Authentication is the process by which the identity of a user who requests access to a SharePoint web application and its contents is verified. Authentication controls whether or not a user has permission to access sites on a SharePoint web application.
Authorization is the process by which a user is granted access to specific resources within a SharePoint site. Authorization controls what documents, lists, libraries, etc. a user can access on a SharePoint site once they have been successfully authenticated.
The result of a claims-based authentication is a claims-based security token, which the SharePoint Security Token Service (STS) generates. The result of a Windows classic mode authentication is a Windows security token. We recommend that you use claims-based authentication for user authentication.
SharePoint 2013 supports the following authentication types:
Windows authentication is the simplest because it takes advantage of a company’s existing authentication provider (i.e. Active Directory) to validate a user’s credentials and grant or deny permission to access SharePoint sites.
Windows authentication provides the most seamless user experience for users who already have access to Windows-based network resources because once the user has logged onto the domain, they are not required to provide their credentials again to access SharePoint. The two most common types of Windows authentication are NTLM and Kerberos.
Forms-based authentication is a claims-based identity management system that validates users based on credentials that the user provides via a login form on a web page. When the user submits the form, the username and password that were provided are validated against credentials that are stored in a membership provider such as a SQL Server database.
Forms-based authentication allows for credentials to be created and stored for non-domain users who are external to an organization. Forms-based authentication can be used against credentials that are stored in an authentication provider such as the following:
- Active Directory Domain Services
- A database such as a SQL Server database
- A Lightweight Directory Access Protocol (LDAP) data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE
SAML token-based authentication
A SAML token-based authentication environment relies on at least one identity provider security token service (IP-STS) to handle the actual authentication of users. Moreover, SAML token-based authentication allows for the authentication of users from multiple attribute stores.
The available types of authentication providers for SAML token-based authentication depend on the IP-STS being used in an environment. If Active Directory Federation Services 2.0 is used, authentication providers (known as attribute stores for AD FS 2.0) can include the following:
- Windows Server 2003 Active Directory and AD DS in Windows Server 2008
- All editions of SQL Server 2005 and SQL Server 2008
- Custom attribute stores
SharePoint 2013 also supports multiple authentication providers for a single web application. If there is only one zone for a web application and multiple authentication methods are configured, users will be presented with a dropdown box prompting them to choose which authentication provider they wish to use.
Another point to consider is that the SharePoint crawl component requires NTLM to access content. Therefore, at least one zone on a web application must be configured to use NTLM authentication. If NTLM authentication is not configured on the default zone, the crawl component can use a different zone that is configured to use NTLM authentication.
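The two points above (several providers on one zone, and the crawl component's need for an NTLM zone) can be checked across a farm with the script below. It is an added example, not code from the original article, and it assumes it runs in the SharePoint 2013 Management Shell on a farm server with farm-administrator rights; the function name Get-SPZoneAuthReport is the example's own.

```powershell
# Added example (not from the original article). Assumes the SharePoint 2013
# Management Shell on a farm server; Get-SPZoneAuthReport is a name chosen here.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPZoneAuthReport {
    foreach ($wa in Get-SPWebApplication) {
        $ntlmZoneFound = $false
        foreach ($entry in $wa.IisSettings.GetEnumerator()) {
            $zone = $entry.Key        # Default, Intranet, Internet, Custom or Extranet
            $iis  = $entry.Value      # SPIisSettings for that zone
            $providers = @($iis.ClaimsAuthenticationProviders)

            # Windows authentication on a zone is "NTLM" when Kerberos is disabled,
            # otherwise the zone is set to Negotiate (Kerberos).
            $windowsMode = "none"
            if ($iis.UseWindowsIntegratedAuthentication) {
                if ($iis.DisableKerberos) {
                    $windowsMode = "NTLM"
                    $ntlmZoneFound = $true
                } else {
                    $windowsMode = "Negotiate (Kerberos)"
                }
            }

            [pscustomobject]@{
                WebApplication = $wa.DisplayName
                Zone           = $zone
                Claims         = $iis.UseClaimsAuthentication
                WindowsAuth    = $windowsMode
                # More than one provider on a single zone means users see the
                # provider dropdown at sign-in.
                ProviderCount  = $providers.Count
                Providers      = ($providers | ForEach-Object { $_.DisplayName }) -join ", "
            }
        }

        # The crawl component requires NTLM, so every web application needs at
        # least one zone (not necessarily Default) configured for NTLM.
        if (-not $ntlmZoneFound) {
            Write-Warning "$($wa.DisplayName): no zone is configured for NTLM; the crawl component cannot access its content."
        }
    }
}

Get-SPZoneAuthReport | Format-Table -AutoSize
```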