Objective: To understand how Windows claims-based authentication works in SharePoint 2013.

Windows claims authentication video [2 min] (transcript)

After viewing the video, use the following to practice and review:

	Practice in the SharePoint Server 2013 3-tier farm test lab
	Review questions

Next module in the series (forms-based authentication)

See Fast Learner Modules for Claims Authentication in SharePoint 2013 for all of the modules in this Fast Learner series.

SharePoint 2013 Claims Authentication Resources

• Claims-Based Authentication Portal (http://aka.ms/spclm)
• Plan for user authentication methods
• Configure authentication infrastructure
• Share-n-dipity blog

Review Questions

1. What information does the SharePoint server use to construct the claims-based security token?
   
   
2. Does the SharePoint server send the claims-based security token to the user's computer after it is constructed?
   
   
3. Under what circumstances is a user prompted for credentials when using Internet Explorer?
   
   
4. True or False: For the NTLM or Kerberos authentication protocols, the user computer performs authentication with the AD DS domain controller. For the basic authentication protocol, the user computer performs authentication with the IIS Web Server service on the SharePoint server.
   
   
5. [Extra Credit] For the Kerberos or NTLM authentication protocols, what is the fundamental difference between Windows claims authentication and Windows classic authentication with respect to the passing and verification of user credentials?
   
   

For the answers to these review questions, click here.

Video Transcript

Let’s step through the Windows claims authentication process for SharePoint 2013.

Windows claims authentication is an interaction between a client computer, a SharePoint server, and an Active Directory Domain Services, or AD DS, domain controller.

• Step 1: Assuming that the client computer does not already have a claims-based security token, Windows claims authentication occurs when it makes an initial anonymous request of a secured SharePoint web page.
• Step 2: The SharePoint server responds with a request for the user’s Windows credentials, which can be sent using the NTLM, Kerberos, or basic authentication protocols.
• Step 3: If the user is using Internet Explorer and the web site is listed in the Local Intranet zone, Internet Explorer automatically submits the current user’s logged-on credentials. Otherwise, the user is prompted. In either case, the client computer then sends the user’s Windows credentials.
• Step 4: The SharePoint server then validates the Windows user credentials with an AD DS domain controller, which responds with a Windows security token.
• Step 5: The SharePoint server then queries the domain controller for the list of security groups to which the user account belongs.
• Step 6: The Security Token Service on the SharePoint server then creates a claims-based security token and stores with the Distributed Cache service on the SharePoint farm. Claims in the security token are based on the Windows security token and the group membership of the user account.
• Step 7: The IIS Web server on the SharePoint server then sends an authorization code to the client computer. If the user is authorized to access the requested web page, through analysis of the claims in the security token and the configured permissions, the SharePoint server then sends the contents of the page. For subsequent requests, the client computer uses the authorization code for authentication.

For additional information about claims authentication, go to the SharePoint 2013 claims authentication portal at aka.ms/spclm.

Also visit technet.com/sharepoint.

Answers to Review Questions

1. What information does the SharePoint server use to construct the claims-based security token?

Answer: The Windows security token of the user's credential validation and the AD DS group membership of the user account.

2. Does the SharePoint server send the claims-based security token to the user's computer after it is constructed?

Answer: No. The SharePoint server stores the security token in the distributed cache and sends an authorization code to the user's computer for subsequent authentications.

3. Under what circumstances is a user prompted for credentials when using Internet Explorer?

Answer: If the web site is not listed in the Local Intranet zone.

4. True or False: For the NTLM or Kerberos authentication protocols, the user computer performs authentication with the AD DS domain controller. For the basic authentication protocol, the user computer performs authentication with the IIS Web Server service on the SharePoint server.

Answer: False. For all authentication protocols (NTLM, Kerberos, and basic), the user computer performs authentication with the SharePoint server.

5. [Extra Credit] For the Kerberos or NTLM authentication protocols, what is the fundamental difference between Windows claims authentication and Windows classic authentication with respect to the passing and verification of user credentials?

Answer: With Windows claims authentication, the user computer passes authentication credentials to the SharePoint server, which uses the Security Token Service to create the claims-based security token. With Windows classic authentication, the user computer passes authentication credentials to the AD DS domain controller to obtain a Windows security token or Kerberos ticket.