Tuesday, April 3, 2012

Authentication in Sharepoint - Kerberos/Negotiate vs NTLM

SharePoint supports a variety of authentication mechanism. “Support” may be a loose term as SharePoint does not really authenticates any asset directly, rather it relies upon IIS and what IIS can support using the provider framework within ASP.NET 2.0. Most of these methods are end user facing.

When a user visits a SharePoint site how the web site will get the users credential validated? In this scenario, browser (e.g., IE, Fire Fox, Chrome, etc) is the client. Here you have a wide variety of selection to choose from.

To fulfill the end user’s for a resource (e.g., link to a file) on a SharePoint site, SharePoint becomes the client (on end user’s behalf) and request ADO.NET to get the file from database. Now .NET runtime installed on Server becomes the client and submits a request to SQL Server to get the requested content from its data-store. The process unwinds and end-user eventually gets what he requested.

Is the user actually entitled to see and get the content is determined by the process of authorization that SharePoint keeps a full control of. Here again it uses the ASP.NET (role) provider framework model to determine the user’s eligibility. Validating a user is “Authentication” that SharePoint outsourced to IIS and determining the user’s eligibility is “Authorization” that SharePoint decide to keep in-house.

When it comes to inner working of SharePoint servers and services running on same server or across different servers it always requires you to choose Integrated Authentication as its plumbing is built into the foundation of Windows Server.
For integrated authentication, there are two methods (protocols) that are available and supported in a SharePoint implementation are NTLM and Kerberos.

NTLM is a lightweight and efficient protocol with its foundation into early networking products that Microsoft built before NT (LAN Manager!! – ring any bell?).

Kerberos is industry de facto with its roots into UNIX based systems.

There have been enough discussions and great write up at various Microsoft & Community Sites discussing the reasoning for one or the other and my intent is not to start that debate again. With time and maturity of product and the increased awareness in community weight is shifting more towards Kerberos than NTLM and there are good reasons for it. A SharePoint implementation might be happier with Kerberos but as a SharePoint practitioner you need to have a holistic view of a customer’s environment where NTLM might be better for simple usage and its low maintenance overheads. For a client project where post implementation support is limited or difficult, I would think twice before deciding for Kerberos. For example, a simple change in a service account context may result in errors or broken functionality. People might not know what the cause is but they will see a product (SharePoint) that stopped working giving a bad repo to product and/or the implementers.
Kerberos vs. NTLM

Those who have networking background from old Novell and NT time may recall IPX vs IPX/SPX ODI or IPXODI, NetBEUI vs. TCP/IP. IPX and NetBEUI were simple to implement non-routable protocols that just worked in small LAN environments where networking begins and ended with simple File & Print Sharing or may be some dumb terminals. Those, who in early days, implemented TCP/IP might recall the overhead of configuring the TCP/IP protocol stack on computers, and running in duplicate IP issues, or maintaining a list of available IP addresses. Configuring was not that straight forward either – install, set & load the vendor provided drivers, configure the IP address, mask, gateway and DNS at the least and it machine is moved to different network go and reconfigure it. Though TCP/IP was much better protocol and de facto in Unix environments but for many implementation it was not worth going through the configuration and maintenance overhead unless interoperability or internetworking is needed. Over the passage of time, story got lot better and now SOHO devices, (like broadband devices for home networking) come with self managed TCP/IP stacks and built-in DHCP servers.

If the SharePoint implementation that you working on is a typical, single farm, simple AD domain with few servers in the farm, and have no other application that requires to know (authenticate) who the end user is you will be just fine with NTLM.

If you have a complex large farm or farms, large number of users on the farm and in AD and integrates with other applications like SSRS you can achieve better results with Kerberos.

Kerberos solves multi hop application domain authentication challenges without requesting user to authenticate again NTLM is chatty, means it talks a lot with your domain controller to check if user credentials have the appropriate permissions (role) to access the resource. Whereas, Kerberos protocol is less chatty but has larger overhead as at authentication time it reads all the groups/roles that user has and use that cached information. The performance characteristics of Kerberos has a lower point of diminishing return if your Directory Service (AD) has lot of users and groups and user is member of many group. How many is too many? I don’t have any matrix or performance test results but in my experience and based on what I know (or I think I know) many users might mean many tens of thousands of users and many groups means few thousand AD groups and many groups for user means few hundred groups that your typical user is member of.

Decision support documentation for Kerberos that we see in SharePoint and many other places like TechNet, informs you to make sure Kerberos is supported in your environment. When you ask IT System Engineer if they support Kerberos many if not most will answer in No – we don’t use Kerberos. In reality Kerberos is extensively used by Windows OS and network Services that windows provides. Windows self-managed these Kerberos registration and deregistration without you ever knowing about. Network objects that you see in AD, like servers and workstations and services running under Local System accounts they all have Kerberos SPN (Service Principal Name) registered with AD. The proper term for what I have been Kerberos registration and deregistration is SPN (de)registration. SPN – Service Principal Name. Where it gets reregistered is KDC – Key Distribution Center; a service that runs on Domain Controller. Once an asset (object like a server host or a service like a web or LDAP Server) a token is issued that that holder carries for the duration. Here it kind of resembles to a DNS record’s TTL (Time to Live) or a commuter train ride pass good for a day. Directory Objects (like hosts and registered services) that windows networking manage maintain these tokens and they get expired and renewed with you ever knowing about it.
The SPN that do not get registered automatically is for configuration setting that you chose to implement as part of your design like SPN registration for a name given to a web server like intranet.example.com or mysite.example.com or the SQL server instance running under a domain user account (opposed to Local System). So the system administrators needs to know how to (un)register a SPN for such user created instance and the implications of duplicate entries or how to go about identifying the problem and resolving it.
Think about SPN like an IP address or email address. It has to be unique on the network or internetwork. Two people cannot have same email address but a person can have more than one email address, or two computers cannot have same IP address but a given computer can have more than one IP address (some wise sys admin might say I have a server that has dual port NICs and both ports have same IP address. This is called teaming, outside world still sees it as a single IP address and it’s the vendor’s provided driver or firmware that is managing them for either redundancy or for increased capacity)
Not everything is Kosher or Halal. So when you implement the Kerberos you still have low level OS components that require NTLM and you cannot block the NTLM traffic and expect things to work as normal. One thing that is going to run into problems is search components and the file or IPC shares that you have for inter-service communications or when index files get copied to query servers.
Unlike duplicate IP address issues, one nice thing about integrated authentication using Kerberos is it will fall back to NTLM if it cannot figure out Kerberos. By figuring out I mean, if Kerberos is not properly configured.
The story has gotten lot better with SharePoint v3 (i.e., WSS v3 and MOSS 2007). When the product was released Web Application Servers were supported on Kerberos and now with Infrastructure Update release (post SP1) SSP, SharePoint Web Services sites are also supported to run with Kerberos. Not to forget about SQL the muscle behind the SharePoint that can be configured to run with Kerberos.

Reference: http://www.agileconcepts.com/Blogs/AQ/

No comments:

Post a Comment