My personal adventures of doing SharePoint

Mar-14-2008

Active Directory and FBA

I've been researching the combination of Forms Based Authentication (FBA) with Active Directory. It took me some time to get it all working. Here's my story:
 
First of all, I was trying to enable forms authentication using the ActiveDirectoryMembershipProvider and the WindowTokenProvider within the System.Web.Security namespace for SPS 2007. Getting the users to resolve was fairly simple. However, I was unable to get groups to resolve. Since we used Active Directory groups for setting permissions in SharePoint, this was a serious issue.
 
Finally I found a tutorial by Jason Flowers and you can read it here. The trick is to use the LdapMembershipProviders and the LdapRoleProvider instead of the ActiveDirectoryMembershipProvider.
 
Additional tips:
  • Be sure you get the right connection string to the Active Directory.
  • Use Active Directory query utilities for this, or ask your local system admin guy!
  • Back up all web.configs before you start editing. You might end up with non-working SharePoint sites due to web.config errors.
  • You need to re-add the users and groups to SharePoint. Your users and groups will have the prefix "LdapMembership" or "LdapRole" when re-added to SharePoint. Otherwise users still won't get authenticated the right way.
  • Extend your web application to another port and use Windows Authentication for this extended version. This way you can still use SharePoint Designer to tweak your SharePoint site. With only FBA it's a bit of a challenge to get SharePoint Designer to work!
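
A check for the web.config tips above, as an added example that is not part of the original post or the tutorial: it verifies that an edited web.config is still well-formed, that the membership and role providers are each defined once under the expected name, and that the role manager is switched on. It assumes the provider names equal the "LdapMembership" and "LdapRole" prefixes from the post; the sample XML is constructed and its type values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <system.web> part of an edited web.config.
# Provider names are the ones from the post; type values are placeholders.
SAMPLE = """<configuration><system.web>
  <membership><providers>
    <add name="LdapMembership" type="PLACEHOLDER_MEMBERSHIP_TYPE" />
  </providers></membership>
  <roleManager enabled="true"><providers>
    <add name="LdapRole" type="PLACEHOLDER_ROLE_TYPE" />
  </providers></roleManager>
</system.web></configuration>"""

def check_fba_config(xml_text, membership="LdapMembership", role="LdapRole"):
    """Return a list of problems found in one web.config (empty = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed web.config takes the whole site down, so stop here.
        return ["not well-formed XML: %s" % exc]
    problems = []
    for section, expected in (("membership", membership), ("roleManager", role)):
        node = root.find("system.web/" + section)
        if node is None:
            problems.append("<%s> section is missing" % section)
            continue
        names = [add.get("name") for add in node.findall("providers/add")]
        # The name must match what is entered in SharePoint; it is also
        # the prefix shown on users and groups that are re-added.
        if names.count(expected) != 1:
            problems.append("<%s> must define provider %r exactly once, found %r"
                            % (section, expected, names))
        # ASP.NET leaves the role manager off unless enabled="true" is set.
        if section == "roleManager" and node.get("enabled", "false").lower() != "true":
            problems.append("<roleManager> is not enabled; the role provider is not used")
    return problems

if __name__ == "__main__":
    for line in check_fba_config(SAMPLE) or ["web.config checks passed"]:
        print(line)
```

Run it against each web.config you edited, after taking the backup, by passing the file's text to `check_fba_config`.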

If you have additional tips, please comment and I will add these to this post!


Published: Mar-14-08
Tagged as: MOSS, WSS, Development