Authentication in SharePoint 2013

Before a user can get to content, authentication and authorization happens. Authentication which happens before authorization is a process where user credentials are verified to get to the SharePoint server. After a user is authenticated then he/she can view the content for which they have permissions and this is Authorization.

There are two kinds of authentication Claims and Classic.

In Classic based Authentication SharePoint  directly uses windows identity for authentication. But in claims a security token is passed on to the required service for authentication. Meaning you can overcome the double hop limitation using claims while using NTLM (discussed below). Also if you want to use Web Apps server, outlook then you have to use claims.

So we have established that claims is the way to go in SP 2013. Now lets discuss more types in claims.

While creating a new web app using claims you can select different types of claims

  1. Windows authentication : You can using NTLM or Kerberos, basic authentication, digest authentication.
  2. Forms based authentication: This type is usually used for out side user login. It is configured using ASP.NET membership provider. Meaning user with out active directory accounts should be able to authenticate.
  3. SAML token based authentication :  Any service which can issue SAML based tokens can be used to authentication.

SharePoint is a ASP.NET application and it uses Windows Identity Foundation and .NET Framework to implement claims infrastructure. This is accomplished using security token service application which  can validate claims and also acts as identity provider. This service is configured by the SharePoint itself and user has no control to create or configure.

If you choose Windows Authentication while creating a web app then you have to select one of the options below

Integrated windows : NTLM or Kerberos

NTLM is most used authentication here as it is secure and easy to configure. User is a uthenticated in a challenge response fashion and the password in never sent over the network but hash of the password generated using one way hashing algorithm is used.

Kerberos: It is the default authentication used my Microsoft for windows login. This process involves generating encrypted ticket and authenticating using these Ticket granting server session keys. Passwords in any form are never sent across the network and the life time of the tickets is 10 hours by default so user no longer need to be authenticated during this time. This type of authentication would help over come the double hop issue. I would like to talk more about how kerberos works as it helps me understand the process better every time I think about it but there are some really well documented articles already available and I can not present the information any better. Please check out Kerberos explained or MIT, where it was created. Out of all available methods kerberos is the most secured form of authentication but it needs extra configuration steps.

Kerberos can be configured as basic or constrained delegation depending on your domain architecture.  Basic will allow web apps to pass on the kerberos tickets to different domains with in the same AD forest but not across multiple forest boundaries.  You can over come this with constrained delegation provided you have Windows server 2012.

Constrained delegation is not mandatory for SharePoint 2013 but it is highly recommended as the access to different service applications can be controlled.  The following service application do need constrained delegation if you use Kerberos.

Excel services, PerformancePoint Services, InfoPath Forms, Visio Services.

Check out configure Kerberos to know the detailed steps involved in the set up process.

Basic Authentication

Old method where credentials are sent in plain text over the network.

Digest Authentication 

Credentials are hashed and sent to the server for validation

Anonymous Authentication

Anonymous users can access the site. This type is usually used for internet facing sites which disseminates information

Federated Authentication 

It is used to configure a web app to authenticate users using third party credentials. For example you can authenticate clients, partners, etc using their organization credentials by using ADFS. Windows live ID or face book account can also be used to authenticate. As we discussed above SharePoint 2103 primary authentication is claims or you can say it is the only recommended authentication method, It supports multiple authentication methods on a single web application. So you reduce the over head of multiple zones or web applications in some cases.

Anonymous access Site

I want to talk a little bit about accessing a SharePoint website anonymously. Just to keep it simple lets say our website just disseminates content. This might seem simple but majority of the websites in the world just does that. One good  example is Ferrari website which is aesthetically pleasing and does the job well.

  1. Create a new web application and enable anonymous access – Central admin->Application management ->New . Select Allow Anonymous “yes”. If you miss to select this now then you can always come back to this location select the web app and then Authentication provider on the ribbon -> click default and select Allow anonymous access.

2. Create root site collection – Application management – Create Site Collection . Do not forget to select  template as publishing site.

3. Launch the site as administrator (you could use the same account with which you created the web app above) . Go to Settings -> Site permissions -> anonymous access->Entire website.

You should be able to launch the website from the internet. Of course do not forget the DNS settings to resolve the website.

SharePoint Accounts

While there are many articles explaining accounts needed to install and maintain SharePoint, this is my two cents.

I think below accounts are must no matter what kind of model you are looking to install. Technically you can always use a single account with admin rights everywhere but  it will end up with some issues later on. For instance, what if that account gets locked up for some reason then your entire farm will go down.

  1. Setup User Account: Account with which you will install SharePoint. Meaning you login to your server with this account and run the set up. It must be a securityadmin and dbcreator on the SQL Server, and it must be a member of the local Administrators group. I call it SPadmin. 
  2. Farm Account : You will use this account during the installation where it asks you for the credential to create content database. It is also the identity used by the Central Administration site’s application pool, and the identity used by the Timer service. It should be dbcreater, dbowner and security admin. I call this SPfarm
  3. Application pool account. Depending on how you want to maintain webapplications and service applications you can create these accounts. Usually they are least privileged accounts.

SharePoint 2013 Installation

  1. Install on a single server with built in DB : This installation is a good platform for learning and testing. It installs SQL Server 2008 R2 with SP1 Express edition. Which means you cannot go beyond 10 GB for database size. You can download SharePoint Foundation which is a free edition and use this model to install it on a personal computer.
  2. Install on a single server with SQL server : Using this model you can install all the components of SharePoint on one machine. Advantage here is that this model is scalable and you can use full version of SQL where is no 10 GB restriction on DB size. Microsoft do recommends not to go beyond 200 GB for one content DB. I will talk about this in a different article.
  3. Multi-tear installation: This model usually consists of web, application and database layers. There could be multiple servers on each layer sharing the requests and load. Web tier consists of WFE servers which directly respond to customer requests. Application layer consists of search and service applications. DB layer consists of SQL server hosting config, content ,etc databases.
  4. Hosted solution from Microsoft : I have not personally used this model. More information about this can be found at SharePoint Online.