Well, by know everybody living in the SharePoint world are sitting with their best tin foil hats on and installing, configuring and fiddling with SharePoint 2013 Preview, which was announced today by mister Steve. I’ve been fortunate to be a part of the (debated) closed beta for some time and have been trying out the new version of our favorite product. You probably will be overwhelmed with blog posts over the next couple of months, up until the SharePoint Conference 2012, and continuing after that. And I aim to be a part of the flooding (at least partly)…starting with a topic that I think is profoundly important - Authentication.

Note: this is written for SharePoint 2013 Preview.

Claims-based authentication is now the default authentication method

In SharePoint 2010 we had to choose between two options when creating a Content Web Application - to use Classic mode Authentication or Claims-based Authentication. Classic mode used the same model as SharePoint 2007 and previous versions used and Claims-based authentication was all new and shiny. Initially the recommendation was to use Claims-based content applications, but after a while we discovered the limitations of Claims-based authentication in 2010, so we went back to using Classic for most implementations. Examples of limitations was PowerPivot, Reporting Services etc. There was/is also quite a few limitations with SAML claims.

Now in SharePoint 2013, Claims-based authentication mode is the default authentication method. You cannot from the web interface create content web applications using Classic mode. If you need to create a Classic web application you need use PowerShell - but you should not do that (unless you have some specific requirement) since Classic mode is now considered deprecated, and will likely be removed in future releases of SharePoint.

No Classic in sight…

In SharePoint 2013 it is also required to use Claims-based authentication mode since there are lots of features that relies on it, such as app authentication and the new server-to-server (S2S) authentication.

So from now on always use Claims-based authentication in SharePoint 2013 and SharePoint 2010.

Claims-based authentication improvements!

Since Claims-based authentication now is the default (and only one in the UI) you can expect a number of improvements of Claims-based authentication. First and foremost the SharePoint team has put an effort into the underlying infrastructure. I guess over the last few years with 2010 they have learned from customers, partners and Office 365 how to tune and improve the infrastructure and logging pieces. One significant improvement is the usage of the Distributed Cache (aka Velocity, which is now built into 2013) to store the FedAuth cookies - which means that you do not need sticky sessions, that is sweet! One really cool feature is that the SharePoint STS publishes its own metadata endpoint now. Unfortunately not using the standard XML format but a JSON format, which pretty much makes it useless (as of now). Also the new features in 2010 (June 2012 CU) I blogged about earlier - to choose your own vanity encoding characters is also there. And there are probably tons more that I have not discovered yet…

How do I convert/upgrade my Web Applications?

So if you have a Web Application in Classic mode (2010) today, how do I update it to a Claims-based Web Application for 2013. This change is a big change! You might have customizations in your farm that are not Claims compatible. For instance, they might not understand the claims encoding format. The best recommendation I have now is to upgrade your web applications to Claims, before upgrading to 2013. Yes, that’s true. If you do the two upgrades at once and you run into trouble, the likelihood of finding the issue is lower and will consume more time. The second best option is to create a Classic Web Application in 2013 and attach (and upgrade) your Classic content databases to that web application and then (after testing) utilize the new Convert-SPWebApplication cmdlet to convert it. (Note: ye olde MigrateUsers method is deprecated in 2013, thank godness!).

More details can be found in the TechNet article “What’s new in authentication for SharePoint 2013 Preview”.

So, where do I go next?

Now is the time to start testing all this. Test SharePoint 2013, start migrating your web applications (in 2010 and in 2013 - find which method suits you the best) and test your customizations! As I said, the best environment to start with is your current 2010 domains. It is still plenty of time until 2013 will go gold, and you cannot go from beta to RTM anyways…

Also make sure you do learn WIF, WS-Trust, SAML and what an STS is. Here is a good starter guide. Did I mention test? And have fun! I do!