Claims based authentication vs Classic mode authentication and double hops

  • Question

  • Hi,


    Can someone please confirm/correct my thoughts on double hops that occur on one of my Web Applications?

    I've got a Lab environment (2 server farm) with 2 web apps. One uses claims based authentication and another classic. In the 'old' days, one had to set up Kerberos authentication to stop SharePoint from asking for authentication. My web app with classic mode still (as expected) asks me for credentials with every document that I upload, every time I close and reopen the browser etc., but the web app with Claims Based authentication does not!

    I know that claims based authentication is the next best thing to sliced bread when hooked up with ADFS and proper trusts between the authentication stores but I really thought that I had to do a bit more work to get it working...without ADFS to boot.

    Can someone please explain to me what exactly happens when you choose claims based authentication and what SharePoint sets up with AD?

    Regards
    mike

    Thursday, May 26, 2011 7:52 PM

Answers

  • What claims based authentication gives you, for claims aware applications, is something like this:

    1. When you enter your credentials these are sent to a Secure Token Service (from a page associated with this service) which authenticates who you are. Other applications (that are claims aware) trust the token service - they believe it when it tells them that you are who you are.
    2. You are then redirected back to your SharePoint site, along with a token which SP and other claims apps can check against to see what you are authorized to access.

    The key thing here is the double hop is ONLY removed if all the applications you need to access understand / know what to do with the token etc.

    Hope this helps.


    Simon Rennocks | LinkedIn
    • Marked as answer by Pikker1981 Tuesday, May 31, 2011 8:50 AM
    Thursday, May 26, 2011 10:49 PM
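The flow Simon describes, as an added example that is not code from the thread or from SharePoint: a token service issues a signed token once, and each hop either trusts that token (claims aware, no prompt) or ignores it (legacy, credentials needed again). The key, audience names and claims are constructed for illustration.

```python
# Added example (not from the thread): a minimal model of the claims flow.
# An STS issues a signed token; each "hop" decides whether it trusts the STS.
# Key, audience names and claim values below are constructed for illustration.
import hmac, hashlib, json, base64

STS_KEY = b"constructed-sts-signing-key"      # shared with claims-aware apps only

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sts_issue(user: str, audiences: list, now: int, ttl: int = 600) -> str:
    """STS step: authenticate once, return a signed token carrying claims."""
    body = json.dumps({"sub": user, "aud": audiences, "exp": now + ttl,
                       "groups": ["Project Members"]}, sort_keys=True).encode()
    sig = hmac.new(STS_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def claims_aware_check(token: str, my_audience: str, now: int, trusted_key: bytes):
    """Relying-party step: accept the token without re-prompting only if the
    signature, audience and expiry check out. Returns the claims dict or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None                              # malformed token
    expected = hmac.new(trusted_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                              # forged, or signed by another STS
    claims = json.loads(body)
    if my_audience not in claims["aud"] or claims["exp"] <= now:
        return None                              # not meant for this app, or stale
    return claims

def double_hop(token: str, now: int, backend_is_claims_aware: bool):
    """SharePoint (hop 1) forwards the token to a backend (hop 2).
    Returns (hop1_user, hop2_user); None means that hop would prompt again."""
    hop1 = claims_aware_check(token, "sharepoint", now, STS_KEY)
    if hop1 is None:
        return (None, None)
    if backend_is_claims_aware:
        hop2 = claims_aware_check(token, "backend", now, STS_KEY)
    else:
        hop2 = None     # legacy app ignores the token: credentials needed again
    return (hop1["sub"], hop2["sub"] if hop2 else None)
```

The second hop succeeds only when the backend also trusts the STS, which is the condition Simon gives for the double hop going away.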

All replies

  • Thanks Simon,


    So I can assume that Microsoft Office 2010 (not sure about 2007) and IE 9 are both claims-aware and thus know how to authenticate? This saves a lot of time not having to set up Kerberos along with its slew of frustrations when setting up environments for demos.


    M

    Friday, May 27, 2011 5:09 AM
  • Correct, Yes.
    Simon Rennocks | LinkedIn
    Friday, May 27, 2011 11:45 AM
  • Hi Simon. Perhaps you can help me too (perhaps with a code example or link).

    Old installation:
    - WSS FBA : http://projects.mydomain.com
    - ASP.NET FBA : http://www.mydomain.com
    ASP.NET App authenticates automatically when calling from the www-App a subsite on the projects host.
    Lean and simple. Great.

    Times have changed - to Claims based.

    We migrated WSS to 2010 with claims-based and FBA configured. But the good old times of authenticating once in the www-app are over and out. As expected, SP2010 is not willing to accept the old .NET FBA cookies.

    Do you know about a code sample or how to authenticate in the www-app once and be automatically authenticated at the other 2010-host?

    Greetings Peter

    Friday, May 27, 2011 12:25 PM
  • Hi Peter,


    I think what you would need to do is make your ASP.NET app claims aware first and then maybe implement a custom claims provider for SharePoint (this may not be necessary).

    These links may be of some help for the first part:

    http://msdn.microsoft.com/en-us/library/bb736227%28v=vs.85%29.aspx

    http://msmvps.com/blogs/shahed/archive/2010/02/05/implement-custom-claim-based-authorization-in-asp-net-mvc-web-application.aspx

    and this for the latter:

    http://msdn.microsoft.com/en-us/library/gg615945.aspx


    Simon


    Simon Rennocks | LinkedIn
    Friday, May 27, 2011 1:59 PM
  • Hi Simon,

    thank you for the links.

    As I already experienced and expected, it seems to be a quite complex task to make an ASP.NET app SharePoint-Claims-FBA aware.

    I will invest some more time to find a reasonable solution, else I will switch to using and customizing the ~/_forms/default.aspx.

    Thank you and greetings Peter

    Wednesday, June 8, 2011 9:17 AM