SQL Server Pro
Connect With Us
Home > SQL Server > The Differences Between Authentication Modes

The Differences Between Authentication Modes

Sep. 18, 2007 Stacia Misner | SQL Server Pro

To select the appropriate authentication mode for your MOSS Web application configuration, here’s a quick guide to the differences between the available modes.

Trusted Account, Forms Authentication, or Windows Authentication with Trusted Accounts. If you configure the MOSS Web application to use Forms Authentication or Windows Authentication without enabling Kerberos, you must create a domain user account that is authorized to connect to your data source and use stored credentials because the MOSS Web application can’t forward the user’s credentials in this scenario. MOSS still authenticates the user and manages what the user can see and do, but external queries will run in the context of the trusted account.

Windows Authentication. Windows authentication mode works only when you enable Kerberos. When the user connects to the MOSS site, the Web application authenticates the user. When the user requests a report item, the application sends the user’s credentials to the report server to confirm that the user has access to that server. If so, the report server uses the credentials to authorize access to the requested item or operation and allows or denies the request as applicable. If a requested report uses a data source to retrieve data from yet another server, the credentials can be passed to this third server if the data source is configured to use Windows Integrated Security.

Discuss this Article 3

AnneG_editor
on Apr 2, 2008
ckangai, thanks for your feedback. We've forwarded your comment to the author, Stacia Misner. She's currently unavailable this week but said she'll respond to your questions next week. Thanks for reading! Anne Grubb, Web site editor, SQL Server Magazine
Charles (not verified)
on Mar 29, 2008
Useless: the dialog box in Central Administration has two options: Windows Authentication and Trusted Account. Why not have one paragraph describing Windows Authentication and when you use it, and a second paragraph describing Trusted Account and when you use it? Simple. Instead your first paragraph rambles on about Trusted Account, Forms Authentication, or Windows Authentication with Trusted Accounts. I am then left none the wiser.
Stacia (not verified)
on May 15, 2008
Apologies for the late reply - I was traveling a great deal these last many weeks and unable to look at this sooner. You are right that the Reporting Services integration settings in Central Admin's Application Management only allow you to specify Trusted Account or Windows Authentication, but there is another setting that has an impact: Application Management > Authentication Providers - hence the phrasing "MOSS Web application - not RS integration settins. Each Web application can be configured to use Windows, Forms, or Web single-sign on authentication. So if you DO NOT want to use Kerberos - you can do the following: - Trusted Account: Set Auth provider as Windows, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials. - Forms Authentication: Set Auth provider as Forms, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials - Windows Authentication with Trusted Accounts: Set Auth provider as Windows, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials AND selectthe stored credentials' checkbox "use as Windows credentials" If you DO want to use Kerberos (or if RS and data source are on the same server), you do the following: - Set Auth provider as Windows, set RS integration settings as Windows Authentication AND set SharePoint to use delegation (see http://technet.microsoft.com/en-us/library/cc263284.aspx). The above is sufficient if you're using a data source on same box with user credentials because the server isn't forwarding the credentials. If you're passing the credentials to another server, then you must configure Kerberos in your domain for the SharePoint server (a good resource for this is http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-conf iguration-for-sharepoint.aspx).

Please or Register to post comments.

Related Articles
IT/Dev Connections

Las Vegas
September 30th - October 4th

Paul ThurottOur Experts will show you:
• Common SQL Server
Problems
• Best Practices for T-SQL
• SQL Server Integration
Services
• Database Development

Come See Michael Otey & Tim Ford in Person!

Early Registration Now Open

From the Blogs
May 21, 2013
blog

A Common Misconception about MAXDOP

Out of the box, SQL Server is (and has been) able to take advantage of multiple processors/cores without any effort on behalf of administrators....More
May 9, 2013
blog

My ISO 8601-Compliant Signature 2

My family recently just "officially" announced that we're in the process of adopting a child from South Africa. We're quite excited, of course, but there's a ton of paperwork to do—along with the need for gobs of signatures....More
May 8, 2013
blog

Use SSIS for ETL from Hadoop

In this blog post, Mark Kromer walks you through using SSIS as a way to use ETL techniques using Microsoft's Hadoop on Windows (HDInsight) as a source using Hive connectors...More
SQL Server Pro Forums

Get answers to questions, share tips, and engage with the SQL Server community in our Forums.

SQLMag.com
Related Sites
Copyright © 2013 Penton Media, Inc