This article explains the types of interactions for which SharePoint Server 2016 requires authentication:
- Users who access on-premises SharePoint resources
- Apps that access on-premises SharePoint resources
- On-premises servers that access on-premises SharePoint resources, or vice versa
SharePoint Server 2016 supports Windows, forms-based and Security Assertion Markup Language (SAML)-based claims authentication.
SharePoint is able to support a variety of authentication methods and providers for the following types of authentications:
- Forms-based authentication
- SAML token-based authentication
- Windows authentication
One of the claims-based identity management systems is forms-based authentication (FBA). It is based on ASP.NET membership and role provider authentication, and it can be used against credentials that are stored in an authentication provider, including:
- AD DS
- Databases such as SQL
- Directory Services (NDS)
- Lightweight Directory Access Protocol (LDAP)
Windows authentication methods are used by both claims-based and classic-mode authentication. They include:
User authentication is nothing but the validation of a user's identity against an authentication provider, which is a directory or database that contains the user's credentials and can verify that the user submitted them correctly.
User authentication occurs when a user attempts to access a SharePoint resource.
Windows claims authentication in SharePoint Server 2016
The claims-based identity is an identity model in Microsoft SharePoint that includes features such as authentication across users of Windows-based systems and systems that are not Windows-based, multiple authentication types, stronger real-time authentication, a wider set of principal types, and delegation of user identity between applications.
When a user signs in to SharePoint, the user's token is validated and then used to sign in to SharePoint. The user's token is a security token issued by a claims provider.
Forms-based authentication
App authentication is the validation of a remote SharePoint app's identity and the authorization of the app and its associated user for a request to a secured SharePoint resource.
App authentication occurs when an external component of a SharePoint Store app or an App Catalog app, such as a web server that is located on the intranet or the Internet, attempts to access a secured SharePoint resource.
There are two processes involved in app authentication:
- Authentication: verifying that the application has registered correctly with a common trusted identity broker.
- Authorization: verifying that the application and the associated requesting user have the appropriate permission to perform the operation, such as accessing a folder or a list, or completing a query.
For app authorization to succeed, the application must obtain an access token, either from the Windows Azure Access Control Service (ACS) or as a self-signed token issued through a certificate that SharePoint 2013 trusts. The access token authorizes the request for access to the specific SharePoint resource.
The access token contains data that identifies the app and the associated user; it does not validate that user's credentials. It is important to understand that the access token is not the same as a logon token.
With app authentication:
For example, suppose that a user opens a SharePoint page that contains an IFRAME of a SharePoint app, and that IFRAME needs an external component, such as a server on the intranet or the Internet, to access a secured SharePoint resource in order to render the page.
The external component of the SharePoint app must be authenticated and authorized so that SharePoint provides the requested information and the app can render the page for the user.
Without app authentication:
For example, a SharePoint app that provides weather forecast information and only has to access a weather information server on the Internet does not need app authentication.
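The two-step model above (authenticate the app's token against a trusted broker, then authorize the app and the user together) can be illustrated with a small simulation. The following is an added example, not code from the article or from SharePoint itself; it models the access token as a signed claim set naming the app, the user, the audience and an expiry, and it uses an HMAC key as a dependency-free stand-in for the certificate or ACS signature a real deployment relies on. The issuer name, audience, app id, user names, resource path and permission table are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the "trusted identity broker" and the
# SharePoint-side verifier. Real deployments use an asymmetric certificate
# (or ACS); HMAC is only a stand-in to keep this example dependency-free.
BROKER_KEY = b"demo-broker-signing-key-not-for-production"
BROKER_ISSUER = "trusted-broker.example"            # hypothetical broker name
SHAREPOINT_AUDIENCE = "sharepoint.contoso.example"  # hypothetical SharePoint host


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(app_id, user_id, audience, ttl_seconds=300, now=None):
    """Broker side: mint a token that identifies the app and the user.
    Note that no user credential is carried; only identities and scope."""
    now = int(time.time()) if now is None else now
    claims = {"iss": BROKER_ISSUER, "aud": audience, "app": app_id,
              "user": user_id, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def authenticate_app(token, now=None):
    """Step 1 (authentication): was the token issued by the trusted broker,
    for this SharePoint host, and is it still valid? Returns claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # signature does not come from the trusted broker
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != BROKER_ISSUER or claims.get("aud") != SHAREPOINT_AUDIENCE:
        return None  # token was minted for another issuer or another host
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


# Constructed permission table: resource -> {principal: set(operations)}.
PERMISSIONS = {
    "/sites/finance/Lists/Invoices": {
        "app:expense-reporter": {"read"},
        "user:alice": {"read", "write"},
        "user:bob": {"read"},
    },
}


def authorize(claims, resource, operation):
    """Step 2 (authorization): both the app AND the associated user must hold
    the permission; a user's own rights do not extend to an app acting for them."""
    acl = PERMISSIONS.get(resource, {})
    app_ok = operation in acl.get("app:" + claims["app"], set())
    user_ok = operation in acl.get("user:" + claims["user"], set())
    return app_ok and user_ok


def handle_request(token, resource, operation, now=None):
    """SharePoint side: run authentication, then authorization."""
    claims = authenticate_app(token, now=now)
    if claims is None:
        return "denied: authentication failed"
    if not authorize(claims, resource, operation):
        return "denied: app or user lacks permission"
    return "allowed"


if __name__ == "__main__":
    tok = issue_access_token("expense-reporter", "alice", SHAREPOINT_AUDIENCE)
    print(handle_request(tok, "/sites/finance/Lists/Invoices", "read"))
    print(handle_request(tok, "/sites/finance/Lists/Invoices", "write"))
```

The `write` request is refused even though alice may write to the list, because the app itself was only granted `read`; conversely, a token whose audience names a different host, or whose expiry has passed, never reaches the permission check at all.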
Server-to-server authentication is the validation of a server's request for resources, based on a trust relationship established between the security token service (STS) of the server that runs SharePoint Server 2016 and the STS of another server that supports the OAuth server-to-server protocol, such as an on-premises server running SharePoint Server 2016, Exchange Server 2016, Skype for Business 2016, or Azure Workflow Service, or SharePoint Server 2016 running in Office 365.
Was my article helpful?
If so, please let us know at the bottom of this page. If not, let us know what was confusing or missing; I'll use your feedback to double-check the facts, add information, and update this article.