authentication methods). Choosing Claims Based Authentication allows these as well as
forms-based authentication (FBA) and SAML token-based authentication. FBA is
typically used by SQL databases and LDAP, while SAML tokens are used by Active Directory
Federation Services, Windows Live, and other claims-based authentication providers.
2. Because it rarely hurts to have options, let’s choose Claims Based Authentication.
A BRIEF LOOK AT CLAIMS-BASED AUTHENTICATION
Claims-based authentication is a newer approach to authentication that is actually pretty dramatic.
Instead of having an application (such as SharePoint) build multiple connections for user
authentication, claims-based authentication handles things differently. The user authenticates to an issuer,
who verifies their identity and provides them with a signed security token that contains their claims
(credentials). Then, when connecting to the application, the user hands it the signed token. This
saves having to log in again or having the application reverify the user’s account with the issuer. It’s
been compared to an airport boarding pass. The issuer (front desk) handles the validation, confirms
that the user has permission to get on the plane, and then hands them the token (boarding pass)—all
SharePoint needs to do is make sure everyone has a boarding pass, without having to worry about
how it was issued (NTLM, FBA, Kerberos, LDAP, Basic with a username and password login page,
or the like). This is done via Security Assertion Markup Language (SAML)—basically, using XML
and SSL to wrap up a nice boarding pass for use with websites.
Microsoft has been deploying claims-based authentication with its Active Directory Federation
Services (the chunk of AD that issues the token to the user after they log in via normal means to AD)
and Windows Identity Foundation (for writing ASP.NET code to support claims-based
authentication in custom code).
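As an added illustration of the split described above (the issuer signs the claims once, and the application then validates the token with nothing but the issuer's key, never calling the issuer back), here is example code that is not from the book or from SharePoint. It assumes a shared HMAC key standing in for the issuer's signing certificate, plus a constructed issuer name and audience identifier; a real SAML token carries an XML Signature instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: in a real deployment the issuer signs with its
# X.509 certificate and the relying party holds only the public half.
ISSUER_KEY = b"demo-shared-key-not-a-real-secret"
ISSUER = "https://sts.example.test/"      # assumed issuer (STS) name
AUDIENCE = "urn:sharepoint:portal"        # assumed relying-party identifier


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, now: int, lifetime: int = 600) -> str:
    """Issuer side: after authenticating the user, sign the claims once."""
    body = dict(claims, iss=ISSUER, aud=AUDIENCE, exp=now + lifetime)
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_token(token: str, now: int) -> dict:
    """Relying-party side: check the 'boarding pass' without contacting the issuer."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    # Constant-time compare; any altered byte or foreign key fails here.
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature invalid: token altered or not from a trusted issuer")
    claims = json.loads(payload)
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different application")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims
```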
Although a detailed discussion of claims-based authentication is beyond the scope of this topic,
there are a couple of things you should know:
- If you ever intend to use claims-based authentication, you need to apply it to the web
application on creation. You can’t create a classic mode web application and then later extend the web
application to use claims-based authentication on a different zone (for more about extended
web applications see the “Creating a New Public URL (by Extending a Web Application)”
section later in the chapter).
- If you’re using claims-based authentication, make sure the Default zone uses Windows NTLM
authentication to ensure that the search indexer (also known as a gatherer or crawler) can log
in and index the site. Otherwise, Search may not function. This is especially true if the web
application is using a custom port.
And if your network ever deploys Active Directory Federated Services, rest assured that SharePoint
Foundation is ready to go.
IIS Web Site
We need to specify which IIS Web Site the new web application will use.
On the off chance you already created a Web Site in IIS for this web application, you could
choose it from the list. In this case, we have not, so we need to create a new one.