SharePoint Authentication

A deep dive on SharePoint Authentication

Transcript of SharePoint Authentication

Page 1: SharePoint Authentication

A deep dive on SharePoint Authentication

Page 2: SharePoint Authentication

Agenda

• Authentication & Authorization
• Terminology
• Classic mode authentication
• Claims based authentication
• Supported authentication types and methods
• Server-to-server authentication
• Managing zones

Page 3: SharePoint Authentication

Authentication vs Authorization

Authentication
• Verification of the credentials presented by the connection attempt
• Validation of a user's identity against an authentication provider

Authorization
• Verification that the connection attempt is allowed
• The process that determines which sites, content, and other features the user can access

Page 4: SharePoint Authentication

Terminology

Term: Description
Authentication provider: Directory or database that contains the user's credentials (e.g. AD DS, a SQL membership database, an LDAP store)
Authentication type: Specific way of validating credentials against one or more authentication providers (e.g. Windows, Forms, SAML token-based)
Authentication method: Specific exchange of account credentials and other information that asserts a user's identity (e.g. NTLM, Kerberos)
Proof: The result of the authentication method
Token: The proof, packaged so that it can be presented to prove the identity (in SharePoint, a signed security token that carries claims)
Claim: A specific item of data about a user, such as his or her name, group memberships, and role

Page 5: SharePoint Authentication

Classic mode authentication
• Uses Windows authentication only
• Deprecated in SharePoint 2013 & 2016

Page 6: SharePoint Authentication

Claims based authentication
• User obtains a digitally signed security token from a trusted identity provider
• Token contains a set of claims

Page 7: SharePoint Authentication

Claims based authentication: Infrastructure
• Uses claims-based identity technologies and infrastructure
• Claims-aware applications obtain a security token from a user, rather than credentials
• Claims-based authentication in Windows is built on Windows Identity Foundation (WIF)
• Relies on standards such as WS-Federation, WS-Trust, and protocols such as the Security Assertion Markup Language (SAML)

Page 8: SharePoint Authentication

Claims based authenticationInfrastructure• Uses claims-based identity technologies and

infrastructure• Claims aware applications obtain security token from a

user, rather than credentials• Claims-based authentication in Windows is built on

Windows Identity Foundation (WIF)• Relies on standards such as WS-Federation, WS-Trust,

and protocols such as the Security Assertion Markup Language (SAML)

Page 9: SharePoint Authentication

Evolution of SharePoint authentication modes

SharePoint 2007: Windows authentication; Forms based authentication
SharePoint 2010: Classic mode authentication; Claims based authentication
SharePoint 2013: Classic mode authentication (only from PowerShell); Claims based authentication
SharePoint 2016: Classic mode authentication (only from PowerShell); Claims based authentication
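Because classic mode can only be created from PowerShell in SharePoint 2013 and later, and because claims is the supported direction, the first thing to do on an inherited farm is find out which mode each web application is in. The script below is an added example (not part of the original deck): it inventories the mode of every web application and converts one classic-mode application to claims while keeping its permissions. The URL http://portal.contoso.com and the user CONTOSO\alice are assumptions for illustration.

```powershell
# Added example, not code from the original presentation. Run in the SharePoint 2013
# Management Shell as a farm administrator. Web application URL and user name are
# assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Inventory: UseClaimsAuthentication is $false for a classic-mode web application.
Get-SPWebApplication | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.DisplayName
        Url   = $_.Url
        Mode  = if ($_.UseClaimsAuthentication) { 'Claims' } else { 'Classic' }
        Zones = ($_.IisSettings.Keys -join ', ')
    }
} | Format-Table -AutoSize

# 2. Convert a classic-mode web application to claims.
#    -RetainPermissions rewrites the ACLs so that CONTOSO\alice becomes the
#    claims-encoded identity i:0#.w|contoso\alice; without it every existing
#    permission assignment would refer to an identity that no longer logs in.
#    (SharePoint 2016 syntax: Convert-SPWebApplication -Identity $wa -From Legacy -To Claims -RetainPermissions)
$wa = Get-SPWebApplication -Identity 'http://portal.contoso.com'
if (-not $wa.UseClaimsAuthentication) {
    Convert-SPWebApplication -Identity $wa -To Claims -RetainPermissions -Verbose
}

# 3. Verify: the web application now reports claims mode and the migrated user
#    is stored under the claims-encoded login name.
$wa = Get-SPWebApplication -Identity 'http://portal.contoso.com'
$wa.UseClaimsAuthentication
Get-SPUser -Web $wa.Url -Identity 'i:0#.w|contoso\alice' -ErrorAction SilentlyContinue |
    Select-Object UserLogin, DisplayName
```

Conversion is one-way: there is no supported path from claims back to classic, so run the inventory and the conversion against a test copy of the content database first.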

Page 10: SharePoint Authentication

Supported authentication types and methods

Page 11: SharePoint Authentication

Type: Windows authentication
• Takes advantage of the Windows authentication provider (AD DS)
• Uses the authentication protocols that a Windows domain environment uses to validate the credentials
• Supports a few authentication methods: NTLM, Kerberos, Basic and Digest

Page 12: SharePoint Authentication

Type: Windows authentication
Windows authentication - Process

1 Request a page
2 Request Windows credentials
3 Send Windows credentials
4 Validate Windows credentials against AD DS
5 Obtain group membership list
6 Create security token and send web page

Page 13: SharePoint Authentication

Windows authentication: Basic & Digest

• Basic
  • User credentials are sent to IIS Base64-encoded, which is effectively plain text
  • You should use SSL/TLS to encrypt the traffic
• Digest
  • User credentials are sent as an MD5 message digest (a challenge/response hash), not the password itself
  • MD5 is weak by today's standards, so SSL/TLS is still advisable
• Older methods: use only if your browsers/applications support nothing else

Page 14: SharePoint Authentication

Windows authentication: NTLM

• Simplest form of Windows authentication
• Does not involve a separate key distribution service
• Challenge/response: the client proves knowledge of its password hash, and the web server forwards the response to AD DS for validation
• Allows only one hop: the web server can impersonate the user locally, but cannot pass the user's identity on to a back-end service such as SQL Server (the "double hop" problem); that requires Kerberos delegation

Page 15: SharePoint Authentication

Windows authentication: Kerberos

• Uses ticket exchange with a shared authentication provider, the Key Distribution Center (KDC) on the domain controller, for identity validation
• Client authenticates to the KDC once and gets a ticket to access the desired service (e.g. SharePoint)
• Uses stronger encryption (AES)
• Is an open protocol (RFC 4120)

Page 16: SharePoint Authentication

Windows authentication: Kerberos - Delegation

• Supports delegation of the client identity
• A service can impersonate an authenticated client's identity
• Impersonation enables a service to pass the authenticated identity to other network services on behalf of the client
• The back-end service can perform its own authentication, so multiple hops are possible

Page 17: SharePoint Authentication

Windows authentication: Kerberos - Process

Participants: client, web application (portal.contoso.com), KDC (domain controller), SQL Server (sql1.contoso.com)

1 Request a page
2 Request Windows credentials
3 Request a ticket for the SPN of the web application
4 KDC returns the ticket if the SPN is found (if the SPN is not registered, Negotiate silently falls back to NTLM and delegation stops working)
5 Client authenticates with the ticket
6 Web application gets a ticket for the SPN created for SQL Server
7 Authenticates with the SQL database using the web application account's ticket and impersonates the user using delegation rights

SPN: HTTP/portal.contoso.com
SPN: MSSqlSvc/sql1.contoso.com:1433

Page 18: SharePoint Authentication

Windows authentication: Kerberos - Delegation

• Basic (unconstrained) Kerberos delegation
  • Can cross domain boundaries within the same forest
  • Lets the service obtain tickets for any service on the user's behalf, so a compromised front end can impersonate users anywhere
• Kerberos constrained delegation
  • Cannot cross domain or forest boundaries (Windows Server 2012 resource-based constrained delegation lifts this restriction)
  • Supports protocol transition
• Delegation can be used for: Excel Services, PerformancePoint Services, InfoPath Forms Services, Visio Services, Business Connectivity Services, Access Services, SSRS, Project Server

Page 19: SharePoint Authentication

Windows authentication: Claims to Windows Token Service (C2WTS)

• Some service applications in SharePoint 2013 require the translation of claims-based credentials to Windows credentials
• The translation is done by C2WTS
• Service applications that require the C2WTS must use Kerberos constrained delegation
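The Kerberos process, delegation and C2WTS slides above describe one configuration: SPNs on the service accounts, constrained delegation from the web application to SQL Server, and protocol transition for the C2WTS. The script below is an added example (not part of the original deck) that sets that up and then checks the result. The account names CONTOSO\svc_sp_web (application pool identity), CONTOSO\svc_c2wts (C2WTS identity) and CONTOSO\svc_sql (SQL Server service account) are assumptions for illustration; the SPNs are the ones shown on the process slide.

```powershell
# Added example, not code from the original presentation. Steps 1-4 run on a
# domain-joined admin host with RSAT (ActiveDirectory module) as a domain admin;
# step 5 runs in the SharePoint Management Shell on a farm server. Account names
# are assumptions for illustration.
Import-Module ActiveDirectory

# 1. Register SPNs. setspn -S refuses to create a duplicate; a duplicate SPN
#    makes the KDC unable to pick a key, and clients quietly fall back to NTLM.
setspn -S HTTP/portal.contoso.com CONTOSO\svc_sp_web
setspn -S MSSQLSvc/sql1.contoso.com:1433 CONTOSO\svc_sql
setspn -X   # report any duplicate SPNs in the forest

# 2. Constrained delegation: the web application account may request tickets
#    on the user's behalf only for the SQL Server SPN, nothing else.
Set-ADUser -Identity svc_sp_web -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql1.contoso.com:1433' }

# 3. C2WTS turns a claims identity into a Windows token without ever seeing the
#    user's password, so it needs protocol transition ("use any authentication
#    protocol") in addition to a constrained delegation target.
Set-ADUser -Identity svc_c2wts -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql1.contoso.com:1433' }
Set-ADAccountControl -Identity svc_c2wts -TrustedToAuthForDelegation $true

# 4. Verify. TrustedForDelegation = $true would mean unconstrained delegation,
#    which should never be set on a web-facing service account.
'svc_sp_web', 'svc_c2wts' | ForEach-Object {
    Get-ADUser -Identity $_ -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
}

# 5. SharePoint side: make the Default zone use Negotiate (Kerberos) instead of
#    NTLM. Leaving out -DisableKerberos is what enables Negotiate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication -Identity 'http://portal.contoso.com'
$provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $provider

# 6. From a client, after browsing to the site, confirm a service ticket for the
#    HTTP SPN was actually issued (no ticket here means NTLM was used).
klist get HTTP/portal.contoso.com
```

Step 6 is the check worth keeping as a health probe: a working SPN and Negotiate configuration shows up as a ticket in the client's cache, and the web front end's security log then records logon type 3 with Kerberos as the authentication package.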

Page 20: SharePoint Authentication

Type: Forms based authentication
• A claims-based identity management system that is based on ASP.NET membership and role provider authentication
• Credentials can be stored in an authentication provider:
  • AD DS
  • SQL Server database
  • LDAP data store
• The system issues a cookie for authenticated requests
• You must configure web.config to add the membership provider and role provider

Page 21: SharePoint Authentication

Type: Forms based authentication
Forms based authentication - Process

1 Request a page
2 Send the forms-based login page
3 Send credentials
4 Validate credentials with the membership provider
5 Obtain roles from the role provider
6 Create security token and send web page

Page 22: SharePoint Authentication

Type: SAML token-based authentication: Infrastructure
• A trusted authentication provider (IP-STS) issues SAML tokens on behalf of users whose accounts are included in the associated authentication provider
• The application accepts the SAML token (it acts as the RP-STS)

Page 23: SharePoint Authentication

Type: SAML token-based authentication: Components
• SharePoint security token service
• Token signing certificate
• Identity claim
• Other claims
• Realm
• SPTrustedIdentityTokenIssuer
• Identity provider security token service (IP-STS)
• Relying party security token service (RP-STS)

Page 24: SharePoint Authentication

Type: SAML token-based authentication
SAML token-based authentication - Process

1 Request a page
2 Obtain the login page from the AD FS server
3 Request a SAML security token
4 Validate credentials with the identity provider
5 Send the SAML security token
6 Send the request containing the SAML security token
7 Create SharePoint security token and send the web page
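The components slide lists what SharePoint needs to trust an IP-STS: the token signing certificate, the claim mappings, the identity claim, the realm and the SPTrustedIdentityTokenIssuer object. The script below is an added example (not part of the original deck) that wires those together for AD FS and attaches the resulting provider to a zone. The AD FS host name, the realm urn:sharepoint:portal, the certificate path and the web application URL are assumptions for illustration.

```powershell
# Added example, not code from the original presentation. Run in the SharePoint
# Management Shell as a farm administrator. Host names, realm, certificate path
# and web application URL are assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Token signing certificate, exported (public key only) from the AD FS server.
#    SharePoint validates every incoming SAML token's signature against it, so an
#    AD FS certificate rollover breaks sign-in until this trust is updated.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\adfs-token-signing.cer')
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert

# 2. Claim mappings: which claims from the token SharePoint keeps. The identity
#    claim must be unique and stable per user; e-mail address is the usual choice.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# 3. The realm is the relying-party identifier SharePoint sends to AD FS (wtrealm).
#    It must match the relying party trust configured on the AD FS side, otherwise
#    AD FS refuses to issue a token for this application.
$realm     = 'urn:sharepoint:portal'
$signInUrl = 'https://adfs.contoso.com/adfs/ls'

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Contoso ADFS' -Description 'AD FS as IP-STS' `
    -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# 4. Attach the trusted provider to the Default zone of an existing web application.
$wa = Get-SPWebApplication -Identity 'https://portal.contoso.com'
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
Set-SPWebApplication -Identity $wa -Zone Default -AuthenticationProvider $provider

# 5. Verify the trust as SharePoint stored it. A user signed in through this issuer
#    appears as i:05.t|Contoso ADFS|alice@contoso.com ('t' = trusted provider).
Get-SPTrustedIdentityTokenIssuer -Identity 'Contoso ADFS' |
    Select-Object Name, DefaultProviderRealm, IdentityClaimTypeInformation, SigningCertificate
```

The SharePoint side only checks the signature and the claims; it does not talk to AD FS at sign-in. That is why the realm and the relying party trust on AD FS must be configured to emit exactly the claim types mapped here, and why any extra claims in the token that are not mapped are simply discarded.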

Page 25: SharePoint Authentication

Server-to-server authentication
• Allows one server to access and request resources from another on behalf of users
• A SharePoint 2013 farm with:
  • Another SharePoint 2013 farm
  • Exchange Server 2013
  • Lync Server 2013
  • Farms without web applications
• Use the "New-SPTrustedSecurityTokenIssuer" Windows PowerShell cmdlet in the receiving farm to add the sending server's JavaScript Object Notation (JSON) metadata endpoint

Page 26: SharePoint Authentication

Managing Zones
• Zones represent different logical paths to gain access to the same sites in a web application
• Five zones max per web application (Default, Intranet, Internet, Custom, Extranet)
• Can implement multiple authentication providers on a single zone
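The forms-based slides and the zones slide describe the same procedure from two ends: declare the membership and role providers, then put them on a zone, possibly next to another provider. The script below is an added example (not part of the original deck) that extends an existing web application into the Extranet zone with a forms-based provider and an NTLM-only Windows provider on that one zone, leaving the Default zone untouched, and then lists which providers each zone accepts. URLs, the provider names SqlMembershipProvider and SqlRoleProvider, and the zone name are assumptions for illustration.

```powershell
# Added example, not code from the original presentation. Run in the SharePoint
# Management Shell as a farm administrator. URLs and provider names are
# assumptions for illustration.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication -Identity 'http://portal.contoso.com'

# Forms-based provider. The cmdlet only records the provider names; the
# <membership> and <roleManager> sections naming them (with a connection string
# to the credential store) must be added to web.config of the web application,
# the SecurityTokenServiceApplication and Central Administration.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider 'SqlMembershipProvider' `
                                    -ASPNETRoleProviderName  'SqlRoleProvider'

# Windows provider restricted to NTLM: external clients have no line of sight to
# the KDC, so offering Kerberos on this zone would only cause fallback noise.
$win = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos

# A zone is an additional IIS web site and URL over the same content databases.
# Two providers on one zone give users a provider selection page at sign-in.
New-SPWebApplicationExtension -Identity $wa -Name 'Portal - Extranet' -Zone Extranet `
    -Url 'https://extranet.contoso.com' -HostHeader 'extranet.contoso.com' `
    -Port 443 -SecureSocketsLayer -AuthenticationProvider $fba, $win

# Review: one line per zone with its response URL and the providers it accepts.
$wa = Get-SPWebApplication -Identity 'http://portal.contoso.com'   # refresh after extension
foreach ($zone in $wa.IisSettings.Keys) {
    $providers = (Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
                  ForEach-Object { $_.DisplayName }) -join ', '
    '{0,-9} {1,-35} {2}' -f $zone, $wa.GetResponseUri($zone).AbsoluteUri, $providers
}
```

Keeping the internal zone Kerberos-only and the extranet zone on forms plus NTLM is the usual split: the authorization model (site permissions) is shared across zones, but the authentication exposure is not, so a weaker method on the external URL does not loosen what internal users must present.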

Page 27: SharePoint Authentication

Questions?

Page 28: SharePoint Authentication

Thank You!
http://dinushaonline.blogspot.com
@kumarasiri048