Plan for claims-based authentication or classic-mode authentication (SharePoint Server 2010)


Applies to: SharePoint Server 2010, SharePoint Foundation 2010

In Microsoft SharePoint Server 2010, you can choose between claims-based authentication and classic-mode authentication when you create a Web application.

For more information about these two authentication modes, see Plan authentication methods (SharePoint Server 2010).

Choosing classic-mode or claims-based authentication

Choosing between classic-mode and claims-based authentication should be based on business needs. For example, if you need to support user accounts in identity providers that are not based on Active Directory Domain Services (AD DS), and you implement forms-based authentication, you must use forms-based authentication with claims-based authentication in SharePoint Server 2010. We recommend that you use claims-based authentication whenever possible.

Note

FAST Search Server 2010 for SharePoint document preview does not work with SharePoint Server 2010 claims-based Web applications.

The following chart summarizes the support for authentication methods by each authentication mode.

Type                                        Classic-mode authentication    Claims-based authentication

Windows authentication methods              Yes                            Yes
  • NTLM
  • Kerberos
  • Anonymous
  • Basic
  • Digest

Forms-based authentication methods          No                             Yes
  • LDAP
  • SQL Server database or other database
  • Custom or third-party membership and role providers

SAML token-based authentication methods     N/A                            Yes
  • AD FS 2.0
  • Third-party identity provider
  • LDAP

Upgrading to SharePoint Server 2010

If you are upgrading from Microsoft Office SharePoint Server 2007 to SharePoint Server 2010, you should consider the following information:

  • If you are upgrading an earlier version solution to SharePoint Server 2010 and the solution includes only Windows accounts, you can use either mode of Windows authentication: Windows Claims or Windows Classic. We recommend that you use claims-based authentication whenever possible. For more information about using claims-based authentication, see Implementing Claims-Based Authentication with SharePoint Server 2010 (whitepaper).

  • If you are upgrading a solution that requires forms-based authentication, the only option is to upgrade to claims-based authentication.

  • Custom code that uses Windows identities might have to be updated. If you have custom code that uses Windows identities, you can keep using classic-mode authentication until your code is updated and tested. For example, if you wrote a custom Web Part for Office SharePoint Server 2007 that retrieves the current user identity and you are upgrading to SharePoint Server 2010, use the SPWeb.CurrentUser property instead of HttpContext.Current.User.Identity to retrieve the identity, because a claims-based Web application does not place a Windows identity in the HTTP context.

  • The migration time will vary, depending on the number of users that are listed in the UserInfo table in the content database. When you change a Web application from Windows classic mode to Windows claims, you must use Windows PowerShell to convert Windows identities to Windows claims identities. Be sure to allow for enough time during the upgrade process to complete this task.

  • You can search for and list names in the People Picker when you are using SAML token-based authentication, but the names cannot be checked for validity unless you write a custom claims provider.

    For more information about how to write a custom claims provider, see Custom claims providers for People Picker (SharePoint Server 2010).

  • If you are using the Outlook social connector, you must use either Windows classic-mode authentication or Windows claims authentication.
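The conversion step described above (switching a Web application from Windows classic mode to Windows claims and converting the stored Windows identities) is done from the SharePoint 2010 Management Shell. The following script is an added example and is not part of this page or of the product documentation; it uses the SPWebApplication.MigrateUsers and ProvisionGlobally methods and the New-SPClaimsPrincipal cmdlet. The Web application URL and the administrator account are placeholders, and the user-count loop is an assumed way of estimating the workload that the page attributes to the UserInfo table.

```powershell
# Added example (not from this page): estimate the conversion workload for a
# Web application, then switch it from Windows classic mode to Windows claims
# and convert the existing Windows identities to claims identities.
# Assumptions: the Web application URL and administrator account below are
# placeholders; run this from the SharePoint 2010 Management Shell on a farm
# server as a farm administrator, after backing up the content databases.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl    = "http://webapp.example.com"   # placeholder
$adminAccount = "CONTOSO\spadmin"             # placeholder

$wa = Get-SPWebApplication $webAppUrl

# 1. Size the job. The migration rewrites every stored user entry, so count
#    the entries per site collection before scheduling the change window.
$total = 0
foreach ($site in $wa.Sites) {
    $count = $site.RootWeb.SiteUsers.Count
    Write-Host ("{0}: {1} user entries" -f $site.Url, $count)
    $total += $count
    $site.Dispose()
}
Write-Host ("Total user entries to convert: {0}" -f $total)

# 2. Switch the Web application to claims-based authentication.
$wa.UseClaimsAuthentication = $true
$wa.Update()

# 3. Grant the migrating administrator Full Control through a Web application
#    policy. The account is stored in its claims-encoded form so the policy
#    still matches after the identities have been converted.
$claimsAccount = (New-SPClaimsPrincipal -Identity $adminAccount `
                    -IdentityType WindowsSamAccountName).ToEncodedString()
$zonePolicies = $wa.ZonePolicies("Default")
$policy       = $zonePolicies.Add($claimsAccount, "Claims migration policy")
$fullControl  = $wa.PolicyRoles.GetSpecialRole("FullControl")
$policy.PolicyRoleBindings.Add($fullControl)
$wa.Update()

# 4. Convert the stored Windows identities to Windows claims identities and
#    re-provision the Web application on every server in the farm.
$wa.MigrateUsers($true)
$wa.ProvisionGlobally()

# 5. Verify. Converted Windows identities carry the Windows-claims prefix
#    (for example i:0#.w|CONTOSO\user) in their LoginName.
$site = $wa.Sites[0]
$site.RootWeb.SiteUsers | Select-Object -First 5 LoginName
$site.Dispose()
```

Run the first loop on its own first; the total it prints is the figure to use when estimating how long the MigrateUsers call will take. Steps 2 through 4 are one-way: once the Web application uses claims authentication, the converted identities are no longer plain Windows accounts, which is why the policy in step 3 is added before the conversion rather than after.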

The following table illustrates several compatibility considerations when you migrate from Microsoft Office SharePoint Server 2007 to SharePoint Server 2010.

                                                              To SharePoint Server 2010
From Office SharePoint Server 2007      Windows classic mode    Windows claims          Forms-based             SAML token-based
                                        authentication          authentication methods  authentication methods  authentication methods

Windows authentication methods          Supported               Supported               Not supported           Not supported

Forms-based authentication methods      Not supported           Not supported           Supported (1)           Supported (2)

Web single sign-on                      Not supported           Not supported           Not supported (3)       Not supported (3)

Notes for the previous table of compatibility considerations:

  1. This upgrade path is supported by migrating to claims-based authentication.

  2. This upgrade path is supported, but it requires additional configuration in order to complete the migration.

  3. This upgrade path is not supported, but the same level of functionality is provided through SAML token-based authentication.

For additional information about migrating, see the following topics:

Features that do not work with forms-based authentication or SAML security tokens

The following SharePoint Server 2010 features do not work when you switch to a claims-based Web application that uses forms-based authentication or Security Assertion Markup Language (SAML) security tokens. These features do not work because claims-based authentication does not generate a Windows security token, which is necessary for these features.

  • Search Alerts

  • SharePoint Server 2010 Explorer View

  • Claims to Windows Token Service (C2WTS)

  • InfoPath Forms Services

  • Search crawling

    Note

    If you are using forms-based authentication or SAML token-based authentication, you will still need a separate zone that supports Windows authentication to enable Microsoft Search Server 2010 to crawl your content.

  • Certificate Authentication

    Note

    Certificate authentication is not supported in SharePoint Server 2010, but you can configure Unified Access Gateway (UAG) as a front-end to SharePoint Server 2010 to enable certificate authentication by integrating with Active Directory Federated Services (AD FS) and SAML token-based authentication.
    For more information about configuring SharePoint Server 2010 with UAG, see Forefront UAG integration (SharePoint Server 2010).

Features that require additional configuration to work with forms-based authentication or SAML security tokens

There are several SharePoint Server 2010 features that require additional configuration to work with forms-based authentication or SAML security tokens.