Solved

SharePoint 2010 SSL and Claims Authentication

Posted on 2014-01-20
986 Views
Last Modified: 2016-10-25
I have two questions regarding SharePoint 2010.

Here is our base setup which was in-place long before I started on my company.

- 2 front-end web servers and one backend MS SQL 2012 server. All servers are running Windows 2008 R2. The main site is set up for claims authentication. The main site is load balanced using our Citrix NetScaler. Our NetScaler is set for SSL on the site, and IIS is set to encrypt the site as well. Is this correct? Or should we be doing one or the other and using SSL offloading? I am concerned that we are double encrypting traffic.

- Our main site is set up to use claims, although I have often wondered if it is working correctly. We are not getting errors, but our site is very slow. I am not the greatest with claims and noticed that none of the server accounts have SPNs created for them. How can I know for sure if our site is using NTLM, Kerberos or Claims...
Question by:compdigit44
7 Comments
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39796777
You should offload SSL, in most cases, to the load balancer.  It's not that the information is getting encrypted twice (as in double secure) but that it's getting processed twice - taking unnecessary time and resources.  You don't need to encrypt your traffic once it is internal.

Claims authentication still uses NTLM or Kerberos.  Claims auth is basically a type of security token.  You still need a security protocol like NTLM or Kerberos to authenticate using the token.  If you haven't set the web app to Kerberos it's using NTLM.
 
LVL 20

Author Comment

by:compdigit44
ID: 39797082
Thanks for the reply Ach1LLes,

I just want to make sure I am not confusing terms here. On our NetScaler, SSL means the connections are secured by the NetScaler; SSL Offload is done by the backend server, correct?

If our SharePoint site requires SSL, should we only secure it on the NetScaler and not in IIS as well?

I wasn't aware that Claims could use NTLM. When using claims in a tiered setup, I thought the only way to communicate with a backend server was by using SPNs and Constrained Delegation???
 
LVL 38

Accepted Solution

by:
Justin Smith earned 500 total points
ID: 39797090
Offloading means you are offloading the work required to process SSL communication to the load balancer.  The SSL cert is installed there, not in IIS.  The load balancer in turn requests the information from SharePoint over HTTP.  SharePoint would respond and send data over HTTP, but would rewrite any URL on the page to say HTTPS, so when users click a link they request it via HTTPS.  This rewrite is done via Alternate Access Mapping config in SharePoint.

Your assumption is incorrect for the most part.  SharePoint can communicate with its backend SQL Server (where config and content DBs live) via NTLM.  SharePoint can also communicate with outside data sources via NTLM if an account is specified in the connection string or you use an account in the Secure Store.
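As an added example (not part of this thread and not code from the poster or the answerer), the following read-only PowerShell audit answers the "NTLM, Kerberos or Claims" question per web application and zone, and shows whether SSL is still bound in IIS or only at the load balancer via the Alternate Access Mappings. It assumes the SharePoint 2010 Management Shell on a farm server with farm-admin rights; the host name passed to the SPN check is a placeholder.

```powershell
# Added audit script (assumption: run in the SharePoint 2010 Management Shell,
# which ships with PowerShell 2.0, so no v3-only syntax is used).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SPAuthSummary {
    # One row per web application zone: claims on/off, NTLM vs Kerberos,
    # whether IIS still has an HTTPS binding, and the AAM public/incoming URLs.
    foreach ($webApp in Get-SPWebApplication) {
        $account = $webApp.ApplicationPool.ProcessAccountName
        $aams = Get-SPAlternateURL -WebApplication $webApp
        foreach ($entry in $webApp.IisSettings.GetEnumerator()) {
            $zone = $entry.Key
            $iis  = $entry.Value
            # DisableKerberos = $true means Windows auth is NTLM-only for this zone;
            # $false means Negotiate, which only yields Kerberos if an HTTP/<host>
            # SPN exists on the app pool account (otherwise clients fall back to NTLM).
            if ($iis.DisableKerberos) { $winAuth = 'NTLM' } else { $winAuth = 'Negotiate (Kerberos if SPN present)' }
            $zoneAams = $aams | Where-Object { $_.Zone -eq $zone }
            New-Object PSObject -Property @{
                WebApplication = $webApp.DisplayName
                Zone           = $zone
                ClaimsMode     = $webApp.UseClaimsAuthentication
                WindowsAuth    = $winAuth
                # With SSL offloaded to the NetScaler this should be $false while
                # PublicUrl is still https://... (SharePoint rewrites links from AAM).
                SslBoundInIis  = ($iis.SecureBindings.Count -gt 0)
                PublicUrl      = (($zoneAams | ForEach-Object { $_.PublicUrl }) -join ';')
                IncomingUrls   = (($zoneAams | ForEach-Object { $_.IncomingUrl }) -join ';')
                AppPoolAccount = $account
            }
        }
    }
}

function Test-SPKerberosSpn {
    # Returns $true only if HTTP/<HostName> is registered on the given account.
    param([string]$Account, [string]$HostName)
    $spns = & setspn -L $Account 2>&1
    $wanted = "HTTP/$HostName"
    return [bool]($spns | Where-Object { $_.Trim() -ieq $wanted })
}

Get-SPAuthSummary | Format-Table WebApplication, Zone, ClaimsMode, WindowsAuth, SslBoundInIis, PublicUrl -AutoSize
# Placeholder values: replace with the app pool account and the site's host header.
Test-SPKerberosSpn -Account 'DOMAIN\sp_apppool' -HostName 'portal.example.com'
```

A row showing ClaimsMode true with WindowsAuth NTLM (or Negotiate with no matching SPN) confirms the answer above: the site is a claims web application whose Windows sign-in is actually NTLM.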
 
LVL 20

Author Comment

by:compdigit44
ID: 39797191
Wow!!!!

I had everything backwards in my mind. So SSL Offloading makes the NetScaler handle the secure connection. Does this mean I should remove SSL from my SharePoint IIS site and set it to HTTP?

In regard to Claims and tiered systems, I was always under the impression that any time you have a tiered setup you need to use Delegation with SPNs. Yet I know we do not have SPNs in place now, which is why I am confused as to how things are working. So a tiered setup can use NTLM????
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39797219
Yes, you would remove SSL from IIS.

Yes you can use Claims and NTLM with a tiered farm.
 
LVL 20

Author Comment

by:compdigit44
ID: 39803748
I have been thinking about your responses and have been doing additional research and want to make sure I am understanding things correctly.

1) Claims Authentication is a framework which can support both NTLM and Kerberos authentication.

2) SSL Offload "bridging" should be used on the NetScaler to take additional load off of the web servers.

**If I remove the cert from the backend web servers, doesn't this mean that traffic between the NetScaler and the servers is unencrypted?

What is the best persistence type to use with SharePoint 2010 and Claims?
 
LVL 38

Expert Comment

by:Justin Smith
ID: 39803954
1. Yes
2. I'm not familiar enough with Netscaler to answer


If you remove the cert, yes the traffic from load balancer to web server is unencrypted.  SharePoint 2010 requires single affinity.