SharePoint Security – SharePoint Authentication Part 1
Running SharePoint on Windows Server 2008 R2 offers a wealth of possible SharePoint authentication scenarios. You are no longer limited to the basic, often insecure authentication types.
In this article I will cover the SharePoint authentication methods, which closely mirror the Windows Server 2008 R2 authentication scenarios, since SharePoint relies on Windows Server for much of its security. I will start with an overview of the primary authentication methods and then demonstrate how to configure authentication.
SharePoint Authentication Methods
There are three general types of authentication for SharePoint. The two base authentication modes in SharePoint 2010 are Claims Based Authentication (which is new in SharePoint Server 2010) and Classic Mode Authentication.
Authentication selection window during SharePoint application setup.
Classic Mode Authentication
This is the native, classic type of authentication for Windows systems. There are several methods of Windows Authentication:
- Anonymous Authentication: this method allows external and unauthorized users to access the resources; no credentials are required. It is mostly used for Internet-facing sites under SharePoint for Internet Sites licensing.
- Basic Authentication: This is an inherently insecure method and I recommend not using it. The credentials are sent in clear text, without any encryption, which nowadays makes them extremely easy for an attacker to snoop. This type of authentication should only be used in case of compatibility issues (with browsers, web proxies or firewalls), and only together with an SSL certificate so that the sensitive network traffic is encrypted (see SharePoint SSL Authentication). Sometimes old software deployed in the enterprise (such as old monitoring software) requires Basic Authentication; if you encounter these situations, combine Basic Authentication with SSL so the traffic is encrypted "manually".
- Digest Authentication: This is similar to Basic Authentication, but it provides greater security since the credentials are not sent in clear text, so an attacker intercepting the traffic along the route cannot read them.
- Certificate Authentication: This method maps a client's public key certificate to a user account for authorization. SSL encryption is used for this authentication method. It is not recommended to use this type of authentication over Internet traffic.
- NTLM Authentication: This is the native authentication method for most Microsoft applications (including SharePoint). It is secure and encrypts credentials before they are sent over the network. If you want to move your entire network authentication to Kerberos, you will have to disable NTLM, because on most systems it is the default authentication method.
- Negotiate Authentication: You can use this with either NTLM or Kerberos authentication (Kerberos is the default). On the client side you have to provide the SPN (Service Principal Name) and UPN (User Principal Name) for the account.
Configuring Classic Mode Authentication for SharePoint
The configuration of classic mode authentication for SharePoint is very straightforward.
The first step is to choose Classic or Claims authentication mode. You can select this when creating a new web application in Central Administration:
Select Classic mode and, in the next sections, enter the site name and port for our new application.
IIS Web Site section in SharePoint 2010 New Application window
The next section is important from a security perspective. We can decide to use SSL for our new application, allow or disallow anonymous access to the application, and choose the authentication provider (Windows native NTLM provider or Negotiate – Kerberos provider). For the purposes of our sample SharePoint application, we will use SSL, with default settings for NTLM and anonymous access.
Security Configuration section in SharePoint 2010 New Application Window
The rest of the sections are beyond the scope of this article: simply select a new application pool with some domain account as the application pool account (or select one of the default application pools already created), give your content database a descriptive name (I've named my web application wss_content_classicauthtest) and click OK to create your new application. The last step for creating a new site is to create a site collection within our new web application. Just select whatever you like; a Team Site would be fine.
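The same classic-mode web application can be created from the SharePoint 2010 Management Shell instead of Central Administration, which also makes the security settings discussed above (SSL, anonymous access, NTLM versus Kerberos, and the Basic Authentication the article warns against) easy to audit across every web application in the farm. The script below is an added example, not code from the original article; the host name, port, application pool name, managed account and site owner are assumed placeholders, while the cmdlets and the `SPIisSettings` properties it reads are standard SharePoint 2010 ones.

```powershell
# Added example (not part of the original article): create the classic-mode web
# application from the walkthrough with PowerShell, then audit authentication
# settings farm-wide. All names below are assumed placeholders for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteName    = "ClassicAuthTest"                          # assumed web application name
$hostHeader  = "classicauth.contoso.local"                # assumed host header
$port        = 443                                        # SSL port, as chosen in the article
$poolName    = "ClassicAuthTestPool"                      # assumed new application pool
$poolAccount = Get-SPManagedAccount "CONTOSO\sp_apppool"  # assumed domain account, already registered as a managed account
$dbName      = "wss_content_classicauthtest"              # content database name used in the article
$ownerAlias  = "CONTOSO\sp_admin"                         # assumed site collection owner

# New-SPWebApplication creates a Classic Mode application unless -AuthenticationProvider
# (Claims) is supplied. -AuthenticationMethod NTLM selects the Windows NTLM provider;
# "Kerberos" would select Negotiate (which then needs the SPN registered for the
# application pool account). Anonymous access stays off because -AllowAnonymousAccess
# is not passed.
$wa = New-SPWebApplication -Name $siteName `
        -HostHeader $hostHeader -Port $port -SecureSocketsLayer `
        -Url "https://$hostHeader" `
        -ApplicationPool $poolName -ApplicationPoolAccount $poolAccount `
        -AuthenticationMethod NTLM `
        -DatabaseName $dbName

# Root site collection: a Team Site (template STS#0), as in the article
New-SPSite -Url "https://$hostHeader" -Name "Classic Auth Test" `
    -OwnerAlias $ownerAlias -Template "STS#0"

# Audit: one row per web application with the security-relevant settings of its
# Default zone, so anonymous access or Basic Authentication that was enabled
# outside the build process stands out.
function Get-SPAuthAudit {
    Get-SPWebApplication | ForEach-Object {
        $iis = $_.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
        # New-Object rather than [PSCustomObject] so this runs on the PowerShell 2.0
        # shipped with SharePoint 2010
        New-Object PSObject -Property @{
            WebApplication = $_.Name
            Url            = $_.Url
            ClaimsMode     = $_.UseClaimsAuthentication
            Ssl            = $_.Url.StartsWith("https://")
            AllowAnonymous = $iis.AllowAnonymous
            BasicAuth      = $iis.UseBasicAuthentication   # expected $false; only acceptable together with SSL
            NtlmOnly       = $iis.DisableKerberos          # $true = NTLM provider, $false = Negotiate (Kerberos)
        }
    }
}

# Flag the combinations the article warns about
Get-SPAuthAudit | Where-Object { $_.BasicAuth -and -not $_.Ssl } |
    ForEach-Object { Write-Warning ("Basic Authentication without SSL on " + $_.WebApplication) }
Get-SPAuthAudit | Format-Table WebApplication, Url, ClaimsMode, Ssl, AllowAnonymous, BasicAuth, NtlmOnly -AutoSize
```

Run it from an account that is a farm administrator with access to the configuration database; the creation part is idempotent only in the sense that a second run fails on the existing name, so comment it out when you just want the audit table.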