Claims Based Authentication in SharePoint 2013
Steve Peschka
Sr. Principal Architect
Microsoft Corporation

Authentication Modes
SharePoint 2013 continues to offer support for both claims and classic authentication modes
However, claims authentication is THE default authentication option now
Classic authentication mode is still there, but can only be managed in PowerShell – it’s gone from the UI
Support for classic mode is deprecated and will go away in a future release, so we recommend moving to Claims
There is also a new process to migrate accounts from Windows classic to Windows claims

Authentication Migration
The MigrateUsers method in SharePoint 2010 is no longer the correct way to migrate accounts – it is now deprecated
A new cmdlet has been created called Convert-SPWebApplication
A simple example – you have a Windows classic web application
Run Convert-SPWebApplication -Identity "http://yourWebapp" -To Claims -RetainPermissions [-Force]
Your FIRST option for migrating from classic to claims is to do so in SharePoint 2010 before you migrate your content to SharePoint 2013

Other Claims Migration Scenarios
If you don’t migrate from classic to claims in SharePoint 2010, you have these options to migrate a SharePoint 2010 content DB:
Option 1:
Create a web application in SharePoint 2013 that uses Windows classic authentication
Attach the SharePoint 2010 content database to this SharePoint 2013 web app
Attaching it will upgrade it to the SharePoint 2013 database format, so verify that it is working correctly after attach
Run the Convert-SPWebApplication cmdlet on the SharePoint 2013 web app to convert the users from Windows classic to Windows claims
Detach the content database from the SharePoint 2013 Windows classic web app
Attach the content database to its final SharePoint 2013 Windows claims web app
Option 2:
Attach the content DB to an existing Windows claims web application
Run the MigrateUsersToClaims method on the content database only (explained next)

Claims Migration for Content Databases
The Convert-SPWebApplication cmdlet does migration at the web application level
SharePoint 2013 also allows you to migrate only a single content database
Very useful during upgrade, since most content will be moved with DB attach
A new method has been added to the SPWebApplication class for this purpose - MigrateUsersToClaims
$wa = Get-SPWebApplication http://yourWebAppUrl
$arguments = New-Object Microsoft.SharePoint.Administration.SPWebApplication+SPMigrateUserParameters
# replace contentDbNumberYouWantToMigrate with the zero-based index of the content database to migrate
$arguments.AddDatabaseToMigrate($wa.ContentDatabases[contentDbNumberYouWantToMigrate])
$wa.MigrateUsersToClaims("domain\user", $true, $arguments)
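The Option 1 migration from the previous slide carried through as one script with a post-migration check, as an added example that is not part of the deck. Web application URLs, database name, SQL server, application pool and accounts are placeholders to replace; the final check applies equally after a single-database MigrateUsersToClaims run, and relies on SharePoint encoding Windows claims logins with the i:0#.w| prefix.

```powershell
# Added example: Option 1 migration of a SharePoint 2010 content DB into
# SharePoint 2013, followed by a check that every user login was converted.
# All URLs, names, servers and accounts below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$classicUrl = "http://classic-temp.contoso.local"   # temporary classic web app
$claimsUrl  = "http://intranet.contoso.local"       # final Windows claims web app
$dbName     = "WSS_Content_Intranet"
$dbServer   = "SQL01"

# 1. Temporary Windows classic web app. Without -AuthenticationProvider,
#    New-SPWebApplication in SharePoint 2013 creates a classic-mode web app.
New-SPWebApplication -Name "Classic Migration Temp" -Port 80 -Url $classicUrl `
    -ApplicationPool "ClassicMigrationAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\spAppPool") | Out-Null

# 2. Attach the 2010 content DB; Mount-SPContentDatabase upgrades its schema.
#    Verify the upgrade completed before converting anything.
Mount-SPContentDatabase -Name $dbName -DatabaseServer $dbServer -WebApplication $classicUrl | Out-Null
if ((Get-SPContentDatabase $dbName).NeedsUpgrade) { throw "$dbName still needs upgrade" }

# 3. Convert the users from Windows classic to Windows claims.
#    (Later SharePoint 2013 builds also require -From Legacy.)
Convert-SPWebApplication -Identity $classicUrl -To Claims -RetainPermissions -Force

# 4./5. Move the database to its final claims web app.
Dismount-SPContentDatabase -Identity $dbName -Confirm:$false
Mount-SPContentDatabase -Name $dbName -DatabaseServer $dbServer -WebApplication $claimsUrl | Out-Null

# Verification: Windows claims users are encoded as i:0#.w|DOMAIN\user and
# groups/special principals as c:0...; the built-in SHAREPOINT\system account
# keeps its classic login. Anything else was not migrated and needs attention.
$wa = Get-SPWebApplication $claimsUrl
if (-not $wa.UseClaimsAuthentication) { throw "$claimsUrl is not a claims web application" }
$unconverted = foreach ($site in (Get-SPContentDatabase $dbName).Sites) {
    Get-SPUser -Web $site.Url -Limit All |
        Where-Object { $_.UserLogin -notlike "i:0*" -and $_.UserLogin -notlike "c:0*" `
                       -and $_.UserLogin -ne "SHAREPOINT\system" } |
        Select-Object @{n="Site";e={$site.Url}}, UserLogin
    $site.Dispose()
}
if ($unconverted) { $unconverted | Format-Table -AutoSize }
else { "All user logins in $dbName are Windows claims." }
```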

Authentication Infrastructure
One of the big improvements is that SharePoint tracks FedAuth cookies in the new Distributed Cache Service
In SharePoint 2010 each WFE had its own copy
That meant that if you got redirected to a different WFE, you would need to re-authenticate
Having the Distributed Cache service means that sticky sessions are no longer required when using SAML or FBA claims!

New Claims Features
You can choose the characters for the claim type and there is no enforcement on the ordering of claim providers
Pre-populate the custom claim types and characters across all farms
Install the claim providers that use those custom claim types in any order
You can add multiple token signing certificates to the SharePoint STS
Useful in S2S scenarios
Use the Set-SPSecurityTokenServiceConfig cmdlet

Authentication Logging
There is significantly more logging provided to help troubleshoot authentication issues. You can see things like:
Adding / removing FedAuth cookies from the cache
Where authentication requests get redirected
Which claims providers were used and which were not
Reason why a FedAuth cookie failed to be used (e.g. expiration, failure to decrypt, etc.)

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.