Authentication options

Authentication is the process of verifying that someone is who they claim to be.

The drivers behind the use of authentication include providing personalised functionality, capturing useful metadata, and meeting compliance and security needs. From a user's point of view, authentication allows information to be presented and used in a targeted way. From a security point of view, authentication is a prerequisite for access control and audit logging: neither can be enforced or trusted without a reliable identity behind each request. And from a compliance point of view, authentication is necessary across the board, from ensuring the evidential correctness of audit logs (who did what, and when?) to applying appropriate controls over the release and authoring of sensitive information.

Authentication options

SharePoint provides the architect with a number of authentication design options.

  • Windows authentication, including Active Directory authentication (supporting both the Kerberos and NTLM protocols), anonymous access and basic authentication. This functionality is provided by IIS and used by SharePoint. Note that basic authentication sends the password base64-encoded rather than encrypted, so it is only acceptable over SSL.
  • Forms-based authentication (FBA), implemented through the ASP.NET pluggable authentication provider model. SharePoint ships an LDAP membership provider that can talk to Active Directory, Active Directory Application Mode (ADAM) or Active Directory Lightweight Directory Services (AD LDS). FBA can also use the SQL Server membership provider included with ASP.NET.
  • Web single sign-on (Web SSO), which provides integration with Active Directory Federation Services (ADFS).

These options are described in more detail below. The choice of which solution to use will depend largely on the constraints of the environment under consideration.

Windows authentication

Generally, Windows-based environments will use the Windows authentication option. If your environment is a "Windows shop", with users running Windows operating systems and Active Directory used for authentication, Windows authentication is clearly the easiest option: users are signed in transparently with their existing domain logon, and the application never handles a password itself.
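One check worth running once Windows authentication is in place is whether clients actually authenticate with Kerberos or silently fall back to NTLM: the browser's Authorization header says "Negotiate" in both cases, and the difference is only visible inside the SPNEGO token. The script below is an added example, not code from the original page or from Microsoft. It decodes the first Negotiate (or NTLM) token a client sends and reports the mechanism the client built its token for; per RFC 4178 that is the first entry in the mechTypes list. The sample tokens are constructed in the script, not captured from a real farm; the OIDs are the standard ones used by Windows SPNEGO.

```python
import base64

# Well-known OIDs found in SPNEGO (RFC 4178) tokens sent by Windows clients.
SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OID = "1.2.840.113554.1.2.2"
MS_KERBEROS_OID = "1.2.840.48018.1.2.2"
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"
NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30"
MECH_NAMES = {KERBEROS_OID: "Kerberos", MS_KERBEROS_OID: "Kerberos (MS legacy OID)",
              NTLM_OID: "NTLM", NEGOEX_OID: "NEGOEX"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn the content bytes of a DER OID into dotted notation."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)

def negotiate_mechs(token_b64):
    """Return the mechanism list from a NegTokenInit, preferred mechanism first.

    RFC 4178 ties the optimistic mechToken to mechTypes[0], so the first entry is
    the mechanism the client actually produced a token for.
    """
    raw = base64.b64decode(token_b64)
    if raw.startswith(b"NTLMSSP\x00"):        # some clients send bare NTLMSSP under Negotiate
        return ["NTLM (raw NTLMSSP, no SPNEGO wrapper)"]
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    _, neg_init, _ = _read_tlv(body, pos)      # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init, 0)         # SEQUENCE { mechTypes, ... }
    tag, mech_types, _ = _read_tlv(seq, 0)     # [0] mechTypes is the first element
    if tag != 0xA0:
        raise ValueError("NegTokenInit without mechTypes")
    _, oids, _ = _read_tlv(mech_types, 0)      # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(oids):
        _, oid, pos = _read_tlv(oids, pos)
        dotted = _decode_oid(oid)
        mechs.append(MECH_NAMES.get(dotted, dotted))
    return mechs

def classify_authorization(header_value):
    """Classify an HTTP Authorization header value as Kerberos, NTLM or something else."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme == "NTLM":
        return "NTLM"
    if scheme != "Negotiate":
        return "other: " + scheme
    first = negotiate_mechs(token)[0]
    if first.startswith("Kerberos"):
        return "Kerberos"
    return "NTLM" if first.startswith("NTLM") else first

# --- Constructed sample tokens (test data, not captures from a real farm) -----------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytes([p & 0x7F])
        p >>= 7
        while p:
            chunk = bytes([0x80 | (p & 0x7F)]) + chunk
            p >>= 7
        out += chunk
    return _der(0x06, out)

def make_negotiate_token(mech_oids):
    """Build a minimal SPNEGO NegTokenInit carrying only a mechTypes list."""
    mech_list = _der(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list))
    return base64.b64encode(_der(0x60, _encode_oid(SPNEGO_OID) + _der(0xA0, neg_init))).decode()

# A raw NTLM Type 1 (NEGOTIATE_MESSAGE) as sent with the "NTLM" scheme, constructed.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 22).decode()

if __name__ == "__main__":
    samples = {
        "domain client, SPN registered": "Negotiate " + make_negotiate_token(
            [MS_KERBEROS_OID, KERBEROS_OID, NEGOEX_OID, NTLM_OID]),
        "domain client, no ticket obtained": "Negotiate " + make_negotiate_token([NTLM_OID]),
        "non-domain client": "NTLM " + NTLM_TYPE1,
    }
    for label, header in samples.items():
        print(f"{label:36s} -> {classify_authorization(header)}")
```

Feed it the Authorization header from an IIS failed-request trace or a proxy capture of the first authenticated request; a fleet of domain-joined clients that all come back as NTLM usually means the HTTP service principal name for the web application's host header is not registered against the application pool account.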

Forms-based authentication

The forms-based authentication (FBA) option is generally selected when an environment does not use Active Directory or needs to support external access. FBA draws on the ASP.NET 2.0 provider model. Implementing FBA typically involves both configuration (membership and role providers in web.config on every web front end, and in Central Administration) and development activity.
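Two of those configuration settings carry most of the security weight: the forms ticket cookie should only ever travel over SSL, and the LDAP membership provider should bind to the directory over SSL, because a simple bind sends the user's password in clear text otherwise. The following is an added example, not code from the original page or from Microsoft: a small Python check over a constructed web.config fragment that flags the weak settings and produces the corrected version. The provider type name and attribute names are reproduced from memory of the SharePoint 2007 documentation and should be verified against the installed Microsoft.Office.Server assembly; the server, container and key values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment for FBA against the SharePoint 2007 LDAP
# membership provider. Type/attribute names follow the 2007-era documentation as
# remembered (verify against the installed assembly); host and container are placeholders.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" timeout="60" />
    </authentication>
    <membership defaultProvider="LdapMembership">
      <providers>
        <add name="LdapMembership"
             type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
             server="dc01.corp.example" port="389" useSSL="false"
             userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName"
             userContainer="OU=Staff,DC=corp,DC=example" userObjectClass="person"
             userFilter="(ObjectClass=person)" scope="Subtree" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

LDAPS_PORTS = ("636", "3269")   # LDAP over SSL, and global catalog over SSL

def _ldap_providers(root):
    for membership in root.iter("membership"):
        for add in membership.iter("add"):
            if "LDAPMembershipProvider" in add.get("type", ""):
                yield add

def fba_findings(web_config_xml):
    """Return a list of security findings for the FBA settings in a web.config string."""
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authentication"), None)
    if auth is None or auth.get("mode") != "Forms":
        return ["authentication mode is not Forms; FBA checks do not apply"]
    findings = []
    forms = auth.find("forms")
    # ASP.NET defaults: requireSSL=false, protection=All, cookieless=UseDeviceProfile
    if forms is None or forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms: requireSSL is not true, so the ticket cookie can be sent over plain HTTP")
    if forms is not None and forms.get("protection", "All") != "All":
        findings.append("forms: protection is not All, so the ticket is not both encrypted and validated")
    if forms is not None and forms.get("cookieless", "UseDeviceProfile") != "UseCookies":
        findings.append("forms: cookieless is not UseCookies, so the ticket may be carried in the URL")
    for add in _ldap_providers(root):
        name = add.get("name")
        if add.get("useSSL", "false").lower() != "true":
            findings.append(f"provider {name}: useSSL is not true, so passwords cross the network in clear text during the bind")
        if add.get("port") not in LDAPS_PORTS:
            findings.append(f"provider {name}: port {add.get('port')} is not an LDAPS port")
    return findings

def harden_fba(web_config_xml):
    """Return the same web.config with the ticket cookie and LDAP bind settings tightened."""
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authentication"), None)
    forms = auth.find("forms") if auth is not None else None
    if forms is not None:
        forms.set("requireSSL", "true")
        forms.set("protection", "All")
        forms.set("cookieless", "UseCookies")
    for add in _ldap_providers(root):
        add.set("useSSL", "true")
        add.set("port", "636")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for finding in fba_findings(WEAK_WEB_CONFIG):
        print("-", finding)
    print(harden_fba(WEAK_WEB_CONFIG))
```

The check says nothing about settings that live outside this fragment, in particular the machineKey, which must be identical on every web front end so that a ticket issued by one server validates on the others.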

Reasons against using FBA include the increased difficulty of implementing single sign-on and its impact on other applications that integrate with SharePoint. Even the Microsoft Office suite, including Word and PowerPoint, has difficulty authenticating against FBA sites, which results in a degraded user experience and reduced functionality.

Microsoft have improved this situation in SharePoint 2007 SP2 combined with Office 2007 SP2, but we are unaware of any improvements in integration with the Office 2003 suite, and at the time of writing most organisations have not rolled out 2007 SP2; indeed a large number are still using Office 2003 with no plans to upgrade. And Outlook 2007 SP2, perhaps the most important tool in the Office suite for many users, was not fixed in this regard. Microsoft needs to be careful that its rapid release schedule does not move too far ahead of its customers, who fear an increasing likelihood of support issues ("this doesn't work on my work laptop") and of internal and external synchronisation problems ("our partners can't open our sales presentations").

The user experience, then, will depend on both

  • which service pack of SharePoint you are running; and
  • which version and service pack of Office.

  Microsoft Office SharePoint Server (MOSS) 2007   Office                      User experience
  MOSS 2007 SP2                                    Office 2007 SP2             Best: Office supports FBA.
  MOSS 2007 SP2                                    Office 2007 SP1 or below    MOSS/Office does not support FBA very well; user likely to be prompted for credentials over and over.
  MOSS 2007 SP1 or below                           Office 2007 SP2 or below    MOSS/Office does not support FBA very well; user likely to be prompted for credentials over and over.

Web single sign on (Web SSO)

Web SSO is used to integrate SharePoint authentication with Active Directory Federation Services (ADFS). Because the browser is redirected to the federation service to sign in, it suffers the same client application integration problems as FBA, discussed above.

Other options

Anonymous access allows unidentified people ("Joe Public") to interact with SharePoint sites. For internal deployments we discourage enabling it. The scenario in which anonymous access should be considered is a public-facing website, so that people can browse your sites without having to create accounts. Anonymous access does not provide item-level control, prevents document authoring, and does not provide access to remote interfaces. Where it is enabled, nothing an anonymous visitor does can be attributed to a person in the audit log, so confine it to read-only content.

Federated authentication is supported through the use of Active Directory Federation Services. Microsoft are also working on what they call a claims-based authentication model, which we expect to be incorporated into future versions of SharePoint; Microsoft currently refer to this work as codename "Geneva". The general principle is that a user authenticates to another party, which then gives you some trusted information (claims) about the user, for example the name of the company the user works for. You in turn decide whether to allow access to resources based on those claims, not on the specific identity (such as the username) of the person making the request. The trust you place in a claim is only as good as the issuing party and the signature on the token it gives you.

A single sign-on (SSO) service is provided by SharePoint. It uses the Windows SSO service and aids with credential delegation to back-end systems by providing encrypted storage of account names and passwords. Key management is the hard part of any such solution: the stored passwords are reversibly encrypted, so whoever holds the encryption key can recover all of them, and procedural and personnel controls are usually needed around it. The SSO service is configured through "enterprise application definitions" presented in the SharePoint Central Administration web site.

Future directions

Microsoft is gradually introducing a more advanced federated authentication solution, codenamed "Geneva" and built on ADFS, which it now calls "claims-based authentication". Other vendors offer broad identity management solutions, of which authentication services are a part.

Relationship to Authorization

Authentication is followed by authorization, which determines what an authenticated user is and is not permitted to do.

Guidance

  • For internal sites, disable anonymous authentication: actions that cannot be attributed to a person may prevent compliance with your business's accountability requirements and policies.
  • Use Windows authentication with the Kerberos protocol where possible, as it offers better integration and ease of use. Kerberos only works when the HTTP service principal name for each web application's host name is registered against its application pool account; otherwise clients fall back to NTLM without any visible error.
  • For planning purposes, consider Microsoft's identity management roadmap and projects, including codename "Geneva".