Plan authentication methods (Windows SharePoint Services)
Applies To: Windows SharePoint Services 3.0
Topic Last Modified: 2009-04-15
In this article:
About authentication
Supported authentication methods
Configure authentication
Plan authentication for crawling content
Planning zones for your authentication design
Choose methods of authentication allowed in your environment
Worksheet
This article describes the authentication methods that are supported by Windows SharePoint Services 3.0. After reading this article, you will be able to:
Understand how authentication is implemented in Windows SharePoint Services 3.0.
Identify the authentication methods that are appropriate for your environment.
About authentication
Authentication is the process of validating a user's identity. After a user's identity is validated, the authorization process determines which sites, content, and other features the user can access.
In Windows SharePoint Services 3.0, the authentication process is managed by Internet Information Services (IIS). After IIS performs authentication of users, the security features in Windows SharePoint Services 3.0 perform the authorization process.
For more information about implementing Windows SharePoint Services 3.0 authorization, see Plan site and content security (Windows SharePoint Services).
Planning for authentication is important not only to protect your solution by validating users' identities, but also to secure user credentials over the network.
Supported authentication methods
Windows SharePoint Services 3.0 provides a flexible and extensible authentication system, which supports authentication for identity management systems that are based or are not based on the Microsoft Windows operating system. By integrating with ASP .NET pluggable authentication, Windows SharePoint Services 3.0 supports a variety of forms-based authentication schemes. Authentication support in Windows SharePoint Services 3.0 enables a variety of authentication scenarios, including:
Using standard Windows authentication methods.
Using a simple database of user names and passwords.
Connecting directly to an organization's identity management system.
Using two or more methods of authentication for accessing partner applications (for example, connecting to your partner company's identity management system for authenticating partner employees while using Windows authentication methods to authenticate your internal employees).
Participating in federated identity management systems.
The following table lists the supported authentication methods:
Authentication method | Description | Examples |
---|---|---|
Windows |
The standard IIS Windows authentication methods are supported. |
|
ASP.NET forms |
Windows SharePoint Services 3.0 adds support for identity management systems that are not based on Windows by integrating with the ASP.NET forms authentication system. ASP.NET authentication enables Windows SharePoint Services 3.0 to work with identity management systems that implement the MembershipProvider interface. You do not need to rewrite the security administration pages or manage shadow Active Directory directory service accounts. |
|
Web Single Sign-On (SSO) |
Windows SharePoint Services 3.0 supports federated authentication through Web SSO vendors. Web SSO enables SSO in environments that include services running on disparate platforms. You do not need to manage separate Active Directory accounts. |
|
Authentication of system accounts
ASP.NET forms authentication and Web SSO can be used to authenticate only user accounts. The process accounts used to connect to Microsoft SQL Server database software and run the Web farm must be Windows accounts, even when using alternative methods of authentication to authenticate users.
Windows SharePoint Services 3.0 supports SQL Server authentication and local computer process accounts for farms that are not running Active Directory. For example, you can implement local accounts by using identical user names and passwords across all servers within a farm.
Configure authentication
Although configuring Windows authentication is a straightforward process, configuring authentication to use ASP.NET forms or Web SSO requires more planning. This section provides a summary of how authentication is configured in Windows SharePoint Services 3.0. This information will help you understand how to put together an authentication strategy for your solution and determine who in your organization needs to be involved in planning for authentication.
Configure authentication for SharePoint Web applications
Authentication in Windows SharePoint Services 3.0 is configured at the SharePoint Web application level. The following diagram illustrates a Windows SharePoint Services server farm that is configured to host sites for multiple companies. Authentication is configured separately for each company.
When you initially create or extend a Web application, you are presented with a limited number of authentication options (Kerberos, NTLM, and anonymous). If you are using one of these methods, you can configure authentication when you create or extend the Web application.
The following illustration shows the limited authentication choices that are available when you initially create or extend a Web application:
However, if you are using different authentication settings, select the default authentication options, and then configure authentication after the Web application is created or extended. (To do so, in Central Administration, on the Application Management page, in the Application Security section, select Authentication providers, and then click the zone to open the Edit Authentication page.) The settings that are configured on this page depend on the type of authentication that is selected: Windows, forms, or Web SSO.
The following illustration shows the Edit Authentication page:
Depending on the authentication choices that you select in Central Administration, additional configuration might be necessary. The following table summarizes the configuration steps based on the authentication method. This table also indicates if specialized roles in addition to SharePoint Administrator are needed.
Authentication method | Additional configuration | Specialized roles |
---|---|---|
Anonymous, |
None |
None |
Basic |
None |
None |
Digest |
Configure digest authentication directly in IIS. |
None |
Certificates |
|
Windows Server 2003 administrator, to obtain and configure certificates |
NTLM (Integrated Windows) |
None |
None |
Kerberos (Integrated Windows) |
|
IIS administrator |
Forms |
|
|
Web SSO |
In addition to configuration steps required for ASP.NET forms authentication, register an HTTP module for the Web SSO provider. |
|
Connect to identity management systems that are external or not based on Windows
To use ASP.NET forms or Web SSO to authenticate users against an identity management system that is not based on Windows or that is external, you must register the membership provider in the Web.config file. In addition to registering a membership provider, you can register a role manager as well. Windows SharePoint Services 3.0 uses the standard ASP.NET role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process in Windows SharePoint Services 3.0. You register role managers in the Web.config file the same way you register membership providers for authentication.
If you want to manage membership user or roles from the Central Administration site, you can optionally register the membership provider and the role manager in the Web.config file for the Central Administration site (in addition to registering these in the Web.config file for the Web application that hosts the content).
Ensure that the membership provider name and role manager name that you registered in the Web.config file is the same as the name that you entered in the Central Administration Authentication.aspx page. If you do not enter the role manager in the Web.config file, the default provider specified in the machine.config file might be used instead.
For example, the following string in a Web.config file specifies a SQL membership provider:
<membership defaultProvider="AspNetSqlMembershipProvider">
For additional information about using ASP.NET forms authentication to connect to a SQL Server authentication provider, see Authentication samples (Windows SharePoint Services).
Finally, if you are using Web SSO to connect to an external identity management system, you must also register an HTTP module for the Web SSO. An HTTP module is an assembly that is called on every request made to your application. HTTP modules are called as part of the ASP.NET request pipeline. For more information, see Introduction to HTTP Modules (https://go.microsoft.com/fwlink/?LinkId=77954&clcid=0x409).
Integrating with ASP.NET forms authentication places additional requirements on the authentication provider. In addition to registering the various elements in the Web.config file, the membership provider, role manager, and HTTP module must be programmed to interact with Windows SharePoint Services 3.0 and ASP.NET methods, as indicated in the following table:
Category | Description |
---|---|
Membership provider |
To work with Windows SharePoint Services 3.0, the membership provider must implement the following methods:
|
Role manager |
The role manager must implement the following methods:
|
HTTP module |
The HTTP module must handle the following events:
|
Enabling Anonymous Access
You can enable anonymous access for a Web application in addition to configuring a more secure authentication method. With this configuration, administrators of sites within the Web application can choose to allow anonymous access. If anonymous users want to gain access to secured resources and capabilities, they can click a logon button to submit their credentials.
Using different authentication methods to access a site
You can configure Web applications in Windows SharePoint Services 3.0 to be accessed by up to five different authentication methods or identity management systems. The following figure illustrates a partner application that is configured to be accessed by users from two different identity management systems. Internal employees are authenticated by using one of the standard Windows authentication methods. Employees of the partner company are authenticated against their own company's identity management system.
To configure a Web application to be accessed by two or more different authentication systems, you must configure additional zones for the Web application. Zones represent different logical paths of gaining access to the same physical application. With a typical partner application, employees of a partner company access the application through the Internet, while internal employees access the application directly through the intranet.
To create a new zone, extend the Web application. On the Extend Web Application to Another IIS Web Site page, in the Load Balanced URL section, specify the URL and zone type. The zone type is simply a category name applied to the zone and does not affect the configuration of the zone.
After extending the Web application, you can configure a separate authentication method for the new zone. The following figure shows the Authentication Providers page for a Web application that is configured by using two different zones. The default zone is the zone used by internal employees. The Internet zone is configured for partner access and uses ASP.NET forms to authenticate partner employees against the partner identity management system.
Plan authentication for crawling content
To perform successful crawls of content in a Web application, you must understand the authentication requirements of the index component of the search server (also known as the crawler). This section describes how to configure authentication for Web applications to ensure that the content in those Web applications can be successfully crawled.
When a farm administrator creates a Web application by using all default settings, the default zone for that Web application is configured to use NTLM. The farm administrator can change the authentication method for the default zone to any authentication method supported by Windows SharePoint Services 3.0.
The farm administrator can also extend a Web application one or more times to enable additional zones. Up to five zones can be associated with a particular Web application, and each zone can be configured to use any authentication method supported by Windows SharePoint Services 3.0.
Order in which the crawler accesses zones
When planning the zones for a Web application, consider the polling order in which the crawler accesses zones when attempting to authenticate. The polling order is important, because if the crawler encounters a zone configured to use basic, digest, or Kerberos authentication, authentication fails and the crawler does not attempt to access the next zone in the polling order. If this occurs, the crawler will not crawl content on that Web application.
Tip
Ensure that a zone configured for NTLM is earlier in the polling order than a zone configured for basic, digest, or Kerberos authentication.
The crawler polls the zones in the following order:
Default zone
Intranet zone
Internet zone
Custom zone
Extranet zone
The following figure shows the decisions that are made by the authentication system when the crawler attempts to authenticate:
The following table describes the actions associated with each callout in the figure:
Callout | Action |
---|---|
1 |
Crawler attempts to authenticate by using the default zone. Note The crawler always attempts to use the default zone first when attempting to authenticate for a particular Web application. |
2 |
If the zone is configured for NTLM, the crawler is authenticated and proceeds to the authorization phase. |
3 |
If the zone is configured for basic, digest, or Kerberos authentication, authentication fails and the crawler does not attempt to authenticate by using another zone. This means the content is not crawled. |
4 |
If there are no more zones in the polling order, authentication fails and the content is not crawled. |
5 |
Crawler attempts to authenticate by using the next zone in the polling order. |
If you configure the default zone to use an authentication method that the crawler does not support — for example, forms authentication or Web SSO — you must create at least one additional zone and configure this zone to use NTLM authentication. Consider the following scenario.
Authentication scenario
The farm administrator creates a Web application and configures it to use forms authentication. Because the farm administrator wants the content in the Web application to be crawled and indexed, and because she knows that the crawler requires a zone configured with NTLM, the farm administrator extends the Web application and configures the intranet zone to use NTLM.
When the crawler attempts to authenticate by using the default zone, the authentication system determines that the crawler and the zone are not configured to use the same authentication method. Because the zone is not configured for basic, digest, or Kerberos authentication and there is at least one additional zone in the polling order, the crawler attempts to authenticate by using the intranet zone. Because the intranet zone is configured to use NTLM and the crawler also uses NTLM, authentication succeeds.
In addition to properly configuring the authentication method, you must ensure that the crawler is authorized to crawl content within the Web application. To do this, you must ensure that the credentials used for the content access account have the Full Read permission level or higher on the Web application that you want to crawl. Farm administrators can use the Policy for Web Application page in Central Administration to create a policy that gives the content access account the Full Read permission level on a particular Web application.
Crawling host-named site collections
The process and rules illustrated in the previous figure do not apply to host-named site collections. This is because host-named site collections are available only through the default zone. If you do not configure the default zone to use NTLM when deploying host-named site collections, you must configure an alternate method for the index component to access content.
For more information about crawling host-named site collections that are not configured for NTLM authentication, see the following articles:
Prepare to crawl host-named sites that use forms authentication
Prepare to crawl host-named sites that use Basic authentication
Planning zones for your authentication design
If you plan to implement more than one authentication method for a Web application by using zones, use the following guidelines:
Use the default zone to implement your most secure authentication settings. If a request cannot be associated with a specific zone, the authentication settings and other security policies of the default zone are applied. The default zone is the zone that is created when you initially create a Web application. Typically, the most secure authentication settings are designed for end-user access. Consequently, the default zone will likely be the zone that is accessed by end users.
Use the minimum number of zones that is required by the application. Each zone is associated with a new IIS site and domain for accessing the Web application. Only add new access points when these are required.
If you want content within the Web application to be included in search results, ensure that at least one zone is configured to use NTLM authentication. NTLM authentication is required by the index component to crawl content. Do not create a dedicated zone for the index component unless necessary.
Choose methods of authentication allowed in your environment
In addition to understanding how authentication is configured, planning for authentication includes:
Considering the security context or environment of your Web application in Windows SharePoint Services 3.0.
Evaluating the recommendations and tradeoffs for each method.
Understanding how user credentials and related identity data are cached and consumed by Windows SharePoint Services 3.0.
Understanding how user accounts are managed.
Ensuring that authentication methods are compatible with browsers that are used by your users.
Worksheet action |
---|
Use the Authentication methods worksheet (https://go.microsoft.com/fwlink/?LinkId=77970&clcid=0x409) to identify which authentication methods you are willing to support in your environment and to record your decisions and recommendations for each. This worksheet will be used when planning authentication methods for individual Web applications in Windows SharePoint Services 3.0. |
Recommendations for specific security environments
Your choice of authentication methods will primarily be driven by the security context of your application. The following table provides recommendations based on the most common security environments:
Environment | Considerations |
---|---|
Internal intranet |
At a minimum, protect user credentials from plain view. Integrate with the user management system that is implemented in your environment. If Active Directory is implemented, use the Windows authentication methods built into IIS. |
External secure collaboration |
Configure a separate zone for each partner company that connects to the site. Use Web SSO to authenticate against each partner’s own identity management system. This eliminates the need to create accounts in your own identity management system and also ensures that contributor identities continue to be maintained and validated by partner employers. If a contributor is no longer employed by a partner company, the contributor cannot continue to gain access to your partner application. |
External anonymous |
Enable anonymous access (no authentication) and allow Read-Only permissions for users who connect from the Internet. If you want to provide targeted or role-based content, you can use ASP.NET forms authentication to register users by using a simple database of user names and roles. Use the registration process to identify users by role (such as doctor, patient, or pharmacist). When users log on, your site can present content that is specific to the user role. In this scenario, authentication is not used to validate credentials or to limit who can access the content; the authentication process simply provides a method of targeting content. |
Recommendations and tradeoffs for authentication methods
Understanding the advantages, recommendations, and tradeoffs for each specific authentication method can help you to determine which methods to use in your environment. The following table highlights the recommendations and tradeoffs for each authentication method. For more information about each of the Windows authentication methods supported by IIS, see IIS Authentication (https://go.microsoft.com/fwlink/?LinkId=78066&clcid=0x409).
Authentication method | Advantages and recommendations | Tradeoffs |
---|---|---|
Windows |
|
|
ASP.NET forms |
|
|
Web SSO |
|
|
Management of user identity information
How user credentials and other identity information is processed and used by Windows SharePoint Services 3.0 can influence your decision about which of the authentication options is best for your intended purpose. This section details how user identity information is processed in the following categories:
Binary IDs How user binary identifiers (IDs) are created or used by Windows SharePoint Services 3.0.
Caching The process of retaining a user's identity for a period of time to avoid repeating the authentication process for each request.
Role and group membership In addition to determining who users are, the authentication process also determines which groups or roles a user belongs to. This information is used during the authorization process to determine which actions a user has permissions to perform. For the purpose of authorization, Windows SharePoint Services 3.0 treats Active Directory groups and ASP.NET roles as the same type of entity.
The following table details how Windows SharePoint Services 3.0 manages user binary IDs, cached user data, and role and group membership data depending on which authentication method is used:
Item | Windows authentication | ASP.NET forms and Web SSO |
---|---|---|
Binary IDs |
Windows SharePoint Services 3.0 uses the Windows security identifier (SID). |
Windows SharePoint Services 3.0 creates a unique binary ID by combining the provider name with the user name. |
Caching |
User credentials are cached and managed by IIS, Internet Explorer, and Windows. |
ASP.NET uses an encrypted cookie to keep the user's credentials for the duration of a session. |
Role and group membership |
Windows maintains the list of Active Directory domain groups the user belongs to in the access token. Windows SharePoint Services 3.0 uses information stored in the access token. |
When a role manager is registered, Windows SharePoint Services uses the standard role manager interface to gather group information about the current user. Each ASP.NET role is treated like a domain group by the authorization process. ASP.NET can cache the roles the user belongs to in a cookie, depending on the settings that are configured in the Web.config file. |
Management of user accounts
Understanding how Windows SharePoint Services 3.0 handles typical user account management tasks can also influence which authentication method you choose. Generally, users who are members of an authentication provider in one zone can manage accounts across all zones as long as they are granted permissions. The information in the following list applies regardless of which authentication method is implemented:
Adding and inviting new users You can add or invite a new user from any zone and all authentication methods that are configured if the membership provider and role manager are registered in the current Web.config file. When you add a new user, Windows SharePoint Services 3.0 resolves the user name against the following sources in the following order:
The UserInfoList table stored by Windows SharePoint Services 3.0. User information will be in this list if users have already been added to another site.
The authentication provider that is configured for the current zone. For example, if a user is a member of the authentication provider that is configured for the default zone, Windows SharePoint Services 3.0 first checks this associated membership provider.
All other authentication providers.
Deleting users User accounts are marked as deleted in the Windows SharePoint Services 3.0 database. However, the user record is not removed.
Some user account management behaviors within Windows SharePoint Services 3.0 differ, depending on the authentication provider. The following table highlights several common user account tasks that differ depending on the authentication method that is implemented:
Task | Windows authenticated accounts | ASP.NET forms–authenticated and Web SSO-authenticated accounts |
---|---|---|
Adding and inviting new users |
Windows SharePoint Services 3.0 validates user identities by using Active Directory. |
Windows SharePoint Services 3.0 calls the membership provider and the role manager to verify that the user and roles exists. |
Changes to logon names |
Updated user names are automatically recognized by Windows SharePoint Services 3.0. New entries are not added to the UserInfoList table. |
You must delete the old account name and then add the new account name. Permissions cannot be migrated. |
Logging on |
If Integrated Windows authentication (Kerberos or NTLM) is used and the browser is configured to automatically log on, users do not need to manually log on to SharePoint sites. By default, Internet Explorer is configured to automatically log on to intranet sites. If a logon is required (for example, sites that require a different set of credentials), users are prompted only for a user name and password. However, if basic authentication is used, or the user is using a browser that is not configured to automatically log on, users might be prompted for logon credentials when they access a SharePoint site. |
Windows SharePoint Services 3.0 provides a standard logon page for use with forms authentication. This page includes the following fields: user name, password, sign in automatically (to persist the cookie). You can create your own logon page to add additional logon controls (for example, create a new account, or reset password). |
Browser support
Not all browsers work with each of the authentication methods that are supported. Before selecting authentication methods to allow in your environment, determine which browsers you need to support. Then, determine which authentication methods are supported by the browsers. Internet Explorer works with each of the supported authentication methods. Additional browsers that are supported by Windows SharePoint Services 3.0 include:
Netscape 8.0
Netscape 7.2
Mozilla 1.7.12
Firefox 1.5
Safari 2.02
Worksheet
Use the following worksheet to record which authentication methods are appropriate for your environment:
The following table represents an example of a completed worksheet:
Authentication method | Allow | Don't allow | Notes and recommendations |
---|---|---|---|
Anonymous |
x |
||
Basic |
x |
||
Digest |
x |
||
Certificates |
x |
||
NTLM (Integrated Windows) |
x |
"Use NTLM for all department sites except finance." |
|
Kerberos (Integrated Windows) |
x |
"Use Kerberos authentication for sites with a high security service level agreement." |
|
ASP.NET forms |
x |
"Use forms authentication to allow partner company access to sites hosted in the partner extranet. We currently allow authentication against the following identity management systems: Active Directory, LDAP. Work with Sidney Higa to develop authentication settings for use with forms authentication." |
|
Web SSO |
x |
"Use this method for partner applications only if a partner company is participating in federated identity management systems. See David Jones for more information." |
Additional Notes: "Work with Denise Smith to sign off on all authentication settings for SharePoint Web applications prior to implementing."
Download this book
This topic is included in the following downloadable book for easier reading and printing:
Planning and architecture for Windows SharePoint Services 3.0, part 2
Planning an Extranet Environment for Windows SharePoint Services
See the full list of available books at Downloadable books for Windows SharePoint Services.