SharePoint Apps with a Forms-Based Authentication (FBA) enabled Web Application

Recently I’ve been trying to enable Forms-Based Authentication (FBA) in an instance of SharePoint which also has some Apps (SharePoint Add-Ins) installed. The issue was that the calls issued from these apps – which use OAuth2 to authenticate their CSOM calls – were failing with “Access Denied”, even though the same App worked OK when Windows authentication was used.

I found some errors in the ULS log file which pointed me to:

  • Claims authentication infrastructure created a claim for the FBA user “username” with both the SMTP and UPN claims set to “username”, even though the user’s email address was correctly set.
  • The lookup in the User Profile Service Application is apparently done by matching the users’ SMTP claim against the work email address. Therefore, these two should match.

Based on these observations, all I needed to do to make the FBA work with Apps can be summarized in the following two steps:

  • All the usernames must follow an email format (preferably valid emails):
  • Each of them needs to be added (by hand or via an automated import process) in the User Profile Service Application, and have the username and work email properties set to the FBA username (
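
One way to automate the two steps above from the SharePoint Management Shell, as an added example that is not part of the original post. The site URL, membership provider name and sample usernames are assumptions, as is reading the post's "username" property as the `UserName` profile property.

```powershell
# Added example, not from the original post. Run on a farm server with an
# account that has rights to manage profiles in the User Profile Service Application.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl  = 'https://sharepoint.example.com'   # assumption: a site in the FBA web application
$provider = 'fbamembershipprovider'            # assumption: your membership provider name
$fbaUsers = @('alice@example.com', 'bob')      # constructed sample usernames

$context = Get-SPServiceContext -Site $siteUrl
$upm = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($context)

foreach ($name in $fbaUsers) {
    # Step 1: the FBA username must be in email format, because the SMTP claim
    # is set to the username and is matched against the work email.
    try   { $addr = [System.Net.Mail.MailAddress]$name }
    catch { $addr = $null }
    if (-not $addr -or $addr.Address -ne $name) {
        Write-Warning "Skipping '$name': username is not in email format"
        continue
    }

    # Claims-encoded account name of a forms-authenticated user.
    $account = "i:0#.f|$provider|$name"

    # Step 2: make sure a profile exists for the FBA account.
    if ($upm.UserExists($account)) {
        $userProfile = $upm.GetUserProfile($account)
    } else {
        $userProfile = $upm.CreateUserProfile($account)
    }

    # Set username and work email to the FBA username so the lookup matches.
    $userProfile['UserName'].Value  = $name   # assumption: the post's "username" property
    $userProfile['WorkEmail'].Value = $name
    $userProfile.Commit()
    Write-Host "Profile ready for $account"
}
```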

I am not sure if this is a known issue or some limitation which can be overcome by configuration – and comments are welcome.

