SharePoint 2010 SSL and Claims Authentication

I have two questions regarding SharePoint 2010.

Here is our base setup which was in-place long before I started on my company.

- 2 front-end web servers and one backend MS SQL 2012 server. All servers are running Windows 2008 R2. The main site is set up for claims authentication. The main site is load balanced using our Citrix NetScaler. Our NetScaler is set for SSL on the site, and IIS is set to encrypt the site as well. Is this correct? Or should we be doing one or the other and using SSL offloading? I am concerned that we are double encrypting traffic.

- Our main site is set up to use claims, although I have often wondered if it is working correctly. We are not getting errors, but our site is very slow. I am not the greatest with claims and noticed that none of the server accounts have SPNs created for them. How can I tell for sure if our site is using NTLM, Kerberos, or claims?
Justin SmithConnect With a Mentor Sr. System EngineerCommented:
Offloading means you are offloading the work required to process SSL communication to the load balancer. The SSL cert is installed there, not in IIS. The load balancer in turn requests the information from SharePoint over HTTP. SharePoint would respond and send data over HTTP, but would rewrite any URL on the page to say HTTPS, so when users click a link they request it via HTTPS. This rewrite is done via Alternate Access Mapping config in SharePoint.

Your assumption is incorrect for the most part. SharePoint can communicate with its backend SQL Server (where config and content DBs live) via NTLM. SharePoint can also communicate with outside data sources via NTLM if an account is specified in the connection string or you use an account in the Secure Store.
Justin SmithSr. System EngineerCommented:
You should offload SSL, in most cases, to the load balancer. It's not that the information is getting encrypted twice (as in double secure) but that it's getting processed twice, taking unnecessary time and resources. You don't need to encrypt your traffic once it is internal.

Claims authentication still uses NTLM or Kerberos. Claims auth is basically a type of security token. You still need a security protocol like NTLM or Kerberos to authenticate using the token. If you haven't set the web app to Kerberos, it's using NTLM.
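One way to check what this answer describes on a real farm (which model and which Windows protocol each web application zone is configured for, whether the Alternate Access Mappings have the public-https / internal-http shape that SSL offloading needs, and whether the app-pool identity even has an SPN), as an added example that is not code from any poster. It assumes the SharePoint 2010 Management Shell on a farm server, a farm-admin account, and setspn.exe on the PATH.

```powershell
# Added example for this thread (not code from any poster). Assumes the
# SharePoint 2010 Management Shell on a farm server and setspn.exe on the PATH.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($wa in Get-SPWebApplication) {
    $model = if ($wa.UseClaimsAuthentication) { "Claims" } else { "Classic (Windows)" }
    Write-Host "Web application: $($wa.DisplayName) [$model]"

    # Per-zone Windows protocol. DisableKerberos = $true means the zone uses
    # NTLM only; $false means Negotiate, which falls back to NTLM anyway when
    # no usable SPN exists for the app-pool identity.
    foreach ($zone in $wa.IisSettings.Keys) {
        $iis = $wa.IisSettings[$zone]
        $proto = if ($iis.DisableKerberos) { "NTLM" } else { "Negotiate (Kerberos)" }
        Write-Host ("  Zone {0,-9} protocol: {1}" -f $zone, $proto)
    }

    # Alternate Access Mappings. With offloading, the public URL is https
    # (what the NetScaler presents to users) and the internal URL is http
    # (what the NetScaler uses to reach IIS). Flag zones that do not fit.
    foreach ($aam in Get-SPAlternateURL -WebApplication $wa) {
        $pub = [Uri]$aam.PublicUrl
        $inc = [Uri]$aam.IncomingUrl
        $note = ""
        if ($pub.Scheme -eq "https" -and $inc.Scheme -eq "https") {
            $note = "  <- both https: IIS still terminates SSL (no offload)"
        } elseif ($pub.Scheme -eq "http") {
            $note = "  <- public URL is http: users are not kept on SSL"
        }
        Write-Host ("  AAM {0,-9} {1} -> {2}{3}" -f $aam.UrlZone, $inc.AbsoluteUri, $pub.AbsoluteUri, $note)
    }

    # Kerberos needs an HTTP/<host> SPN on the app-pool identity; list what
    # is registered so an empty result explains a silent NTLM fallback.
    $account = $wa.ApplicationPool.Username
    Write-Host "  App pool identity: $account"
    & setspn.exe -L $account
}
```

Run it once on the farm and compare the zone protocol, the AAM schemes and the SPN list against what the NetScaler is configured to do; an empty SPN list with DisableKerberos = $false means the site is really running over NTLM.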
compdigit44Author Commented:
Thanks for the reply, Ach1LLes.

I just want to make sure I am not confusing terms here. On our NetScaler, SSL means the connections are secured by the NetScaler; SSL offload is done by the backend server, correct?

If our SharePoint site requires SSL, should we only secure it on the NetScaler and not in IIS as well?

I wasn't aware that claims could use NTLM. When using claims in a tiered setup, I thought the only way to communicate with a backend server was by using SPNs and constrained delegation?
compdigit44Author Commented:

I had everything backwards in my mind. So SSL offloading makes the NetScaler handle the secure connection. Does this mean I should remove SSL from my SharePoint IIS site and set it to HTTP?

Regarding claims and tiered systems, I was always under the impression that any time you have a tiered setup you need to use delegation with SPNs. Yet I know we do not have SPNs in place now, which is why I am confused as to how things are working. So a tiered setup can use NTLM?
Justin SmithSr. System EngineerCommented:
Yes, you would remove SSL from IIS.

Yes you can use Claims and NTLM with a tiered farm.
compdigit44Author Commented:
I have been thinking about your responses and have been doing additional research and want to make sure I am understanding things correctly.

1) Claims authentication is a framework which can support both NTLM and Kerberos authentication.

2) SSL offload "bridging" should be used on the NetScaler to take additional load off of the web servers.

If I remove the cert from the backend web servers, doesn't this mean that traffic between the NetScaler and the server is unencrypted?

What is the best persistence type to use with SharePoint 2010 and Claims?
Justin SmithSr. System EngineerCommented:
1. Yes.
2. I'm not familiar enough with NetScaler to answer.

If you remove the cert, then yes, the traffic from the load balancer to the web server is unencrypted. SharePoint 2010 requires single affinity.