Monday, June 10, 2013

Should we keep Kerberos after migrating to claims-based authentication?



SharePoint 2013 supports claims by default, and the best practice is to migrate to claims-based authentication before upgrading, as discussed in my previous blog. Since claims have some of the characteristics of Kerberos (such as delegation), can we simply rely on that and use NTLM over claims instead of going through the pain of configuring Kerberos?

The quick answer is NO: you should keep Kerberos over claims-based authentication. There are two major reasons.

1. Identity delegation - SharePoint relies on claims for most of its internal communication, but it still has external communications that require classic authentication, and for those we still recommend Kerberos. Kerberos is a delegation method that does not require the external system to be claims-aware. Claims delegation, on the other hand, requires trust between the two services and that both services are claims-aware. Below is a summary of the two delegation types.
  • Kerberos delegation — If the client authenticates with the front-end service by using Kerberos authentication, Kerberos delegation can be used to pass the client's identity to the back-end system.
  • Claims — Claims authentication allows the client's claims to be passed between services as long as there is trust between the two services and both are claims-aware.
[Diagram of delegation process]

Here is an important extract from Microsoft TechNet for your reference.

Delegation of client credentials — The Kerberos protocol allows a client's identity to be impersonated by a service to allow the impersonating service to pass that identity to other network services on the client's behalf. NTLM does not allow this delegation. (This limitation of NTLM is called the "double-hop rule".) Claims authentication, like Kerberos authentication, can be used to delegate client credentials but requires the back-end application to be claims-aware.

2. Benefit - Kerberos is still better than NTLM in claims authentication mode, just as it was in classic authentication mode. The benefit holds because not all parties in the SharePoint world support claims, because you will most likely still use classic authentication for your domain\DC machine authentication, and because Kerberos also reduces the traffic to the domain controllers.
 
The next question is: do we still need the C2WTS service?
The quick answer is YES. All authentication and communication inside SharePoint is through claims on SharePoint 2010. Any SharePoint service that relies on the Claims to Windows Token Service (C2WTS) must use Kerberos constrained delegation to allow the C2WTS to use Kerberos protocol transition to translate claims into Windows credentials. Excel Services, PerformancePoint Services and Visio Services are the three service applications and products that require the C2WTS and Kerberos constrained delegation, as we discussed in the previous blog.
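As an added example (not from the original post, and not Microsoft's own script), here is the Active Directory side of the C2WTS requirement described above: constrained delegation with protocol transition for the C2WTS service account, limited to the back-end SPNs it actually needs, plus a verification step. The domain, account and host names are assumed placeholders.

```powershell
# Added example: configure and verify Kerberos constrained delegation with
# protocol transition for the C2WTS service account, so C2WTS can turn a
# claims identity into a Windows token and delegate it to a back-end service.
# CONTOSO, svc_c2wts, svc_spweb, portal, sql01 and olap01 are hypothetical
# placeholders for this illustration, not values from the post.
Import-Module ActiveDirectory

$domain     = 'CONTOSO'
$c2wtsAcct  = 'svc_c2wts'    # identity that runs the C2WTS Windows service
$webAppAcct = 'svc_spweb'    # SharePoint web application pool identity

# Back-end SPNs the C2WTS may present a delegated ticket to. Constrained
# delegation lists its targets explicitly; anything not listed is unreachable.
$backendSpns = @(
    'MSSQLSvc/sql01.contoso.com:1433',   # Excel Services / PerformancePoint data source
    'MSOLAPSvc.3/olap01.contoso.com'     # Analysis Services data source
)

# 1. Register the front-end SPN so browsers can obtain a Kerberos ticket for
#    the web application instead of falling back to NTLM (-S refuses duplicates).
setspn -S "HTTP/portal.contoso.com" "$domain\$webAppAcct"

# 2. Protocol transition ("use any authentication protocol") is required:
#    C2WTS never receives the user's Kerberos ticket, only a claims identity,
#    so it must be allowed to request a service ticket on the user's behalf.
Set-ADAccountControl -Identity $c2wtsAcct -TrustedToAuthForDelegation $true

# 3. Constrain the delegation to the listed back-end services only.
Set-ADUser -Identity $c2wtsAcct -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpns }

# 4. Verify the result. Unconstrained delegation on this account, or targets
#    beyond the expected list, are misconfigurations that should be corrected.
$acct = Get-ADUser -Identity $c2wtsAcct -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation
if ($acct.TrustedForDelegation) {
    Write-Warning "$c2wtsAcct has unconstrained delegation enabled; constrained delegation is expected."
}
$acct | Select-Object SamAccountName, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run it from an account with rights to modify the service account, then restart the C2WTS service so the new delegation settings take effect.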

We plan to keep Kerberos over claims-based authentication, together with the C2WTS service, as the best practice.

Thanks to Ahmed Garag from Microsoft for the excellent suggestions.


