Windows Management and Scripting


SharePoint Security – Authentication

Posted by Alin D on February 9, 2011

SharePoint Server 2010 on Windows Server 2008 R2 offers many possible authentication scenarios; you are no longer limited to the basic, unfriendly authentication types. The key is to fully understand the possible security scenarios for authentication, so that you can plan the security of every service in detail. In this article I will cover the SharePoint authentication methods, which are largely based on those of Windows Server 2008 R2, since that is the OS SharePoint runs on.

Authentication Methods for SharePoint Sites

There are three general types of authentication for SharePoint you should know about: Windows authentication, Forms Based Authentication and SAML token based authentication. Alongside these, SharePoint 2010 has two authentication modes: Claims Based Authentication (which is new in SharePoint Server 2010) and Classic Mode Authentication (known from previous SharePoint versions and other Microsoft systems). I will start with a short overview of them.

Authentication selection window during the new application creation

Windows Authentication

This is the native, classic type of authentication in Windows systems. There are several methods of Windows Authentication worth mentioning here:
· Anonymous Authentication: this method allows external, unauthenticated users to access resources; no credentials are required. It is mostly used for Internet-facing sites under the SharePoint for Internet Sites licensing.
· Basic Authentication: a basic Windows authentication method which is insecure, and I recommend NOT using it. The credentials are sent in clear text, without any encryption, which nowadays is extremely easy for an attacker to snoop. It should only be used when compatibility issues (with browsers, web proxies or firewalls) leave no other choice, and only over SSL with a valid certificate so that the sensitive network traffic is encrypted. Sometimes old software deployed in the enterprise (for example old monitoring software) requires Basic Authentication; if you ever find yourself in that situation, use SSL together with Basic Authentication to encrypt the traffic “manually”.
· Digest Authentication: a method similar to Basic Authentication, but more secure, because the credentials are protected rather than sent in clear text and so cannot simply be read off the wire along the traffic route.
· Certificate Authentication: this method authenticates users by mapping public key certificates to accounts, and relies on SSL encryption. It is not recommended for traffic over the Internet.
· NTLM Authentication: the native authentication method for most Microsoft applications (including SharePoint); it is secure and protects credentials before they are sent over the network. If you want to move your entire network authentication to Kerberos, you will have to disable NTLM, because on most systems it is the default authentication method.
· Negotiate Authentication: you can use it with either NTLM or Kerberos (Kerberos by default). On the client side you have to provide the SPN (Service Principal Name) and UPN (User Principal Name) for the account.

Forms Based Authentication

This kind of authentication works with identity management systems. In SharePoint it shows up as a typical login form with two fields (login and password) in which you enter your credentials. It is often used by extranet sites. The user credentials behind the form can come from LDAP-based containers, a SQL database, or custom external sources such as third-party software and credential databases. Forms Based Authentication relies fully on ASP.NET membership and role providers.

Basic Forms Based Authentication form in SharePoint application
Now let me give you an overview of the Forms Based Authentication types:
· Lightweight Directory Access Protocol (LDAP): the user/security database can be Active Directory, ADAM or ADFS.
· Database based (by default SQL) authentication: in this type you store the permissions in a MS SQL database (or another compatible database system, in which case you have to install that database's native client drivers compatible with ASP.NET).
· Custom, third-party membership / role provider: for most external systems you need to register a custom membership provider in the web.config file of your forms-enabled application. This hasn't changed much since MOSS 2007.
Forms Based Authentication can only be enabled in Claims-based applications.
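As an added example (not code from the original post), the following PowerShell script registers a SQL membership provider and a SQL role provider in the web.config of a claims-based SharePoint 2010 web application, the registration step mentioned above. The web.config path, the SQL Server and database names, the connection string name and the provider names (SqlMembers, SqlRoles) are assumptions for this example; the SqlMembershipProvider and SqlRoleProvider types are the standard ASP.NET ones.

```powershell
# Added example (not from the original post): register a SQL membership provider and
# role provider in the web.config of a claims-based SharePoint 2010 web application.
# The file path, server name, database name, provider names and connection string
# name are assumptions for this example.
$webConfig        = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
$connName         = 'FbaConnectionString'
$membershipName   = 'SqlMembers'
$roleProviderName = 'SqlRoles'
$sqlProviderAsm   = 'System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'

# Keep a timestamped backup before touching an IIS configuration file.
Copy-Item -Path $webConfig -Destination ('{0}.{1:yyyyMMddHHmmss}.bak' -f $webConfig, (Get-Date))

[xml]$cfg = Get-Content -Path $webConfig
$sysWeb = $cfg.configuration.'system.web'

# A claims-based web application already carries the SharePoint claims providers
# ("i" for membership, "c" for roles). Their defaultProvider settings must stay as
# they are; the SQL providers are added beside them, never in place of them.
if (-not $sysWeb.membership -or -not $sysWeb.roleManager) {
    throw "No membership/roleManager section found: $webConfig is not a claims-based web application."
}

# 1. Connection string. Integrated Security means the application pool identity
#    authenticates to SQL Server, so no SQL password is stored in the file.
$connStrings = $cfg.configuration.connectionStrings
if (-not $connStrings) {
    $connStrings = $cfg.configuration.AppendChild($cfg.CreateElement('connectionStrings'))
}
$conn = $cfg.CreateElement('add')
$conn.SetAttribute('name', $connName)
$conn.SetAttribute('connectionString', 'Server=SQL01;Database=FbaUsers;Integrated Security=True')
$connStrings.AppendChild($conn) | Out-Null

# 2. Membership provider: hashed passwords, no password retrieval, lockout after
#    repeated failures and a minimum length, instead of the permissive defaults.
$member = $cfg.CreateElement('add')
$member.SetAttribute('name', $membershipName)
$member.SetAttribute('type', "System.Web.Security.SqlMembershipProvider, $sqlProviderAsm")
$member.SetAttribute('connectionStringName', $connName)
$member.SetAttribute('applicationName', '/')
$member.SetAttribute('passwordFormat', 'Hashed')
$member.SetAttribute('enablePasswordRetrieval', 'false')
$member.SetAttribute('requiresUniqueEmail', 'true')
$member.SetAttribute('minRequiredPasswordLength', '12')
$member.SetAttribute('maxInvalidPasswordAttempts', '5')
$member.SetAttribute('passwordAttemptWindow', '10')
$sysWeb.membership.providers.AppendChild($member) | Out-Null

# 3. Role provider, pointing at the same database and applicationName.
$role = $cfg.CreateElement('add')
$role.SetAttribute('name', $roleProviderName)
$role.SetAttribute('type', "System.Web.Security.SqlRoleProvider, $sqlProviderAsm")
$role.SetAttribute('connectionStringName', $connName)
$role.SetAttribute('applicationName', '/')
$sysWeb.roleManager.providers.AppendChild($role) | Out-Null

$cfg.Save($webConfig)
```

The membership database itself is created beforehand with the .NET Framework tool aspnet_regsql.exe, and the application pool account needs the corresponding database roles. The same provider entries must also be added to the web.config of Central Administration and of the SecurityTokenServiceApplication, otherwise people picking and the sign-in page cannot resolve forms users; the Windows and Forms providers are then attached to the web application by name (for example with New-SPAuthenticationProvider -ASPNETMembershipProvider / -ASPNETRoleProviderName).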

SAML Token Based Authentication

This is the authentication known as Claims Based in SharePoint 2010. It supports Windows Identity Foundation and uses the .NET Framework entities for Claims Based Authentication. SAML token providers include Active Directory Federation Services (available in Windows Server 2008 Enterprise), Windows Live ID and most third-party providers. SAML token authentication involves an identity provider security token service (IP-STS), which issues SAML tokens for the users and is used to authorize them. If you configure your SharePoint application to authenticate using an IP-STS, that application becomes a relying party STS (RP-STS) that can receive SAML tokens.
Implementing a SAML token based infrastructure in your SharePoint farm is a difficult task that requires a lot of planning. You need to define an identity claim for each user (for example the e-mail address as the user identifier), define claim mappings, create an authentication provider by importing the token-signing certificate, specify a realm that is associated with the SAML token based SharePoint applications, and finally create a SharePoint application configured to use the SAML token enabled authentication provider.
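The planning steps just listed, carried through as an added example in the SharePoint 2010 Management Shell (this is not code from the original post). The provider name, the ADFS sign-in URL, the realm, the certificate path, the web application URL, the application pool and the managed account are all assumptions; the cmdlets and claim type URIs are the standard SharePoint 2010 and WS-Federation ones.

```powershell
# Added example (not from the original post): configure a SAML token based
# (trusted identity) provider for a SharePoint 2010 farm, step by step.
# Names, URLs, the realm and the certificate path are assumptions.
$certPath = 'C:\certs\adfs-token-signing.cer'   # token-signing cert exported from the IP-STS
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# 1. Trust the token-signing certificate: SharePoint rejects tokens it cannot
#    chain to a trusted root. If the IP-STS certificate is issued by a CA,
#    add that CA's certificate here as well.
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null

# 2. Claim mappings: only the claims mapped here are usable in SharePoint
#    (for people picking, permissions and audiences).
$email = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$role = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. Realm: the identifier the IP-STS issues tokens for. It must match the
#    relying-party configuration on the ADFS side exactly.
$realm = 'urn:sharepoint:extranet'

# 4. The trusted identity provider, with the e-mail address as identity claim.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Corporate ADFS' `
    -Description 'ADFS 2.0 IP-STS for the extranet' `
    -Realm $realm `
    -ImportTrustCertificate $cert `
    -ClaimsMappings $email, $role `
    -SignInUrl 'https://adfs.example.com/adfs/ls/' `
    -IdentifierClaim $email.InputClaimType

# 5. A web application that uses the provider. SSL is mandatory here: the SAML
#    token is posted back to SharePoint and then carried in a cookie.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name 'Extranet' `
    -Url 'https://extranet.example.com' -Port 443 -SecureSocketsLayer `
    -ApplicationPool 'ExtranetAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\sp_app') `
    -AuthenticationProvider $provider | Out-Null

# Verify what the farm now trusts.
Get-SPTrustedIdentityTokenIssuer -Identity 'Corporate ADFS' | Format-List Name, Description
```

Keep in mind that the identity claim (here the e-mail address) is what SharePoint uses to tell users apart, so the IP-STS must issue it for every user and it must be unique; users who later change their e-mail address appear as new identities. Also note that with a trusted provider SharePoint does not validate the user's existence itself, so the people picker resolves any typed value; the provider's claim set is the only thing that is checked.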

SharePoint Application Zones

SharePoint application zones define the logical paths for accessing the same web application. Each web application can have up to five zone definitions. By default, when you create a new web application in SharePoint, it uses the zone named “Default”. You can add more zones by extending the web application into the remaining zones: Intranet, Extranet, Internet or Custom.
In previous SharePoint versions you could use zones to set up Windows Authentication and Forms authentication on one web application. In SharePoint 2010, Classic Mode authentication supports only Windows authentication, so in this mode using multiple zones gives you the possibility to authenticate against up to five different Active Directory stores. In Claims Mode web applications you can set up multiple authentication methods for different zones, but if you only want Windows Authentication (from one Active Directory store) and one Forms Authentication (for example from a SQL database user store), you can do this from a single web application zone (for example the “Default” zone); you don't need to extend the web application unless you need to use more than one AD store or Forms store.
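The single-zone case described above, as an added example that is not code from the original post: a claims-based web application whose Default zone offers both Windows (NTLM) authentication and Forms Based Authentication, followed by a listing of the zones and the providers attached to each. The web application name and URL, the application pool, the managed account and the ASP.NET provider names (which must already be registered in web.config) are assumptions.

```powershell
# Added example (not from the original post): create a claims-based SharePoint 2010
# web application with Windows and Forms authentication in the one Default zone.
# Names, URLs, the managed account and the provider names are assumptions.

# NTLM. Omit -DisableKerberos to get Negotiate (Kerberos preferred), which requires
# an SPN registered for the application pool account.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# The ASP.NET provider names must match the providers registered in web.config.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'SqlMembers' `
                                    -ASPNETRoleProviderName 'SqlRoles'

$app = New-SPWebApplication -Name 'Portal' `
    -Url 'https://portal.example.com' -Port 443 -SecureSocketsLayer `
    -ApplicationPool 'PortalAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount 'CONTOSO\sp_app') `
    -AuthenticationProvider $win, $fba

# Both providers live in the one Default zone; no extension is needed for this.
# List every zone of the web application with its claims providers.
foreach ($zone in $app.IisSettings.Keys) {
    $providers = ($app.IisSettings[$zone].ClaimsAuthenticationProviders |
                  ForEach-Object { $_.DisplayName }) -join ', '
    '{0,-10} {1}' -f $zone, $providers
}

# Extend into a second zone only when another store is required, for example a
# separate extranet URL that must offer the form only and no Windows authentication:
# New-SPWebApplicationExtension -Identity $app -Name 'Portal Extranet' -Zone Extranet `
#     -Url 'https://extranet.example.com' -Port 443 -SecureSocketsLayer `
#     -AuthenticationProvider $fba
```

When two providers share a zone, SharePoint shows a selector page on which the user chooses Windows or Forms sign-in before authenticating; if that prompt is unwanted for internal users, that is the situation in which a second zone with a single provider is worth the extra extension.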
