Question
Tuesday, January 24, 2012 5:00 PM
I am interested in opinions on the pros and cons of using Windows Authentication versus a Trusted Identity Provider, which is using AD FS 2.0 to authenticate users against the default AD backed user store.
The scenario:
A SharePoint extranet web application hosted in a perimeter network. The web application is set up in claims-based authentication mode. An AD FS 2.0 server is installed and configured on the corporate domain. An AD FS 2.0 Proxy server is installed and configured on the perimeter network. The AD FS server is configured as a trusted identity provider (AD FS 2.0) within SharePoint. In addition, a one-way trust exists between the corporate domain and the perimeter domain.
Two possibilities therefore exist by which we can authenticate corporate domain users. We could enable Windows authentication, which would work for both access from the corporate network and from a remote location via the internet. Or we could authenticate domain users via SAML tokens issued by the AD FS server, since the trusted identity provider is enabled as the AD FS server federates authentication from trusted partners and Azure ACS. This would also work for both internal and remote access.
Anyone have any opinions on why one option is better than the other? All opinions welcome!
Ceej
www.3guysonsharepoint.com
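The second option in the scenario above (AD FS 2.0 registered as a trusted identity provider in the claims-based web application) is configured on the SharePoint side roughly as follows. This is an added example written for this thread, not code from the original post or from Microsoft; the certificate path, federation service host name and realm URN are placeholders, and the claim type URIs are the standard UPN and role claim types AD FS 2.0 issues.

```powershell
# Added example: register AD FS 2.0 as a trusted identity provider for a claims-based
# SharePoint 2010 web application. Placeholders (assumptions, not from the thread):
#   C:\certs\adfs-token-signing.cer  - exported AD FS token-signing certificate (public key only)
#   adfs.corp.example                - AD FS federation service host name
#   urn:sharepoint:extranet          - relying party identifier (realm) for the extranet web app
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SharePoint only accepts SAML tokens signed by a certificate it explicitly trusts,
# so the AD FS token-signing certificate is registered first. Never copy the private key here.
$certPath = "C:\certs\adfs-token-signing.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "AD FS Token Signing" -Certificate $cert

# Claim mappings. The identifier claim must be unique and stable per user; UPN is used
# here because it stays with the corporate account for its lifetime. A role claim is
# mapped so AD FS-issued group information can be used for SharePoint permissions.
$upn = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" `
    -IncomingClaimTypeDisplayName "UPN" -SameAsIncoming
$role = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# The realm must match the relying party identifier configured on the AD FS side;
# if they differ, tokens are issued for one audience and rejected by the other.
$realm     = "urn:sharepoint:extranet"
$signInUrl = "https://adfs.corp.example/adfs/ls"

$issuer = New-SPTrustedIdentityTokenIssuer -Name "AD FS 2.0 (corp)" `
    -Description "Corporate AD FS 2.0 trusted identity provider" `
    -Realm $realm -ImportTrustCertificate $cert `
    -ClaimsMappings $upn, $role -SignInUrl $signInUrl `
    -IdentifierClaim $upn.InputClaimType

# Check: the issuer exists and uses the expected identifier claim before it is
# assigned to the web application's authentication providers in Central Administration.
Get-SPTrustedIdentityTokenIssuer -Identity "AD FS 2.0 (corp)" |
    Select-Object Name, IdentityClaimTypeInformation, ProviderRealms
```

The AD FS side still needs a matching relying party trust whose identifier equals `$realm` and whose issuance rules emit the UPN and role claims mapped above.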
All replies (4)
Wednesday, January 25, 2012 10:38 PM ✅ Answered
Claims auth with NTLM for local domain users, and SQL FBA or another managed auth store for non-local domain users. Alternatively, if the third-party company has a SharePoint instance you can delegate trust to that third-party SharePoint instance and accept their domain auth without having to make local users :)
My CodePlex - My Blog - My Twitter
Tuesday, January 24, 2012 6:17 PM | 1 vote
I'm personally not a big fan of AD FS when it's used as the source of record for users, but if you're just using it for the tokens and trusting the third party providers I see no issue with that method.
My issues with AD FS are primarily around the backup/restore/dr story for it which in my experience is really poor. Doing basic things like copying the adfs instance to another server and bringing it back live just have never worked right or take forever with a long manual process.
My CodePlex - My Blog - My Twitter
Wednesday, January 25, 2012 8:34 AM
Thanks for your reply. Useful information on the backup/restore/dr story.
So in a nutshell you would use Windows authentication via AD DS/NTLM for your domain users, rather than a Trusted Identity Provider via AD FS?
Ceej
www.3guysonsharepoint.com
Thursday, January 26, 2012 1:05 PM
I'll take that as an answer! My requirement also has to include the use of Windows Live ID, Google accounts (hence the use of Azure ACS) and from a custom user store.
Ceej
www.3guysonsharepoint.com