This section describes two core aspects of the Windows SharePoint Services security model: authentication and authorization.
Authentication is the part of the system that determines the current user's identity. It is the first step in managing the security of the system. Windows SharePoint Services uses the authentication mechanism of the underlying platform, Internet Information Services (IIS) and Microsoft ASP.NET, to authenticate users.
Windows SharePoint Services supports all of the authentication modes that IIS and ASP.NET support, including Active Directory, forms authentication, and WebSSO authentication. In Active Directory authentication mode, IIS authenticates the user using the Basic authentication scheme, a digital certificate, the NT LAN Manager (NTLM) Authentication Protocol, or Kerberos. In the other authentication modes, Windows SharePoint Services relies on ASP.NET authentication modules, such as FormsAuthenticationModule or ADFSAuthenticationModule, to authenticate users; third-party developers can also create such modules. For more information about Active Directory authentication, see section 2.9.2.
Authorization in Windows SharePoint Services identifies which permissions are granted to which users on a given object. When a web request (or object model API code) attempts to access an object inside Windows SharePoint Services and the caller has been authenticated, the authorization code is called to determine whether the access can be granted. Windows SharePoint Services uses a trusted subsystem model: the front-end web server accesses the contents of the content database with the IIS application identity account, on behalf of the user, rather than with the account of the user who is using the site. For more information, see section 2.9.2.2. Because the content database sees only the application identity and cannot tell one user from another, the permissions check has to happen in Windows SharePoint Services before any page content is returned to the user.
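The two steps above, pluggable authentication followed by a permission check that runs before the application identity touches the content store, as an added toy model written for this page (it is not Windows SharePoint Services code, and the account names, credential stores, object names and permission bits are constructed assumptions). It also shows the failure mode the trusted subsystem model creates: a handler that skips the authorization step hands content to any authenticated caller, because the store itself cannot refuse the service account.

```python
"""Toy model of the WSS trusted-subsystem flow: authenticate with a pluggable
module, check the object's ACL as the user, then read content as the service
account. All data below is constructed for illustration (not real WSS data)."""
import hmac
from dataclasses import dataclass
from enum import Flag
from typing import Callable, Optional


class Perm(Flag):
    """Simplified permission mask on a securable object."""
    NONE = 0
    VIEW = 1
    EDIT = 2
    MANAGE = 4


# Constructed identity stores standing in for IIS (Windows accounts) and an
# ASP.NET forms membership provider. Assumption: not real platform data.
WINDOWS_ACCOUNTS = {"CONTOSO\\alice": "kerberos-ticket-alice"}
FORMS_MEMBERS = {"bob@example.com": "correct horse battery staple"}


def _matches(stored: Optional[str], proof: str) -> bool:
    return stored is not None and hmac.compare_digest(stored, proof)


def windows_auth(credential: tuple[str, str]) -> Optional[str]:
    """Stand-in for IIS authenticating a Windows account (NTLM/Kerberos)."""
    account, proof = credential
    return account if _matches(WINDOWS_ACCOUNTS.get(account), proof) else None


def forms_auth(credential: tuple[str, str]) -> Optional[str]:
    """Stand-in for an ASP.NET forms authentication module."""
    login, password = credential
    return login if _matches(FORMS_MEMBERS.get(login), password) else None


AUTH_MODULES: dict[str, Callable[[tuple[str, str]], Optional[str]]] = {
    "Windows": windows_auth,
    "Forms": forms_auth,
}


def authenticate(mode: str, credential: tuple[str, str]) -> Optional[str]:
    """Step 1: resolve the caller's identity with the configured module."""
    return AUTH_MODULES[mode](credential)


@dataclass
class SecurableObject:
    content: str
    acl: dict[str, Perm]  # principal -> permission mask


# Constructed application pool identity (assumption).
SERVICE_ACCOUNT = "CONTOSO\\svc-wss-apppool"


class ContentDatabase:
    """Holds objects and their ACLs; accepts only the application identity,
    so it cannot enforce per-user permissions itself."""

    def __init__(self, objects: dict[str, SecurableObject]):
        self._objects = objects

    def _check_caller(self, caller: str) -> None:
        if caller != SERVICE_ACCOUNT:
            raise PermissionError("content database accepts only the application identity")

    def acl_of(self, caller: str, name: str) -> dict[str, Perm]:
        self._check_caller(caller)
        return self._objects[name].acl

    def read(self, caller: str, name: str) -> str:
        self._check_caller(caller)
        return self._objects[name].content


def is_granted(acl: dict[str, Perm], user: str, needed: Perm) -> bool:
    """True when every bit of `needed` is present in the user's mask."""
    return (acl.get(user, Perm.NONE) & needed) == needed


def handle_request(db: ContentDatabase, mode: str, credential: tuple[str, str],
                   name: str, needed: Perm = Perm.VIEW) -> tuple[int, Optional[str]]:
    """Front-end handler: authenticate, authorize as the user, then fetch
    content as the service account."""
    user = authenticate(mode, credential)
    if user is None:
        return 401, None
    # Step 2: the permission check runs here, before any content is read,
    # because the store below only ever sees SERVICE_ACCOUNT.
    if not is_granted(db.acl_of(SERVICE_ACCOUNT, name), user, needed):
        return 403, None
    return 200, db.read(SERVICE_ACCOUNT, name)


def handle_request_unchecked(db: ContentDatabase, mode: str,
                             credential: tuple[str, str], name: str) -> tuple[int, Optional[str]]:
    """Failure mode: no authorization step, so any authenticated caller gets
    whatever the service account can read (which is everything)."""
    user = authenticate(mode, credential)
    if user is None:
        return 401, None
    return 200, db.read(SERVICE_ACCOUNT, name)


# Constructed sample content: only alice holds permissions on the document.
SAMPLE_DB = ContentDatabase({
    "Shared Documents/plan.docx": SecurableObject(
        content="Q3 launch plan",
        acl={"CONTOSO\\alice": Perm.VIEW | Perm.EDIT},
    ),
})

if __name__ == "__main__":
    doc = "Shared Documents/plan.docx"
    print(handle_request(SAMPLE_DB, "Windows", ("CONTOSO\\alice", "kerberos-ticket-alice"), doc))
    print(handle_request(SAMPLE_DB, "Forms", ("bob@example.com", "correct horse battery staple"), doc))
    print(handle_request_unchecked(SAMPLE_DB, "Forms", ("bob@example.com", "correct horse battery staple"), doc))
```

The `mode` argument plays the role of the ASP.NET authentication mode: the same request credential that succeeds under the forms module is rejected with 401 under the Windows module, and a caller who authenticates but holds no permission on the object is refused with 403 before `read` is ever called. Calling `ContentDatabase.read` with the user's own account raises, which is the reason the check cannot be delegated to the store.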
The following sections describe the basic concepts pertaining to authorization.