According to a new blog post from SharePoint Ranger Steve Peschka (I assume) at http://blogs.msdn.com/sharepoint/archive/2009/05/13/update-on-sharepoint-forms-based-authentication-fba-and-office-client.aspx, there are just a few things that have to properly align.
You need to have Service Packs installed on both the SharePoint farm and the client that Office is installed on (both Office and OS). This may be easy enough for internal support, but what about extranets? This is tough to support on external clients that are part of various domains that you don’t have control over. Also note that you need to make Registry value changes on the client.
That said, we are definitely getting better integration than was there when MOSS initially launched, so that is great!
The following is a direct copy and paste of the steps necessary to implement this support:
On the Client
1. Download the hotfix for KB 960499 from the December 2008 Cumulative Update for the Office client applications; you can find this download at http://support.microsoft.com/kb/960499/. Please note that even though the documentation primarily describes fixes for the InfoPath client, this is the correct patch to enable support in Microsoft Office applications for FBA.
IMPORTANT: This patch can only be used with Office 2007 running on the Windows XP operating system. A patch that enables this support for Office 2007 running on the Windows Vista operating system is available in the April 2009 cumulative update for the Microsoft Office client. It also requires that Service Pack 2 for Vista be applied.
2. Install this patch on each client computer running Windows XP and Office 2007 from which you wish to use the Office client to open documents in an FBA-secured site.
3. Configure the appropriate set of registry values on each client computer to enable the Office client applications to use the FBA integration features. At a minimum, the FormsAuthEnabled value needs to be created and set to 1. More details on the registry values, their location and function are described below.
NOTE: If you are using Internet Explorer, these new features require at least version 7.0 or higher.
On the SharePoint Farm
1. Go to Central Administration, click on the Application Management tab, then click on the Authentication Providers link.
2. In the Web Applications drop down, select the web application that contains an FBA zone and then click on the link for the zone that is configured to use FBA.
3. On the settings page for the zone, check the Enable anonymous access checkbox, and change the Enable Client Integration? setting to Yes.
NOTE: Checking the Enable anonymous access checkbox does not, by itself, grant anonymous access to any content in the web application. It is, however, necessary to enable the Office client applications to gather enough information about the site to display the login dialog window.
There are several registry values that can be used to help control how and when the Office client applications will attempt to use the FBA to authenticate a request. All registry values are stored under the key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Internet\FormsBasedAuthSettings.
As described above, the FormsAuthEnabled value is required at a minimum for these new features to work. It is a DWORD value and must be set to 1 in order for the Office client to utilize these new FBA features. There are other registry values available for further fine-tuning your implementation that will be explained more fully in the update to the FBA whitepaper. They include settings for things like not allowing cross domain redirects for login, require SSL with the login page, enabling scripts, behaviors, and ActiveX in the login page, etc.
Other Things To Know
There are a few other things to know about the support described here. First, not every Office application will be able to take advantage of these new features. More may come online over time, but for now you should count on the core Office apps (Word, Excel, PowerPoint and Outlook) to support this. Second, adding this feature to the Office client enables some other scenarios that weren’t previously possible. For example, we can also potentially integrate with SharePoint sites secured with ADFS much better than we have previously. After all, ADFS is just FBA with a remote login page. We hope to address the ADFS scenario more specifically in the update to part 3 of the FBA whitepaper, so make sure you download it and take a look when it’s released.
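The client registry step described above can be applied and verified per user with a short script. This is an added example, not code from the original post or from Microsoft: the function names are hypothetical, the key path and the FormsAuthEnabled value name come from the text above, and the Internet Explorer version lookup is an assumption about where the client stores its version string.

```powershell
# Added example: enable and verify the Office 2007 FBA client setting.
# Run in the context of the user who opens the documents (the key is under HKCU).
# Only FormsAuthEnabled is named on the page; the other tuning values are not set here.
$KeyPath   = 'HKCU:\Software\Microsoft\Office\12.0\Common\Internet\FormsBasedAuthSettings'
$ValueName = 'FormsAuthEnabled'

function Get-FbaClientState {
    # Read-only report: key presence, value, value type, IE major version.
    $state = [ordered]@{ KeyExists = (Test-Path $KeyPath); Value = $null; Kind = $null; IEMajor = $null }
    if ($state.KeyExists) {
        $key = Get-Item -Path $KeyPath
        if ($key.GetValueNames() -contains $ValueName) {
            $state.Value = $key.GetValue($ValueName)
            $state.Kind  = $key.GetValueKind($ValueName)
        }
    }
    # Assumption: IE records its version string here. Newer IE releases may
    # report 9.x in this value, which still satisfies the >= 7 requirement.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie -and $ie.Version) { $state.IEMajor = [int]($ie.Version.Split('.')[0]) }
    New-Object PSObject -Property $state
}

function Set-FbaClientEnabled {
    # Create the key if it is missing, then write the value as a DWORD.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force replaces an existing value of the wrong type (for example REG_SZ "1").
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-FbaClientState
if ($before.IEMajor -ne $null -and $before.IEMajor -lt 7) {
    Write-Warning "Internet Explorer $($before.IEMajor).x found; the FBA features require version 7.0 or higher."
}

# Idempotent: write only when the value is missing, not 1, or not a DWORD.
if ($before.Value -ne 1 -or $before.Kind -ne 'DWord') { Set-FbaClientEnabled }

$after = Get-FbaClientState
$after | Format-List
if ($after.Value -ne 1 -or $after.Kind -ne 'DWord') {
    throw "FormsAuthEnabled is not a DWORD set to 1 under $KeyPath"
}
```

Calling Get-FbaClientState on its own gives a read-only audit of a client without changing the registry.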