SharePoint Claims Based Authentication Architectures Explained – Part 1 – Intro To Claims Architectures

Most applications on the internet are interactive: a user follows a hyperlink and expects the page behind it to appear, and expects the site to keep track of who is logged in and for how long. Nobody wants to re-enter a password at every step of that process.

Users want to enter their credentials once and then reach any of the organization's web applications from that one logon. Any web application designed for such an environment has to support this expectation. The process is referred to here as single sign-on; in the federation literature it also appears under the name passive federation (browser-based federation, where the browser is redirected to the identity provider and back).

Most people have already experienced single sign-on in a Windows domain. Once you log on with your password at the start of the day, you can reach every resource in the domain without typing it again, because Windows authenticates you to each resource on your behalf using Kerberos.

Kerberos is extremely widespread, but it does not cross organizational boundaries easily. The domain controller holds the keys to every resource the organization's users can reach, and firewalls keep that traffic inside the corporate network; when you are out of the office, you first connect back to it over a VPN.

Kerberos is also inflexible about the information it carries. Many people would like a ticket to carry arbitrary attributes about the user, an email address for example, but a Kerberos ticket does not. With claims that flexibility is present: a token can carry whatever attributes the issuer is willing to assert, limited only by your imagination and by the policies your IT department has in place.

Claims-based identity builds on open standards (token formats and federation protocols) that cross security boundaries, both between platforms and across firewalls, because every party speaks the same protocol. With this in mind, the application no longer has to authenticate users itself.

Instead, the application requires a security token issued by an issuer it trusts. If the IT department later raises the bar and requires a smart card instead of a username and password, that change is made at the issuer; the application does not have to be reconfigured, so it is not a time-consuming change.

Domain controllers will still be in place to secure an organization's resources. Businesses will also still have trust decisions to make: before federating with a partner, the legal and contractual questions have to be reviewed and settled. Claims-based identity does not change those existing requirements.

What does change is that claims add a layer over the existing infrastructure, and some of the technical barriers that exist today are removed. The result is a single sign-on solution that is also flexible enough for the users' needs. Claims are designed to work within the security that already exists and to eliminate many of the technical problems currently experienced.
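The trust model above, reduced to its essentials, as an added example (this is not SharePoint or Windows Identity Foundation code, and the token layout, issuer names, claim names and keys are assumptions made for the illustration). An issuer authenticates the user however it likes and signs a token full of claims; the application never sees a password and only checks issuer trust, signature, audience and validity window before consuming the claims. An HMAC with a per-issuer shared key stands in for the X.509 signing certificate a real security token service would use:

```python
"""Claims-based relying party in miniature (added example, not SharePoint/WIF code)."""
import base64
import hashlib
import hmac
import json
import time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# ---- issuer (security token service) side -----------------------------------
def issue_token(issuer: str, key: bytes, audience: str, claims: dict,
                auth_method: str, now: float, lifetime: int = 600) -> str:
    """Emit <base64 body>.<base64 HMAC>.  How the user authenticated (password,
    smart card) is just another claim; the application's checks do not change
    when the issuer tightens its policy.  HMAC stands in for an X.509 signature."""
    body = {"iss": issuer, "aud": audience, "iat": int(now), "exp": int(now) + lifetime,
            "claims": dict(claims, authenticationmethod=auth_method)}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(raw)}.{_b64(hmac.new(key, raw, hashlib.sha256).digest())}"

# ---- relying party (the application) side -----------------------------------
class RelyingParty:
    def __init__(self, audience: str, trusted_issuers: dict):
        self.audience = audience
        self.trusted = trusted_issuers          # issuer name -> verification key

    def validate(self, token: str, now: float) -> dict:
        """Return the claims if the token is acceptable, otherwise raise ValueError."""
        try:
            body_b64, sig_b64 = token.split(".")
            raw = _unb64(body_b64)
            body = json.loads(raw)
        except Exception as exc:
            raise ValueError("malformed token") from exc
        key = self.trusted.get(body.get("iss"))
        if key is None:                         # trust decision comes first
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            raise ValueError("bad signature")
        if body.get("aud") != self.audience:
            raise ValueError("token not issued for this application")
        if not (body["iat"] <= now < body["exp"]):
            raise ValueError("token expired or not yet valid")
        return body["claims"]

def demo() -> dict:
    """Trusted issuer accepted; tampered, untrusted and expired tokens rejected."""
    now = 1_700_000_000.0                       # fixed clock for a repeatable run
    corp_key = b"corp-sts-signing-key"          # assumption: shared out of band with the RP
    rp = RelyingParty("https://portal.example/", {"urn:corp-sts": corp_key})
    token = issue_token("urn:corp-sts", corp_key, "https://portal.example/",
                        {"upn": "alice@corp.example", "role": "Contributor"}, "smartcard", now)
    results = {"valid": rp.validate(token, now)}
    body_b64, sig_b64 = token.split(".")
    forged = json.loads(_unb64(body_b64))
    forged["claims"]["role"] = "SiteCollectionAdmin"          # user edits own claims
    forged_tok = _b64(json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64
    partner_tok = issue_token("urn:partner-sts", b"partner-key", "https://portal.example/",
                              {"upn": "bob@partner.example"}, "password", now)
    for name, tok, clock in (("tampered", forged_tok, now), ("untrusted", partner_tok, now),
                             ("expired", token, now + 3600)):
        try:
            rp.validate(tok, clock)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the issuer lookup comes before signature verification, so the application never evaluates a signature under a key it did not choose to trust, and `compare_digest` keeps the comparison constant-time.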


Introduction To IPSec

For most organizations, the C and I of the CIA model (confidentiality and integrity) are critical for data traversing a network or a collaboration environment. It is therefore important to protect packets in transit between the machines that make up your SharePoint network.

The protection schemes described here operate at Layer 2 or Layer 3 of the OSI model (IPSec itself at Layer 3), which has been detailed in previous articles (please read the OSI model and SharePoint article for an overview of how the OSI model is structured). There is a layer of abstraction between these lower layers and the ones SharePoint primarily interacts with (the presentation and application layers), but the model is nonetheless an important concept for a proper security implementation in your SharePoint environment.

IPSec As A Network Security Protocol
IPSec is the principal network-layer security protocol suite, and it supports multiple, concurrent tunneling schemes. Its chief purpose is to authenticate and encrypt IP packets as they cross an arbitrary medium, particularly the packets involved with your collaboration environment.

IPSec is an optional extension for the legacy IPv4 standard, whereas it is built directly into the IPv6 standard (a common future rollout for organizations), which gives a more uniform transmission security protocol. Other relevant network security standards (discussed in other articles) such as PPTP and L2TP were mostly designed for dial-up and remote-access VPNs, whereas IPSec was built from the ground up as a general standard for securing IP traffic between networked hosts.

IPSec can still be used for VPNs (across IPSec-compatible VPN devices deployed in the DMZ, i.e. a VPN gateway), but it is not a multi-protocol standard: it is strictly targeted at protecting IP traffic. It is, however, built as a modular framework, which gives several degrees of flexibility within that base design.

Tunnel and Transport Mode
There are two operational modes in IPSec, Tunnel Mode and Transport Mode. In tunnel mode the complete Layer 3 packet, IP header included, is encapsulated in a new IP packet (and, with ESP, encrypted), so the original source and destination addresses are hidden from the path; this is what gateway-to-gateway VPNs use. In transport mode only the Layer 3 payload is protected and the original IP header is left in place, as in an ordinary host-to-host transmission.

Authentication Header and Encapsulating Security Payload

Two security protocols make up IPSec: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides data origin authentication, connectionless integrity and anti-replay protection, and its integrity check also covers the immutable fields of the IP header. The key point about AH is that it provides no confidentiality, by design. ESP provides confidentiality and, when an integrity algorithm is configured (which it should be), data origin authentication, connectionless integrity and anti-replay as well; its integrity check covers the ESP header and payload but not the outer IP header, which is what differentiates it from AH.
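An added example that builds the two modes and the two protocols byte by byte (this is not code from any IPsec implementation; keys, SPIs, addresses and the payload are constructed). It shows what each protocol protects: the AH integrity check survives a router decrementing TTL but fails on a flipped payload bit, and hides nothing; the ESP tunnel hides the whole inner packet, addresses included, and its ICV covers only the ESP header onward. The ESP cipher here is an HMAC-SHA256 counter keystream standing in for AES, so the framing is ESP's but the transform is not one IKE would negotiate:

```python
"""AH transport mode and ESP tunnel mode framing (added example, no real IPsec stack)."""
import hashlib
import hmac
import os
import socket
import struct

AH, ESP, TCP, IPIP = 51, 50, 6, 4            # IP protocol numbers

def _checksum(data):
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def _immutable(ip_hdr):
    """Zero the header fields routers may change (TOS, flags/fragment, TTL, checksum)."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:12]   # HMAC-SHA256-96

# AH, transport mode:  IP(proto 51) | AH | payload           (nothing encrypted)
def ah_transport(src, dst, payload, spi, seq, key):
    ip = ipv4_header(src, dst, AH, 20 + 24 + len(payload))
    ah = struct.pack("!BBHII", TCP, 24 // 4 - 2, 0, spi, seq)   # next hdr, len, rsvd, SPI, seq
    icv = _icv(key, _immutable(ip) + ah + b"\0" * 12 + payload)  # ICV field zeroed while computing
    return ip + ah + icv + payload

def ah_verify(packet, key):
    ip, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(icv, _icv(key, _immutable(ip) + ah + b"\0" * 12 + payload))

# ESP, tunnel mode:  outer IP(proto 50) | SPI,seq,IV | {inner IP | payload | pad | padlen | next} | ICV
def _keystream(key, iv, n):
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_tunnel(gw_src, gw_dst, inner_packet, spi, seq, enc_key, auth_key, iv=None):
    iv = iv or os.urandom(8)
    pad_len = (-(len(inner_packet) + 2)) % 4                     # 4-byte alignment of the trailer
    plain = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP])
    esp = struct.pack("!II", spi, seq) + iv + _xor(plain, _keystream(enc_key, iv, len(plain)))
    esp += _icv(auth_key, esp)                                   # integrity over SPI..trailer only
    return ipv4_header(gw_src, gw_dst, ESP, 20 + len(esp)) + esp

def esp_open(packet, enc_key, auth_key):
    """Receiver: verify the ICV before decrypting anything, then strip the trailer."""
    esp = packet[20:]
    if not hmac.compare_digest(esp[-12:], _icv(auth_key, esp[:-12])):
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    plain = _xor(esp[16:-12], _keystream(enc_key, esp[8:16], len(esp) - 28))
    pad_len, next_hdr = plain[-2], plain[-1]
    return {"spi": spi, "seq": seq, "next_header": next_hdr, "inner": plain[:len(plain) - pad_len - 2]}

def demo():
    k_auth, k_enc = b"constructed-auth-key", b"constructed-enc-key"
    payload = b"GET /sites/hr/ HTTP/1.1\r\n"                      # constructed application data
    ah_pkt = ah_transport("10.1.1.5", "10.2.2.9", payload, 0x100, 1, k_auth)
    ttl_dec = ah_pkt[:8] + bytes([ah_pkt[8] - 1]) + ah_pkt[9:]   # a router decremented TTL
    tampered = ah_pkt[:-1] + bytes([ah_pkt[-1] ^ 0x01])          # one payload bit flipped
    inner = ipv4_header("10.1.1.5", "10.2.2.9", TCP, 20 + len(payload)) + payload
    esp_pkt = esp_tunnel("203.0.113.1", "198.51.100.7", inner, 0x200, 1, k_enc, k_auth, iv=b"\0" * 8)
    opened = esp_open(esp_pkt, k_enc, k_auth)
    return {"ah_ok": ah_verify(ah_pkt, k_auth),
            "ah_ok_after_ttl_change": ah_verify(ttl_dec, k_auth),
            "ah_ok_after_tamper": ah_verify(tampered, k_auth),
            "ah_payload_visible": payload in ah_pkt,
            "esp_inner_visible": inner in esp_pkt,
            "esp_recovered_inner": opened is not None and opened["inner"] == inner,
            "esp_next_header": opened["next_header"] if opened else None}

if __name__ == "__main__":
    print(demo())
```

Note the receiver order in `esp_open`: the ICV is checked before any decryption, so a forged or corrupted packet is dropped without the keystream ever being applied to attacker-controlled bytes.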

Security Associations
A security association (SA) in IPSec is a relationship between two entities that describes how they will use the available security services to communicate securely: the protocol (AH or ESP), the mode, the algorithms and keys, and the lifetime. An SA is unidirectional and is identified by the Security Parameter Index (SPI) carried in each AH or ESP header, so a bidirectional connection uses a pair of SAs.

Internet Key Exchange (IKE)

The security associations described above require a protocol that can negotiate them between the peers. IKE requires the two IPSec systems to authenticate each other before shared keys are established. The key exchange in IKE proceeds in two phases:

Phase 1
Between two peers, IKE establishes a secure channel known as the IKE security association (distinct from the IPSec SAs described above, whose negotiation it will protect). During this phase a Diffie-Hellman key agreement is performed.

In phase 1 there are three main methods of authenticating IPSec peers: pre-shared keys, where the administrator manually enters the same key value on both sides; RSA signatures, which use digital certificates and an RSA signature; and RSA encrypted nonces, which use RSA encryption to encrypt a nonce (a random number).

Phase 2
During Phase 2, IKE negotiates the IPSec security associations and generates the key material needed by the IPSec service. The sender presents one transform set (or more, if the IKE policy allows it), each a combination of transforms covering the relevant settings (protocol, algorithms, mode), and designates the data flow to which the transform set should apply.

The receiver replies with a single transform set that specifies the mutually agreed transforms and algorithms for the session. Lastly, a new Diffie-Hellman key agreement may be performed for this phase (perfect forward secrecy), or the secret generated in phase 1 can be reused.
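The two phases above, with pre-shared-key authentication, run side by side for both peers as an added example (this is not code from any IKE daemon). The SKEYID derivation and the HASH_I/HASH_R authentication hashes follow RFC 2409 sections 5 and 5.4, and the quick-mode KEYMAT derivation follows section 5.5, but the Diffie-Hellman modulus is a small Mersenne prime chosen for speed, a toy rather than an IKE MODP group; cookies, nonces, the SA payload bytes and the identities are constructed for the illustration. A peer holding the wrong PSK derives a different SKEYID and its HASH_I is rejected:

```python
"""IKEv1 phase 1 (PSK) and phase 2 key derivation, both peers (added example, toy DH group)."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1          # toy modulus (a prime), NOT an IKE MODP group
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _b(n: int) -> bytes:
    return n.to_bytes(16, "big")

class Peer:
    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.cookie = secrets.token_bytes(8)            # CKY (constructed, random per run)
        self.nonce = secrets.token_bytes(16)            # Ni_b / Nr_b
        self.x = secrets.randbelow(P - 2) + 1           # DH private value
        self.pub = pow(G, self.x, P)                    # g^x, sent in the KE payload

    def derive(self, other_pub, cky_i, cky_r, ni, nr):
        """RFC 2409 s5.4 (PSK): SKEYID = prf(PSK, Ni_b | Nr_b); then s5: SKEYID_d, _a, _e."""
        gxy = _b(pow(other_pub, self.x, P))
        skeyid = prf(self.psk, ni + nr)
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")      # feeds IPsec key material
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE message auth
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
        return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def auth_hash(skeyid, g_a, g_b, cky_a, cky_b, sa_payload, identity):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R swaps sides."""
    return prf(skeyid, g_a + g_b + cky_a + cky_b + sa_payload + identity)

def phase1(init: Peer, resp: Peer, sa_payload=b"SA:ESP-AES-SHA-PSK-DH"):
    """Main mode in outline: cookies+SA, KE+nonce, then ID+HASH under the derived keys."""
    ci, cr, ni, nr = init.cookie, resp.cookie, init.nonce, resp.nonce
    ki = init.derive(resp.pub, ci, cr, ni, nr)
    kr = resp.derive(init.pub, ci, cr, ni, nr)
    hash_i = auth_hash(ki["skeyid"], _b(init.pub), _b(resp.pub), ci, cr, sa_payload, init.identity)
    expect_i = auth_hash(kr["skeyid"], _b(init.pub), _b(resp.pub), ci, cr, sa_payload, init.identity)
    if not hmac.compare_digest(hash_i, expect_i):       # responder checks the initiator
        return {"authenticated": False, "reason": "HASH_I mismatch (PSK differs)"}
    hash_r = auth_hash(kr["skeyid"], _b(resp.pub), _b(init.pub), cr, ci, sa_payload, resp.identity)
    expect_r = auth_hash(ki["skeyid"], _b(resp.pub), _b(init.pub), cr, ci, sa_payload, resp.identity)
    if not hmac.compare_digest(hash_r, expect_r):       # initiator checks the responder
        return {"authenticated": False, "reason": "HASH_R mismatch"}
    return {"authenticated": True, "keys_i": ki, "keys_r": kr}

def phase2_keymat(skeyid_d, protocol: int, spi: int, ni2, nr2, pfs_gxy=b""):
    """Quick mode KEYMAT (RFC 2409 s5.5) = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    Without PFS the phase-1 secret is reused through SKEYID_d; with PFS a fresh g^xy is mixed in."""
    return prf(skeyid_d, pfs_gxy + bytes([protocol]) + spi.to_bytes(4, "big") + ni2 + nr2)

def demo():
    a, b = Peer(b"correct horse", b"gw-a.example"), Peer(b"correct horse", b"gw-b.example")
    ok = phase1(a, b)
    bad = phase1(a, Peer(b"wrong key", b"gw-c.example"))
    ni2, nr2 = b"\x11" * 16, b"\x22" * 16                # constructed quick-mode nonces
    km_i = phase2_keymat(ok["keys_i"]["d"], 50, 0x200, ni2, nr2)   # 50 = ESP
    km_r = phase2_keymat(ok["keys_r"]["d"], 50, 0x200, ni2, nr2)
    return {"auth_ok": ok["authenticated"], "same_ike_keys": ok["keys_i"] == ok["keys_r"],
            "same_esp_keymat": km_i == km_r, "wrong_psk": bad}

if __name__ == "__main__":
    print(demo())
```

Because the PSK enters only through SKEYID, a peer with a different PSK still completes the Diffie-Hellman exchange and computes a plausible-looking HASH_I; it is the responder's recomputation under its own SKEYID that fails, which is why the example checks HASH_I before deriving anything further.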

The IPsec Process

The IPsec process can commonly be broken down into five major steps, including the handshaking and termination proceedings:

  • Initialization: Traffic matching an IPSec security policy triggers the IPSec service, which in turn starts the IKE process.
  • Phase 1 of IKE: The peers authenticate each other and negotiate the IKE security association, which protects Phase 2.
  • Phase 2 of IKE: IKE negotiates the IPSec security associations and generates the key material for the peers.
  • Data Transfer: Data is transmitted under IPSec using the negotiated security associations.
  • Tunnel Drop: The IPSec security associations are torn down, whether because their lifetime expired, the tunnel was deleted, or another condition determined by the session state.

Overview and Features: ISA Server and SharePoint

* This article was written in the context of Internet Security and Acceleration (ISA) 2006, a technology now considered deprecated with the introduction of Forefront Threat Management Gateway (TMG). Variations may exist. *


Microsoft Internet Security and Acceleration (ISA) Server can complement your collaboration and communications environment by providing a SharePoint-aware firewall, analysis of possible threats in your SharePoint traffic, and a secure VPN architecture, allowing your organization to remain secure while providing robust channels for serving SharePoint. By leveraging ISA Server you can securely provide an extranet implementation, as well as mitigate possible internal threats. Serving SharePoint externally is a beneficial way to establish collaboration and communication with business partners, customers and remote divisions. By planning, designing and implementing a secure environment using ISA Server, you can ensure that your SharePoint data is available only to the right people.

The security of your SharePoint environment is only as good as the tools you give your SharePoint and systems administrators. Through an intuitive user interface, ISA Server gives the people responsible for the health of your portal security configuration wizards, advanced monitoring tools, and a central location to manage SharePoint network access.

Protecting your SharePoint environment involves many processes, but ISA Server can help simplify them. Serving SharePoint externally means controlling the flow of SharePoint business data as it moves back and forth between your company and an external partner. ISA Server provides facilities for passing SharePoint traffic through a secured network circuit and application-layer proxy services.

It is important that SharePoint is not exposed when it doesn't need to be, and that connections are dropped as soon as an employee or customer is done. ISA Server allows the ports SharePoint uses to be opened and closed dynamically using the technology described above, protecting your portal.

It is increasingly common to use SharePoint to store various file formats and to integrate it with several different technologies, each carrying its own security implications. Using the advanced circuit filtering provided by ISA Server, it is possible to integrate and distribute these varying application files while keeping the integrity of your portal intact. The applications vary, and so do the protocols associated with them (for example, integrating POP3 email access into your SharePoint portal); ISA Server provides the means to handle all these types of traffic, ensuring that only the appropriate services serve the right data.

SharePoint can also be rather slow to load over an external connection, for a variety of reasons. Using the advanced web caching features in ISA Server, it is possible to shorten the time it takes your SharePoint portal to load and be ready for use, increasing overall efficiency.


  • A new, simplified user interface
  • Support for multiple networks
  • Improved VPN support
  • VPN quarantine capabilities
  • Ability to create custom firewall user groups
  • More extensive protocol support
  • Customized protocol definitions
  • OWA Publishing Wizard
  • Improved support for FTP upload/download policy
  • Improved Web publishing
  • Port redirection for server publishing rules
  • Improved cache rules for centralized object storage
  • Path mapping for Web publishing rules
  • RADIUS support for Web proxy client authentication
  • Delegation of basic authentication
  • RSA SecurID authentication
  • Firewall-generated forms (forms-based authentication)
  • Improved SMTP Message Screener
  • Improved HTTP filtering
  • Link translation
  • Improved monitoring and reporting