SharePoint 2013 uses claims-based authentication by default, and the best practice is
to migrate your web applications to claims-based authentication before the upgrade, as discussed in my
previous blog. Since claims-based authentication shares some characteristics with Kerberos (delegation,
for example), can we simply rely on claims with NTLM as the Windows authentication method instead of
going through the pain of configuring Kerberos?
The quick answer is NO: keep Kerberos as the Windows authentication method for your claims-based web applications.
There are two major reasons.
1. Identity delegation - SharePoint carries most of its inter-service communication on claims, but there are still external systems (data sources and back-end services) that require classic Windows authentication, and for those we still recommend Kerberos. Kerberos delegation is the one delegation mechanism that does not require the external system to be claims-aware. Claims delegation, on the other hand, requires a trust between the two services, and both services must be claims-aware. Below is a summary of the two delegation methods.
- Kerberos delegation — If the client authenticates with the front-end service by using Kerberos authentication, Kerberos delegation can be used to pass the client's identity to the back-end system.
- Claims — Claims authentication allows the client's claims to be passed between services as long as there is trust between the two services and both are claims-aware.
Here is an important extract from Microsoft TechNet for your reference.
Delegation of client credentials — The Kerberos protocol allows a client's identity to be impersonated by a service to allow the impersonating service to pass that identity to other network services on the client's behalf. NTLM does not allow this delegation. (This limitation of NTLM is called the "double-hop rule".) Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware.
2. Benefit - Kerberos is still better than NTLM in claims authentication mode, just as it was in classic authentication mode. The benefit still holds because not all parties in the SharePoint world support claims, because you will most likely still use classic Windows authentication for machine and service accounts in your domain, and because Kerberos reduces the authentication traffic to domain controllers (NTLM sends every authentication to a domain controller for validation, whereas a Kerberos service ticket is validated by the service itself).
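To turn the recommendation above into something you can check, here is an added example (not code from the original post) that audits every web application and zone in a farm for claims mode plus Kerberos, flags zones that are NTLM-only, and switches a claims-mode zone to Negotiate (Kerberos). It assumes it runs in the SharePoint Management Shell on a farm server as a farm administrator; the URL and account names (portal.contoso.com, CONTOSO\svc_portal) are assumptions.

```powershell
# Added example, not code from the original post. Audits every web application and zone
# in the farm for claims mode plus Kerberos, and flags zones that are NTLM-only.
# Assumes the SharePoint Management Shell on a farm server, run as a farm administrator.
# portal.contoso.com and CONTOSO\svc_portal below are assumed names.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WindowsAuthReport {
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis = $wa.IisSettings[$zone]
            [pscustomobject]@{
                WebApplication  = $wa.DisplayName
                Zone            = $zone
                Url             = $wa.GetResponseUri($zone).AbsoluteUri
                ClaimsMode      = $wa.UseClaimsAuthentication
                WindowsAuth     = $iis.UseWindowsIntegratedAuthentication
                # DisableKerberos = $true means IIS offers only NTLM on this zone;
                # $false means Negotiate, i.e. Kerberos with NTLM fallback.
                KerberosEnabled = $iis.UseWindowsIntegratedAuthentication -and -not $iis.DisableKerberos
            }
        }
    }
}

# Zones that use Windows authentication but will never issue a Kerberos ticket.
function Get-NtlmOnlyZones {
    Get-WindowsAuthReport | Where-Object { $_.WindowsAuth -and -not $_.KerberosEnabled }
}

# Switch a claims-mode zone from NTLM-only to Negotiate (Kerberos). The web application
# must already be in claims mode; classic web applications are converted first with
# Convert-SPWebApplication -Identity <url> -From Legacy -To Claims -RetainPermissions.
function Enable-KerberosOnZone {
    param(
        [Parameter(Mandatory)][string]$WebApplicationUrl,
        [Microsoft.SharePoint.Administration.SPUrlZone]$Zone = 'Default'
    )
    $wa = Get-SPWebApplication -Identity $WebApplicationUrl
    if (-not $wa.UseClaimsAuthentication) {
        throw "$WebApplicationUrl is a classic-mode web application; convert it to claims first."
    }
    # Omitting -DisableKerberos gives Negotiate; adding it would make the zone NTLM-only.
    $provider = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication
    Set-SPWebApplication -Identity $wa -Zone $Zone -AuthenticationProvider $provider
}

# Kerberos only works if the application pool account has an HTTP SPN for every host
# name the zone answers on; without it, Negotiate silently falls back to NTLM.
# Register it from an elevated prompt as a domain administrator (assumed values):
#   setspn -S HTTP/portal.contoso.com CONTOSO\svc_portal

Get-NtlmOnlyZones | Format-Table -AutoSize
```

Enabling Negotiate is not the same as proving Kerberos is used: after the change, run `klist` on a client that has opened the site and confirm a ticket for `HTTP/<host name>` is present, or check the Security log on the web front end for event 4624 with Authentication Package "Kerberos" rather than "NTLM". If the SPN is missing or duplicated (`setspn -X` lists duplicates), every logon quietly falls back to NTLM and the delegation benefit described above is lost.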
The next question is whether we still need the C2WTS service.
The quick answer is YES. Since SharePoint 2010, all
authentication and communication inside SharePoint is claims-based. Any SharePoint service that relies on the Claims to Windows
Token Service (C2WTS) must use Kerberos constrained delegation, so that the
C2WTS can use Kerberos protocol transition to translate the claims identity into a Windows
token. Excel Services, PerformancePoint Services
and Visio Services are the three service applications that
require the C2WTS and Kerberos constrained delegation, as discussed in the
previous blog.
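The constrained delegation with protocol transition described above is set on the Active Directory account, not in SharePoint. The following added example (not code from the original post) grants it to the C2WTS service account for a SQL Server data source, then reports the delegation settings and the C2WTS service instances in the farm. Account and host names are assumptions: CONTOSO\svc_c2wts as the C2WTS service account, CONTOSO\svc_excel as the Excel Services application pool account, and sql01.contoso.com:1433 as the data source. It assumes a farm server with the ActiveDirectory module (RSAT) installed, run as a domain administrator.

```powershell
# Added example, not code from the original post. Grants Kerberos constrained delegation
# with protocol transition to the accounts that must turn a claims identity into a
# Windows token for a back-end data source, then verifies the result.
# Assumed names: svc_c2wts (C2WTS service account), svc_excel (Excel Services application
# pool account), MSSQLSvc/sql01.contoso.com:1433 (the data source SPN).
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-C2wtsConstrainedDelegation {
    param(
        [string[]]$DelegatingAccounts = @('svc_c2wts', 'svc_excel'),
        [string[]]$BackEndSpns = @('MSSQLSvc/sql01.contoso.com:1433', 'MSSQLSvc/sql01.contoso.com')
    )
    foreach ($account in $DelegatingAccounts) {
        # Constrained: the account may obtain service tickets on a user's behalf only for
        # these SPNs (msDS-AllowedToDelegateTo). Keep the list to the data sources in use.
        Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }
        # Protocol transition ("use any authentication protocol"). The C2WTS starts from a
        # claims identity, not from a Kerberos ticket, so it must first request a ticket for
        # the user to itself (S4U2Self) before delegating it (S4U2Proxy); that needs this flag.
        Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $true
    }
}

# Report what Active Directory actually holds for each delegating account.
function Get-C2wtsDelegationReport {
    param([string[]]$Accounts = @('svc_c2wts', 'svc_excel'))
    $Accounts | ForEach-Object {
        Get-ADUser -Identity $_ -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
            Select-Object SamAccountName, TrustedToAuthForDelegation,
                @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
    }
}

# The C2WTS is stopped by default and must be running on every server that hosts
# Excel, Visio or PerformancePoint Services (Start-SPServiceInstance where needed).
function Get-C2wtsServiceStatus {
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -eq 'Claims to Windows Token Service' } |
        Select-Object @{ n = 'Server'; e = { $_.Server.Address } }, Status, Id
}

Set-C2wtsConstrainedDelegation
Get-C2wtsDelegationReport | Format-Table -AutoSize
Get-C2wtsServiceStatus | Format-Table -AutoSize
```

Two practitioner caveats. First, the C2WTS must run as that domain account rather than Local System (Central Administration, Security, Configure service accounts), and the account needs the local rights Act as part of the operating system, Impersonate a client after authentication and Log on as a service on each server where the service is started. Second, TrustedToAuthForDelegation is a high-value setting: whoever controls the account can obtain a ticket for any domain user to the listed SPNs, except users marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group. Treat the C2WTS account as privileged, give it a dedicated long random password, keep the SPN list minimal, and mark administrative accounts as not delegable so a compromised service account cannot impersonate them to the data source.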
We will keep Kerberos with claims-based authentication, and keep the C2WTS service, as the best practice.
Thanks to Ahmed Garag from Microsoft for the excellent suggestions.