Classic, Claims and Kerberos

  • Question

  • Hi

    I'd like to understand the difference between classic and claims authentication. With Claims, it’s possible to authenticate and authorize users against external Identity Providers and one is not limited to Active Directory.

    I understand that the classic/claims authentication type is set up at the Web Application level when creating a new SharePoint web application, but I'm not sure how Kerberos and NTLM fit into this. Is it an Identity Provider?

    Thanks



    Thursday, April 20, 2017 11:52 AM

Answers

  • Hi,

    Classic and Claims are two modes of authentication mechanism. Classic is pretty much simple as it just checks user identity against an identity provider and was the default authentication mode in SP 2010.

    In SP 2013, Claims, which offers much better functionality and makes use of a digitally signed token for establishing user authentication, replaced Classic as the default authentication mode.

    Kerberos and NTLM can be used with both Classic & Claims and are just Windows integrated authentication protocols that are used internally by either Classic or Claims for authenticating the user.

    You can get detailed information from here :

    https://technet.microsoft.com/en-us/library/cc262350.aspx

    Thanks,

    Priyan


    Please Up Vote and Mark this as Answer if it helps.

    Thursday, April 20, 2017 1:24 PM

All replies

  • Hi,

    Your understanding of Classic and Claims based authentication is absolutely correct.

    Classic would use only Windows Authentication for your site, so if you use Claims based authentication and use Windows Credentials as the Identity Provider for your Claims site, then that is the same as Classic authentication.

    Just for the record, you should always use Claims based authentication as it gives you the flexibility to choose the Identity Provider. With Classic, you are stuck. And SharePoint 2013 has done away with Classic authentication.

    NTLM and Kerberos are authentication protocols. By default, Windows Servers implement only NTLM authentication. You need specific infrastructure to be able to use Kerberos authentication, and just selecting the radio button for Kerberos doesn't implement Kerberos authentication.

    NTLM and Kerberos work only for Windows authentication and are independent of either Classic or Claims based authenticated sites.

    NTLM and Kerberos are relevant outside the context of SharePoint (they are authentication protocols); however, Classic and Claims are specific to SharePoint only.


    Regards, Huzefa Mala, MCPD, MCT Please mark the post that answered your question as the answer, and mark other helpful posts as helpful, so they will appear differently to other users who are visiting your thread for the same problem.

    Thursday, April 20, 2017 1:29 PM
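The reply above notes that selecting Kerberos for a web application does not by itself mean Kerberos is used; with the `Negotiate` scheme a client can fall back to NTLM. The following is an added example, not code from the thread or from SharePoint: it classifies the token in an HTTP `Authorization` header so you can confirm which protocol a request carried. The function names and the sample headers are constructed for illustration, and the SPNEGO branch is a byte-signature heuristic rather than a full ASN.1 parse.

```python
import base64
from collections import Counter

NTLMSSP = b"NTLMSSP\x00"                                 # signature at the start of every NTLM message
# DER-encoded GSS-API mechanism OIDs
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy Microsoft OID)

def classify_authorization(header_value):
    """Classify the protocol carried by one Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-windows-integrated"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                                   # binascii.Error subclasses ValueError
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                                    # raw NTLM, even under "Negotiate"
    if token[:1] == b"\x60":                             # GSS-API InitialContextToken tag
        head = token[:16]
        if OID_SPNEGO in head:
            if NTLMSSP in token:
                return "ntlm-in-spnego"                  # NTLM message wrapped in SPNEGO
            if OID_KRB5 in token or OID_MS_KRB5 in token:
                return "kerberos"
        elif OID_KRB5 in head:
            return "kerberos"                            # Kerberos token without SPNEGO wrapper
    return "unknown"

def summarize(header_values):
    """Count protocols across many captured header values."""
    return Counter(classify_authorization(h) for h in header_values)

def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()

# Constructed, truncated token prefixes; DER length bytes are placeholders.
SAMPLES = {
    "raw-ntlm": _hdr("Negotiate", NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"),
    "spnego-krb": _hdr("Negotiate", b"\x60\x82\x05\x00" + OID_SPNEGO + b"\xa0\x30" + OID_KRB5),
    "spnego-ntlm": _hdr("Negotiate", b"\x60\x40" + OID_SPNEGO + b"\xa0\x36" + NTLMSSP + b"\x01\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_authorization(value))
```
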
  • Imagine you own a club.

    The authentication provider, Classic or Claims, is the doorman/bouncer at a pub/club checking ID on the VIP line.

    With Classic, the doorman will accept driver's licenses and passports (NTLM and Kerberos) to prove who you are.

    With Claims, the doorman is much smarter and will accept anything you as the pub/club owner say is OK. That might be driver's licenses or it might be a Facebook ID, or either, or both.

    Thursday, April 20, 2017 3:16 PM
  • Classic and Claims aren't SharePoint-specific.

    "Classic" is just Windows authentication only. IIS performs AuthN while SharePoint only performs AuthZ. On the other hand, Claims can come from a variety of sources -- SAML systems, FBA systems, etc. can assert claims to SharePoint, where SharePoint performs AuthZ (the IdP performs AuthN). In the case of Windows Claims, AuthN is performed by IIS.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, April 20, 2017 3:18 PM