Objective: To understand how Windows claims-based authentication works in SharePoint 2013.
Windows claims authentication video [2 min] (transcript)
After viewing the video, use the following to practice and review:
Fast Learner Modules for Claims Authentication in SharePoint 2013 for all of the modules in this Fast Learner series.
For the answers to these review questions, click
Let’s step through the Windows claims authentication process for SharePoint 2013.
Windows claims authentication is an interaction between a client computer, a SharePoint server, and an Active Directory Domain Services, or AD DS, domain controller.
For additional information about claims authentication, go to the SharePoint 2013 claims authentication portal at
Also visit technet.com/sharepoint.
1. What information does the SharePoint server use to construct the claims-based security token?
Answer: The Windows security token of the user's credential validation and the AD DS group membership of the user account.
2. Does the SharePoint server send the claims-based security token to the user's computer after it is constructed?
Answer: No. The SharePoint server stores the security token in the distributed cache and sends an authorization code to the user's computer for subsequent authentications.
3. Under what circumstances is a user prompted for credentials when using Internet Explorer?
Answer: If the web site is not listed in the Local Intranet zone.
4. True or False: For the NTLM or Kerberos authentication protocols, the user computer performs authentication with the AD DS domain controller. For the basic authentication protocol, the user computer performs authentication with the IIS Web Server service
on the SharePoint server.
Answer: False. For all authentication protocols (NTLM, Kerberos, and basic), the user computer performs authentication with the SharePoint server.
5. [Extra Credit] For the Kerberos or NTLM authentication protocols, what is the fundamental difference between Windows claims authentication and Windows classic authentication with respect to the passing and verification of user credentials?
Answer: With Windows claims authentication, the user computer passes authentication credentials to the SharePoint server, which uses the Security Token Service to create the claims-based security token. With Windows classic authentication,
the user computer passes authentication credentials to the AD DS domain controller to obtain a Windows security token or Kerberos ticket.