Saturday, July 02, 2011

Sharepoint 2010 Authentication Methods

SharePoint Security – SharePoint Authentication Part 1

Running SharePoint on Windows Server 2008 R2 offers a wealth of possible SharePoint authentication scenarios. You are no longer limited to the basic, often insecure authentication types.
In this article I will cover the SharePoint authentication methods, which closely mirror the Windows Server 2008 R2 authentication scenarios, since SharePoint relies on Windows Server for much of its security. I will start with an overview of the primary authentication methods and then demonstrate how to configure authentication.
SharePoint Authentication Methods
There are three general types of authentication for SharePoint. The first two base authentication modes in SharePoint 2010 are Claims Based Authentication (new in SharePoint Server 2010) and Classic Mode Authentication.

Authentication selection window during SharePoint application setup.
Classic Mode Authentication
This is the native, classic type of authentication for Windows systems. There are several methods of Windows Authentication:
• Anonymous Authentication: This method allows external, unauthenticated users to access resources; no credentials are required. It is mostly used for Internet-facing sites under SharePoint for Internet Sites licensing.
• Basic Authentication: This is an inherently insecure method and I recommend not using it. The credentials are sent in clear text, without any encryption, which nowadays is extremely easy for an attacker to sniff. This type of authentication should only be used in case of compatibility issues (with browsers, web proxies or firewalls), and only together with an SSL certificate so that the sensitive network traffic is encrypted (see SharePoint SSL Authentication). Sometimes old software deployed in the enterprise requires Basic Authentication (such as old monitoring software); if you encounter these situations, use SSL with Basic Authentication to encrypt the traffic “manually”.
• Digest Authentication: This is similar to Basic Authentication, but it provides greater security since the credentials are encrypted, so there is no way to intercept them along the traffic route.
• Certificate Authentication: This method uses public key certificate mapping for authorization. SSL encryption is used for this authentication method. Using this type of authentication over Internet traffic is not recommended.
• NTLM Authentication: This is the native authentication method for most Microsoft applications (including SharePoint). This method is secure and encrypts credentials before they are sent over the network. If you want to move your entire network authentication to Kerberos, you will have to disable NTLM, because on most systems it is the default authentication method.
• Negotiate Authentication: You can use this with either NTLM or Kerberos authentication (Kerberos is the default). On the client side you have to provide the SPN (Service Principal Name) and UPN (User Principal Name) for the account.
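To check which of the methods above are actually enabled on a farm, the following PowerShell script (an added example, not part of the original post) walks every web application zone and flags the weak combinations discussed above: Basic Authentication on a zone without SSL, anonymous access, and integrated authentication that is NTLM-only because Kerberos is disabled. It assumes it runs in the SharePoint 2010 Management Shell on a farm server as a farm administrator, and reads the per-zone IIS settings exposed by SPWebApplication.IisSettings (SPIisSettings); it reports whether a web application is in claims mode but does not enumerate claims providers.

```powershell
# Added example (not from the original post): audit the authentication settings of
# every SharePoint 2010 web application zone and flag weak combinations.
# Assumes the SharePoint 2010 Management Shell on a farm server, run as a farm admin.
if ((Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue) -eq $null) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-SPAuthAudit {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($zone in $webApp.IisSettings.Keys) {
            $iis = $webApp.IisSettings[$zone]
            $url = $webApp.GetResponseUri($zone).AbsoluteUri
            $ssl = $url.ToLower().StartsWith("https://")
            $kerberos = $iis.UseWindowsIntegratedAuthentication -and (-not $iis.DisableKerberos)

            $findings = @()
            if ($iis.UseBasicAuthentication -and -not $ssl) {
                $findings += "Basic auth without SSL: credentials cross the network in clear text"
            }
            if ($iis.AllowAnonymous) {
                $findings += "Anonymous access enabled at the IIS level"
            }
            if ($iis.UseWindowsIntegratedAuthentication -and $iis.DisableKerberos) {
                $findings += "Integrated auth is NTLM only (Kerberos disabled)"
            }

            # New-Object -Property keeps this PowerShell 2.0 compatible (the SharePoint 2010 era);
            # hashtable key order is not guaranteed there, so columns are selected explicitly below.
            New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                Zone           = $zone.ToString()
                Url            = $url
                ClaimsMode     = $webApp.UseClaimsAuthentication
                Anonymous      = $iis.AllowAnonymous
                Basic          = $iis.UseBasicAuthentication
                Kerberos       = $kerberos
                Ssl            = $ssl
                Findings       = ($findings -join "; ")
            }
        }
    }
}

# Usage: list every zone, then show only the zones with findings.
$audit = Get-SPAuthAudit
$audit | Select-Object WebApplication, Zone, Url, ClaimsMode, Anonymous, Basic, Kerberos, Ssl | Format-Table -AutoSize
$audit | Where-Object { $_.Findings -ne "" } | Select-Object Url, Findings | Format-List
```

The Ssl column is derived from the zone's response URL, so a zone that answers on http:// but is only reachable through an SSL-terminating proxy will still be flagged; treat the Findings column as a list of zones to review rather than a verdict.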
