What is the recommended claim-based authentication in SharePoint 2013?

    Question

  • There are two claim-based authentication methods: NTLM and Kerberos.

    1. What method is recommended by Microsoft? Pros and cons of each?

    2. We have built an SP2013 web app using the NTLM method, and it is live in production. What is the risk if we change the method to Kerberos?

    Context:

    We are setting up dual-factor authentication, which works with the Kerberos method, but the underpinning SP application uses the NTLM method, so there is a conflict.

    Appreciate any advice on this!

    Thursday, March 30, 2017 4:44 PM

All replies

  • Kerberos is always recommended. It provides significantly increased security as well as performance gains over NTLM. The only restriction for Kerberos is clients must be able to contact the KDC in the environment (Domain Controller(s)). So if users are coming in over the public Internet, that won't happen and they'll fall back to using NTLM, unless you have something like Web Application Proxy + ADFS set up (where WAP proxies the connection and passes back a Kerberos token via credential delegation).

    Always use Kerberos. And SSL for transport security.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, March 30, 2017 4:56 PM
    Moderator
  • Thanks for the quick response Trevor.

    We are going to use Proxy and ADFS as well as SSL, in fact.

    Now the question is -

    The underpinning Web App in SP 2013 needs to be changed to Kerberos. Since the Web App was built using NTLM, what is the impact on the application if we switch from NTLM to Kerberos?

    Thursday, March 30, 2017 5:06 PM
  • As long as your SPN is set up, you just need to switch it. There will be an outage for the Web App when you change the auth setting in Central Admin.

    Trevor Seward


    Thursday, March 30, 2017 5:07 PM
    Moderator
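
The switch described in the reply above, as an added example that is not part of the original thread: a pre-flight check that the web application's SPN is registered once, on the application pool account, followed by the change to Negotiate (Kerberos). The URL is a placeholder, and the sketch assumes default ports, a domain service account in the current domain, and a zone that uses only Windows authentication.

```powershell
# Run in the SharePoint 2013 Management Shell on a farm server, during a
# maintenance window (changing the auth setting causes a web app outage).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$url  = 'https://portal.example.com'   # placeholder: your web application URL
$zone = 'Default'

$wa       = Get-SPWebApplication -Identity $url
$poolAcct = $wa.ApplicationPool.Username          # DOMAIN\account
$spn      = 'HTTP/' + ([Uri]$url).Host            # HTTP/ is used for https sites too

# 1. The SPN must exist exactly once in AD and belong to the app pool account.
#    A missing or duplicate SPN makes Kerberos fail and clients fall back to NTLM.
$owners = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll())
if ($owners.Count -ne 1) {
    throw "$spn is registered on $($owners.Count) accounts; expected exactly 1."
}
$sam = [string]$owners[0].Properties['samaccountname'][0]
if ($sam -ne ($poolAcct -split '\\')[-1]) {
    throw "$spn is registered on '$sam', not on app pool account '$poolAcct'."
}

# 2. Record the current setting so the change can be reverted.
$before = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
"Before: DisableKerberos = $($before.DisableKerberos)"

# 3. Switch the zone to Negotiate (Kerberos). The provider list passed here
#    becomes the zone's provider set, so include any other providers
#    (forms-based, trusted identity) the zone must keep.
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication -DisableKerberos:$false
Set-SPWebApplication -Identity $wa -Zone $zone -AuthenticationProvider $ap

# 4. Confirm the stored setting.
$after = Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone |
    Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] }
"After:  DisableKerberos = $($after.DisableKerberos)"
```

Negotiate still permits NTLM fallback, so confirm real logons afterwards: Security event 4624 on the web server records the authentication package (Kerberos or NTLM) used for each session.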