NTLM and Kerberos

  • Question

  • Hi

    Could someone help clear-up an understanding of authentication please?

    What's the relationship between Classic Mode authentication, Claims Based Authentication, NTLM and Kerberos?

    I found a good article that states:

    SharePoint can delegate claims identities to back-end services, regardless of the sign-in method. For example, suppose your users are authenticated by NTLM authentication. NTLM suffers from a well-known "double-hop" limitation, which means that a service such as SharePoint cannot impersonate the user to access other resources on behalf of the user, such as SQL Server databases or web services. By contrast, when you use claims-mode authentication, SharePoint can use the claims-based identity token to access resources on behalf of the user. http://www.c-sharpcorner.com/blogs/difference-between-claimsbased-authentication-and-windows-classicmode-authentication-in-sharepoint-2013

    Does this mean NTLM can be used in either classic or claims-based authentication methods, however it suffers in classic mode authentication?


    Monday, March 21, 2016 9:21 AM


  • Both NTLM and Kerberos refer to how credentials are retrieved from Active Directory and both will work with either Classic or Claims mode web sites. Claims refers to how SharePoint manages the credentials once it receives them from AD. The double hop limitation on NTLM has nothing to do with Claims vs. Classic. NTLM suffers from it in both cases. Kerberos is a delegated ticketing system that doesn't suffer from the double hop problem. The double hop problem of NTLM will exist for both Claims and Classic mode when accessing external data sources. For internal resources Claims mode can resolve the issue. But double hop is almost never an issue for internal data sources.

    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

    Monday, March 21, 2016 1:28 PM
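The answer above says the second hop to SQL Server or web services only works when the SharePoint service account is set up for Kerberos delegation rather than NTLM. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the delegation-related attributes of a service account (assumes the RSAT ActiveDirectory module and a placeholder account name `svc-sharepoint`) and reports whether Kerberos is even negotiable (an HTTP SPN exists), which delegation mode is configured, and whether that mode is the least-privilege one.

```powershell
# Added example (not from the thread): classify a SharePoint service account's
# Kerberos delegation posture. Requires the RSAT ActiveDirectory module.
# 'svc-sharepoint' is a placeholder; substitute your web application pool account.
function Get-KerberosDelegationPosture {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $acct = Get-ADUser -Identity $SamAccountName -Properties `
        servicePrincipalName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    $spns    = @($acct.servicePrincipalName)
    $targets = @($acct.'msDS-AllowedToDelegateTo')

    # Without an HTTP/<host> SPN on the account, browsers negotiate down to NTLM
    # and the double-hop limitation described in the thread applies.
    $httpSpns = @($spns | Where-Object { $_ -like 'HTTP/*' })

    $mode = if ($acct.TrustedForDelegation) {
                'Unconstrained'    # may impersonate any user to ANY service: high risk
            } elseif ($targets.Count -gt 0) {
                # Protocol transition (S4U2Self) is what lets a user who arrived
                # over NTLM still be delegated to the back end with Kerberos.
                if ($acct.TrustedToAuthForDelegation) { 'Constrained (protocol transition)' }
                else                                  { 'Constrained (Kerberos only)' }
            } else { 'None' }

    $finding = switch ($mode) {
        'None'          { 'No delegation: back-end calls run as the service account or fail (double hop).' }
        'Unconstrained' { 'Unconstrained delegation: replace with constrained delegation to the specific SQL/web SPNs.' }
        default         { 'Constrained delegation: confirm the target list holds only the required back-end SPNs.' }
    }

    [pscustomobject]@{
        Account            = $acct.SamAccountName
        KerberosCapable    = $httpSpns.Count -gt 0
        HttpSpns           = $httpSpns -join '; '
        DelegationMode     = $mode
        DelegationTargets  = $targets -join '; '
        SecondHopSupported = $mode -ne 'None'
        Finding            = $finding
    }
}

Get-KerberosDelegationPosture -SamAccountName 'svc-sharepoint' | Format-List
```

Run it from a domain-joined host with read access to the account object; an "Unconstrained" result is the one to fix first, since the thread's goal (reaching SQL or web services as the user) is met by constrained delegation to those services alone.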