Thursday, February 23, 2012

Claims Based Authentication & Classic Mode Authentication in SharePoint 2010

When you are creating a new web application in SharePoint 2010, you have to select one of these two authentication modes: Claims Based Authentication or Classic Mode Authentication.

I was always selecting the first one, not because I knew why I was selecting it, but because it is selected by default. So today I decided to learn about these two authentication modes and pick the suitable one rather than just accepting the default option. I am writing down what I learned, so anyone who is doing the same thing as me can stop repeating it in the future.

SharePoint 2010 supports a variety of authentication methods, which fall into several authentication method categories. Since I am no expert on these and they are serious topics of their own, I will just summarize them this way.

Method category                  Authentication methods
Windows authentication           NTLM
Forms-based authentication       Lightweight Directory Access Protocol (LDAP)
                                 Microsoft SQL Server database or other database
                                 Custom or third-party membership and role providers
SAML token-based authentication  Active Directory Federation Services (AD FS) 2.0
                                 Third-party identity provider
                                 Lightweight Directory Access Protocol (LDAP)

In SharePoint 2010, the authentication mode determines how client computers authenticate to its resources. SharePoint 2010 supports these two authentication modes:
  1. Claims Based Authentication
  2. Classic Mode Authentication
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be, based on the user identity. In an environment with Active Directory Domain Services (ADDS) installed, user identity is based on a user account. Your user account contains your user name, password, group membership information, etc. To authenticate your account, the application matches the information you supplied against the information held in Active Directory.

The nice point is this: if you use Claims Based Authentication, you can use all the authentication methods listed in the table above. If you use Classic Mode Authentication, you are limited to the methods under the Windows authentication category.

In Claims Based Authentication, the user obtains a security token that is digitally signed by a commonly trusted identity provider and contains a set of claims. Each claim represents a specific item of data about the user, such as his or her name, group memberships, and role on the network. Claims-based authentication is user authentication that uses claims-based identity technologies and infrastructure. Applications that support claims-based authentication obtain the security token from the user and use the information within the claims to determine access to resources; no separate query to a directory service like ADDS is needed. Claims-based authentication in Windows is built on Windows Identity Foundation (WIF), which is a prerequisite for installing SharePoint 2010.
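To make that model concrete, here is an added example (not code from the original post, and not how SharePoint or WIF implement it) of an identity provider issuing a signed set of claims and an application that decides access from the token alone, with no directory lookup. The issuer name, signing key and "Site Owners" group are constructed; real SAML tokens use XML signatures, but the trust checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a trusted identity provider (IdP) and a relying party (the
# application). The shared key stands in for the IdP signing key the application
# trusts; real SAML/WIF tokens use XML signatures, but the trust model is the same.
TRUSTED_ISSUERS = {"urn:example:adfs": b"constructed-signing-key"}  # hypothetical

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, key, claims, ttl=300, now=None):
    """IdP side: serialize the claims and sign them, returning a bearer token."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"iss": issuer, "exp": now + ttl, "claims": claims}, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(sig)

def validate_token(token, now=None):
    """Relying-party side: check issuer trust, signature and expiry, then return
    the claims. No directory query: everything needed is carried in the token."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = unb64(body_b64), unb64(sig_b64)
        payload = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed token")
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")  # only a commonly trusted IdP counts
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")  # claims were altered or forged
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload["claims"]

def can_edit_site(token, now=None):
    """Authorization decision driven purely by a group-membership claim."""
    try:
        return "Site Owners" in validate_token(token, now).get("groups", [])
    except ValueError:
        return False
```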

In Classic Mode Authentication, SharePoint Server 2010 treats user accounts as Active Directory Domain Services (ADDS) accounts.

Hope you all got a good understanding of Claims Based Authentication & Classic Mode Authentication. I appreciate your feedback.

Happy Coding.