Configure Client Certificate Authentication (SharePoint Foundation 2010)
Applies to: SharePoint Foundation 2010
Client Certificate Authentication enables Web-based clients to establish their identity to a server and provides an additional layer of security for your network.
Note: For more information about Client Certificate Authentication, see Certificate-based Authentication Protocols (https://go.microsoft.com/fwlink/p/?LinkId=212507).
Microsoft SharePoint Foundation 2010 does not provide built-in support for Client Certificate Authentication, but Client Certificate Authentication is available through integration with Active Directory Federation Services (AD FS) 2.0, or any third-party identity management system that supports standard security protocols such as claims-based authentication, WS-Trust, WS-Federation, and SAML 1.1.
Note: For more information about SharePoint Foundation 2010 protocol requirements, see SharePoint Front-End Protocols (https://go.microsoft.com/fwlink/p/?LinkId=212509).
SharePoint Foundation 2010 makes it possible to use a variety of Security Token Services (STS) through claims-based authentication. If you use claims-based authentication and you configure AD FS 2.0 as your STS, SharePoint Foundation 2010 can support any Identity Provider that is trusted by AD FS 2.0, including Client Certificate Authentication.
Note: For more information about AD FS 2.0, see Active Directory Federation Services Overview (https://go.microsoft.com/fwlink/p/?LinkId=212512).
In the following model, an administrator configures SharePoint Foundation 2010 as a relying party for an Identity Provider STS. (This example uses AD FS 2.0 as the STS, but you can also use a third-party STS.) AD FS 2.0 can authenticate user accounts by using several authentication methods: forms-based authentication, Active Directory Domain Services (AD DS), client certificates, and smart cards. When you configure SharePoint Foundation 2010 as a relying party for an STS, SharePoint Foundation 2010 trusts the accounts that the STS validates, which is how SharePoint Foundation 2010 supports Client Certificate Authentication.
Configure Client Certificate Authentication
The following steps explain how to configure SharePoint Foundation 2010 with Client Certificate authentication or Smart Card authentication by using AD FS 2.0 as your STS.
Note: The required steps are similar for a third-party STS.
1. Configure AD FS 2.0 or a third-party STS to support CBA, and thereby Client Certificate authentication or Smart Card authentication.
   For information about making these configuration changes, see AD FS 2.0 - How to change the local authentication type (https://go.microsoft.com/fwlink/p/?LinkId=212513).
2. Configure SharePoint Foundation 2010 as a relying party in AD FS 2.0 or the third-party STS.
   For information about making these configuration changes by using AD FS 2.0, see Configuring SharePoint 2010 and AD FS v2 End to End (https://go.microsoft.com/fwlink/p/?LinkID=207629).
3. Configure the Identity Provider STS (for example, AD FS 2.0) inside SharePoint Foundation 2010 as a trusted identity provider.
   For information about making these configuration changes by using AD FS 2.0, see Configure authentication using a SAML security token (SharePoint Server 2010).
4. Create a Web application that uses Claims-Based Authentication with a SAML security token, and thereby Client Certificate authentication or Smart Card authentication.
   For information about creating a Web application that uses SAML security tokens, see Configure authentication using a SAML security token (SharePoint Server 2010).
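The SharePoint-side configuration for the last two steps (trusting AD FS 2.0 as an identity provider and creating the claims-based Web application), as an added example run from the SharePoint 2010 Management Shell; it is not part of the original article. The AD FS host name, realm, certificate path, Web application URL and managed account are placeholders for a hypothetical environment.

```powershell
# Added example (not from the original article). All host names, the realm,
# the certificate path and the managed account are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# AD FS 2.0 token-signing certificate (public key only), exported from the AD FS console.
# SharePoint validates SAML token signatures against this certificate, so import the
# token-signing certificate, not the AD FS service communications (SSL) certificate.
$signingCertPath = "C:\certs\adfs-token-signing.cer"   # placeholder path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)

# Trust the certificate so that signature validation can succeed.
New-SPTrustedRootAuthority -Name "ADFS 2.0 Token Signing" -Certificate $cert | Out-Null

# Map the claims AD FS issues to the claims SharePoint will use. The e-mail address
# becomes the identifier claim; the role claim is optional and supports group-style authorization.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The realm must match the relying-party identifier configured in AD FS (step 2);
# the sign-in URL is the AD FS 2.0 passive sign-in endpoint.
$realm     = "urn:sharepoint:portal"                   # placeholder identifier
$signInUrl = "https://adfs.contoso.com/adfs/ls/"       # placeholder AD FS host

# Step 3: register AD FS 2.0 as a trusted identity provider in SharePoint.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0" `
    -Description "AD FS 2.0 (client certificate / smart card)" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap,$roleMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# Step 4: create a claims-based Web application over HTTPS that uses only this provider.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
New-SPWebApplication -Name "Portal (AD FS)" -HostHeader "portal.contoso.com" `
    -Url "https://portal.contoso.com" -Port 443 -SecureSocketsLayer `
    -ApplicationPool "PortalAppPool" `
    -ApplicationPoolAccount (Get-SPManagedAccount "CONTOSO\spapppool") `
    -AuthenticationProvider $provider | Out-Null

# Check: the issuer should now be listed with the e-mail identifier claim and sign-in URL.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, IdentifierClaim, SignInUrl
```

Because SharePoint trusts every account the STS validates, the certificate or smart-card requirement is enforced by the AD FS local authentication type configured in step 1, not by SharePoint itself.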
See Also
Concepts
Configure the security token service (SharePoint Foundation 2010)
Configure authentication using a SAML security token (SharePoint Foundation 2010)
Other Resources
Planning and Architecture: AD FS 2.0 (https://go.microsoft.com/fwlink/p/?LinkId=212521)
AD FS 2.0 Deployment Guide (https://go.microsoft.com/fwlink/p/?LinkId=212520)
Using Active Directory Federation Services 2.0 in Identity Solutions (https://go.microsoft.com/fwlink/p/?LinkID=209776)
Configure SharePoint as relying party in ADFS 2.0 or third-party STS (https://go.microsoft.com/fwlink/p/?LinkID=207629)