Differentiate between Windows Auth and Forms Auth users when authenticating against same AD with SharePoint 2010 using claims based authentication

StackOverflow https://stackoverflow.com/questions/2255836

Question

I am currently working on a SharePoint 2010 project where the environment is setup with a SharePoint web application using claims based authentication. The web app is created on port 8081 using Windows Authentication for auth, and extended to port 80 using Forms Based Authentication.

The forms authentication provider is setup to use the same active directory as the windows auth based site, using the following entries in the application's web.config (the entries are in the central administration and security token service web.config files as well):

    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="FBA_AD_MP" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADFBAConnectionString" enableSearchMethods="true" attributeMapUsername="userPrincipalName" />
      </providers>
    </membership>

Using this setup works as expected; users who visit the application on port 8081 are presented with a standard windows auth challenge, those on port 80 are directed to the custom login form. When adding users to the site via the out of the box administration tools, a search for a particular user such as john.smith@mydomain.com will return two hits, one from the windows auth provider, one from the forms auth provider. Adding both of these users to a site reveals that SharePoint stores the account name with an identifier appended to the front. The windows auth user is translated to i:0#.w|mydomain\johnsmith, the FBA user is translated to i:0#.f|fba_ad_mp|john.smith@mydomain.com.

Here's where the problem comes in. We are creating site collections in bulk using a custom built tool that parses a spreadsheet of input, creates site collections, and adds the appropriate users to the newly created site using the following method:

    private static void AddUser(SPSite site, String userName, String spGroupName)
    {
        try
        {
            SPUser spUser = site.RootWeb.EnsureUser(userName);

            if (spUser != null)
            {
                site.RootWeb.Groups[spGroupName].AddUser(spUser);
            }
        }
        catch(Exception ex)
        {
            SharePointManager.Counter.Warnings++;
            SharePointManager.Logger.Warn(String.Format("\t\tUnable to add user {0} to group {1} at site {2}: {3}", userName, spGroupName, site.RootWeb.Url, ex.ToString()));
        }
    }

The userName parameter passed in is, following the example, john.smith@mydomain.com. However, the user added to the site is always the windows auth based user, i:0#.w|mydomain\johnsmith.

How do I specify which authentication provider to poll when calling EnsureUser so I can guarantee that the correct user is added to the site?


Solution

The problem is that both membership providers recognize the email address, and the first result (AD) gets used. Try FBA_AD_MP:john.smith@mydomain.com - that syntax works in the standard username controls (using check name rather than the search dialog), and I believe EnsureUser works the same way.

OTHER TIPS

In short you need to convert SPUser to an SPClaim using the SPClaimProviderManager.
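One way to combine the accepted answer (name the provider explicitly instead of letting the first matching provider win) with the tip above about SPClaimProviderManager, as an added example that is not code from the question or either answer: the forms-based identity is encoded into its claim string before EnsureUser is called, and the principal EnsureUser returns is decoded again to confirm it came from the issuer that was asked for. It assumes the SharePoint 2010 server object model (Microsoft.SharePoint.Administration.Claims); the class name, the helper names and the issuer check are mine, and FBA_AD_MP is the provider name from the question's web.config.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration.Claims;

public static class ClaimsUserHelper
{
    // Forms membership provider name as registered in web.config (from the question).
    private const string FbaProviderName = "FBA_AD_MP";

    // Encode the forms-based identity explicitly, so EnsureUser cannot fall back
    // to whichever provider happens to recognise the bare e-mail address first.
    // Result has the shape i:0#.f|fba_ad_mp|john.smith@mydomain.com
    public static string EncodeFbaLogin(string userPrincipalName)
    {
        SPClaim claim = new SPClaim(
            SPClaimTypes.UserLogonName,
            userPrincipalName,
            "http://www.w3.org/2001/XMLSchema#string",
            SPOriginalIssuers.Format(SPOriginalIssuerType.Forms, FbaProviderName));
        return SPClaimProviderManager.Local.EncodeClaim(claim);
    }

    // Encode the Windows identity from a SAM account name (DOMAIN\user).
    // Result has the shape i:0#.w|mydomain\johnsmith
    public static string EncodeWindowsLogin(string samAccountName)
    {
        SPClaim claim = SPClaimProviderManager.Local.ConvertIdentifierToClaim(
            samAccountName, SPIdentifierTypes.WindowsSamAccountName);
        return SPClaimProviderManager.Local.EncodeClaim(claim);
    }

    // Resolve the encoded login and refuse to continue if SharePoint handed back
    // a principal from a different issuer than the one requested.
    public static SPUser AddUser(SPSite site, string encodedLogin, string spGroupName)
    {
        SPUser spUser = site.RootWeb.EnsureUser(encodedLogin);

        SPClaim requested = SPClaimProviderManager.Local.DecodeClaim(encodedLogin);
        SPClaim resolved = SPClaimProviderManager.Local.DecodeClaim(spUser.LoginName);
        if (!string.Equals(requested.OriginalIssuer, resolved.OriginalIssuer,
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(string.Format(
                "EnsureUser resolved {0} via issuer {1}, expected issuer {2}",
                spUser.LoginName, resolved.OriginalIssuer, requested.OriginalIssuer));
        }

        site.RootWeb.Groups[spGroupName].AddUser(spUser);
        return spUser;
    }
}
```

The bulk-provisioning tool would call AddUser(site, ClaimsUserHelper.EncodeFbaLogin("john.smith@mydomain.com"), group) for the port 80 identity and AddUser(site, ClaimsUserHelper.EncodeWindowsLogin(@"mydomain\johnsmith"), group) for the port 8081 one, so each row of the spreadsheet states which identity it means.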

Licensed under: CC-BY-SA with attribution