Configure client certificate authentication for SharePoint 2013
Published: September 25, 2012
Summary: Learn how to configure SharePoint 2013 to support user authentication using a client certificate.
Applies to: SharePoint Server 2013 Enterprise | SharePoint Server 2013 Standard | SharePoint Foundation 2013
Client certificate authentication enables web-based clients to establish their identity to a server by using a digital certificate, which provides additional security for user authentication. SharePoint 2013 does not provide built-in support for client certificate authentication, but client certificate authentication is available through Security Assertion Markup Language (SAML)-based claims authentication. You can use Active Directory Federation Services (AD FS) 2.0 as your security token service (STS) for SAML claims or any third-party identity management system that supports standard security protocols such as WS-Trust, WS-Federation, and SAML 1.1.
For more information about SharePoint 2013 protocol requirements, see SharePoint Front-End Protocols.
Claims-based authentication in SharePoint 2013 allows you to use different STSs. If you configure AD FS as your STS, SharePoint 2013 can support any identity provider or authentication method that AD FS supports, which includes client certificate authentication.
For more information about AD FS, see Active Directory Federation Services Overview.
In the following figure, SharePoint 2013 is configured as a relying partner for an AD FS-based STS.
AD FS can authenticate user accounts for several different types of authentication methods, such as forms-based authentication, Active Directory Domain Services (AD DS), client certificates, and smart cards. When you configure SharePoint 2013 as a relying partner of AD FS, SharePoint 2013 trusts the accounts that AD FS validates and the authentication methods that AD FS uses to validate those accounts. This is how SharePoint 2013 supports client certificate authentication.
Configure client certificate authentication
The following topics explain how to configure SharePoint 2013 with client certificate authentication or smart card authentication when you use AD FS as your STS:
Configure AD FS to support claims-based authentication.
For more information, see AD FS 2.0 - How to change the local authentication type (http://go.microsoft.com/fwlink/p/?LinkId=212513).
Configure SharePoint 2013 to support SAML-based claims authentication using AD FS.
For more information, see Configure SAML-based claims authentication with AD FS in SharePoint 2013.
Create a web application that uses SAML-based claims authentication.
For more information, see Create claims-based web applications in SharePoint 2013.
These steps will be similar for a third-party STS.