Configure Client Certificate Authentication (SharePoint Server 2010)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Client Certificate Authentication enables Web-based clients to establish their identity to a server and provides an additional layer of security for your network.


For more information about Client Certificate Authentication, see Certificate-based Authentication Protocols (

Microsoft SharePoint Server 2010 does not provide built-in support for Client Certificate Authentication, but Client Certificate Authentication is available through integration with Active Directory Federation Services (AD FS) 2.0, or any third-party identity management system that supports standard security protocols such as claims-based authentication, WS-Trust, WS-Federation, and SAML 1.1.


For more information about SharePoint Server 2010 protocol requirements, see SharePoint Front-End Protocols (

SharePoint Server 2010 makes it possible to use a variety of Security Token Services (STS) through claims-based authentication. If you use claims-based authentication and you configure AD FS 2.0 as your STS, SharePoint Server 2010 can support any Identity Provider that is trusted by AD FS 2.0, including Client Certificate Authentication.

In the following model, an administrator needs to configure SharePoint Server 2010 as a relying partner for an Identity Provider STS. (This example uses AD FS 2.0 for the STS, but you can also use a third-party STS.) AD FS 2.0 can authenticate user accounts via several different types of authentication methods: forms-based authentication, Active Directory Domain Services (AD DS), client certificates, and smart cards. When you configure SharePoint Server 2010 as a relying partner for an STS, SharePoint Server 2010 trusts the accounts that the STS validates, which is how SharePoint Server 2010 supports Client Certificate Authentication.

SharePoint Server 2010 with ADFS 2.0

Configure Client Certificate Authentication

The following topics explain how to configure SharePoint Server 2010 with Client Certificate authentication or Smart Card authentication by using AD FS 2.0 as your STS.


The required steps will be similar for a third-party STS.

See Also


Configure the security token service (SharePoint Server 2010)
Configure authentication using a SAML security token (SharePoint Server 2010)

Other Resources

Planning and Architecture: AD FS 2.0 (
AD FS 2.0 Deployment Guide (
Using Active Directory Federation Services 2.0 in Identity Solutions (
Configure SharePoint as relying party in ADFS 2.0 or third-party STS (