SharePoint 2010 SSL and Claims Authentication

Posted on 2014-01-20
Last Modified: 2016-10-25
I have two questions regarding SharePoint 2010.

Here is our base setup which was in-place long before I started on my company.

- 2 front-end web servers and one backend MS SQL 2012 server. All servers are running Windows 2008 R2. The main site is set up for claims authentication. The whole main site is load balanced using our Citrix NetScaler. Our NetScaler is set for SSL on the site, and IIS is set to encrypt the site as well. Is this correct? Or should we be doing one or the other and using SSL offloading? I am concerned that we are double encrypting traffic.

- Our main site is set up to use claims, although I have often wondered if it is working correctly. We are not getting errors, but our site is very slow. I am not the greatest with claims and notice that none of the server accounts have SPNs created for them. How can I tell for sure if our site is using NTLM, Kerberos or Claims?
Question by:compdigit44
Expert Comment

by:Justin Smith
ID: 39796777
You should offload SSL, in most cases, to the load balancer.  It's not that the information is getting encrypted twice (as in double secure) but that it's getting processed twice, taking unnecessary time and resources.  You don't need to encrypt your traffic once it is internal.

Claims authentication still uses NTLM or Kerberos.  Claims auth is basically a type of security token.  You still need a security protocol like NTLM or Kerberos to authenticate using the token.  If you haven't set the web app to Kerberos, it's using NTLM.
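The comment above says a claims web application still authenticates with NTLM unless the web application was set to Kerberos, and the question asks how to tell which one is actually in use. The script below is an added example, not code from the thread or from either participant. It assumes nothing beyond the stock SharePoint 2010 PowerShell snap-in, the setspn tool and the Security event log on a front-end server, and it only reads configuration.

```powershell
# Added example, not code from the original thread. Run in the SharePoint 2010
# Management Shell (PowerShell 2.0) on one front-end server; it changes nothing.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. What each web application / zone is configured for.
foreach ($webApp in Get-SPWebApplication) {
    foreach ($zone in $webApp.IisSettings.Keys) {
        $iis = $webApp.IisSettings[$zone]
        # SharePoint stores the Kerberos/NTLM choice as DisableKerberos:
        # $true = NTLM only, $false = Negotiate (Kerberos, falling back to NTLM).
        if ($iis.DisableKerberos) { $windowsAuth = "NTLM" } else { $windowsAuth = "Negotiate" }
        New-Object PSObject -Property @{
            WebApplication = $webApp.DisplayName
            Zone           = $zone
            ClaimsBased    = $webApp.UseClaimsAuthentication
            WindowsAuth    = $windowsAuth
            AppPoolAccount = $webApp.ApplicationPool.Username
        }
    }
}

# 2. Negotiate only produces Kerberos if the application pool account has an
#    HTTP/<hostname> SPN for the name users type in; with no SPN it silently
#    falls back to NTLM, which matches the situation described in the question.
Get-SPWebApplication | ForEach-Object { $_.ApplicationPool.Username } | Sort-Object -Unique |
    ForEach-Object {
        Write-Host "SPNs registered for $_ :"
        setspn -L $_
    }

# 3. The definitive answer is in the Security log of each front end: every
#    network logon (event 4624, logon type 3) records the package that really
#    authenticated the user, "Kerberos" or "NTLM".
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4624 } -MaxEvents 500 |
    Where-Object { $_.Message -match "Logon Type:\s+3" } |
    ForEach-Object { if ($_.Message -match "Authentication Package:\s+(\S+)") { $matches[1] } } |
    Group-Object | Select-Object Name, Count
```

The first two parts answer "what is it set to"; the third answers "what is it actually doing", which is the one that matters when the zone says Negotiate but no SPNs exist. Run part 3 on every front end, since each one logs only the logons it handled.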

Author Comment

by:compdigit44
ID: 39797082
Thanks for the reply Ach1LLes,

I just want to make sure I am not confusing terms here. On our NetScaler, SSL means the connections are secured by the NetScaler; SSL offload is done by the backend server, correct?

If our SharePoint site requires SSL, should we only secure it on the NetScaler and not in IIS as well?

I wasn't aware that Claims could use NTLM. When using claims in a tiered setup, I thought the only way to communicate with a backend server was by using an SPN and constrained delegation?

Accepted Solution

by:Justin Smith (earned 500 total points)
ID: 39797090
Offloading means you are offloading the work required to process SSL communication to the load balancer.  The SSL cert is installed there, not in IIS.  The load balancer in turn requests the information from SharePoint over HTTP.  SharePoint would respond and send data over HTTP, but would rewrite any URL on the page to say HTTPS, so when users click a link they request it via HTTPS.  This rewrite is done via Alternate Access Mapping config in SharePoint.

Your assumption is incorrect for the most part.  SharePoint can communicate with its backend SQL Server (where config and content DBs live) via NTLM.  SharePoint can also communicate with outside data sources via NTLM if an account is specified in the connection string or you use an account in the Secure Store.
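The accepted answer describes the offload layout in words: certificate on the load balancer, plain HTTP to the front ends, HTTPS links produced by Alternate Access Mappings. The script below is an added example of that configuration, not code from the thread or from Justin Smith. The host name sp.contoso.com is a placeholder, and the script assumes the web application's Default-zone public URL is already the HTTPS address (which is the case in the farm described, where IIS currently does SSL), so that only the internal HTTP mapping has to be added and the IIS binding changed.

```powershell
# Added example, not code from the original thread. sp.contoso.com is a
# placeholder host name. Step 1 changes farm configuration and runs once, in the
# SharePoint 2010 Management Shell; steps 2 and 3 must run on every front end.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$publicUrl   = "https://sp.contoso.com"   # what browsers use; the certificate lives on the NetScaler
$internalUrl = "http://sp.contoso.com"    # what the NetScaler sends to each front end
$hostName    = ([Uri]$publicUrl).Host

$webApp = Get-SPWebApplication -Identity $publicUrl
$zone   = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Step 1: Alternate Access Mappings. The Default zone's public URL stays HTTPS,
# so every link SharePoint writes into a page points back at the load balancer.
# The HTTP URL is added as an *internal* URL of the same zone, so a request that
# arrives from the NetScaler over plain HTTP is recognised and answered with
# HTTPS links instead of HTTP ones.
$mappings = Get-SPAlternateURL -WebApplication $webApp
if (-not ($mappings | Where-Object { $_.IncomingUrl -eq $internalUrl })) {
    New-SPAlternateURL -Url $internalUrl -WebApplication $webApp -Zone $zone -Internal | Out-Null
}
Get-SPAlternateURL -WebApplication $webApp | Format-Table IncomingUrl, Zone, PublicUrl -AutoSize

# Step 2: IIS on this front end. The SharePoint site keeps only an HTTP binding
# on port 80 and no "Require SSL" flag; the 443 binding and the certificate are
# no longer used here because TLS terminates on the NetScaler.
$siteName = $webApp.IisSettings[$zone].ServerComment   # the IIS site SharePoint created

if (-not (Get-WebBinding -Name $siteName -Protocol http -Port 80)) {
    New-WebBinding -Name $siteName -Protocol http -Port 80 -HostHeader $hostName -IPAddress "*"
}
if (Get-WebBinding -Name $siteName -Protocol https -Port 443) {
    Remove-WebBinding -Name $siteName -Protocol https -Port 443
}
# Clear "Require SSL" (sslFlags = "" means none) or IIS answers 403 to the NetScaler.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter "system.webServer/security/access" -Name sslFlags -Value ""

# Step 3: verify from the front end itself. A request on the internal HTTP URL
# must come back with links rewritten to the public HTTPS URL.
$client = New-Object System.Net.WebClient
$client.UseDefaultCredentials = $true
$html = $client.DownloadString($internalUrl)
if ($html -match [regex]::Escape($publicUrl)) {
    "AAM rewrite OK: page links use $publicUrl"
} else {
    "Page links do not use $publicUrl; check the mapping table above"
}
```

Two things the NetScaler side has to match: it must forward the original Host header (sp.contoso.com), since AAM matches incoming requests on that name, and the virtual server must send plain HTTP to the front ends. For step 3 to hit the local server rather than the load balancer, resolve the host name to the front end in its hosts file, and remember that Windows' loopback check blocks local requests to a site by its own host name unless it is disabled or the name is registered as a BackConnectionHostNames entry. Note that with this layout the hop from the NetScaler to the front ends is unencrypted, as the later comments in the thread confirm; if that segment is not trusted, SSL bridging (re-encrypting to the back end) keeps the certificate in IIS and the 443 binding stays.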

Author Comment

by:compdigit44
ID: 39797191
Wow!!!!

I had everything backwards in my mind. So SSL offloading makes the NetScaler handle the secure connection. Does this mean I should remove SSL from my SharePoint IIS site and set it to HTTP?

In regard to Claims and tiered systems, I was always under the impression that any time you have a tiered setup you need to use delegation with SPNs. Yet I know we do not have SPNs in place now, which is why I am confused as to how things are working. So a tiered setup can use NTLM?

Expert Comment

by:Justin Smith
ID: 39797219
Yes, you would remove SSL from IIS.

Yes you can use Claims and NTLM with a tiered farm.

Author Comment

by:compdigit44
ID: 39803748
I have been thinking about your responses and have been doing additional research and want to make sure I am understanding things correctly.

1) Claims Authentication is a framework which can support both NTLM and Kerberos authentication.

2) SSL offload / "bridging" should be used on the NetScaler to take additional load off of the web servers.

**If I remove the cert from the backend web servers, doesn't this mean that traffic between the NetScaler and the server is unencrypted?

What is the best persistence type to use with SharePoint 2010 and Claims?

Expert Comment

by:Justin Smith
ID: 39803954
1. Yes.
2. I'm not familiar enough with NetScaler to answer.

If you remove the cert, yes, the traffic from load balancer to web server is unencrypted.  SharePoint 2010 requires single affinity.