Thursday, January 31, 2013

Kerberos VS NTLM Authentication


NTLM Authentication: Challenge-Response mechanism.

In the NTLM protocol, the client sends the user name to the server; the server generates a challenge and sends it to the client; the client encrypts that challenge using the user's password and sends the result back to the server as its response. If the account is a local user account, the server validates the response by looking into the Security Account Manager (SAM); if it is a domain user account, the server forwards the response to the domain controller for validation and retrieves the group policy of the user account. The server then constructs an access token and establishes a session for the user.
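The exchange just described, as an added example that is not part of the original post: a simplified model in which HMAC-SHA256 stands in for NTLM's real algorithms, with constructed account stores for the local SAM and the domain controller.

```python
# Simplified model of the NTLM challenge-response exchange described above. Added example:
# the message flow follows the text, but HMAC-SHA256 stands in for NTLM's real algorithms.
import hashlib, hmac, secrets

def credential(password):
    # Servers and DCs store a value derived from the password, not the password itself
    # (stand-in for the hash kept in the SAM or Active Directory).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed account stores: (credential, groups) for the local SAM and for the domain controller.
SAM = {"localadmin": (credential("L0cal-P@ss"), ["Administrators"])}
DOMAIN_CONTROLLER = {"CORP\\alice": (credential("Al1ce-P@ss"), ["Domain Users", "Finance"])}

def client_response(password, challenge):
    # Message 3: the client proves knowledge of the password by keying a MAC over the challenge.
    return hmac.new(credential(password), challenge, hashlib.sha256).digest()

def server_authenticate(username, respond):
    """Server side. `respond` is the client: it receives the challenge and returns message 3."""
    challenge = secrets.token_bytes(8)                # message 2: fresh random challenge per logon
    response = respond(challenge)
    # Local account: validate against the SAM. Domain account: forward to the DC.
    store = DOMAIN_CONTROLLER if "\\" in username else SAM
    cred, groups = store.get(username, (None, []))
    if cred is None:
        return {"ok": False, "reason": "unknown account"}
    expected = hmac.new(cred, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):  # constant-time comparison
        return {"ok": False, "reason": "bad response"}
    return {"ok": True, "user": username, "groups": groups}  # access token for the new session

def replay_is_rejected():
    """A response captured from one logon is useless against a later one: the challenge differs."""
    captured = {}
    def genuine(c):
        captured["r"] = client_response("Al1ce-P@ss", c)
        return captured["r"]
    first = server_authenticate("CORP\\alice", genuine)
    second = server_authenticate("CORP\\alice", lambda c: captured["r"])
    return first["ok"] and not second["ok"]
```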

Kerberos authentication: Trusted-Third-Party Scheme.

Kerberos authentication provides a mechanism for mutual authentication between a client and a server on an open network. The three heads of Kerberos are the Key Distribution Centre (KDC), the client user, and the server hosting the desired service. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). When the client user logs on to the network, it requests a Ticket-Granting Ticket (TGT) from the AS in the user's domain. When the client later wants to access a network resource, it presents the TGT, an authenticator and the Service Principal Name (SPN) of the target server to the TGS in the service account's domain to retrieve a session ticket for subsequent communication with the network service. Once the target server validates the authenticator, it creates an access token for the client user.
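The three exchanges above (AS, TGS, and the final presentation to the server), as an added example that is not part of the original post: a toy model in which `seal`/`unseal` stand in for Kerberos ticket encryption, and the principal names, keys, lifetime and skew window are all constructed.

```python
# Toy model of the Kerberos AS -> TGS -> AP flow described above. Added example: the
# message flow follows the text; `seal` is a stand-in for Kerberos encryption, not real krb5.
import hashlib, hmac, json, secrets, time

def _stream(key, nonce, n):  # toy keystream: SHA-256(key||nonce||counter) blocks, illustrative only
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, msg):  # encrypt-then-MAC a small JSON message under `key`
    body, nonce = json.dumps(msg, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):  # verify the MAC first, then decrypt; any tampering raises
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys. The KDC holds all of them; each party knows only its own.
KEYS = {"alice@CORP": hashlib.sha256(b"Al1ce-P@ss").digest(),      # derived from user password
        "krbtgt/CORP": secrets.token_bytes(32),                     # TGS key, never leaves the KDC
        "HTTP/sp.corp.local": secrets.token_bytes(32)}              # service (SPN) key
MAX_SKEW, LIFETIME = 300, 36000  # seconds: authenticator freshness window, ticket lifetime

def as_exchange(user):  # AS: TGT sealed for the TGS + session key sealed for the user
    sk = secrets.token_bytes(32)
    tgt = seal(KEYS["krbtgt/CORP"], {"cname": user, "key": sk.hex(), "exp": time.time() + LIFETIME})
    return tgt, seal(KEYS[user], {"key": sk.hex()})
def authenticator(session_key, cname):  # proves the presenter holds the ticket's session key
    return seal(session_key, {"cname": cname, "ts": time.time()})
def check_ticket(ticket_key, ticket, auth):  # open ticket, then check authenticator under its key
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), auth)
    now = time.time()
    if a["cname"] != t["cname"] or now > t["exp"] or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return t
def tgs_exchange(tgt, auth, spn):  # TGS: validate TGT + authenticator, issue service ticket for SPN
    t, ssk = check_ticket(KEYS["krbtgt/CORP"], tgt, auth), secrets.token_bytes(32)
    st = seal(KEYS[spn], {"cname": t["cname"], "key": ssk.hex(), "exp": time.time() + LIFETIME})
    return st, seal(bytes.fromhex(t["key"]), {"key": ssk.hex()})
def ap_exchange(spn, st, auth):  # target server validates with its own key; no KDC round trip
    return {"user": check_ticket(KEYS[spn], st, auth)["cname"], "spn": spn}  # the access token
def client_logon(user, spn):  # client side of all three exchanges
    tgt, enc = as_exchange(user)
    sk = bytes.fromhex(unseal(KEYS[user], enc)["key"])           # only the user's key opens this
    st, enc2 = tgs_exchange(tgt, authenticator(sk, user), spn)
    ssk = bytes.fromhex(unseal(sk, enc2)["key"])
    return ap_exchange(spn, st, authenticator(ssk, user))
```

The service validates the ticket with its own key alone, which is why the target server never has to contact the KDC during the final exchange.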

SharePoint 2010 - Claims-based authentication

Claims-based authentication (CBA) is based on a concept of identity that works with any identity system. An identity is represented by a security token. The security token is presented to the application the user is trying to access. CBA provides a trust-based system between applications and a centralized provider that issues the token. The application trusts the user because it trusts the provider. Therefore, in addition to providing a single sign-on environment, this eliminates the need for each application to authenticate the user individually.

CBA also answers two important questions:
  1. How will users gain access to the enterprise's applications regardless of their location?
    • Claims-based identity provides a common way for applications to acquire identity information from users, irrespective of whether they are inside the organization, in another organization, or on the internet.
  2. How will the different types of user information be retrieved by applications so that they can accomplish their required functions?
    • Identity information is stored in the token. A token may contain one or more claims (pieces of identity information) about the user. We can think of a claim as metadata about a user that travels with the token.
Implementing claims-based identity generally requires using and understanding a set of core technologies:
  1. Windows Identity Foundation (WIF):
    • WIF is a set of application programming interfaces (APIs) that can be used to develop custom applications that use claims and are capable of federating with other systems.
  2. Active Directory Federation Services 2.0:
    • ADFS 2.0 is a security token service (STS) responsible for issuing tokens. ADFS provides both identity federation and single sign-on services.
  3. Windows CardSpace 2.0:
    • CardSpace stores users' digital identities and represents the identity information in visual Information Cards. Users can exchange these cards between systems like real business cards.
SharePoint 2010 Authentication Options:
There are two options:
  1. Classic Mode:
    • This authentication mode refers to the Integrated Windows authentication model supported in SharePoint 2007. Classic mode does not utilize any of the claims infrastructure, and therefore none of the claims features are available.
  2. Claims-Based:
    • CBA supports three different authentication providers out of the box:
      • Windows Authentication: Includes all the same authentication methods as Classic Mode authentication.
      • Forms-Based Authentication: This method includes LDAP, database, or custom membership and/or role providers.
      • SAML Token-Based Authentication: This includes ADFS 2.0, Windows Live ID, and third-party providers.


Tuesday, January 1, 2013

SharePoint 2013 - Search Interface Improvements

Users can quickly identify useful results without opening each search result, in ways such as the following:
  • Users can rest the pointer over a search result to preview the document content in the hover panel to the right of the result.
  • Users can quickly distinguish search results based on their type. For example, Microsoft Office documents display the application icon in front of the title of the search result. Newsfeed conversation results display the number of replies and the number of likes to the right. Site results list the top links that users often click on the site. People results show the picture and the Lync availability status to the left.
  • By default, certain types of related results are displayed in groups called result blocks. A result block contains a small subset of results that are related in a particular way. For example, results that are PowerPoint documents appear in a result block when the word "presentation" is one of the search terms. Administrators and site owners can also create result blocks to group other results. Like individual search results, result blocks can be promoted or ranked alongside other results.
Search helps users quickly return to important sites and documents by remembering what they have previously searched and clicked. The results of previously searched and clicked items are displayed as query suggestions at the top of the results page.

In addition to the default manner in which search results are differentiated, site collection administrators and site owners can create and use result types to customize how results are displayed for important documents. A result type is a rule that identifies a type of result and a way to display it.

Site collection administrators and site owners can use display templates to customize the appearance of search results by using an HTML editor, and they can customize the behaviour of search results by using JavaScript. They can specify display templates that determine how result types appear.