Overview
The Windows authentication type takes advantage of your existing Windows authentication provider (Active Directory Domain Services, AD DS) and the authentication protocols that a Windows domain environment uses, NTLM and Kerberos, to validate the credentials of connecting clients.
Windows authentication can be used in both claims-based authentication and classic-mode authentication.
Windows Claims Authentication Process
Windows claims authentication is an interaction among a client computer, a SharePoint server and an AD DS domain controller, in the following steps:
- An anonymous user initiates a request to a secured SharePoint page.
- SharePoint responds with a challenge asking for Windows user credentials, which can be sent using NTLM or Kerberos.
- The client computer sends the Windows credentials (or the user is prompted to enter them).
- SharePoint validates the Windows credentials against the AD DS domain controller, which responds with a Windows security token.
- The SharePoint server queries the domain controller for the list of security groups that the user is a member of.
- The Security Token Service on the SharePoint server creates a claims-based security token and stores it with the Distributed Cache service on the SharePoint farm. The IIS web server on the SharePoint server then sends an authorization cookie (the FedAuth cookie) to the client computer; this cookie is what identifies the signed-in session on later requests, so it should only travel over HTTPS. If the user is authorized to access the requested webpage, based on analysis of the claims in the security token, SharePoint sends the contents of the page.
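As an added example (not part of the original post, and not SharePoint or Microsoft code), the Python below walks a constructed proxy-style capture of the exchange described in the steps above and labels each leg: the anonymous request, the 401 challenge, the NTLM or Kerberos credential legs, and the FedAuth cookie that marks the claims token being issued. It builds its own NTLM and SPNEGO tokens from their well-known signatures (the `NTLMSSP\0` header and the SPNEGO/Kerberos OIDs); the hostname, path and token contents are placeholders, and the classifier is a byte-pattern heuristic for trace triage, not a full GSS-API parser.

```python
"""Label each step of a SharePoint Windows-claims sign-in from an HTTP trace.
Constructed example: not SharePoint or Microsoft code."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
# DER-encoded OIDs as they appear inside a GSS-API / SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (MS KRB5)

NTLM_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def ntlm_message(msg_type: int) -> bytes:
    """Minimal NTLMSSP header (signature, type, flags, empty buffers). Constructed;
    it carries no real domain, workstation or response fields."""
    return NTLMSSP + struct.pack("<II", msg_type, 0xA2088207) + bytes(24)


def spnego_kerberos_token() -> bytes:
    """Minimal SPNEGO NegTokenInit whose mechTypes list offers Kerberos. Constructed;
    it carries no AP-REQ, only the structure the classifier keys on."""
    mech_types = MS_KRB5_OID + KRB5_OID
    mech_list = b"\x30" + bytes([len(mech_types)]) + mech_types  # SEQUENCE OF OID
    ctx0 = b"\xa0" + bytes([len(mech_list)]) + mech_list         # [0] mechTypes
    neg_init = b"\x30" + bytes([len(ctx0)]) + ctx0               # NegTokenInit
    neg_token = b"\xa0" + bytes([len(neg_init)]) + neg_init      # [0] negTokenInit
    body = SPNEGO_OID + neg_token
    return b"\x60" + bytes([len(body)]) + body                   # GSS-API InitialContextToken


def classify_token(token_b64: str) -> str:
    """Say what a Negotiate/NTLM token actually carries: NTLM (and which message)
    or SPNEGO offering Kerberos. Heuristic byte search, enough for trace triage."""
    raw = base64.b64decode(token_b64)
    i = raw.find(NTLMSSP)
    if i >= 0:
        (msg_type,) = struct.unpack_from("<I", raw, i + len(NTLMSSP))
        where = " inside SPNEGO" if i > 0 else ""
        return f"NTLM {NTLM_NAMES.get(msg_type, '?')} (type {msg_type}){where}"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw:
        if KRB5_OID in raw or MS_KRB5_OID in raw:
            return "SPNEGO offering Kerberos"
        return "SPNEGO without Kerberos"
    return "unrecognized"


def walk_trace(trace: str) -> list:
    """Map the auth-relevant lines of a proxy-style trace ('>' client, '<' server)
    onto the steps of the Windows claims flow."""
    steps = []
    for line in trace.strip().splitlines():
        _, _, text = line.partition(" ")
        name, _, value = text.partition(": ")
        if name == "WWW-Authenticate":
            scheme, _, token = value.partition(" ")
            detail = classify_token(token) if token else "initial challenge"
            steps.append(f"server asks for Windows credentials: {scheme}, {detail}")
        elif name == "Authorization":
            scheme, _, token = value.partition(" ")
            steps.append(f"client sends credentials: {scheme}, {classify_token(token)}")
        elif name == "Set-Cookie" and value.startswith("FedAuth="):
            steps.append("STS issued claims token; FedAuth cookie set")
        elif text.startswith("HTTP/1.1 "):
            steps.append("server status " + text.split()[1])
        elif text.startswith("GET "):
            steps.append("client requests page")
    return steps


def sample_trace(kerberos: bool) -> str:
    """Constructed capture of one sign-in to a secured page. Host, path and the
    FedAuth value are placeholders; the tokens come from the builders above."""
    fedauth = b64(b"constructed placeholder, not a real FedAuth cookie")
    req = "> GET /sites/team/default.aspx HTTP/1.1\n> Host: sp.corp.example"
    lines = [req, "< HTTP/1.1 401 Unauthorized",
             "< WWW-Authenticate: Negotiate", "< WWW-Authenticate: NTLM"]
    if kerberos:  # one leg: the client already holds a service ticket
        lines += [req, "> Authorization: Negotiate " + b64(spnego_kerberos_token())]
    else:         # three legs: NTLM type 1, server type 2, client type 3
        lines += [req, "> Authorization: NTLM " + b64(ntlm_message(1)),
                  "< HTTP/1.1 401 Unauthorized",
                  "< WWW-Authenticate: NTLM " + b64(ntlm_message(2)),
                  req, "> Authorization: NTLM " + b64(ntlm_message(3))]
    lines += ["< HTTP/1.1 200 OK",
              f"< Set-Cookie: FedAuth={fedauth}; path=/; HttpOnly"]
    return "\n".join(lines)


if __name__ == "__main__":
    for label in ("NTLM", "Kerberos"):
        print(f"--- {label} ---")
        for step in walk_trace(sample_trace(kerberos=(label == "Kerberos"))):
            print(step)
```

This is the triage a practitioner does when Kerberos was configured but users still authenticate with NTLM: an `Authorization` header whose decoded token begins with `NTLMSSP` means the client fell back to NTLM (commonly a missing or duplicate SPN for the web application's URL), and the 401/401/200 three-leg pattern confirms it; a single-leg `Negotiate` whose SPNEGO token lists a Kerberos mechType means the ticket path was used. The `FedAuth` `Set-Cookie` on the final 200 is the point where the Security Token Service has issued the claims token; from then on that cookie, not NTLM or Kerberos, carries the session.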
For more information about the other authentication types, check my other posts.
Happy coding.
Diagrams source: Microsoft Technet