Designing a Microsoft SharePoint 2010 Infrastructure Vol 1 part 33 doc

MCT USE ONLY. STUDENT USE PROHIBITED Planning Authentication 6-23

Authentication Topologies for Multiple Farms

Key Points

The topology for claims-based authentication in a multiple farm infrastructure consists of a local STS, which is local to the SharePoint farm, and a partner STS, which is in a separate SharePoint farm. There is a trust relationship between the SharePoint farms. The authentication process is as follows:

1. An external user whose credentials are not directly accessible by the local STS requests authentication.
2. The Web application responds to the authentication request with a redirect to the partner STS.
3. The authentication request is submitted to the partner STS.
4. The partner STS creates an IP-STS token for the user and submits it to the local STS.
5. The local STS decrypts the IP-STS token, creates a Relying Partner STS (RP-STS) token, and returns it to the external user.
6. The RP-STS token is then submitted to the Web application.
7. The Web application authenticates the user. In this example, the Web application returns a cookie to the user.

Lesson 3: Selecting Authentication Methods

An effective authentication plan incorporates the appropriate authentication methods for each Web application in your SharePoint 2010 architecture. To produce an authentication plan, you must be able to match authentication methods to business requirements. You must evaluate authentication methods and understand how to implement different forms of authentication.

Objectives

After completing this lesson, you will be able to:

• Explain how to match authentication methods to business requirements.
• Choose between classic mode and claims-based authentication.
• Evaluate authentication methods.
• Explain when to implement multi-mode authentication.
• Describe how to plan authentication for farm zones.
• Explain how to plan authentication testing.

Matching Authentication Methods to Business Requirements

Key Points

When you design the authentication plan for your SharePoint 2010 architecture, a key task is to match the authentication methods that you will use to the business requirements that you must meet. Business requirements come in many forms, from interviews with stakeholders and reports of end-user usability issues to documentation from previous systems. Part of your task is to interpret this data and reformat it into a consistent format that provides the basis for an authentication plan.

When you match authentication methods to business requirements, look for keywords and phrases that indicate who should be able to access SharePoint content. For example, “Internet-facing” and “public” imply that anonymous access should be enabled for certain parts of the SharePoint site. “Private,” “secure area,” and “log on” all imply that valid user credentials must be provided before the content is accessible.

You can determine authentication methods from business requirements documentation. Phrases such as “partners,” “external users,” and “customers” all indicate that users who are not members of your internal domain will require some level of access. Often external users will be authenticated through claims-based methods such as forms-based authentication. You must determine how to provide them with access before you begin to create SharePoint Web applications, because you select the authentication method for the Web application at the time that you create it.
Demonstration: Selecting Classic Mode or Claims-Based Authentication

Key Points

In this demonstration, you will see how to:

• Select claims-based or classic mode authentication.
• Identify authentication providers for Web applications.

Evaluating Authentication Methods

Key Points

Understanding the advantages, recommendations, and trade-offs for each specific authentication method can help you to determine which methods to use in your environment. The following table highlights the advantages, recommendations, and disadvantages for each authentication method.

Authentication method: Windows-based NTLM or Kerberos
  Advantages: Enables you to authenticate users by using existing Active Directory accounts. Enables you to take advantage of Active Directory groups when you configure SharePoint Server 2010 authorization. Simplifies user management. Enables you to avoid writing custom code.
  Trade-offs: Some IIS authentication protocols are not supported by all Web browsers.

Authentication method: Client certificates
  Advantages: Enables you to authenticate users with digitally signed certificates.
  Trade-offs: Requires you to obtain and distribute certificates for clients.

Authentication method: Anonymous authentication
  Advantages: Enables users to find resources in the public areas of Web sites without providing authentication credentials.
  Trade-offs: Enables anonymous access to your SharePoint resources; use with caution. Requires additional planning and configuration.

Authentication method: Claims-based
  Advantages: Enables you to authenticate users from a system not based on Windows, such as a database. Enables subjects to make claims about themselves. Claims can include a user name, a role, an employee ID, and a variety of other attributes that applications use to determine authorization and permission levels.
  Trade-offs: Configuration and management requires additional planning and training.

Authentication method: Forms-based
  Advantages: Enables you to set up SharePoint Server 2010 in an environment that does not require Windows accounts. Enables you to authenticate against two or more different identity management systems when you create partner applications. Enables you to implement a custom authentication scheme by using arbitrary criteria. Enables the authentication of users coming from the Internet.
  Trade-offs: Requires customization of the Web.config file. Subject to replay attacks for the lifetime of the cookie, unless you use SSL/Transport Layer Security (TLS).

Double-Hop Scenario

The double-hop scenario in SharePoint 2010 describes a situation that can arise when NTLM authentication is used. In the double-hop scenario, IIS attempts to pass a user’s NTLM credentials to a service that is not running directly on the Web server or is running on a server that is not part of the requesting server’s farm. This type of authentication is not permitted in the Microsoft .NET Framework, because it is not secure. NTLM only authenticates the client, not the server; therefore, the Web server can pass the client credentials to any other service or client without the knowledge of the original requesting client.

Kerberos authentication provides a solution to this issue, but it requires some configuration. Kerberos allows for impersonation and delegation, which gives the Web server permission to authenticate to another service on behalf of the user. In addition, Kerberos can authenticate both the client and the server, which ensures that requests are directed only to those servers and services that the end user trusts. This feature is not active by default. You must configure the service accounts running on the Web server to use impersonation by enabling the trust for delegation settings for both the service account and server in Active Directory Users and Computers.
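As an added example (not part of the course manual), this is the PowerShell an administrator would run to give the Web application's service account the Kerberos delegation the text describes, using constrained delegation so the account can impersonate users only toward one named back-end service; the account name, host name and SPN values are placeholders.

```powershell
# Added example: register the SPNs for the SharePoint Web application's
# service account and enable Kerberos delegation so the Web server can act
# on the user's behalf toward a back-end service (the second "hop").
# Placeholders: svc_spweb, portal.contoso.local, sql01.contoso.local.
Import-Module ActiveDirectory

$svcAccount = "svc_spweb"
$webHost    = "portal.contoso.local"
$backEndSpn = "MSSQLSvc/sql01.contoso.local:1433"   # service the second hop reaches

# 1. SPNs map the Web application's host name to the account that runs its
#    application pool; without them clients silently fall back to NTLM.
setspn -S "HTTP/$webHost" $svcAccount | Out-Null
setspn -S "HTTP/$($webHost.Split('.')[0])" $svcAccount | Out-Null

# 2. Constrained delegation: the account may delegate only to the listed
#    service. This is the hardened form of the "trust for delegation"
#    setting the course refers to. Unconstrained delegation
#    (-TrustedForDelegation $true) would let the server reuse the user's
#    identity against any service, the same exposure the double-hop
#    restriction exists to prevent, so it is deliberately not set here.
Set-ADUser -Identity $svcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpn }

# Protocol transition ("use any authentication protocol") is needed when the
# front end did not itself receive a Kerberos ticket from the user, for
# example when SharePoint authenticated the user with claims.
Set-ADAccountControl -Identity $svcAccount -TrustedToAuthForDelegation $true

# 3. Verify: unconstrained delegation stays off and the allowed-to list and
#    SPNs are exactly what was intended.
$acct = Get-ADUser -Identity $svcAccount `
    -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName
[pscustomobject]@{
    Account       = $acct.SamAccountName
    Unconstrained = $acct.TrustedForDelegation              # expected: False
    DelegatesTo   = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    SPNs          = ($acct.ServicePrincipalName -join ', ')
}
```

The same check, run periodically, also surfaces accounts that were granted unconstrained delegation by hand in Active Directory Users and Computers.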
Multi-Mode Authentication

Key Points

Your logical architecture design may require two different types of users to access the same SharePoint site, for example, internal employees and external partners. In this scenario, you must plan to configure more than one authentication method. You can configure Web applications in SharePoint Server 2010 to be accessed by up to five different authentication methods or identity management systems.

The diagram on the slide illustrates a Web application that is configured to be accessed by users from two different identity management systems. Internal employees are authenticated by using one of the standard Windows authentication methods. Partners are authenticated against a separate, forms-based identity management system.

If your authentication plan must accommodate this type of scenario, you must plan to perform some additional configuration of the Web application. You must configure additional zones for the Web application for it to be accessed by more than one authentication system. Additional zones provide different logical paths to gain access to the same application. In the scenario on the slide, partners access the application through the Internet, and internal employees access the application.
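As an added example that is not from the course manual, the following PowerShell configures the two-audience scenario above together with the partner-STS trust from the multiple-farm topology: it registers a forms-based provider and a trusted identity token issuer for the partner STS, extends the Web application into the Internet zone with both while the Default zone keeps Windows authentication, and then lists which providers each zone accepts. Provider names, URLs, the realm and the certificate path are placeholders, and the partner STS is assumed to publish a sign-in URL and a token-signing certificate.

```powershell
# Added example: second zone for partners on a claims-based Web application.
# All names, URLs, the realm and the certificate path are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://portal.contoso.local"   # existing Default zone, Windows auth

# 1. Forms-based provider. The membership and role providers must also be
#    declared in web.config for the new zone's IIS site, Central
#    Administration and the STS application ("Requires customization of
#    the Web.config file" in the table above).
$fba = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "PartnerMembership" `
    -ASPNETRoleProviderName  "PartnerRoles"

# 2. Trust for the partner STS: import its token-signing certificate, map
#    the incoming e-mail claim, and use it as the identifier claim.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    "C:\certs\partner-sts-signing.cer")
New-SPTrustedRootAuthority -Name "Partner STS signing" -Certificate $cert | Out-Null
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "Email" -SameAsIncoming
$issuer = New-SPTrustedIdentityTokenIssuer -Name "PartnerSTS" `
    -Description "STS in the partner farm" -Realm "urn:sharepoint:portal" `
    -ImportTrustCertificate $cert -ClaimsMappings $emailMap `
    -SignInUrl "https://sts.partner.example/signin" `
    -IdentifierClaim $emailMap.InputClaimType
$partnerSts = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer

# 3. Extend the Web application into the Internet zone over HTTPS only:
#    the forms-based cookie is replayable for its lifetime without TLS.
New-SPWebApplicationExtension -Name "Portal - Internet" -Identity $webAppUrl `
    -Zone Internet -URL "https://partners.contoso.com" -Port 443 `
    -HostHeader "partners.contoso.com" -SecureSocketsLayer `
    -AuthenticationProvider $fba, $partnerSts

# 4. Check: each zone should list only the providers intended for it
#    (Windows on Default; forms-based and PartnerSTS on Internet).
foreach ($zone in "Default", "Internet") {
    $providers = Get-SPAuthenticationProvider -WebApplication $webAppUrl -Zone $zone
    "{0,-8} {1}" -f $zone, (($providers | ForEach-Object { $_.DisplayName }) -join ", ")
}
```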

Posted: 04/07/2014, 13:20
