In this post we will discuss the different authentication mechanisms in SharePoint 2010. A user's identity must be validated before that user can use a SharePoint application.
Authentication methods determine which type of identity directory is used and how users are authenticated by IIS. SharePoint supports the following types of authentication:
- Windows Authentication
- Forms Authentication
- Claims-based Authentication
- Web Single Sign-On Authentication
Windows Authentication uses Active Directory to validate users. When Windows Authentication is selected, IIS uses the Windows Authentication protocol that is configured in IIS.
Security policies such as account expiration, password complexity, and password history that apply to user accounts are configured within Active Directory, not in SharePoint.
When a user attempts to authenticate to a SharePoint web application using Windows Authentication, IIS validates the user against NTFS and Active Directory; once validation succeeds, the user is authenticated and SharePoint applies that user's access levels.
Anonymous access associates unknown users with an anonymous user account (IUSR_machinename). It is commonly used on Internet-facing sites. However, this configuration is disabled by default.
In order to configure anonymous access to a SharePoint application, anonymous access must be enabled in IIS and the SharePoint application, and the anonymous user account must be provisioned.
Anonymous users are only allowed to read, and they are unable to edit, update, or delete content.
Forms-based Authentication is used against a custom authentication provider, such as a custom LDAP directory or a SQL Server database.
Claims-based identity is a security model for authentication and authorization built on Windows Identity Foundation (WIF).
Web Single Sign-On:
The Web Single Sign-On authentication method is used in environments configured for federated identity systems. An independent identity management system integrates user identities across heterogeneous directories and provides the user validation for IIS. This includes Microsoft Identity Information Server with Active Directory Federation Services, Oracle Identity Management with Single Sign-On and Web Access Control, and Sun Microsystems Java System Identity Manager.
In SharePoint it is possible to configure a combination of authentication methods. For instance, employees and external partners can use different methods, such as Active Directory for internal users and a SharePoint list via Forms Authentication for others. This is achieved by defining two zones and associating an authentication method with each zone: the intranet zone is configured with Windows Authentication and an extranet zone is configured with ASP.NET Forms Authentication.
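The two-zone setup described above, as an added SharePoint 2010 Management Shell example (not code from the original post). The application name, URLs, app pool account and membership/role provider names are placeholders; the forms providers are assumed to already be registered in web.config.

```powershell
# Added example: a claims-based web application with Windows authentication on the
# Default (intranet) zone, extended to an Extranet zone that uses ASP.NET Forms
# authentication. All names, accounts and URLs below are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Windows (integrated) authentication for internal users on the Default zone.
$windowsProvider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

# Forms authentication for external partners. The provider names must match the
# <membership> and <roleManager> entries registered in the web.config of the web
# application, Central Administration and the SecurityTokenServiceApplication,
# otherwise logins to the Extranet zone fail with a provider-not-found error.
$formsProvider = New-SPAuthenticationProvider `
    -ASPNETMembershipProvider "SqlMembershipProvider" `
    -ASPNETRoleProviderName "SqlRoleProvider"

# Intranet entry point. Creating the application with -AuthenticationProvider puts
# it in claims mode, which is required before Forms authentication can be added.
$webApp = New-SPWebApplication -Name "Contoso Portal" `
    -ApplicationPool "ContosoPortalAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\spapppool") `
    -Url "http://portal.contoso.local" -Port 80 `
    -AuthenticationProvider $windowsProvider

# Extranet entry point: same content, different zone and authentication method,
# served only over SSL so forms credentials are never sent in clear text.
New-SPWebApplicationExtension -Identity $webApp -Name "Contoso Portal - Extranet" `
    -Zone Extranet `
    -Url "https://partners.contoso.com" -Port 443 -SecureSocketsLayer `
    -AuthenticationProvider $formsProvider

# Verify which provider is bound to each zone (re-read the object after extending).
$webApp = Get-SPWebApplication "http://portal.contoso.local"
foreach ($zoneName in @("Default", "Extranet")) {
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::$zoneName
    $names = $webApp.IisSettings[$zone].ClaimsAuthenticationProviders |
        ForEach-Object { $_.DisplayName }
    "{0}: {1}" -f $zoneName, ($names -join ", ")
}
```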