Microsoft SharePoint. Building Office 2007 Solutions in VB 2005 ...

32CHAPTER 2 ■ SHAREPOINT OVERVIEW, PLANNING, AND INSTALLATIONseveral different authentication providers including NT LAN Manager (NTLM), Kerberos,and Forms authentication, you should give some thought to access and authentication todetermine the best combination.NTLM and KerberosIntegrated Windows Authentication is the simplest form of authentication for browser applicationswhere the end user has a Windows account. Whenever a user browses to a site thatuses Integrated Windows Authentication, the browser sends a token to the server identifyingthe Windows account of the user. If the server can authenticate the user with this information,access is granted. If the server cannot authenticate the user, a login box appears promptingthe user to enter credentials manually. Both NTLM and Kerberos are forms of IntegratedWindows Authentication.NTLM uses a challenge-response protocol to authenticate the client to the server. It beginswhen the client attempts to connect to a secure application. The server sends a challenge to theclient, and the client responds with a hashed value that the server can use to validate the userand password. All of this is seamless to the end user who simply sees the requested web pageopen in the browser.NTLM is simple, works well, and developers have often been able to ignore authenticationconcerns because it was essentially transparent. As security concerns have grown, however, theneed for a more secure authentication provider has become increasingly obvious. This is whereKerberos comes in to the picture.Kerberos is a ticket-based authentication protocol. When a client wants to access asecure application, it requests a ticket from the key distribution center (KDC), which is theserver running Active Directory. The KDC then creates a ticket based on the user credentialsstored in Active Directory. The ticket is then sent back to the client, which can only use theticket if it has the correct password. Once the user is authenticated, the ticket is cachedlocally where it remains until it expires.Kerberos has several advantages over NTLM that SharePoint developers should care about.First, Kerberos has much better performance than NTLM. Because Kerberos caches credentials,servers can respond more quickly than under NTLM. Kerberos is also more secure than NTLMbecause the client can essentially authenticate the server as well as have the server authenticatethe client. The biggest reason for developers to care about Kerberos, however, is delegation.Take a step back and consider the process of connecting to a WSS team site using NTLMauthentication. We know that NTLM will successfully authenticate a user that has a Windowsaccount and grant access to the team site, which will then appear in the browser. While mostof the page content will appear correctly, what if a web part on that page displays informationfrom a line-of-business system with its own separate database? The web part itself must alsoauthenticate against this other database. What credentials does it use? In many cases, we wantthe web part to use the same credentials as the current user. In other words, we want the webpart to impersonate the current user.SharePoint sites are set up so that web parts will initially impersonate the user accessingthem. The user credentials may subsequently be passed to any system residing on the sameserver as SharePoint or on a different server that requires only a single additional authentication.If the data source requires a second authentication—like when you access a web service,which subsequently accesses a database—the impersonation will fail. This is typically referredto as the “double-hop” issue.