Whats new in Authentication in SharePoint 2013 Preview

Taken from the documentation:


What's new in authentication for SharePoint 2013 Preview




Authentication enhancements in SharePoint 2013 Preview make the use of claims-based authentication easier and enable new scenarios and functionality for Exchange Server 2013 Preview, Lync Server 2013 Preview, and apps in the SharePoint Store or App Catalog. SharePoint 2013 Preview introduces support for server-to-server authentication and app authentication by utilizing and extending the Open Authorization 2.0 (OAuth 2.0) web authorization protocol. OAuth is an industry standard protocol that provides temporary, redirection-based authorization. A user or a web application that acts on behalf of a user can request authorization to temporarily access specified network resources from a resource owner. For more information, see OAuth 2.0.
Support for OAuth in SharePoint 2013 Preview allows users to grant apps in the SharePoint Store and App Catalog access to specified, protected user resources and data (including contact lists, documents, photographs, and videos) without requiring the app to obtain, store, or submit the user's credentials. OAuth allows app and services to act on behalf of users for limited access to SharePoint resources. For example, a user might approve permissions to an app to grant access to a specific folder of a document library. This enables an app, such as a third-party photo printing app, to access and copy the files in the specific folder upon user request, without having to use or verify the user's account credentials.

User authentication and authorization in SharePoint 2013 Preview

User authentication in SharePoint 2013 Preview is the process that verifies the identity of a user who requests access to a SharePoint web application. An authentication provider issues the authenticated user a security token that encapsulates a set of claims-based assertions about the user and is used to verify a set of permissions that are assigned to the user. User authorization in SharePoint 2013 Preview is the process that determines the users who can perform defined operations on a specified resource within a SharePoint web application. SharePoint 2013 Preview supports user authentication based on the following methods:

• Windows claims
• Security Assertion Markup Language (SAML)-based claims
• Forms-based authentication claims

These claims-based authentication methods are now the recommended authentication methods for SharePoint 2013 Preview.
The app authentication and server-to-server authentication features of SharePoint 2013 Preview require claims-based authentication. Because of this, claims-based authentication is the default for new web applications in SharePoint 2013 Preview. When you create a web application in Central Administration, you can only specify authentication methods for claims-based authentication. Although Windows Classic mode authentication is still available in SharePoint 2013 Preview and can be configured through Windows PowerShell, we recommend that you use claims-based authentication. Windows Classic mode authentication is deprecated in SharePoint 2013 Preview.

Improvements in claims infrastructure

SharePoint 2013 Preview also includes the following improvements in claims authentication infrastructure:

• Easier migration from classic mode to Windows-based claims mode with the new Convert-SPWebApplicationWindows PowerShell cmdlet
  Migration can be run against each content database and each web application. This is in contrast to SharePoint 2010 Products, in which the migration was run against each web application. For more information, see Migrate from classic-mode to claims-based authentication in SharePoint 2013 Preview.
• Login tokens are now cached in the new Distributed Cache Service
  SharePoint 2013 Preview uses a new Distributed Cache Service to cache login tokens. In SharePoint 2010 Products, the login token is stored in the memory of each web front-end server. Each time a user accesses a specific web front-end server, it needs to authenticate. If you use network load balancers in front of your web front-ends, users need to authenticate for each web front-end server that is accessed behind the load balancer, causing possible multiple re-authentications. To avoid re-authentication and its delay, it is recommended to enable and configure load balancer affinity (also known as sticky sessions). By storing the login tokens in the Distributed Cache Service in SharePoint 2013 Preview, the configuration of affinity in your load balancing solution is no longer required. There are also scale-out benefits and less memory utilization in the web front-ends because of a dedicated cache service.
• More logging makes the troubleshooting of authentication issues easier
  SharePoint 2013 Preview has much more logging to help you troubleshoot authentication issues. Examples of enhanced logging support are the following:
• Separate categorized-claims related logs for each authentication mode
• Information about adding and removing FedAuth cookies from the Distributed Cache Service
• Information about the reason why a FedAuth cookie could not be used, such as a cookie expiration or a failure to decrypt
• Information about where authentication requests are redirected
• Information about the failures of user migration in a specific site collection

Server-to-server authentication

SharePoint 2013 Preview extends OAuth to implement a server-to-server authentication protocol that can be used by services such as SharePoint 2013 Preview to authenticate other services such as Exchange Server 2013 Preview or Lync Server 2013 Preview or services that are compliant with the server-to-server authentication protocol.
SharePoint 2013 Preview has a dedicated local server-to-server security token service (STS) that provides server-to-server security tokens that contain user identity claims to enable cross-server authenticated access. These user identity claims are used by the other service to lookup the user against its own identity provider. A trust established between the local STS (the SharePoint 2013 Preview server-to-server STS) and other server-to-server compliant services (the Exchange Server 2013 Preview or Lync Server 2013 Preview server-to-server STS) is the key functionality that makes server-to-server possible. For on-premises deployments, you configure the JavaScript Object Notation (JSON) metadata endpoint of the other server-to-server compliant service to establish this trust relationship. For online services, an instance of the Windows Azure Access Control Service (ACS) acts as a trust broker to enable cross-server communications among the three types of servers.
The new server-to-server STS in SharePoint 2013 Preview issues access tokens for server-to-server authentication. In SharePoint 2013 Preview (and also in SharePoint 2010 Products), trusted identity providers that are compliant with the WS-Federation protocol are supported. However, the new server-to-server STS in SharePoint 2013 Preview performs only the functionality that enables temporary access tokens to access other services such as Exchange Server 2013 Preview and Lync Server 2013 Preview. The server-to-server STS is not used for user authentication and is not listed on the user sign-in page, the Authentication Provider UI in Central Administration, or in the People Picker in SharePoint 2013 Products.

App authentication

SharePoint 2013 Preview uses OAuth 2.0 to authorize requests by apps in the SharePoint Store and App Catalog to access SharePoint resources on behalf of a user. The user grants permission to apps in the SharePoint Store and App Catalog to access SharePoint resources on the user's behalf when they are installed. For example, a user installs an app from the SharePoint Store. A SharePoint site contains an embedded HTML inline frame (IFRAME) that the app renders and that requires the app to access a user list. When a Web browser displays the site, the app then calls back to the server running SharePoint 2013 Preview to access the list on behalf of the user. After the app obtains the data from the list, it displays the contents of the IFRAME.
The app authentication process in SharePoint 2013 Preview uses OAuth to verify a claim that an app makes and assert that the app can act on behalf of an authenticated user. In SharePoint 2013 Preview, an instance of the Windows Azure ACS acts as the app identity provider. You can also use app authentication without ACS. The authorization process verifies that an authenticated app has permission to perform a defined operation or to access a specified resource.

Whats new in Authentication in SharePoint 2013 Preview

Whats new in Authentication in SharePoint 2013 Preview

Taken from the documentation:


What's new in authentication for SharePoint 2013 Preview




Authentication enhancements in SharePoint 2013 Preview make the use of claims-based authentication easier and enable new scenarios and functionality for Exchange Server 2013 Preview, Lync Server 2013 Preview, and apps in the SharePoint Store or App Catalog. SharePoint 2013 Preview introduces support for server-to-server authentication and app authentication by utilizing and extending the Open Authorization 2.0 (OAuth 2.0) web authorization protocol. OAuth is an industry standard protocol that provides temporary, redirection-based authorization. A user or a web application that acts on behalf of a user can request authorization to temporarily access specified network resources from a resource owner. For more information, see OAuth 2.0.
Support for OAuth in SharePoint 2013 Preview allows users to grant apps in the SharePoint Store and App Catalog access to specified, protected user resources and data (including contact lists, documents, photographs, and videos) without requiring the app to obtain, store, or submit the user's credentials. OAuth allows app and services to act on behalf of users for limited access to SharePoint resources. For example, a user might approve permissions to an app to grant access to a specific folder of a document library. This enables an app, such as a third-party photo printing app, to access and copy the files in the specific folder upon user request, without having to use or verify the user's account credentials.

User authentication and authorization in SharePoint 2013 Preview

User authentication in SharePoint 2013 Preview is the process that verifies the identity of a user who requests access to a SharePoint web application. An authentication provider issues the authenticated user a security token that encapsulates a set of claims-based assertions about the user and is used to verify a set of permissions that are assigned to the user. User authorization in SharePoint 2013 Preview is the process that determines the users who can perform defined operations on a specified resource within a SharePoint web application. SharePoint 2013 Preview supports user authentication based on the following methods:

• Windows claims
• Security Assertion Markup Language (SAML)-based claims
• Forms-based authentication claims

These claims-based authentication methods are now the recommended authentication methods for SharePoint 2013 Preview.
The app authentication and server-to-server authentication features of SharePoint 2013 Preview require claims-based authentication. Because of this, claims-based authentication is the default for new web applications in SharePoint 2013 Preview. When you create a web application in Central Administration, you can only specify authentication methods for claims-based authentication. Although Windows Classic mode authentication is still available in SharePoint 2013 Preview and can be configured through Windows PowerShell, we recommend that you use claims-based authentication. Windows Classic mode authentication is deprecated in SharePoint 2013 Preview.

Improvements in claims infrastructure

SharePoint 2013 Preview also includes the following improvements in claims authentication infrastructure:

• Easier migration from classic mode to Windows-based claims mode with the new Convert-SPWebApplicationWindows PowerShell cmdlet
  Migration can be run against each content database and each web application. This is in contrast to SharePoint 2010 Products, in which the migration was run against each web application. For more information, see Migrate from classic-mode to claims-based authentication in SharePoint 2013 Preview.
• Login tokens are now cached in the new Distributed Cache Service
  SharePoint 2013 Preview uses a new Distributed Cache Service to cache login tokens. In SharePoint 2010 Products, the login token is stored in the memory of each web front-end server. Each time a user accesses a specific web front-end server, it needs to authenticate. If you use network load balancers in front of your web front-ends, users need to authenticate for each web front-end server that is accessed behind the load balancer, causing possible multiple re-authentications. To avoid re-authentication and its delay, it is recommended to enable and configure load balancer affinity (also known as sticky sessions). By storing the login tokens in the Distributed Cache Service in SharePoint 2013 Preview, the configuration of affinity in your load balancing solution is no longer required. There are also scale-out benefits and less memory utilization in the web front-ends because of a dedicated cache service.
• More logging makes the troubleshooting of authentication issues easier
  SharePoint 2013 Preview has much more logging to help you troubleshoot authentication issues. Examples of enhanced logging support are the following:
  • Separate categorized-claims related logs for each authentication mode
  • Information about adding and removing FedAuth cookies from the Distributed Cache Service
  • Information about the reason why a FedAuth cookie could not be used, such as a cookie expiration or a failure to decrypt
  • Information about where authentication requests are redirected
  • Information about the failures of user migration in a specific site collection

Server-to-server authentication

SharePoint 2013 Preview extends OAuth to implement a server-to-server authentication protocol that can be used by services such as SharePoint 2013 Preview to authenticate other services such as Exchange Server 2013 Preview or Lync Server 2013 Preview or services that are compliant with the server-to-server authentication protocol.
SharePoint 2013 Preview has a dedicated local server-to-server security token service (STS) that provides server-to-server security tokens that contain user identity claims to enable cross-server authenticated access. These user identity claims are used by the other service to lookup the user against its own identity provider. A trust established between the local STS (the SharePoint 2013 Preview server-to-server STS) and other server-to-server compliant services (the Exchange Server 2013 Preview or Lync Server 2013 Preview server-to-server STS) is the key functionality that makes server-to-server possible. For on-premises deployments, you configure the JavaScript Object Notation (JSON) metadata endpoint of the other server-to-server compliant service to establish this trust relationship. For online services, an instance of the Windows Azure Access Control Service (ACS) acts as a trust broker to enable cross-server communications among the three types of servers.
The new server-to-server STS in SharePoint 2013 Preview issues access tokens for server-to-server authentication. In SharePoint 2013 Preview (and also in SharePoint 2010 Products), trusted identity providers that are compliant with the WS-Federation protocol are supported. However, the new server-to-server STS in SharePoint 2013 Preview performs only the functionality that enables temporary access tokens to access other services such as Exchange Server 2013 Preview and Lync Server 2013 Preview. The server-to-server STS is not used for user authentication and is not listed on the user sign-in page, the Authentication Provider UI in Central Administration, or in the People Picker in SharePoint 2013 Products.

App authentication

SharePoint 2013 Preview uses OAuth 2.0 to authorize requests by apps in the SharePoint Store and App Catalog to access SharePoint resources on behalf of a user. The user grants permission to apps in the SharePoint Store and App Catalog to access SharePoint resources on the user's behalf when they are installed. For example, a user installs an app from the SharePoint Store. A SharePoint site contains an embedded HTML inline frame (IFRAME) that the app renders and that requires the app to access a user list. When a Web browser displays the site, the app then calls back to the server running SharePoint 2013 Preview to access the list on behalf of the user. After the app obtains the data from the list, it displays the contents of the IFRAME.
The app authentication process in SharePoint 2013 Preview uses OAuth to verify a claim that an app makes and assert that the app can act on behalf of an authenticated user. In SharePoint 2013 Preview, an instance of the Windows Azure ACS acts as the app identity provider. You can also use app authentication without ACS. The authorization process verifies that an authenticated app has permission to perform a defined operation or to access a specified resource.

Changes from SharePoint 2010 to 2013

Taken from Documentation release for SharePoint 2013 Preview......


Features deprecated in SharePoint 2013 Preview

The following features and functionality have been deprecated or changed in SharePoint 2013 Preview.

Visual upgrade

 

Description: The visual upgrade feature in SharePoint Server 2010 is not available in SharePoint 2013 Preview. For the upgrade from Office SharePoint Server 2007 to SharePoint Server 2010, you could choose to use the visual upgrade feature to give site collection owners and site owners the opportunity to preserve the previous user interface temporarily while still upgrading the infrastructure and databases, site collections, and features to the latest version. This allowed site collection owners and site owners to update customizations to work in the new user interface. Once the database and site collection upgrade was complete, the user had the option to upgrade the user interface on a more granular level of the website (SPWeb object).
Reason for change: The visual upgrade feature is replaced with deferred site collection upgrade. The site collection upgrade process is not reversible. The deferred site collection upgrade is a more comprehensive upgrade process than visual upgrade.
Visual upgrade preserved only the old master pages, CSS files, and HTML files. Deferred site collection upgrade preserves much more, including SPFeature functionality. To achieve the deferred site collection upgrade, major changes in the architecture were required, including the removal of visual upgrade.
With deferred site collection upgrade, you can continue to use the UI from the previous version (SharePoint Server 2010) more seamlessly than is possible with visual upgrade. The master page, CSS, JScript, and SPFeatures will remain in SharePoint Server 2010 mode. One key difference is that the granularity of upgrading the user interface is per site collection (SPSite) instead of site (SPWeb). Users can still preview their site in the new SharePoint 2013 Preview user interface before committing. However, this is accomplished by creating and upgrading a temporary copy of their site collection instead of a preview in the existing instance of the site collection. The reason for previewing a copy of the site collection is because of the complexity of what occurs during site collection upgrade. Once a site collection is upgraded, it cannot be rolled back. Therefore, performing a preview would not be possible except in a copy of the site collection.

Migration path: Site collection administrators who are using visual upgrade to continue to use SharePoint Server 2007 must move to the SharePoint Server 2010 user interface before upgrading to SharePoint 2013 Preview. After the content database is upgraded, users can use deferred site collection upgrade to continue to use the SharePoint Server 2010 experience for their site collections. Site collection administrators can be notified by their farm administrator when a site collection is ready for upgrade and the site collection administrators can then choose to either perform the upgrade of their site collection or optionally first preview the new functionality in a temporary copy of their site collection.
Any SharePoint user interface might have dependencies on visual upgrade. The main dependency was getting the user interface version and then outputting the correct user interface (new or legacy). The visual upgrade API feature is updated so that the user interface version is remapped to the new site collection compatibility level property. This returns the same information about which version the site uses as before. Therefore, dependent code does not need to change.

Document Workspace site template

Description: When you create a site in SharePoint 2013 Preview, the Document Workspace site template is not available.
Reason for change: The scenario of collaborating on a document is now provided by the Team Site site template. The Document Workspace site template was removed from SharePoint 2013 Preview to simplify the list of templates that are available when a user creates a new site collection.
Migration path: Existing sites that were created by using the Document Workspace site template will continue to operate in SharePoint 2013 Preview. The Document Workspace site template will be removed completely from the next major release of SharePoint and sites that were created by using the Document Workspace site template will not be supported.

Personalization Site site template

Description: When you create a site in SharePoint 2013 Preview, the Personalization Site site template is not available.
Reason for change: The Personalization Site site template was not a widely used site template. The Personalization Site site template was removed from SharePoint 2013 Preview to simplify the list of templates that are available when a user creates a new site collection.
Migration path: Existing sites that were created by using the Personalization Site site template will continue to operate in SharePoint 2013 Preview. The Personalization Site site template will be removed completely from the next major release of SharePoint and sites that were created by using the Personalization Site site template will not be supported.

 Meeting Workspace site templates

Description: When you create a site in SharePoint 2013 Preview, all five of the Meeting Workspace site templates are not available. This includes the Basic Meeting Workspace, Blank Meeting Workspace, Decision Meeting Workspace, Social Meeting Workspace, and Multipage Meeting Workspace.
Reason for change: SharePoint 2013 Preview and Office 2013 Preview provide other features that support meetings and collaboration. For example, you can use Lync to conduct live meetings, OneNote to take notes during meetings, and a SharePoint team site or My Site to store shared meeting notes.
Migration path: Existing sites that were created by using the Meeting Workspace site templates will continue to operate in SharePoint 2013 Preview. The Meeting Workspace site templates will be removed completely from the next major release of SharePoint and sites that were created by using the Meeting Workspace site templates will not be supported.

Group Work site template and Group Work solution

Description: When you create a site in SharePoint 2013 Preview, the Group Work site template is not available. This Group Work site template provides a groupware solution that teams can use to create, organize, and share information. The Group Work site template includes the Group Calendar, Circulation, Phone-Call Memo, document library, and other basic lists. The Group Work site template and the Group Work solution are discontinued and not available in SharePoint 2013 Preview.
Reason for change: The Group Work site template was not a widely used site template. The Group Work site template was removed from SharePoint 2013 Preview to simplify the list of templates that are available when a user creates a new site collection.
Migration path: Existing sites that were created by using the Group Work site template will continue to operate in SharePoint 2013 Preview. The Group Work site template will be removed completely from the next major release of SharePoint and sites that were created by using the Group Work site template will not be supported.

Visio Process Repository site template

Description: When you create a site in SharePoint 2013 Preview, the Visio Process Repository site template will continue to be available. However, the Visio Process Repository site template will be removed in the next major release of SharePoint.
Reason for change: The Visio Process Repository site template is not a widely used site template. The Visio Process Repository site template was removed from SharePoint 2013 Preview to simplify the list of templates that are available when a user creates a new site collection.
Migration path: Not required. The Visio Process Repository site template is available in SharePoint 2013 Preview.

Unghosting and customizing CSS files

Description: The following methods are included in SharePoint 2013 Preview, but will be removed from the next major release of SharePoint:

• Microsoft.SharePoint.SoapServer.Webs.CustomizeCss
• Microsoft.SharePoint.SoapServer.Webs.RevertCss

The Webs.CustomizeCss method applies style sheet customization to a particular file.
The Webs.RevertCss method reverts style sheet customization of a file to the default style sheet.
These two methods are stored in Webs.asmx.cs and are defined in Webswsdl.asps.
Reason for change: The methods are outdated and are no longer needed.
Migration path: None.

Imaging Web service

Description: The Imaging Web service provides functionality for creating and managing picture libraries. The Imaging Web service will be removed from the next major release of SharePoint. The Imaging Web service is included and supported in SharePoint 2013 Preview.
Reason for change: The Imaging Web service is not widely used. The only client application for the Imaging Web service, Office Picture Manager, is no longer included with SharePoint 2013 Preview. The Imaging Web service is being removed to reduce security vulnerabilities and to simplify the number of ways to connect to SharePoint 2013 Preview.
Migration path: All the functionality of the Imaging Web service is available through the client-side object model (CSOM). The CSOM provides client-side applications with access to a subset of the SharePoint Foundation server object model, including core objects such as site collections, sites, lists, and list items. Also, Web Distributed Authoring and Versioning (WebDAV) provides clients with key functionality of the Imaging Web service (for example, upload, download, and rename).

Excel Services — Can't edit workbooks in the browser that have external data connections

Description: Workbooks with external data connections that use Windows authentication cannot be refreshed in the browser. Instead, you are prompted to open the workbook in the Excel client program. Workbooks that have database or Windows credentials stored either in the Secure Store Service or in the connection string can still be edited in the browser. This change applies only when Excel Web App Preview in Office Web Apps Server Preview is used to view workbooks, not when Excel Services in SharePoint Server 2013 Preview is used.
Reason for change: This is a design limitation in SharePoint 2013 Preview.
Migration path: You can still refresh these workbooks in the Excel client program. Additionally, a service application administrator can configure that workbooks are viewed in SharePoint 2013 Preview instead of Office Web Apps Server Preview.

Web Analytics in SharePoint Server 2010

Description: Web Analytics in SharePoint Server 2010 has been discontinued and is not available in SharePoint 2013 Preview. Analytics processing for SharePoint 2013 Preview is now a component of the Search service.
Reason for change: A new analytics system was required for SharePoint 2013 Preview that included improvements in scalability and performance, and that had an infrastructure that encompasses SharePoint Online. The Analytics Processing Component in SharePoint 2013 Preview runs analytics jobs to analyze content in the search index and user actions that are performed on SharePoint sites.
SharePoint 2013 Preview still logs every click in SharePoint sites and still provides a count of hits for every document. User data is made anonymous early in the logging process and the Analytics Processing Component is scalable to the service.
This analytics data is used in SharePoint 2013 Preview to provide new item-to-item recommendation features, to show view counts that are embedded in SharePoint 2013 Preview and Search Server user interface, to provide a report of the top items in a site and list, and to influence the relevancy algorithm of search.
What happens to Web Analytics after upgrade: The Web Analytics Service is not upgraded to the Analytics Processing Component in SharePoint 2013 Preview. When you upgrade to SharePoint 2013 Preview, the databases that contain the data from Web Analytics in SharePoint Server 2010 are not removed. These databases are not used by or maintained by the Analytics Processing Component in SharePoint 2013 Preview. This means that documents on sites in SharePoint Server 2010 that are upgraded will show a hit count of 0.
When you upgrade to SharePoint 2013 Preview, do not attach and upgrade the databases that contain the data from Web Analytics in SharePoint Server 2010. We recommend that you turn off Web Analytics in the SharePoint Server 2010 environment before you copy the content databases that you want to upgrade to SharePoint 2013 Preview.
Reports from Web Analytics for the top items in a site are carried forward. Reports that show browser traffic, top users of a site, and referring URL are not carried forward and are not used by the Analytics Processing Component in SharePoint 2013 Preview.
Administrative reports for the quota usage of site collections in the farm are not available in SharePoint 2013 Preview.
SharePoint 2013 Preview does not support the Web Analytics Web Part. After a farm is upgraded to SharePoint 2013 Preview, all instances of a Web Analytics Web Part will not function. The page that includes the Analytics Web Part will render and a message appears that informs the user that the Web Part is no longer supported.
Migration path: None. Data collection for Analytics Processing in SharePoint 2013 Preview starts immediately for sites, including SharePoint Server 2010 sites.