Difference between Claims-based Authentication and Windows Classic-mode Authentication in SharePoint 2013

In previous versions of SharePoint, when you created a new web application in Central Administration, you were able to choose between claims-based authentication and Windows classic-mode authentication.

In SharePoint 2013, Windows classic-mode authentication is deprecated and is no longer available as an option in Central Administration. You can still create a web application that uses classic-mode authentication by using Windows PowerShell, but this is not recommended. Creating a web application that uses Windows authentication in claims-mode requires no additional configuration compared to creating a web application that uses Windows classic-mode authentication. The authentication experience is the same in both cases for Windows credential users. In each case, users are authenticated in the same way by Active Directory Domain Services (AD DS).

In classic-mode, SharePoint uses the Windows identity of the user directly. In claims-mode, SharePoint converts the Windows identity into a claims-based identity token that it can pass to other services as appropriate.

Using claims-based authentication has several advantages over using Windows classic-mode authentication: 
  • App authentication and server-to-server authentication rely on claims-based authentication. If you use Windows classic-mode authentication, you will be unable to use external SharePoint apps. You will also be unable to use any services that rely on a trust relationship between SharePoint and other server platforms, such as Office Web Apps Server 2013, Exchange Server 2013, and Lync Server 2013.

  • SharePoint can delegate claims identities to back-end services, regardless of the sign-in method. For example, suppose your users are authenticated by NTLM authentication. NTLM suffers from a wellknown "double-hop" limitation, which means that a service such as SharePoint cannot impersonate the user to access other resources on behalf of the user, such as SQL Server databases or web services. By contrast, when you use claims-mode authentication, SharePoint can use the claims-based identity token to access resources on behalf of the user.

  • When you create a web application in claims-based authentication mode, you can associate multiple authentication providers with the web application. For example, you can support Windows-based sign in and forms-based sign in without creating additional Microsoft Internet Information Services (IIS) websites and extending your web application to additional zones.

  • Claims-based authentication is based on well-known open web standards and is supported by a broad range of platforms and services.