Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 31 pptx


MCT USE ONLY. STUDENT USE PROHIBITED
Planning Authentication 6-3
Lesson 1
Overview of Authentication

You must be familiar with the relevant authentication methods before you can
design an authentication plan. This lesson provides an overview of the
authentication methods that you can use in a SharePoint 2010 infrastructure.
Objectives
After completing this lesson, you will be able to:
• Describe NT LAN Manager (NTLM) authentication.
• Describe Kerberos authentication.
• Describe client certificate authentication.
• Describe anonymous authentication.
• Describe claims-based authentication.
• Describe forms-based authentication.
• Describe how the Secure Store Service provides single sign-on (SSO)
authentication.

NTLM Authentication

Key Points
NTLM is a secure protocol that supports user credential encryption and
transmission over a network. NTLM encrypts user names and passwords before it
sends the encrypted credentials over the network.
NTLM authentication is required in networks where the server receives requests
from client computers that do not support Kerberos authentication. NTLM is the
authentication protocol that is used in Windows® NT and Windows 2000 server
workgroup environments, which have no Active Directory® directory service
domain controller. NTLM is used in mixed Windows 2000 Active Directory
domain environments that must authenticate Windows NT systems. In domains
where no Windows NT domain controllers exist, you can raise the domain
functional level. NTLM is thereby disabled, and Kerberos becomes the default
authentication protocol for the enterprise.
If your environment includes computers that require NTLM authentication, you
must incorporate it into your authentication plan.
Kerberos Authentication

Key Points
Kerberos is the core authentication protocol in Active Directory domains. A
Kerberos authentication server grants a ticket in response to a client computer
authentication request, if the request contains valid user credentials and a valid
service principal name (SPN). The client computer then uses the ticket to access
network resources. To enable Kerberos authentication, the client and server
computers must be able to access a Key Distribution Center (KDC), which
distributes shared secret keys to enable encryption. The client and server
computers must be able to access Active Directory Domain Services. An important
consideration for enterprises with multiple forests is that the KDC cannot be
accessed across forest boundaries. Further planning and configuration are required
if the client and server are in different forests from the KDC.
To implement Kerberos authentication, the client application must provide an
SPN, a user principal name (UPN), or a NetBIOS account name as the target name.
If the client application cannot provide this information, it may be necessary to
plan for the use of NTLM authentication. SharePoint farms typically use Kerberos
and NTLM; if Kerberos authentication fails, SharePoint will automatically attempt
to use NTLM authentication.
If you deploy a SharePoint 2010 farm that uses Kerberos authentication
exclusively, you must configure Kerberos authentication to support the following
functionality:
• Communication between SharePoint 2010 and Microsoft SQL Server®
database software.
• Access to the SharePoint Central Administration Web application.
• Access to other Web applications such as a portal site Web application or
a My Site Web application.
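The three bullets above all depend on the right service principal names being registered, and a duplicate or missing SPN makes clients fall back to NTLM silently. The following script is an added example (not part of the course text) that checks the SPNs an exclusive-Kerberos plan needs; the host names, ports and service accounts are placeholders for your own farm.

```powershell
# Added example: verify Kerberos SPNs for a SharePoint 2010 farm.
# All host names and accounts below are assumed placeholders.
$checks = @(
    @{ Spn = "HTTP/portal.contoso.com";         Account = "CONTOSO\svcSPWeb"  }  # portal Web application
    @{ Spn = "HTTP/centraladmin.contoso.com";   Account = "CONTOSO\svcSPFarm" }  # Central Administration
    @{ Spn = "MSSQLSvc/sql01.contoso.com:1433"; Account = "CONTOSO\svcSQL"    }  # SharePoint-to-SQL Server
)

$missing = 0
foreach ($c in $checks) {
    # setspn -L lists every SPN currently registered on the account
    $registered = setspn -L $c.Account 2>&1
    if ($registered -match [regex]::Escape($c.Spn)) {
        Write-Host "OK       $($c.Spn) is registered on $($c.Account)"
    } else {
        $missing++
        # -S registers the SPN only if no other account already holds it
        Write-Host "MISSING  $($c.Spn) on $($c.Account); fix with: setspn -S $($c.Spn) $($c.Account)"
    }
}

# A duplicate SPN (same name on two accounts) breaks ticket issuance for that
# service, so Kerberos fails and SharePoint quietly retries with NTLM.
Write-Host "Searching the forest for duplicate SPNs..."
setspn -X

Write-Host "$missing of $($checks.Count) required SPNs are missing"
```

Run the script as an account that can read service principal names in the domain; after fixing any findings, `klist` on a client should show an HTTP ticket for the portal host rather than an NTLM session.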

Question: What must the client provide in a Kerberos authentication request?
Additional Reading
For more information about how to configure Kerberos authentication, see

For more information about how to use Kerberos for SharePoint authentication,
see

Client Certificate Authentication

Key Points
Client-certificate authentication supports the exchange of public key certificates by
using Secure Sockets Layer (SSL) encryption over HTTP.
Client certificates are issued by a Certificate Authority (CA), which may be internal
or external, and they must conform to the public key infrastructure (PKI).
To implement client certificate authentication, you must select Windows
authentication in Central Administration, configure Internet Information Services
(IIS) for certificate authentication, enable SSL, and obtain and configure certificates
from a CA.
Anonymous Authentication

Key Points
Anonymous authentication enables users to find resources in the public areas of
Web sites without providing authentication credentials. Anonymous authentication
enables anyone with an Internet connection to browse a Web site; therefore, you
must plan for anonymous access extremely carefully.
Anonymous authentication is enabled at the Web application level at the time of
creation. Site administrators for sites in the Web application can then grant or
block anonymous access to their site. Anonymous access relies on the anonymous
user account on the Web server; IIS creates and manages this account, not the
SharePoint site. Allowing anonymous access to a site grants permissions to the
anonymous user account.
Review your business requirements, your logical architecture design
documentation, and your security plan to determine which sites should be
configured for anonymous authentication. You must ensure that your
authentication plan maps anonymous authentication to only those Web
applications that contain sites that require anonymous access.
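The requirement above is easy to state and easy to drift from, because anonymous access is switched on per zone and then per site. The following audit script is an added example (not part of the course text) that compares what the farm actually allows with the list of Web applications your plan approves for anonymous access; the approved URL is a placeholder.

```powershell
# Added example: audit anonymous access against the authentication plan.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholder: Web applications the plan allows to be anonymous.
$plannedAnonymous = @("http://public.contoso.com/")

foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]
        if (-not $iis.AllowAnonymous) { continue }

        # Anonymous is enabled at the Web application level for this zone
        $inPlan = $plannedAnonymous -contains $wa.Url
        $verdict = if ($inPlan) { "PLANNED " } else { "UNPLANNED" }
        Write-Host "$verdict  $($wa.Url) zone '$zone' allows anonymous access"

        # Site administrators grant or block anonymous access per site;
        # list every site where it is not disabled.
        foreach ($site in $wa.Sites) {
            foreach ($web in $site.AllWebs) {
                if ($web.AnonymousState -ne "Disabled") {
                    Write-Host ("           {0}  AnonymousState={1}" -f $web.Url, $web.AnonymousState)
                }
                $web.Dispose()
            }
            $site.Dispose()
        }
    }
}
```

Any line marked UNPLANNED is a Web application where the anonymous IIS account has been granted permissions outside the security plan and should be reviewed.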
Claims-Based Authentication

Key Points
SharePoint 2010 supports claims-based authentication, which enables SharePoint
applications to authenticate a user without requiring the user to disclose more
information than necessary. If SharePoint 2010 trusts the authentication authority
that validates the claims of a user, it will allow the user to be authenticated.
Your SharePoint authentication plan will include claims-based authentication if:
• You need to enable authentication across Windows-based systems and
systems that are not based on the Windows operating system.
• Your SharePoint infrastructure must support delegation of user identity
between applications.
• Your SharePoint infrastructure requires multiple forms of authentication on a
single zone.

In SharePoint Server 2010, you must choose between claims-based authentication
and classic-mode authentication when you create a Web application. If you choose
classic-mode authentication, and later want to convert to claims-based
authentication, you can use Windows PowerShell™ to reconfigure the Web
application. Alternatively, you can delete the Web application, without deleting the
supporting application pool or database, and then re-create it by using claims-
based authentication.
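The Windows PowerShell reconfiguration mentioned above, as an added example that is not part of the course text: it flips the Web application to claims mode, grants the migrating account a Full Control policy, and rewrites existing Windows user entries into claims identities. The URL and account are placeholders; the object-model members used are the SharePoint 2010 ones I am aware of, so verify against your farm before running.

```powershell
# Added example: convert a classic-mode Web application to claims-based
# authentication in SharePoint 2010. URL and account are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://portal.contoso.com"
$adminAccount = "CONTOSO\spadmin"      # account that will run the user migration

$wa = Get-SPWebApplication $webAppUrl
if ($wa.UseClaimsAuthentication) {
    Write-Host "$webAppUrl already uses claims-based authentication"
    return
}

# 1. Switch the Web application from classic mode to claims mode
$wa.UseClaimsAuthentication = $true
$wa.Update()

# 2. Give the migrating account Full Control through a Default-zone policy,
#    so it keeps access once Windows identities become claims identities
$wa = Get-SPWebApplication $webAppUrl
$zp = $wa.ZonePolicies("Default")
$p  = $zp.Add($adminAccount, "Claims migration policy")
$fc = $wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()

# 3. Rewrite existing user entries (DOMAIN\user) as Windows claims (i:0#.w|DOMAIN\user)
#    and push the new IIS settings to every server in the farm
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# 4. Verify the result
$wa = Get-SPWebApplication $webAppUrl
Write-Host "UseClaimsAuthentication is now $($wa.UseClaimsAuthentication)"
```

Take a backup of the content database first; the conversion is one-way, and the alternative the text describes (delete and re-create the Web application) is the fallback if migration leaves users without access.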

Forms-Based Authentication

Key Points
Your SharePoint 2010 infrastructure may call for users who do not belong to a
Windows-based identity management system, or who belong to an external
system, to be authenticated. Forms-based authentication provides this
functionality. Forms-based authentication is an identity management system that is
based on ASP.NET membership and role provider authentication methods. You
can use forms-based authentication to authenticate user accounts. However, the
SharePoint 2010 service accounts that you use to connect to SQL Server database
software and run the farm must be Windows accounts, even when you use
alternative methods of authentication to authenticate users. In SharePoint 2010,
forms-based authentication is only available when you use claims-based
authentication.
Authenticating Against Credentials
The forms-based authentication provider supports authentication against
credentials stored in Active Directory, in a database such as a SQL Server database,
or in a Lightweight Directory Access Protocol (LDAP) data store such as Novell
eDirectory, Novell Directory Services (NDS), or Sun ONE. Forms-based
