front-end server during a session. Failure to do so will cause the users to see the logon page much more often than they’d like. This occurs because the symmetric keys are per server, so a cookie encrypted by one server that’s enabled for forms-based authentication can’t be decrypted by another server, even though it, too, is enabled.



4. Don’t implement forms-based authentication on front-end servers and back-end servers, or you’ll constantly be interacting with a logon page.



5. The cookie regeneration and encryption/decryption is performed only on the servers that are enabled for forms-based authentication (typically the front-end servers.) You might want to beef up processing on these servers if you support many users and your key-regeneration interval is short.



6. Although longer key-regeneration intervals will reduce the processing load on the front-end server, they also give a cookie a longer life. This longer life gives malicious users more opportunity to steal the cookie or for a passersby to hijack user sessions accidentally left open on a public computer. Unlike previous OWA versions, clicking Logoff will ensure a clean logout because the cookie is automatically cleared; any subsequent requests are redirected to the logon page. However, users, being users, will still forget to hit the Logoff button.



7. Forms-based authentication can work even when your back-end servers are still running Exchange 2000 Server. All that’s required is for the front-end servers to be running Exchange Server 2003.