Client Certificate authentication and SharePoint 2010

We just had a support case where a customer was trying to use Client Certificate authentication with SharePoint 2010.

Client Certificate authentication was a supported authentication method in SharePoint 2007 but with SharePoint 2010 client certificate authentication it is not supported and there are also certain scenarios where using client certificate authentication will not work (especially when accessing WCF web services internally).

In case you are using certificate authentication currently in SharePoint 2007 ensure to take this into consideration when preparing the migration to SharePoint 2010.

Details about the supported authentication methods for SharePoint 2007 and 2010 can be found below:

 

[Update] Just to clarify: Microsoft SharePoint Foundation 2010 does not provide built-in support for Client Certificate Authentication, but Client Certificate Authentication is available through integration with Active Directory Federation Services (AD FS) 2.0, or any third-party identity management system that supports standard security protocols such as claims-based authentication, WS-Trust, WS-Federation, and SAML 1.1. More details here.

3 Comments


  1. Would it work if an IP-STS used Client Certificate and SharePoint used this STS as a Trusted Identity Provider, this way SharePoint only uses the FedAuth cookie?

    Reply

  2. The "Update" section is a little confusing.

    I understand from your initial post that Client Certificate authentication is not supported by SP2010 OOTB.

    However if we integrate with another identity management system that supports standard security protocols such as claims-based authentication, WS-Trust, WS-Federation, and SAML 1.1, will it work and importantly become a supported implementation from Microsoft’s point of view?

    Reply

  3. Yes. Then it will work and will be supported as long as the system generates valid claims that are understood by SharePoint.

    Reply

Leave a Reply to Stefan Goßner Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.