Planning for Windows Authentication in SharePoint 2013
Planning and implementing Windows authentication is much the same whether a web application uses claims-based or classic-mode authentication, and configuring Windows authentication for a claims-based web application is no harder than for a classic-mode one. This section summarizes the planning considerations for each of the Windows authentication methods.
NTLM and Kerberos are the Integrated Windows authentication methods. With either, users are not prompted for credentials: when a user opens a SharePoint site in Internet Explorer, the browser presents the credentials it is currently running under, which are the ones the user entered to log on to the computer.
Services or applications that access SharePoint resources with Integrated Windows authentication attempt to use the credentials of the running thread, which by default is the identity of the process.
NTLM is the simplest form of Windows authentication to implement; it normally needs no additional configuration of the authentication infrastructure.
Kerberos is a ticket-based protocol and does require additional configuration of the environment. To enable Kerberos authentication, both client and server computers need a trusted connection to the domain's Key Distribution Center (KDC). Configuring Kerberos involves registering Service Principal Names (SPNs) in AD DS before you install SharePoint 2013.
There are several reasons to consider Kerberos authentication:
- It is the strongest of the Integrated Windows authentication protocols.
- It supports advanced security features such as Advanced Encryption Standard (AES) encryption and mutual authentication of clients and servers.
- It allows delegation of client credentials.
- It requires the least network traffic to AD DS domain controllers.
- It reduces page latency in some scenarios.
- It can increase the number of pages that front-end web servers can serve in some scenarios.
- It can reduce the load on domain controllers.
- It is an open protocol that is supported by many platforms and vendors.
There are also reasons why Kerberos authentication may not be appropriate:
- Kerberos requires more configuration of the infrastructure and environment than the other authentication methods, and domain administrator permissions are needed to perform that configuration. It can be difficult to set up and manage, and if it is configured incorrectly, users will not be able to authenticate to your sites at all.
- Kerberos requires client computers to have connectivity to a KDC and to an AD DS domain controller. In a Windows deployment the KDC is an AD DS domain controller. That is the common network configuration for an organization's intranet, but it is not how internet-facing deployments are usually configured.
If you decide to use Kerberos authentication, follow these steps to configure it correctly:
- Configure Kerberos authentication for SQL Server communications by creating SPNs in AD DS for the SQL Server service account.
- Create SPNs for the web applications that will use Kerberos authentication.
- Install the SharePoint 2013 Preview farm.
- Configure the services in the farm to run under the specific accounts you registered.
- Create the web applications that will use Kerberos authentication.
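The procedure above, carried through end to end as an added PowerShell example; this is illustrative code written for this page, not the article's own script. It assumes a hypothetical CONTOSO domain, a SQL Server host sql01.contoso.com listening on TCP 1433, a web application at https://portal.contoso.com, service accounts CONTOSO\svc-sql (SQL Server) and CONTOSO\svc-portal (application pool), and made-up names for the application pool and content database. Steps 1 and 2 run as a domain administrator before the farm is installed; steps 4 and 5 run in the SharePoint 2013 Management Shell afterwards.

```powershell
# Added example (not from the original article). All names below are assumptions:
# CONTOSO domain, sql01.contoso.com:1433, portal.contoso.com, the two service
# accounts, the app pool name and the content database name.

$sqlAccount    = 'CONTOSO\svc-sql'
$portalAccount = 'CONTOSO\svc-portal'
$sqlHost       = 'sql01.contoso.com'
$portalHost    = 'portal.contoso.com'

# 1. SPNs for the SQL Server service account, FQDN and short-name forms.
#    setspn -S refuses to add an SPN that already exists anywhere in the
#    forest, which avoids the duplicate-SPN failure mode up front.
setspn -S "MSSQLSvc/${sqlHost}:1433" $sqlAccount
setspn -S "MSSQLSvc/$($sqlHost.Split('.')[0]):1433" $sqlAccount

# 2. SPNs for the web application, registered on the app pool account.
#    The name must be the host header users type, not the server's own name.
setspn -S "HTTP/$portalHost" $portalAccount
setspn -S "HTTP/$($portalHost.Split('.')[0])" $portalAccount

# Verify what was registered and scan the forest for duplicates: a duplicate
# SPN silently breaks Kerberos for both accounts that carry it.
setspn -L $sqlAccount
setspn -L $portalAccount
setspn -X

# 3. Install the SharePoint 2013 farm (setup plus the configuration wizard) here.

# 4. Register the app pool account as a managed account in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cred = Get-Credential -UserName $portalAccount -Message 'App pool account password'
New-SPManagedAccount -Credential $cred | Out-Null

# 5. Create a claims-based web application that negotiates Kerberos.
#    -UseWindowsIntegratedAuthentication without -DisableKerberos gives
#    Negotiate (Kerberos first, NTLM fallback); adding -DisableKerberos
#    would force NTLM only.
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
New-SPWebApplication -Name 'Portal' `
    -ApplicationPool 'PortalAppPool' `
    -ApplicationPoolAccount (Get-SPManagedAccount $portalAccount) `
    -HostHeader $portalHost -Port 443 -SecureSocketsLayer `
    -Url "https://$portalHost" `
    -DatabaseName 'WSS_Content_Portal' `
    -AuthenticationProvider $ap

# 6. From a domain-joined client, confirm the KDC issues a service ticket for
#    the web application's SPN. If the site silently fell back to NTLM,
#    no HTTP/portal.contoso.com ticket appears in the cache.
klist get "HTTP/$portalHost"
klist | Select-String "HTTP/$portalHost"
```

The order matters: the SPNs have to exist before the farm is installed and before the web application is created, otherwise the first requests negotiate down to NTLM and the fallback is easy to miss. The `klist` check at the end is the quickest way to prove that Kerberos, not NTLM, is actually in use.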
Digest authentication sends an MD5 hash (a message digest) of the user's credentials, rather than the credentials themselves, to Internet Information Services (IIS) on the web server that hosts the web application. Basic authentication sends the user's credentials in plain text (Base64 encoded, which is not encryption). Do not use Basic authentication unless the website's traffic is also protected with SSL.
Older authentication methods may still be necessary if your environment includes web browsers or services that support only Digest or Basic authentication. You configure Digest and Basic authentication in the properties of the IIS website that corresponds to the web application; Kerberos, NTLM and Anonymous authentication are not configured that way, but on the web application itself in Central Administration.
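Because Basic authentication is set on the IIS site rather than in Central Administration, it is easy to enable it on a site that still accepts plain HTTP. The following added PowerShell example (written for this page, not taken from the article) uses the WebAdministration module to refuse to enable Basic authentication until the site requires SSL, and to audit existing sites for the weak combination. It assumes a hypothetical site name, 'SharePoint - portal.contoso.com', following SharePoint's usual "SharePoint - <name>" convention; substitute your own.

```powershell
# Added example, not from the original article. The site name is an assumption.
Import-Module WebAdministration

# IIS locks the authentication sections at server level, so site-scoped reads
# and writes go through the apphost path with -Location rather than IIS:\Sites.
$ApphostPath = 'MACHINE/WEBROOT/APPHOST'

function Get-SiteConfigValue {
    param([string]$SiteName, [string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath $ApphostPath -Location $SiteName `
        -Filter $Filter -Name $Name
    # WebAdministration returns either a bare value or a ConfigurationAttribute
    # depending on the property and version; normalize to the value itself.
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
}

function Enable-BasicAuthWithTls {
    param([Parameter(Mandatory)][string]$SiteName)

    $sslFlags = [string](Get-SiteConfigValue $SiteName 'system.webServer/security/access' 'sslFlags')
    if ($sslFlags -notmatch 'Ssl') {
        # Weak state: Basic here would send Base64-encoded credentials over HTTP.
        # Require SSL on the whole site first (assumes the HTTPS binding exists).
        Set-WebConfigurationProperty -PSPath $ApphostPath -Location $SiteName `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    Set-WebConfigurationProperty -PSPath $ApphostPath -Location $SiteName `
        -Filter 'system.webServer/security/authentication/basicAuthentication' `
        -Name enabled -Value $true
}

# Audit: list every site where Basic is enabled but SSL is not required.
function Find-BasicAuthWithoutTls {
    foreach ($site in Get-Website) {
        $basic = [bool](Get-SiteConfigValue $site.Name `
            'system.webServer/security/authentication/basicAuthentication' 'enabled')
        $ssl   = [string](Get-SiteConfigValue $site.Name 'system.webServer/security/access' 'sslFlags')
        if ($basic -and $ssl -notmatch 'Ssl') { $site.Name }
    }
}

Enable-BasicAuthWithTls -SiteName 'SharePoint - portal.contoso.com'
Find-BasicAuthWithoutTls   # expected to print nothing once every site is fixed
```

Requiring SSL in `sslFlags` protects the credential on the wire, but it does not change what Basic is: the server still receives the reusable password on every request, so keep Basic confined to the clients that genuinely cannot do anything else.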