
Thursday, November 18, 2010

Using Forms Authentication for SharePoint 2007

What is Authentication?
"Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted the credentials is considered an authenticated identity." (Quoted from MSDN)
What is Authorization?
"Authorization determines whether an identity should be granted access to a specific resource." (Quoted from MSDN)
What Authentication Types are Supported by SharePoint?
In SharePoint 2003, only Active Directory authentication was supported.  New to SharePoint 2007 is the extensible ASP.NET 2.0 Provider Model.  This allows a range of standard authentication types and the ability to create a custom provider.  Listed below are the methods available to authenticate to SharePoint 2007.  Another change from SharePoint 2003 to SharePoint 2007 is Zones.
Windows (Integrated)
  • NTLM (Local Users or Active Directory)
  • Kerberos (Requires Active Directory)
Forms
  • SQL Membership Provider
  • Lightweight Directory Access Protocol (LDAP) Provider
  • Active Directory Provider
  • Active Directory Application Mode (ADAM)
  • Custom Provider
Single Sign-On (SSO)
  • Active Directory Federation Services (ADFS)
  • Other Identity Management Systems (3rd party)
Here is a brief summary of each authentication type listed above.
Windows (Integrated)
NTLM - A challenge-response authentication protocol that allows a client to prove its identity without sending its password to the server, by creating a shared context between the two parties and using a shared session key.  This method is used with Active Directory or local accounts.
Kerberos - Requires a trusted third party (Active Directory) to mediate between two entities that want to authenticate to one another, such as a User and a Resource.  This is done through a ticketing system known as a Key Distribution Center (KDC), which in this case is Active Directory.  By the way, Kerberos communications are encrypted using symmetric cryptography.  Kerberos has another advantage over NTLM: delegation.  It can perform a double hop, which means Entity A can forward (delegate) a ticket to Entity B, which can then use Entity A's ticket to authenticate to Entity C.  Kerberos also scales better for large environments because one Entity doesn't need to request authentication from another Entity to prove its identity; it just needs to send its ticket to that Entity.
Forms - Uses an authentication ticket created when the user logs on to a site.  The ticket can be contained in a cookie or passed in a query string.  Each time a request is received, after the initial authentication process, the authentication cookie is retrieved, decrypted and compared with its key.  The user credentials are stored in one of the user stores listed above or a custom provider can be created to use another type.
SQL Membership - Accesses user credentials from a SQL Membership Database.
Lightweight Directory Access Protocol (LDAP) - Accesses user credentials from a non-Microsoft or legacy user store.
Active Directory - Accesses user credentials from a Microsoft Active Directory user store.  Can be used to access Active Directory in a different domain or in a hosting scenario.
Active Directory Application Mode (ADAM) - Accesses user credentials from an application-specific, lightweight version of Active Directory.
Custom - Accesses user credentials from a custom defined user store that is not supported by a method above or has specialized features.
Single Sign-On (SSO) - Provides access to resources across domains without the need to provide a credential every time.  The simple answer is you login to your domain and through defined trusts you can be granted access to various resources outside of your own domain.
Active Directory Federation Services (ADFS) - Enables secure Single Sign-On between domains to allow Entities from one Domain to access Entities in another Domain.  This can allow Company A to grant Company B access to a resource on its Domain by creating a Trust Relationship between the companies and allowing specific Entities access to specific resources.
Other Identity Management Systems (3rd Party) - Same concept as ADFS but a 3rd-party solution with a custom SSO module.  This would provide support for systems such as those made by Novell, RSA Security, IBM, Sun Microsystems, SAP and Computer Associates.

What is a Zone?
A zone serves several purposes, which include Load Balancing and Authentication boundaries.  SharePoint’s authentication model is specified at the Web Application level, which is associated with an IIS web site.  Site Collections and sub-sites are expressed as part of the application tier and have no physical presence on the file system.  If you choose to implement multiple authentication providers, you can extend the Web Application to additional Zones.  Zones allow the site to implement additional authentication providers for the same Web Application.  The Zones available are Default, Intranet, Internet, Extranet and Custom; the default Zone is Default.  A Web Application can use any single Zone or extend to any combination of them.  When extending a Web Application to a new Zone, a new physical IIS web site is created.
An important thing to note about Zones and Authentication is that the Default Zone needs to use NTLM in order for the Search Index service to crawl content within a Site Collection.  A Policy also needs to be created for the Web Application to allow the account for the Index to read all content for the Web Application.
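As an added example (not part of the original post), the fragment below shows the shape of the web.config changes a forms-authenticated Zone of a SharePoint 2007 Web Application needs when the user store is the ASP.NET 2.0 SqlMembershipProvider.  The server name, database name, connection string name and provider names (FbaConnection, FbaMembers, FbaRoles) are placeholders; the provider types and the _layouts/login.aspx page are the standard ones that ship with ASP.NET 2.0 and SharePoint 2007.

```xml
<!-- Added example, not from the original post: web.config fragment for the
     forms-authenticated Zone of a SharePoint 2007 Web Application backed by
     the ASP.NET SQL membership provider.  Server, database and provider
     names are placeholders; replace them with your own. -->
<configuration>
  <connectionStrings>
    <!-- aspnetdb is the schema created by aspnet_regsql.exe; the application
         pool identity needs a login on this database for Integrated Security. -->
    <add name="FbaConnection"
         connectionString="Server=SQLSERVER01;Database=aspnetdb;Integrated Security=True" />
  </connectionStrings>
  <system.web>
    <!-- Switch this Zone to Forms; SharePoint 2007 provides its own login page. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <membership defaultProvider="FbaMembers">
      <providers>
        <add name="FbaMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaConnection"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="FbaRoles">
      <providers>
        <add name="FbaRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaConnection"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

A few points a practitioner would check: passwordFormat="Hashed" together with enablePasswordRetrieval="false" keeps clear-text passwords out of the membership database, and the maxInvalidPasswordAttempts/passwordAttemptWindow pair gives the provider a lockout against password guessing.  The same membership and role provider entries also need to be added to the Central Administration web.config (without changing its authentication mode) so that the people picker can resolve forms users, and the provider names are then selected for the Zone on the Authentication Providers page in Central Administration.  Keep the Default Zone on NTLM, as noted above, so the Search Index service can still crawl the content.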

We know the ways to authenticate to SharePoint 2007, so what do all these terms mean?  Below are some links on planning your authentication for SharePoint and information about the different types of authentication.

Plan authentication methods for SharePoint 2007
Plan for user accounts and authentication - Authentication Samples
About Microsoft NTLM Authentication
About Microsoft Kerberos Authentication
Understanding LDAP (Light Weight Directory Access Protocol)
LDAP Query Basics
Blog: Jeff Schroeder - Setting up ADFS for a Web Application (maybe even SharePoint 2007...)
Identity & Access Management: Create Custom Directories with ADAM
ASP.NET 2.0 Provider Model: Introduction to the Provider Model
