Wednesday, September 15, 2010

Form Based Authentication in SharePoint 2010 and what it has to do with Claim Based Authentication.

Starting with SharePoint Server 2007 it is possible to use an ASP.NET membership and role provider for authentication (meaning you are no longer limited to pure Windows authentication). SharePoint Server 2010 extends this model by adding claims-based authentication.

For authentication in SharePoint 2010 you can choose between two models:

  • Classic mode authentication
  • Claims based authentication mode

Classic mode is provided mostly for legacy purposes since claims is the way forward – take a look at Plan Authentication Methods (SharePoint 2010) on Technet for more details.

If you plan to use anything other than plain Windows authentication you have to go for claims-based authentication (CBA). Claims-based authentication in 2010 supports the following underlying authentication mechanisms:

  • Windows claims (when you log on with NTLM or the Kerberos protocol)
  • Forms-based authentication claims (when you use an ASP.NET membership and role provider – for example with a SQL Server or Oracle database as the back-end store)
  • Security Assertion Markup Language (SAML) claims – when you log on by using a security token service (STS), such as Active Directory Federation Services (AD FS) 2.0.

Claims-based authentication in 2010 is implemented on top of Windows Identity Foundation (WIF) – so I recommend that you take a look at this blog post, which collects a number of resources to get you started – Windows Identity Foundation resources for SharePoint 2010 developers.

I wanted to try out forms-based authentication claims using SQL Server as the back-end store. I tried a number of walkthroughs, but this one worked like a charm – Configuring claims and form-based authentication for use with a SQL provider in SharePoint 2010 (thank you, Spence, for pointing me in the right direction).
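
As an added illustration (not from the original post or the linked walkthrough), this is the kind of SQL-backed ASP.NET membership and role provider registration that forms-based authentication claims rely on in the web application's web.config; the provider names, connection string name, server and database are assumed placeholders. The comments mark the settings that matter from a security point of view.

```xml
<!-- Added example (not from the original post): SQL-backed ASP.NET membership and
     role providers for SharePoint 2010 forms-based authentication claims.
     Provider names ("FbaMembers", "FbaRoles"), the connection string name, the
     server and the database are assumed placeholders.
     SharePoint's own claims provider entries ("i" for membership, "c" for roles)
     that are already in web.config stay as the defaults; the SQL providers are
     added beside them, never in their place. -->
<configuration>
  <connectionStrings>
    <!-- Integrated security: the application pool identity authenticates to
         SQL Server, so no SQL login password is stored in web.config. -->
    <add name="FbaSqlConnection"
         connectionString="Server=SQLSERVER01;Database=FbaUsers;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <add name="FbaMembers"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaSqlConnection"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1" />
        <!-- passwordFormat="Clear" (seen in many copy-paste samples) stores
             plaintext passwords in the aspnet_Membership table; "Hashed" stores a
             salted hash and forces enablePasswordRetrieval to stay false.
             maxInvalidPasswordAttempts/passwordAttemptWindow lock the account
             after repeated failures within the window (minutes). -->
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true">
      <providers>
        <add name="FbaRoles"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaSqlConnection"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

The same provider entries must also be registered in the web.config of the Security Token Service application and of Central Administration, otherwise logons fail or the People Picker cannot resolve the SQL users.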

Some additional remarks: