
My Sharepoint Security Conspect

This conspect summarizes several articles on SharePoint Server 2010 authentication and authorization.

Classic vs. Claims based mode

  • What’s Claims based identity?

Claims-based identity is based on the user obtaining a security token that is digitally signed by a commonly trusted identity provider and contains a set of claims.

  • Why do I need to use claims-based authentication mode? Classic mode works fine.

Classic mode works well for pure Windows environments, but it does not scale to third-party authentication protocols, external directory providers, or multi-vendor environments that support Internet, partner, or cloud-based computing models. In SharePoint Server 2010, forms-based authentication and SAML token-based providers (such as AD FS) are only available to claims-based Web applications; a classic-mode Web application can authenticate users against Windows (NTLM or Kerberos) only.

  • What is the difference?

Classic mode: To determine access to resources, applications might need to query AD DS for account attributes and other information, such as group membership or role on the network.

Claims-based mode: Applications that support claims-based authentication obtain the security token from the user and use the information within the claims to determine access to resources. No separate query to a directory service such as AD DS is needed.
  • Is coexistence of NTLM and claims authentication possible in farm communications?
    Yes. In addition, services and service applications use claims identities for inter-farm communication regardless of the mode that is selected for Web applications and users: a Windows identity from a classic-mode Web application is converted to a claims identity before it reaches the service applications. That is why a user gets the same search results whether the Web application authenticates them in classic or in claims mode.

Implementing Windows authentication methods

Important: Services or applications that access SharePoint Server resources by using Integrated Windows authentication methods will attempt to authenticate by using the credentials of the running thread, which by default is the identity of the process (for a Web application, the application pool account), not the identity of the end user.

  • What is impersonation?

Impersonation is a WCF service configuration in which the service will access resources on the same computer using a client’s user identity.

  • What is delegation?

Delegation is similar to impersonation except that the service can access resources that are on the same machine or on other machines using the client's user identity. Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.
The Microsoft Windows Server 2003 operating system provides a more secure form of delegation called constrained delegation. With constrained delegation, you configure Active Directory Domain Services to restrict the services and servers that your service application can access with the impersonated identity (the msDS-AllowedToDelegateTo attribute of the service account). Unconstrained delegation, by contrast, lets the service account present the caller's identity to any service in the forest, so it should be avoided. Constrained delegation in Windows Server 2003 requires Kerberos authentication.

  • When do the Kerberos settings need to be done? Before or after the SharePoint installation?

Configuring the Kerberos protocol involves setting up service principal names (SPNs) in AD DS before you install SharePoint Server 2010. Each SPN is registered on the account that runs the application pool and must match every host name clients will use (HTTP/netbios-name and HTTP/fqdn); a duplicate SPN anywhere in the domain breaks Kerberos for that name, and clients either fail or silently fall back to NTLM.

  • Are any special SharePoint settings needed for Kerberos constrained delegation support?
    For claims-authentication Web applications, the Claims to Windows Token Service (C2WTS) must be configured for constrained delegation with protocol transition ("Use any authentication protocol"). The C2WTS receives a claims identity rather than the user's Kerberos ticket, so it has to build the Windows token itself (S4U2Self) before delegating to the back-end service; plain Kerberos-only constrained delegation is not enough for it.
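The steps above (SPNs registered before installation, constrained delegation for the service account, protocol transition for the C2WTS) as one PowerShell script. This is an added example, not code from the original article or from Microsoft; the domain CONTOSO, the accounts svc-sp-web and svc-c2wts, the host names portal / portal.contoso.com and the SQL SPN on sql01 are assumptions for illustration. It needs the ActiveDirectory RSAT module and rights to modify the service accounts.

```powershell
# Added example (not from the original article). All names below are assumptions.
# Requires the ActiveDirectory module (RSAT) and rights to edit the service accounts.
Import-Module ActiveDirectory

$Domain        = 'CONTOSO'
$WebAppAccount = 'svc-sp-web'   # assumed application pool account of the Web application
$C2wtsAccount  = 'svc-c2wts'    # assumed account running the Claims to Windows Token Service
$WebAppHosts   = @('portal.contoso.com', 'portal')    # every host name clients will use
$BackendSpns   = @('MSSQLSvc/sql01.contoso.com:1433') # back-end services the C2WTS may reach

# 1. Register one HTTP SPN per host name on the application pool account.
#    -S refuses to create a duplicate; -A would create it silently, and a duplicate
#    SPN makes Kerberos fail for that name (clients fall back to NTLM or get errors).
foreach ($h in $WebAppHosts) {
    setspn -S "HTTP/$h" "$Domain\$WebAppAccount"
}

# 2. Forest-wide duplicate check; anything other than "found 0 group of duplicate
#    SPNs" has to be fixed before SharePoint is installed.
setspn -X -F

# 3. C2WTS: constrained delegation WITH protocol transition. The service gets a claims
#    identity, not the user's ticket, so it relies on S4U2Self, which requires
#    "Use any authentication protocol" (the TrustedToAuthForDelegation flag).
Set-ADUser -Identity $C2wtsAccount -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpns }
Set-ADAccountControl -Identity $C2wtsAccount -TrustedToAuthForDelegation $true

# 4. Verify the result. TrustedForDelegation set together with an empty target list
#    would mean unconstrained delegation, which must never be left on this account.
$acct = Get-ADUser -Identity $C2wtsAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) {
    Write-Warning "$C2wtsAccount is trusted for UNCONSTRAINED delegation; remove that first."
}
'{0}: protocolTransition={1}; targets={2}' -f $acct.SamAccountName,
    $acct.TrustedToAuthForDelegation, ($acct.'msDS-AllowedToDelegateTo' -join ', ')

# 5. Audit: every account in the domain allowed protocol transition
#    (userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000). Each of them
#    can obtain a service ticket on behalf of almost any user to its listed targets,
#    so this list should be short and reviewed regularly.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

The audit in step 5 is the check worth keeping around: an account with protocol transition enabled can impersonate any user not marked "sensitive and cannot be delegated" (or in Protected Users) to the services in its target list, so the target list should contain only the back-end SPNs the C2WTS actually needs. The C2WTS account additionally needs the local rights "Act as part of the operating system", "Impersonate a client after authentication" and "Log on as a service" on each SharePoint server where the service runs; those are local security policy settings, not AD attributes, and are not covered by the script.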


Authenticated users

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

NT AUTHORITY\Authenticated Users and "All Authenticated Users" (the name shown in the SharePoint people picker) are one and the same. The group includes every account, including computer accounts, that authenticated to the machine or domain; it does not include the Guest account or anonymous users, so granting it a permission in SharePoint still means the user had to log on.

Authentication methods in IIS (Video)

To learn more about Anonymous, Basic, Integrated (Kerberos/NTLM) and Digest authentication in IIS, follow this link: http://blogs.technet.com/b/chrad/archive/2010/05/03/the-inside-out-of-authentication-in-iis-anonymous-basic-integrated-and-much-much-more.aspx


