Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 33 doc

MCT USE ONLY. STUDENT USE PROHIBITED
Planning Authentication 6-23
Authentication Topologies for Multiple Farms

Key Points
The topology for claims-based authentication in a multiple farm infrastructure
consists of a local STS, which belongs to the SharePoint farm that hosts the Web
application, and a partner STS, which belongs to a separate SharePoint farm. There
is a trust relationship between the two SharePoint farms.
The authentication process is as follows:
1. An external user whose credentials are not directly accessible by the local STS
requests authentication.
2. The Web application responds to the authentication request with a redirect to
the partner STS.
3. The authentication request is submitted to the partner STS.
4. The partner STS creates an IP-STS token for the user and submits it to the local
STS.
5. The local STS decrypts the IP-STS token, creates a Relying Party STS (RP-STS)
token, and returns it to the external user.
6. The RP-STS token is then submitted to the Web application.
7. The Web application authenticates the user. In this example, the Web
application returns a cookie to the user.
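In SharePoint 2010, the trust relationship that steps 2 through 5 depend on is expressed on the local farm as a trusted identity token issuer that points at the partner STS and holds its token-signing certificate. The following script is an added example, not part of the course; the partner sign-in URL, realm, certificate path, claim types and issuer name are placeholders for a lab.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders: take the real values from the partner farm's federation metadata.
$partnerSignInUrl = "https://sts.partner.example/adfs/ls/"
$realm            = "urn:sharepoint:localfarm"
$certPath         = "C:\Certs\partner-sts-signing.cer"

# 1. The partner STS token-signing certificate is what makes the trust concrete:
#    in step 5 the local STS accepts only IP-STS tokens signed by this key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "Partner STS signing certificate" -Certificate $cert | Out-Null

# 2. Claim mappings: which incoming claims the local STS copies into the RP-STS token.
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Register the partner STS. -SignInUrl is where step 2 redirects the external
#    user; -IdentifierClaim is the claim the Web application treats as the user name.
New-SPTrustedIdentityTokenIssuer -Name "Partner Farm STS" `
    -Description "Claims from the partner SharePoint farm" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim, $roleClaim `
    -SignInUrl $partnerSignInUrl `
    -IdentifierClaim $emailClaim.InputClaimType | Out-Null

# 4. Check: the thumbprint SharePoint recorded must match the certificate you were
#    handed out of band; a mismatch means tokens from another signer would be trusted.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity "Partner Farm STS"
if ($issuer.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Trusted issuer signing certificate does not match $certPath"
}
$issuer | Format-List Name, ProviderUri, ClaimTypes
```

The issuer becomes selectable as a trusted identity provider when you create or edit the claims-based Web application.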


Lesson 3
Selecting Authentication Methods


An effective authentication plan incorporates the appropriate authentication
methods for each Web application in your SharePoint 2010 architecture. To
produce an authentication plan, you must be able to match authentication
methods to business requirements. You must evaluate authentication methods and
understand how to implement different forms of authentication.
Objectives
After completing this lesson, you will be able to:
• Explain how to match authentication methods to business requirements.
• Choose between classic mode and claims-based authentication.
• Evaluate authentication methods.
• Explain when to implement multi-mode authentication.
• Describe how to plan authentication for farm zones.
• Explain how to plan authentication testing.
Matching Authentication Methods to Business Requirements

Key Points
When you design the authentication plan for your SharePoint 2010 architecture, a
key task is to match the authentication methods that you will use to the business
requirements that you must meet.
Business requirements come in many forms, from interviews with stakeholders
and reports of end-user usability issues to documentation from previous systems.
Part of your task is to interpret this data and restate it in a consistent format
that provides the basis for an authentication plan.
When you match authentication methods to business requirements, look for
keywords and phrases that indicate who should be able to access SharePoint
content. For example, “Internet-facing” and “public” imply that anonymous access
should be enabled for certain parts of the SharePoint site. “Private,” “secure area,”
and “log on” all imply that valid user credentials must be provided before the
content is accessible.
You can determine authentication methods from business requirements
documentation. Phrases such as “partners,” “external users,” and “customers” all
indicate that users who are not members of your internal domain will require some
level of access. Often external users will be authenticated through claims-based
methods such as forms-based authentication. You must determine how to provide
them with access before you begin to create SharePoint Web applications, because
you select the authentication method for the Web application at the time that you
create it.

Demonstration: Selecting Classic Mode or Claims-Based Authentication

Key Points
In this demonstration, you will see how to:
• Select claims-based or classic mode authentication.
• Identify authentication providers for Web applications.

Evaluating Authentication Methods

Key Points
Understanding the advantages, recommendations, and trade-offs for each specific
authentication method can help you to determine which methods to use in your
environment. The following table highlights the advantages, recommendations,
and disadvantages for each authentication method.
Authentication method: Windows-based (NTLM or Kerberos)
Advantages:
• Enables you to authenticate users by using existing Active Directory accounts.
• Enables you to take advantage of Active Directory groups when you configure SharePoint Server 2010 authorization.
• Simplifies user management.
• Enables you to avoid writing custom code.
Trade-offs:
• Some IIS authentication protocols are not supported by all Web browsers.

Authentication method: Client certificates
Advantages:
• Enables you to authenticate users with digitally signed certificates.
Trade-offs:
• Requires you to obtain and distribute certificates for clients.

Authentication method: Anonymous authentication
Advantages:
• Enables users to find resources in the public areas of Web sites without providing authentication credentials.
Trade-offs:
• Enables anonymous access to your SharePoint resources; use with caution.
• Requires additional planning and configuration.

Authentication method: Claims-based
Advantages:
• Enables you to authenticate users from a system not based on Windows, such as a database.
• Enables subjects to make claims about themselves. Claims can include a user name, a role, an employee ID, and a variety of other attributes that applications use to determine authorization and permission levels.
Trade-offs:
• Configuration and management require additional planning and training.

Authentication method: Forms-based
Advantages:
• Enables you to set up SharePoint Server 2010 in an environment that does not require Windows accounts.
• Enables you to authenticate against two or more different identity management systems when you create partner applications.
• Enables you to implement a custom authentication scheme by using arbitrary criteria.
• Enables the authentication of users coming from the Internet.
Trade-offs:
• Requires customization of the Web.config file.
• Subject to replay attacks for the lifetime of the cookie, unless you use SSL/Transport Layer Security (TLS).

Double-Hop Scenario
The double-hop scenario in SharePoint 2010 describes a situation that can arise
when NTLM authentication is used. In the double-hop scenario, IIS attempts to
pass a user’s NTLM credentials to a service that is not running directly on the Web
server or is running on a server that is not part of the requesting server’s farm. This
type of authentication is not permitted in the Microsoft .NET Framework, because
it is not secure. NTLM only authenticates the client, not the server; therefore, the
Web server can pass the client credentials to any other service or client without the
knowledge of the original requesting client.
Kerberos authentication provides a solution to this issue, but it requires some
configuration. Kerberos allows for impersonation and delegation, which gives the
Web server permission to authenticate to another service on behalf of the user. In
addition, Kerberos can authenticate both the client and the server, which ensures
that requests are directed only to those servers and services that the end user
trusts. This feature is not active by default. You must configure the service accounts
running on the Web server to use impersonation by enabling the trust for
delegation settings for both the service account and server in Active Directory
Users and Computers.
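The same delegation settings can be applied and, more importantly, audited from the Active Directory module instead of the Users and Computers console. This is an added example, not part of the course; the computer name, service account and host name are lab placeholders, and the SPN registration is an additional step that Kerberos needs before IIS will negotiate it at all.

```powershell
Import-Module ActiveDirectory

# Placeholders for a lab domain; substitute your own names.
$frontEnd       = "SP-WFE01"            # Web server computer account
$appPoolAccount = "svc_spweb"           # service account running the Web application pool
$siteHost       = "portal.lab.example"  # host name in the Web application URL

# Kerberos needs a Service Principal Name that ties the HTTP endpoint to the
# account answering for it. Without it clients fall back to NTLM and the double
# hop fails again. setspn.exe ships with Windows Server.
setspn -S "HTTP/$siteHost" $appPoolAccount

# The course's "trust for delegation" setting, applied to both the service
# account and the server. This flag is unconstrained delegation: the account may
# present any authenticated user's identity to any service, so the set of
# accounts carrying it should stay small and be reviewed regularly.
Set-ADAccountControl -Identity $appPoolAccount -TrustedForDelegation $true
Get-ADComputer -Identity $frontEnd | Set-ADAccountControl -TrustedForDelegation $true

# Check: TRUSTED_FOR_DELEGATION is bit 0x80000 (524288) of userAccountControl.
# List every object in the domain that carries it. Domain controllers appear by
# default; anything else should be an identity you deliberately configured.
$ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
Get-ADObject -LDAPFilter $ldapFilter -Properties objectClass, servicePrincipalName |
    Select-Object Name, objectClass,
        @{ Name = "SPNs"; Expression = { @($_.servicePrincipalName) -join "; " } } |
    Format-Table -AutoSize
```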

Multi-Mode Authentication

Key Points
Your logical architecture design may require two different types of users to access
the same SharePoint site, for example, internal employees and external partners. In
this scenario, you must plan to configure more than one authentication method.
You can configure Web applications in SharePoint Server 2010 to be accessed by
up to five different authentication methods or identity management systems.
The diagram on the slide illustrates a Web application that is configured to be
accessed by users from two different identity management systems. Internal
employees are authenticated by using one of the standard Windows authentication
methods. Partners are authenticated against a separate, forms-based identity
management system.
If your authentication plan must accommodate this type of scenario, you must plan
to perform some additional configuration of the Web application. You must
configure additional zones for the Web application for it to be accessed by more
than one authentication system. Additional zones provide different logical paths to
gain access to the same application. In the scenario on the slide, partners access the
application through the Internet, and internal employees access the application
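The zone configuration this passage describes, built with the SharePoint 2010 cmdlets, as an added example that is not part of the course. The Web application URL, the partner URL and the ASP.NET membership and role provider names are placeholders, and the providers are assumed to be registered already in the Web.config files of the Web application, Central Administration and the STS.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholders: the existing Web application (Default zone, Windows authentication
# for internal employees) and the URL partners will use.
$webApp     = Get-SPWebApplication "https://portal.lab.example"
$partnerUrl = "https://partners.lab.example"

# Forms-based authentication in SharePoint 2010 requires a claims-based Web
# application; a classic-mode application cannot carry a second identity system.
if (-not $webApp.UseClaimsAuthentication) {
    throw "Web application is in classic mode; multi-mode authentication needs claims-based mode."
}

# Partners: a forms-based provider backed by the separate identity management system.
$fba = New-SPAuthenticationProvider -ASPNETMembershipProvider "PartnerMembers" `
                                    -ASPNETRoleProviderName "PartnerRoles"

# A second zone gives the partner identity system its own logical path to the same
# content. Employees keep using the Default zone, which is left untouched.
New-SPWebApplicationExtension -Identity $webApp -Name "Portal - Partners" `
    -Zone Internet -Url $partnerUrl -HostHeader "partners.lab.example" `
    -Port 443 -SecureSocketsLayer -AuthenticationProvider $fba | Out-Null

# Check: list every zone with its URL, anonymous setting and authentication
# providers. Each zone should carry exactly the identity system planned for it.
$webApp = Get-SPWebApplication $webApp.Url
foreach ($zone in $webApp.IisSettings.Keys) {
    $iis       = $webApp.IisSettings[$zone]
    $providers = ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ", "
    "{0,-9} {1,-36} anonymous={2,-5} providers={3}" -f `
        $zone, $webApp.GetResponseUri($zone), $iis.AllowAnonymous, $providers
}
```

A Web application can have at most five zones, which is where the limit of five authentication methods quoted above comes from.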