SharePoint Madness

All about SharePoint and Office365

Posts Tagged ‘SP2013’

16 Key facts on User Authentication methods in SharePoint 2013

Posted by Amit Bhatia on February 7, 2013

I have been working on planning the user authentication methods on SP 2013 and came across few facts which may prevent few headaches later while implementing the user authentication in SP 2013.

  1. Office Web Apps can be used only by SharePoint 2013 web applications that use claims-based authentication –  Office Web Apps rendering and editing will not work on SharePoint 2013 web applications that use classic mode authentication. If you migrate SharePoint 2010 web applications that use classic mode authentication to SharePoint 2013, you must migrate them to claims-based authentication to allow them to work with Office Web Apps.
  2. SharePoint 2013 also supports anonymous authentication – Users can access SharePoint content without validating their credentials. Anonymous authentication is disabled by default. You typically use anonymous authentication when you use SharePoint 2013 to publish content that does not require security and is available for all users, such as a public Internet website. In addition to enabling anonymous authentication, you must also configure anonymous access (permissions) on sites and site resources.
  3. In Forms based authentication, credentials are sent in plain-text format – You should not use forms based authentication unless you are using Secure Socket Layer (SSL) to encrypt the traffic.
  4. Active Directory Federation Services (AD FS) 2.0 is a SAML token-based authentication environment
  5. Kerberos authentication improves performance and page latency – Kerberos requires the least amount of network traffic to AD DS domain controllers. Kerberos can reduce page latency in certain scenarios, or increase the number of pages that a front-end web server can serve in certain scenarios. Kerberos can also reduce the load on domain controllers.
  6. Kerberos should not be used in internet facing deployments – Kerberos authentication requires client computer connectivity to a KDC and to an AD DS domain controller.
  7. In mutiple SAML based authentication providers scenario you can only use one token signing certificate in a farm – This is the certificate that you export from an IP-STS and then copy to one server in the farm and add it to the farm’s Trusted Root Authority list. Once you use this certificate to create an SPTrustedIdentityTokenIssuer, you cannot use it to create another one. To use the certificate to create a different SPTrustedIdentityTokenIssuer, you must delete the existing one first. Before you delete an existing one, you must disassociate it from all web applications that may be using it.
  8. No need for Single affinity in Load balanced Scenarios in SP 2013 – You no longer have to set network load balancing to single affinity when you are using claims-based authentication in SharePoint 2013
  9. People Picker search functionality does not work if the web application uses SAML based authentication – When a web application is configured to use SAML token-based authentication, the SPTrustedClaimProvider class does not provide search functionality to the People Picker control. Any text entered in the People Picker control will automatically be displayed as if it resolves, regardless of whether it is a valid user, group, or claim. If your SharePoint 2013 solution uses SAML token-based authentication, plan to create a custom claims provider that implements custom search and name resolution.
  10. Claims based authentication can have multiple authentication providers in a single zone
  11. Webapplication can only be created with Powershell for Classic mode in SP 2013
  12. Classic Mode authentication can only support one type of authentication per zone – Classic Mode only uses Windows authentication mode.
  13. Forms based and Windows based  authentication can only be used once in a multiple authentication method in a single zone
  14. Atleast one zone must be configured to use Crawl – Crawl component can only use NTLM based authentication. If NTLM authentication is not configured on the default zone, the crawl component can use a different zone that is configured to use NTLM authentication.
  15. Default zone should always be used for most secured settings –  The most secure authentication settings are designed for end-user access. End-users are most likely to access the default zone.
  16. Keep the zones to a minimum – Each zone requires an IIS website and adds overhead.

Posted in Authentication, SP2013 | Tagged: , , | 2 Comments »

Searching For Value

"Helping You Master the Game of Investing"

Ideas with Conviction

The best thing about investing is the ease with which you can move your capital across different businesses, helping you capitalize on every opportunity..

CFA Institute Enterprising Investor

Practical analysis for investment professionals

Journeys of a Bumbling Trader

Learnings and Thoughts on Trading, Macroeconomics, Value Investing, Quantitative Finance, and Accounting

Flirting with Models

Research Library of Newfound Research

Alpha Ideas

Investment Blog for the Indian Markets

Fundoo Professor

Thoughts of a teacher & practitioner of value investing and behavioral economics