2.9.2 Authentication

Windows SharePoint Services supports pluggable security authentication, an extensibility mechanism provided by ASP.NET. By default, Windows SharePoint Services uses one of three authentication modes against a Windows domain:

Specific deployments can use a custom authentication provider to authenticate end users against any third-party authentication system.

When used with Active Directory and a Windows domain, Windows SharePoint Services works with Active Directory for authentication of network accounts in the following contexts:

  • Authentication of the requests from the end-user client. The front-end web server establishes a specific end-user identity for requests from the end-user client. The front-end web server evaluates that end-user identity against permissions associated with objects related to the request, to determine whether to execute the action for that request.

  • Authentication of the Process Account from the front-end web server. The back-end database server establishes an identity for requests from the front-end web server. The back-end database server evaluates whether that identity has permissions to operate as a Windows SharePoint Services front-end web server for content stored in the back-end database server.

  • Creating a site collection local user record for each logged-in user.

  • Updating the site collection local user record to reflect a change in the user record in Active Directory.

  • Selecting users and groups from the directory for the purposes of setting security access control lists (ACLs), as well as defining SharePoint groups (2).

  • Creating Active Directory user accounts in Active Directory account creation mode to enable the creation of Active Directory accounts for Windows SharePoint Services users.

Section 2.9.2.1 specifies how Windows SharePoint Services uses the Active Directory Protocol [MS-ADTS] for the two types of authentication previously described.