A deep dive on SharePoint Authentication
Agenda
• Authentication & Authorization
• Terminology
• Classic mode authentication
• Claims based authentication
• Supported authentication types and methods
• Server-to-server authentication
• Managing zones
Authentication vs Authorization
Authentication
• Verification of the credentials of the connection attempt
• Validation of a user's identity against an authentication provider
Authorization
• Verification that the connection attempt is allowed
• The process that determines which sites, content, and other features the user can access
Terminology
Term | Description
Authentication provider | Directory or database that contains the user's credentials
Authentication type | Specific way of validating credentials against one or more authentication providers (e.g. Windows, Forms)
Authentication method | Specific exchange of account credentials and other information that asserts a user's identity (e.g. NTLM, Kerberos)
Proof | The result of the authentication method
Token | The proof which will be used to prove the identity
Claim | Represents a specific item of data about a user, such as his or her name, group memberships, and role
Classic mode authentication
• Uses Windows authentication
• Deprecated in SharePoint 2013 & 2016
Claims based authentication
• User obtains a digitally signed security token from a trusted identity provider
• Token contains a set of claims
Claims based authentication
Infrastructure
• Uses claims-based identity technologies and infrastructure
• Claims aware applications obtain a security token from a user, rather than credentials
• Claims-based authentication in Windows is built on Windows Identity Foundation (WIF)
• Relies on standards such as WS-Federation, WS-Trust, and protocols such as the Security Assertion Markup Language (SAML)
Evolution of SharePoint authentication modes
SharePoint 2007
• Windows authentication
• Forms based authentication
SharePoint 2010
• Classic mode authentication
• Claims based authentication
SharePoint 2013
• Classic mode authentication (only from PowerShell)
• Claims based authentication
SharePoint 2016
• Classic mode authentication (only from PowerShell)
• Claims based authentication
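The slide says classic mode survives in 2013 and 2016 only through PowerShell. The following is an added example, not part of the original deck, showing what that means in practice: creating a web application in classic mode versus claims mode, telling the two apart, and converting a classic web application to claims. The application pool, managed account, host header and URLs are assumed values for a hypothetical farm; the -From Legacy form of Convert-SPWebApplication is the SharePoint 2013 SP1 / 2016 syntax.

```powershell
# Added example (not from the original deck). All names below are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$appPool  = "SharePoint - Portal"                        # assumed app pool name
$account  = Get-SPManagedAccount "CONTOSO\svc_spweb"      # assumed managed account
$hostName = "portal.contoso.com"                          # assumed host header

# Classic mode: Central Administration no longer offers it, so
# -AuthenticationMethod (NTLM or Kerberos) is the only way to get it.
$classic = New-SPWebApplication -Name "Portal (classic)" `
    -ApplicationPool $appPool -ApplicationPoolAccount $account `
    -Port 80 -HostHeader $hostName -URL "http://$hostName" `
    -AuthenticationMethod Kerberos

# Claims mode: build a Windows claims provider first. Leaving out
# -DisableKerberos yields Negotiate (Kerberos with NTLM fallback).
$winClaims = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$claims = New-SPWebApplication -Name "Portal (claims)" `
    -ApplicationPool $appPool -ApplicationPoolAccount $account `
    -Port 443 -SecureSocketsLayer -HostHeader $hostName -URL "https://$hostName" `
    -AuthenticationProvider $winClaims

# UseClaimsAuthentication is the flag that distinguishes the two modes.
Get-SPWebApplication | Select-Object DisplayName, Url, UseClaimsAuthentication

# Move the classic web application to claims. This is one-way;
# -RetainPermissions rewrites existing ACLs into the claims identity format.
Convert-SPWebApplication -Identity $classic -From Legacy -To Claims -RetainPermissions -Force
```

Run this from the SharePoint Management Shell as a farm administrator. The conversion step is worth rehearsing on a copy of the content database first, because a user who does not map cleanly to a claims identity loses access after the ACL rewrite.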
Supported authentication types and methods
Type: Windows authentication
• Takes advantage of the Windows authentication provider (AD DS)
• Uses the authentication protocols that a Windows domain environment uses to validate credentials
• Supports a few authentication methods
Type: Windows authentication
Windows authentication - Process
1 Request a page
2 Request Windows credentials
3 Send Windows credentials
4 Validate Windows credentials
5 Obtain group membership list
6 Create security token and send web page
Windows authentication
Basic & Digest
• Basic
  • User credentials are sent as plain text
  • You should use SSL to encrypt the traffic
• Digest
  • User credentials are sent to IIS as an MD5 message digest
• Older methods: use only if your browsers/applications support only them
Windows authentication
NTLM
• Simplest form of Windows authentication
• Does not involve a separate key provider
• The user directly exchanges hashed credentials, which are sent to AD DS
• Allows only one hop; beyond that, impersonation is the option
Windows authentication
Kerberos
• Uses token exchange with a shared authentication provider for identity validation
• Client sends credentials and gets a ticket to access the desired service (e.g. SharePoint)
• Uses stronger encryption (AES)
• Is an open protocol
Windows authentication
Kerberos - Delegation
• Supports delegation of client identity
• Service can impersonate an authenticated client's identity
• Impersonation enables a service to pass the authenticated identity to other network services on behalf of the client
• The back-end service can perform its own authentication, so multiple hops are possible
Windows authentication
Kerberos - Process
Participants: Client, Web application (SPN: HTTP/portal.contoso.com), KDC, SQL Server (SPN: MSSqlSvc/sql1.contoso.com:1433)
1 Request a page
2 Request Windows credentials
3 Request a ticket for the SPN
4 KDC returns the ticket if the SPN is found
5 Client authenticates with the ticket
6 Web application gets a ticket for the SPN created for SQL
7 Authenticates with the SQL database using the Web App account ticket and impersonates the user using delegation rights
Windows authentication
Kerberos - Delegation
• Basic Kerberos delegation
  • Can cross domain boundaries within the same forest
• Kerberos constrained delegation
  • Cannot cross domain or forest boundaries
  • Supports protocol transition
• Delegation can be used for: Excel Services, PerformancePoint Services, InfoPath Forms Services, Visio Services, Business Connectivity Services, Access Services, SSRS Services, Project Server
Windows authentication
Claims to Windows Token Service (C2WTS)
• Some service applications in SharePoint 2013 require the translation of claims-based credentials to Windows credentials
• The process of translation uses C2WTS
• Service applications that require the C2WTS must use Kerberos constrained delegation
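The Kerberos process and delegation slides above describe what has to be true in the directory for steps 3, 4, 6 and 7 to succeed. The following is an added example, not code from the deck, that sets those pieces up: the HTTP SPN the KDC looks up in step 4, Negotiate on the web application, constrained delegation from the web application account to the SQL SPN only (step 7), protocol transition for the C2WTS account, and the C2WTS service instance itself. The two SPNs are the ones on the slides; the web application URL and the service account names are assumptions.

```powershell
# Added example (not from the original deck). Account names and URL are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$webAppUrl    = "https://portal.contoso.com"   # assumed default zone URL
$webAccount   = "svc_spweb"                    # assumed app pool account (sAMAccountName)
$c2wtsAccount = "svc_c2wts"                    # assumed C2WTS service account
$httpSpn      = "HTTP/portal.contoso.com"                # from the slide
$sqlSpn       = "MSSqlSvc/sql1.contoso.com:1433"         # from the slide

# Step 4 only works if the KDC finds exactly one account holding the SPN.
# -Q queries first; -S registers and refuses a duplicate. A duplicate SPN
# makes Kerberos fail silently and clients fall back to NTLM.
setspn.exe -Q $httpSpn
setspn.exe -S $httpSpn "CONTOSO\$webAccount"

# Prefer Kerberos on the web application: omit -DisableKerberos so the
# provider advertises Negotiate.
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webAppUrl -Zone Default -AuthenticationProvider $provider

# Step 7: constrained delegation. The web app account may present the user's
# identity to this one SQL SPN and nothing else (msDS-AllowedToDelegateTo).
Set-ADUser -Identity $webAccount -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# C2WTS starts from a claims token, not a Kerberos ticket, so its account
# needs constrained delegation with protocol transition
# ("use any authentication protocol").
Set-ADUser -Identity $c2wtsAccount -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }
Set-ADAccountControl -Identity $c2wtsAccount -TrustedToAuthForDelegation $true

# Start the C2WTS instance on the server hosting the service applications.
Get-SPServiceInstance |
    Where-Object { $_.TypeName -eq "Claims to Windows Token Service" } |
    Start-SPServiceInstance

# Verify the result: registered SPNs and allowed delegation targets.
setspn.exe -L "CONTOSO\$webAccount"
Get-ADUser $webAccount -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'
```

Constrained delegation is the least-privilege choice here: the web application account can only obtain tickets for the listed SQL SPN, so a compromise of the web tier cannot be turned into tickets for arbitrary services, which unconstrained (basic) delegation would allow. The C2WTS account additionally needs to be a local administrator on the server running the service and to hold the "Act as part of the operating system" right; that part is local policy, not shown here.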
Type: Forms based authentication
• A claims-based identity management system that is based on ASP.NET membership and role provider authentication
• Credentials can be stored in an authentication provider
  • AD DS
  • SQL Server database
  • LDAP data store
• The system issues a cookie for authenticated requests
• Should configure the web.config to add the membership provider and role provider
Type: Forms based authentication
Forms based authentication - Process
1 Request a page
2 Send forms based login page
3 Send credentials
4 Validate credentials with membership provider
5 Obtain roles from role provider
6 Create security token and send web page
Type: SAML token-based authentication
Infrastructure
• A trusted authentication provider (IP-STS) issues SAML tokens on behalf of users whose accounts are included in the associated authentication provider
• The application that accepts the SAML token is the relying party (RP-STS)
Type: SAML token-based authentication
Components
• SharePoint security token service
• Token signing certificate
• Identity claim
• Other claims
• Realm
• SPTrustedIdentityTokenIssuer
• Identity provider security token service (IP-STS)
• Relying party security token service (RP-STS)
Type: SAML token-based authentication
SAML token-based authentication - Process
1 Request a page
2 Obtain login page from ADFS server
3 Request a SAML security token
4 Validate credentials with identity provider
5 Send SAML security token
6 Send request containing the SAML security token
7 Create SharePoint security token and send the web page
Server-to-server authentication
• Allows one server to access and request resources from another on behalf of users
• SharePoint 2013 farm with
  • Another SharePoint 2013 farm
  • Exchange Server 2013
  • Lync Server 2013
  • Farms without web applications
• Use the "New-SPTrustedSecurityTokenIssuer" Windows PowerShell cmdlet in the receiving farm to add a JavaScript Object Notation (JSON) metadata endpoint
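The SAML components slide and the server-to-server slide both come down to registering an external token issuer that the farm will trust. The following is an added example, not from the deck, that does both: it registers the ADFS token-signing certificate, maps the identity and role claims, creates the SPTrustedIdentityTokenIssuer (the IP-STS trust) and attaches it to a zone next to Windows authentication, then registers a server-to-server trust with New-SPTrustedSecurityTokenIssuer against a JSON metadata endpoint. The ADFS host, certificate path, realm, web application URL and the Exchange metadata URL are assumptions.

```powershell
# Added example (not from the original deck). Hosts, paths, realm and URLs are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- SAML token-based authentication: trust an IP-STS (ADFS) -------------------
$adfsHost = "adfs.contoso.com"                       # assumed
$certPath = "C:\certs\adfs-token-signing.cer"        # assumed: public part of the ADFS token-signing cert
$realm    = "urn:sharepoint:portal"                  # assumed: must equal the relying party identifier in ADFS
$webApp   = "https://portal.contoso.com"             # assumed

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# SharePoint checks the token signature against this certificate and its chain,
# so the issuing chain must be trusted farm-wide, not just on one server.
New-SPTrustedRootAuthority -Name "ADFS token signing" -Certificate $cert

# Identity claim: the incoming claim that uniquely names the user.
# Other claims (roles) ride along as extra mappings.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "Contoso ADFS" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl "https://$adfsHost/adfs/ls" `
    -IdentifierClaim $emailMap.InputClaimType

# Offer SAML sign-in on the default zone alongside Windows authentication.
$samlProvider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
$winProvider  = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $webApp -Zone Default `
    -AuthenticationProvider $winProvider, $samlProvider

# --- Server-to-server: trust another server via its JSON metadata endpoint ------
# Assumed Exchange 2013 autodiscover metadata URL; another farm's endpoint is
# of the form https://<farm>/_layouts/15/metadata/json/1.
$metadata = "https://mail.contoso.com/autodiscover/metadata/json/1"
New-SPTrustedSecurityTokenIssuer -Name "Exchange 2013" -Description "Contoso Exchange" `
    -MetadataEndPoint $metadata -IsTrustBroker

# Inventory both kinds of trust afterwards.
Get-SPTrustedIdentityTokenIssuer   | Select-Object Name, Description
Get-SPTrustedSecurityTokenIssuer   | Select-Object Name, Description
```

The realm and the identifier claim are the two values that most often break a SAML setup: the realm must match what ADFS issues the token for, and the identifier claim must be one ADFS actually sends, otherwise the STS in step 7 of the process slide cannot build a SharePoint token even though the SAML token validated. For the server-to-server trust, the metadata endpoint is fetched over HTTPS and the signing certificate it publishes is what the receiving farm will later use to validate tokens, so the certificate on that endpoint must chain to an authority the farm trusts.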
Managing Zones
• Zones represent different logical paths to gain access to the same sites in a web application
• Five zones max per web application
• Can implement multiple authentication providers on a single zone
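The forms based authentication slides say the membership and role providers have to be added to web.config, and the zones slide says one zone can carry several providers. The following is an added example, not from the deck, that covers both: it registers a SQL membership and role provider through SPWebConfigModification (so the change is applied on every server in the farm rather than hand-edited on one), then extends the web application into the Extranet zone with Windows and forms providers side by side. Provider names, the connection string, host headers and URLs are assumptions.

```powershell
# Added example (not from the original deck). Names, URLs and the connection string are assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl   = "https://portal.contoso.com"      # assumed default zone URL
$extranetUrl = "https://extranet.contoso.com"    # assumed
$membership  = "SqlMembership"                   # assumed provider names
$roles       = "SqlRoles"
$connName    = "FbaDb"
$sysWeb      = "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

$wa = Get-SPWebApplication $webAppUrl

# Helper (hypothetical, for this example): one web.config child-node modification.
function New-ConfigMod($path, $name, $value, $seq) {
    $m = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
    $m.Path = $path; $m.Name = $name; $m.Value = $value
    $m.Sequence = $seq; $m.Owner = "FbaSetup"
    $m.Type = [Microsoft.SharePoint.Administration.SPWebConfigModification+SPWebConfigModificationType]::EnsureChildNode
    return $m
}

# Membership + role provider, both pointing at one connection string.
# passwordFormat='Hashed' keeps the stored credentials non-reversible.
$mods = @(
  (New-ConfigMod "configuration/connectionStrings" "add[@name='$connName']" `
     "<add name='$connName' connectionString='Server=sql1.contoso.com;Database=FbaUsers;Integrated Security=True' />" 0),
  (New-ConfigMod "configuration/system.web/membership/providers" "add[@name='$membership']" `
     "<add name='$membership' type='System.Web.Security.SqlMembershipProvider, $sysWeb' connectionStringName='$connName' applicationName='/' passwordFormat='Hashed' />" 1),
  (New-ConfigMod "configuration/system.web/roleManager/providers" "add[@name='$roles']" `
     "<add name='$roles' type='System.Web.Security.SqlRoleProvider, $sysWeb' connectionStringName='$connName' applicationName='/' />" 2)
)
foreach ($m in $mods) { $wa.WebConfigModifications.Add($m) }
$wa.Update()
$wa.WebService.ApplyWebConfigModifications()

# Zone: same content, second URL, two providers on that one zone.
$winProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
$fbaProvider = New-SPAuthenticationProvider -ASPNETMembershipProvider $membership `
                                            -ASPNETRoleProviderName $roles
New-SPWebApplicationExtension -Identity $wa -Name "Portal - Extranet" `
    -Zone Extranet -Port 443 -SecureSocketsLayer `
    -HostHeader "extranet.contoso.com" -URL $extranetUrl `
    -AuthenticationProvider $winProvider, $fbaProvider

# Verify: providers per zone (at most five zones: Default, Intranet, Internet, Custom, Extranet).
$wa = Get-SPWebApplication $webAppUrl
foreach ($zone in $wa.IisSettings.Keys) {
    $names = $wa.IisSettings[$zone].ClaimsAuthenticationProviders |
             Select-Object -ExpandProperty DisplayName
    "{0}: {1}" -f $zone, ($names -join ", ")
}
```

The same provider entries also have to exist in the web.config of the SecurityTokenServiceApplication and of Central Administration, otherwise the people picker cannot resolve forms users even though sign-in works. Because the process slide shows SharePoint issuing a cookie after step 6, the extended zone is created with SSL; a forms cookie over plain HTTP is replayable by anyone on the path.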
Questions?
Thank You!
http://dinushaonline.blogspot.com
@kumarasiri048