Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 31 pptx


MCT USE ONLY. STUDENT USE PROHIBITED Planning Authentication 6-3

Lesson 1 Overview of Authentication

You must be familiar with the relevant authentication methods before you can design an authentication plan. This lesson provides an overview of the authentication methods that you can use in a SharePoint 2010 infrastructure.

Objectives

After completing this lesson, you will be able to:
• Describe NT LAN Manager (NTLM) authentication.
• Describe Kerberos authentication.
• Describe client certificate authentication.
• Describe anonymous authentication.
• Describe claims-based authentication.
• Describe forms-based authentication.
• Describe how the Secure Store Service provides single sign-on (SSO) authentication.

NTLM Authentication

Key Points

NTLM is a secure protocol that supports user credential encryption and transmission over a network. NTLM encrypts user names and passwords before it sends the encrypted credentials over the network. NTLM authentication is required in networks where the server receives requests from client computers that do not support Kerberos authentication.

NTLM is the authentication protocol that is used in Windows® NT and Windows 2000 server workgroup environments, which have no Active Directory® directory service domain controller. NTLM is used in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. In domains where no Windows NT domain controllers exist, you can raise the domain functional level. NTLM is thereby disabled, and Kerberos becomes the default authentication protocol for the enterprise. If your environment includes computers that require NTLM authentication, you must incorporate it into your authentication plan.

Kerberos Authentication

Key Points

Kerberos is the core authentication protocol in Active Directory domains. A Kerberos authentication server grants a ticket in response to a client computer authentication request if the request contains valid user credentials and a valid service principal name (SPN). The client computer then uses the ticket to access network resources.

To enable Kerberos authentication, the client and server computers must be able to access a Key Distribution Center (KDC), which distributes shared secret keys to enable encryption. The client and server computers must be able to access Active Directory Domain Services. An important consideration for enterprises with multiple forests is that the KDC cannot be accessed across forest boundaries. Further planning and configuration is required if the client and server are in a different forest from the KDC.

To implement Kerberos authentication, the client application must provide an SPN, a user principal name (UPN), or a NetBIOS account name as the target name. If the client application cannot provide this information, it may be necessary to plan for the use of NTLM authentication. SharePoint farms typically use Kerberos and NTLM; if Kerberos authentication fails, SharePoint will automatically attempt to use NTLM authentication.

If you deploy a SharePoint 2010 farm that uses Kerberos authentication exclusively, you must configure Kerberos authentication to support the following functionality:
• Communication between SharePoint 2010 and Microsoft SQL Server® database software.
• Access to the SharePoint Central Administration Web application.
• Access to other Web applications such as a portal site Web application or a My Site Web application.

Question: What must the client provide in a Kerberos authentication request?
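The SPN requirement and the silent NTLM fallback described above, as an added example that is not part of the course material: a PowerShell script that checks whether the SPNs a SharePoint 2010 web application and its SQL Server back end need are registered, and registered exactly once, so a missing or duplicate SPN is found before it quietly turns a "Kerberos" farm into an NTLM-only farm. The host names, port and the parsing of setspn.exe output (the "Existing SPN found!", "No such SPN found." and "found N group of duplicate SPNs." lines printed by the Windows Server 2008 R2 tool) are assumptions made for this example.

```powershell
# Added example, not from the course: verify the SPNs Kerberos needs for a
# SharePoint 2010 farm. Run on a domain-joined server with the AD DS tools
# (setspn.exe) installed. Host names below are placeholders.

param(
    [string]$WebAppHost = "portal.contoso.example",   # placeholder: web application host header
    [string]$SqlHost    = "sql01.contoso.example",    # placeholder: SQL Server host
    [int]   $SqlPort    = 1433
)

function Get-SpnRegistration {
    # Returns the distinguished name(s) of the account(s) that hold $Spn,
    # or an empty array when setspn reports that no such SPN exists.
    # Assumption: setspn -Q prints one "CN=..." line per owning account.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    if ($out -match 'No such SPN found') { return @() }
    return @($out | Where-Object { $_ -match '^CN=' })
}

function Test-DuplicateSpns {
    # setspn -X scans the forest for SPNs registered on more than one account.
    # A duplicate makes the KDC encrypt tickets for the wrong account, so the
    # service cannot decrypt them and clients fall back to NTLM.
    # Assumption: the summary line reads "found N group of duplicate SPNs."
    $out = & setspn.exe -X 2>&1
    $line = $out | Where-Object { $_ -match 'found (\d+) group' } | Select-Object -First 1
    if ($line -match 'found (\d+) group') { return [int]$matches[1] }
    return -1   # summary line not recognised; caller treats this as unknown
}

# The two SPNs the lesson's "Kerberos exclusively" scenario cannot do without:
# the web application (held by its application pool account) and the SQL
# Server instance (held by the SQL Server service account).
$required = @(
    "HTTP/$WebAppHost",
    "MSSQLSvc/$SqlHost`:$SqlPort"
)

foreach ($spn in $required) {
    $owners = Get-SpnRegistration -Spn $spn
    switch ($owners.Count) {
        0       { Write-Warning "$spn is not registered: no service ticket can be issued, clients will fall back to NTLM" }
        1       { Write-Host "$spn -> $($owners[0])" }
        default { Write-Warning "$spn is registered on $($owners.Count) accounts: $($owners -join '; ')" }
    }
}

$dupes = Test-DuplicateSpns
if ($dupes -gt 0)     { Write-Warning "setspn -X reports $dupes group(s) of duplicate SPNs in the forest" }
elseif ($dupes -eq 0) { Write-Host "No duplicate SPNs found" }
else                  { Write-Warning "Could not interpret setspn -X output; check duplicates manually" }
```

Run it once per web application host header (the HTTP SPN must match the name users type in the browser, not the server's machine name) and keep the result with the authentication plan, because an SPN that is later re-registered on a different account reproduces the same silent fallback.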
Additional Reading

For more information about how to configure Kerberos authentication, see http://go.microsoft.com/fwlink/?LinkID=200882&clcid=0x409.

For more information about how to use Kerberos for SharePoint authentication, see http://go.microsoft.com/fwlink/?LinkID=201237&clcid=0x409.

Client Certificate Authentication

Key Points

Client certificate authentication supports the exchange of public key certificates by using Secure Sockets Layer (SSL) encryption over HTTP. Client certificates are issued by a Certificate Authority (CA), which may be internal or external, and they must conform to the public key infrastructure (PKI). To implement client certificate authentication, you must select Windows authentication in Central Administration, configure Internet Information Services (IIS) for certificate authentication, enable SSL, and obtain and configure certificates from a CA.

Anonymous Authentication

Key Points

Anonymous authentication enables users to find resources in the public areas of Web sites without providing authentication credentials. Anonymous authentication enables anyone with an Internet connection to browse a Web site; therefore, you must plan for anonymous access extremely carefully.

Anonymous authentication is enabled at the Web application level at the time of creation. Site administrators for sites in the Web application can then grant or block anonymous access to their site. Anonymous access relies on the anonymous user account on the Web server; IIS creates and manages this account, not the SharePoint site. Allowing anonymous access to a site grants permissions to the anonymous user account.

Review your business requirements, your logical architecture design documentation, and your security plan to determine which sites should be configured for anonymous authentication. You must ensure that your authentication plan maps anonymous authentication to only those Web applications that contain sites that require anonymous access.

Claims-Based Authentication

Key Points

SharePoint 2010 supports claims-based authentication, which enables SharePoint applications to authenticate a user without requiring the user to disclose more information than necessary. If SharePoint 2010 trusts the authentication authority that validates the claims of a user, it will allow the user to be authenticated.

Your SharePoint authentication plan will include claims-based authentication if:
• You need to enable authentication across Windows-based systems and systems that are not based on the Windows operating system.
• Your SharePoint infrastructure must support delegation of user identity between applications.
• Your SharePoint infrastructure requires multiple forms of authentication on a single zone.

In SharePoint Server 2010, you must choose between claims-based authentication and classic-mode authentication when you create a Web application. If you choose classic-mode authentication and later want to convert to claims-based authentication, you can use Windows PowerShell™ to reconfigure the Web application. Alternatively, you can delete the Web application, without deleting the supporting application pool or database, and then re-create it by using claims-based authentication.

Forms-Based Authentication

Key Points

Your SharePoint 2010 infrastructure may call for users who do not belong to a Windows-based identity management system, or who belong to an external system, to be authenticated. Forms-based authentication provides this functionality.

Forms-based authentication is an identity management system that is based on ASP.NET membership and role provider authentication methods. You can use forms-based authentication to authenticate user accounts. However, the SharePoint 2010 service accounts that you use to connect to SQL Server database software and run the farm must be Windows accounts, even when you use alternative methods of authentication to authenticate users. In SharePoint 2010, forms-based authentication is only available when you use claims-based authentication.

Authenticating Against Credentials

The forms-based authentication provider supports authentication against credentials stored in Active Directory, in a database such as a SQL Server database, or in a Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms-based .
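Two of the planning points above, the rule that anonymous authentication must be mapped only to the Web applications that need it and the note that a classic-mode Web application can be reconfigured to claims-based authentication with Windows PowerShell, as one added example that is not part of the course material. The script audits every Web application zone in a SharePoint 2010 farm (anonymous access, Kerberos disabled, claims or classic mode) and then provides a function that converts one classic-mode Web application to claims in place, following the UseClaimsAuthentication / MigrateUsers / ProvisionGlobally sequence Microsoft documents for SharePoint 2010. It assumes the SharePoint 2010 Management Shell (PowerShell 2.0, hence New-Object PSObject rather than a [pscustomobject] cast), a farm administrator account, and the placeholder URL and account names shown; the function and parameter names are mine.

```powershell
# Added example, not from the course: audit authentication settings per web
# application zone and convert a classic-mode web application to claims.
# Run in the SharePoint 2010 Management Shell as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPAuthenticationAudit {
    # One row per web application zone. DisableKerberos = $true means the zone
    # is configured for NTLM only; AllowAnonymous is the IIS-level switch that
    # the lesson says must match the logical architecture.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        if ($wa.UseClaimsAuthentication) { $mode = "Claims" } else { $mode = "Classic" }
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            New-Object PSObject -Property @{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                Url            = $wa.GetResponseUri($zone).AbsoluteUri
                Anonymous      = $iis.AllowAnonymous
                KerberosOff    = $iis.DisableKerberos
                Mode           = $mode
            }
        }
    }
}

function Show-SPAuthenticationRisks {
    # Flags the zones the planner has to justify: anonymous zones and zones
    # that can never negotiate Kerberos.
    param($Audit)
    foreach ($row in $Audit) {
        if ($row.Anonymous) {
            Write-Warning "$($row.Url) [$($row.Zone)] allows anonymous access; confirm the logical architecture requires it"
        }
        if ($row.KerberosOff) {
            Write-Host "$($row.Url) [$($row.Zone)] is NTLM-only (Kerberos disabled on the zone)"
        }
    }
}

function Convert-SPWebApplicationToClaims {
    # Classic to claims in place: the application pool and content databases
    # are kept, which is the alternative to deleting and re-creating the
    # web application that the lesson mentions.
    param(
        [string]$Url,           # placeholder, e.g. "http://portal.contoso.example"
        [string]$AdminAccount   # placeholder, e.g. "CONTOSO\spadmin"
    )
    $wa = Get-SPWebApplication $Url
    if ($wa.UseClaimsAuthentication) { Write-Warning "$Url already uses claims-based authentication"; return }

    $wa.UseClaimsAuthentication = $true
    $wa.Update()

    # After the switch the administrator is only recognised by the encoded
    # claims form of the Windows account, so grant that identity Full Control
    # through a zone policy before migrating the existing user entries.
    $claim = (New-SPClaimsPrincipal -Identity $AdminAccount -IdentityType WindowsSamAccountName).ToEncodedString()
    $wa = Get-SPWebApplication $Url
    $policy = $wa.ZonePolicies("Default").Add($claim, "Claims migration administrator")
    $policy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole("FullControl"))
    $wa.Update()

    $wa.MigrateUsers($true)   # rewrite existing Windows identities in the content databases as claims identities
    $wa.ProvisionGlobally()   # push the new IIS authentication settings to every web front end
}

$audit = Get-SPAuthenticationAudit
$audit | Format-Table WebApplication, Zone, Url, Anonymous, KerberosOff, Mode -AutoSize
Show-SPAuthenticationRisks -Audit $audit

# Conversion is deliberate and one-way; uncomment for a single web application:
# Convert-SPWebApplicationToClaims -Url "http://portal.contoso.example" -AdminAccount "CONTOSO\spadmin"
```

Run the audit before and after any conversion and keep both outputs: the "after" run should show the same anonymous zones as the "before" run, because switching to claims changes how users are identified, not which zones are open to unauthenticated users, and any new anonymous zone at that point is a configuration change that the authentication plan did not ask for.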

Posted: 04/07/2014, 13:20