Authentication in SharePoint 2013 Learning Roadmap
Microsoft SharePoint 2013 makes it easy for people to work together. SharePoint 2013 enables you and your employees to set up web sites to share information with others, manage documents from start to finish, and publish reports to help everyone make informed decisions. Authentication in SharePoint 2013 defines how users, apps, and servers obtain authenticated access to protected SharePoint resources.
If you are new to authentication in SharePoint 2013, this topic can help you identify what you need to learn to develop expertise in the authentication methods of SharePoint 2013. It includes prerequisite topics that cover a variety of web infrastructure fundamentals. You must understand the prerequisite technologies first, because SharePoint 2013 builds upon them and assumes an understanding of them. Afterwards, you can begin learning about authentication in SharePoint 2013 with the resources in the Level 100 (introductory), 200 (intermediate), and 300 (advanced) sections.
We recommend that you read the topics in the order listed.
Prerequisites
This section contains links to a variety of resources that contain the background information you need to fully understand the different authentication methods that SharePoint 2013 supports.
Step 1: Learn about the basic, digest, and anonymous methods of authentication for Internet Information Services (IIS).
In some cases, you might want to use the basic, digest, and anonymous authentication methods for SharePoint web sites. For an explanation of these authentication methods, see IIS Authentication. For configuration steps, see Configuring Authentication in IIS 7.
Your goal is to understand the use, role, and comparative advantages of the basic, digest, and anonymous methods of authentication for IIS and how to configure them for IIS-based web sites.
Step 2: Learn about the NTLM authentication method.
When you use Windows claims or Windows classic user authentication methods, SharePoint 2013 can use the NTLM authentication method. See Microsoft NTLM and NTLM Authentication Scheme for HTTP.
Your goal is to understand how NTLM works to authenticate user access to web sites.
Step 3: Learn about Kerberos protocol and authentication method.
When you use Windows claims or Windows classic user authentication methods, SharePoint 2013 can use the Kerberos protocol and authentication method. For the Kerberos protocol, see What Is Kerberos Authentication? and How the Kerberos Version 5 Authentication Protocol Works. For the Kerberos protocol as used for web authentication, see How Kerberos Works.
Your goal is to understand how the Kerberos protocol works to authenticate user access to web sites.
Step 4: Learn about claims-based authentication.
Claims-based authentication is recommended for user authentication in SharePoint 2013 and required for app and server-to-server authentication. See the Claims-based Identity for Windows white paper, An Introduction to Claims, and Claims-Based Architectures.
Your goal is to understand the benefits of claims-based authentication, the components of a claims identity infrastructure (identity provider, security token service, account/attribute store, web-enabled client and server applications, federation provider), and how claims-based authentication works to authenticate user access to web sites.
Step 5: Learn about Open Authorization (OAuth).
SharePoint 2013 uses OAuth for app and server-to-server authentication. See OAuth (Wikipedia), OAuth 2.0 Tutorial, and “Section 1. Introduction” of RFC 6749.
Your goal is to understand how OAuth provides an authorization mechanism to obtain access to protected resources.
Step 6: Learn how to create a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS).
Some authentication methods require digital certificates installed on SharePoint servers. These certificates can be purchased from a third-party certification authority or you can deploy your own PKI. You can deploy your own PKI with AD CS. See Designing a Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkId=169425).
If you need AD CS for your PKI, your goal is to understand how to deploy an AD CS-based PKI and request specific types of certificates from an AD CS server.
Step 7: Learn how to configure Secure Hypertext Transfer Protocol (HTTPS) websites with Internet Information Services (IIS).
Some authentication methods require HTTPS-based communication with SharePoint servers, which use IIS to host their web sites. See How to Set Up SSL on IIS 7.
Your goal is to understand how to configure certificate bindings and enable HTTPS for IIS-based web sites.
Level 100
The following resources contain introductory information about authentication in SharePoint 2013.
Step 1: Learn about the new features of authentication in SharePoint 2013.
See What's new in authentication for SharePoint 2013 and SharePoint 2013 authentication and authorization overview (two videos).
Your goal is to understand the new capabilities of authentication in SharePoint 2013, including app and server-to-server authentication, and enhancements to existing capabilities.
Step 2: Understand the differences between user, app, and server-to-server authentication in SharePoint 2013.
See Authentication overview for SharePoint 2013.
Your goal is to understand how SharePoint 2013 uses user, app, and server-to-server authentication to provide user, app, and server resource access.
Level 200
The following resources contain intermediate information about authentication in SharePoint 2013.
Step 1: Learn how to plan for and deploy user authentication in SharePoint 2013.
See Plan for user authentication methods in SharePoint 2013, Configure forms-based authentication for a claims-based web application in SharePoint 2013, and Configure SAML-based claims-based authentication with AD FS in SharePoint 2013.
Your goal is to understand the various user authentication methods supported by SharePoint 2013, how to plan for their use in web applications and zones, and how to configure forms-based authentication and Security Assertion Markup Language (SAML)-based authentication using Active Directory Federation Services (AD FS) 2.0.
Step 2: Demonstrate forms-based authentication in a test lab.
See Test Lab Guide: Demonstrate forms-based claims-based authentication for SharePoint Server 2013.
Your goal is to configure and demonstrate forms-based authentication using the built-in Lightweight Directory Access Protocol (LDAP) membership provider in a test lab.
Step 3: Demonstrate SAML-based claims-based authentication in a test lab.
See Test Lab Guide: Demonstrate SAML-based Claims-based authentication with SharePoint Server 2013.
Your goal is to configure and demonstrate SAML-based claims-based authentication with AD FS as the identity provider in a test lab.
Step 4: Learn how to plan for and deploy app authentication in SharePoint 2013.
See Plan for app authentication in SharePoint 2013 and Configure app authentication in SharePoint Server 2013.
Your goal is to understand the various types of apps, the design considerations for app authentication, and how to configure SharePoint 2013 to support app authentication.
Step 5: Learn how to plan for and deploy server-to-server authentication in SharePoint 2013.
See Plan for server-to-server authentication in SharePoint 2013 and Configure server-to-server authentication in SharePoint 2013.
Your goal is to understand the design considerations for server-to-server authentication and how to configure SharePoint 2013 to support server-to-server authentication for other SharePoint farms, servers running Microsoft Exchange Server 2013, and servers running Microsoft Lync Server 2013.
Step 6: Learn how to migrate a Windows classic web application to Windows claims.
See Migrate from classic-mode to claims-based authentication in SharePoint 2013.
Your goal is to understand the different ways in which you can convert a web application that uses Windows classic user authentication to use Windows claims-based authentication in SharePoint 2013.
Step 7: Learn how to perform basic troubleshooting for claims authentication.
See Claims authentication does not validate user.
Your goal is to understand the different tools that you use to gather claims authentication error and system state information and the steps to determine the specific claims method being used in an authentication attempt, check configuration requirements, and capture and analyze claims authentication network traffic.
Level 300
The following resources contain advanced information about authentication in SharePoint.
Step 1: Learn how to create custom claims providers for SharePoint.
See Claims Walkthrough: Writing Claims Providers for SharePoint 2010.
Your goal is to understand how to augment claims and provide name resolution in a custom claims provider for SharePoint.
Step 2: Understand claims-based authentication processes in SharePoint.
See Claims Architecture and Scenarios for SharePoint 2010 Developers.
Your goal is to understand the high-level architecture for claims-based authentication in SharePoint and the detailed processes for Windows, forms-based, and SAML-based claims authentication.
Step 3: Understand the browser interaction for claims-based authentication in SharePoint.
See Appendix B of A Guide to Claims-Based Identity and Access Control (2nd Edition).
Your goal is to understand the set of messages and their contents for various types of claims-based user authentication.
Ongoing Learning
Share-n-dipity blog.
See Share-n-dipity.
Your goal is to keep up to date with the blog of Microsoft Principal Consultant Steve Peschka, a leading expert in SharePoint authentication issues.