Create a Web application that uses Windows-claims authentication (SharePoint Foundation 2010)
Applies to: SharePoint Foundation 2010
This article describes how to create a Web application that uses Windows-claims authentication.
Tip
If you want to use Windows-classic authentication instead, see Create a Web application that uses Windows-classic authentication (SharePoint Foundation 2010).
Before you perform this procedure, confirm that:
Your system is running Microsoft SharePoint Foundation 2010.
You have your logical architecture design in place.
You have planned authentication for your Web application. For more information, see Plan authentication methods (SharePoint Foundation 2010), Plan for Kerberos authentication (SharePoint Foundation 2010) and Choose security groups (SharePoint Foundation 2010).
You have selected the service applications that you want to use for your Web application. For more information, see Service application and service management (SharePoint Foundation 2010).
If you use Secure Sockets Layer (SSL), you must associate the SSL certificate with the Web application's IIS Web site after the IIS Web site has been created. For more information about setting up SSL, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=187887).
You have read about alternate access mappings.
If you have User Account Control (UAC) turned on in Windows, and you use Windows PowerShell 2.0 to create a Web application, you must right-click the SharePoint 2010 Management Shell and select Run as administrator.
You can create a Web application by using the SharePoint Central Administration Web site or Windows PowerShell. You typically use Central Administration to create a Web application. If you want to automate the task of creating a Web application, which is common in enterprises, use Windows PowerShell. After the procedure is complete, you can create one or several site collections on the Web application that you have created.
To create a Web application with Windows-claims authentication by using Central Administration
Verify that you have the following administrative credentials:
- To create a Web application, you must be a member of the Farm Administrators SharePoint group and a member of the local Administrators group on the computer running Central Administration.
On the Central Administration Home page, in the Application Management section, click Manage web applications.
On the ribbon, click New.
On the Create New Web Application page, in the Authentication section, click Claims Based Authentication.
In the IIS Web Site section, you can configure the settings for your new Web application by selecting one of the following two options:
Click Use an existing web site, and then select the Web site on which to install your new Web application.
Click Create a new IIS web site, and then type the name of the Web site in the Name box.
In the IIS Web Site section, in the Port box, type the port number you want to use to access the Web application. If you are creating a new Web site, this field is populated with a random port number. If you are using an existing Web site, this field is populated with the current port number.
Note
The default port number for HTTP access is 80, and the default port number for HTTPS access is 443. If you want users to access the Web application without typing in a port number, they should use the appropriate default port number.
Optional: In the IIS Web Site section, in the Host Header box, type the host name (for example, www.contoso.com) you want to use to access the Web application.
Note
In general, this field is not set unless you want to configure two or more IIS Web sites that share the same port number on the same server, and DNS has been configured to route requests to the same server.
In the IIS Web Site section, in the Path box, type the path to the IIS Web site home directory on the server. If you are creating a new Web site, this field is populated with a suggested path. If you are using an existing Web site, this field is populated with the current path of that Web site.
In the Security Configuration section, choose whether or not to allow anonymous access and whether or not to use Secure Sockets Layer (SSL).
Under Allow Anonymous, click Yes or No. If you choose to allow anonymous access, anonymous requests to the Web site run under the IIS anonymous user account on that computer (IUSR on IIS 7.0; IIS_IUSRS is the worker process group, not the anonymous account).
Note
If you want users to be able to access any site content anonymously, you must enable anonymous access for the entire Web application zone before you enable anonymous access at the SharePoint site level; later, site owners can configure how anonymous access is used within their sites. If you do not enable anonymous access at the Web application level, you cannot enable anonymous access later, at the site level. For more information, see Choose security groups (SharePoint Foundation 2010).
Under Use Secure Sockets Layer (SSL), click Yes or No. If you choose to enable SSL for the Web site, you must configure SSL by requesting and installing an SSL certificate. For more information about setting up SSL, see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/p/?LinkId=187887).
In the Claims Authentication Types section, select the authentication that you want to use for the Web application.
If you want to enable Windows authentication, select Enable Windows Authentication and, in the drop-down menu, select Negotiate (Kerberos) or NTLM. For more information, see Plan for Kerberos authentication (SharePoint Foundation 2010).
If you do not want to use Integrated Windows authentication, clear Integrated Windows authentication.
If you want to allow clients that cannot perform Integrated Windows authentication, select Basic authentication (password is sent in clear text). Basic authentication sends the user name and password over the network base64-encoded, which is not encryption.
Note
You can select basic authentication or integrated Windows authentication, or both. If you select both, SharePoint Foundation 2010 offers both authentication types to the client Web browser, and the browser decides which one to use. Whenever basic authentication is selected (alone or together with integrated Windows authentication), ensure that SSL is enabled for the zone; otherwise, the credentials can be intercepted by a malicious user on the network path.
If you want to enable forms-based authentication, select Enable Forms Based Authentication (FBA), and then enter the membership provider name and the role manager name in the boxes.
For more information, see Configure forms-based authentication for a claims-based Web application (SharePoint Foundation 2010).
Note
If you select this option, ensure that SSL is enabled; otherwise, the credentials can be intercepted by a malicious user.
If you have set up Trusted Identity Provider authentication in Windows PowerShell, the Trusted Identity provider check box is selected.
For more information, see Configure authentication using a SAML security token (SharePoint Foundation 2010).
You can use one or more claims authentication types. For more information, see Plan authentication methods (SharePoint Foundation 2010).
In the Sign In Page URL section, choose one of the following options to sign into SharePoint Foundation 2010:
Select Default Sign In Page URL if you want users to be redirected to a default sign-in Web site for claims-based authentication.
Select Custom Sign In page URL and then type the sign-in URL if you want users to be redirected to a customized sign-in Web site for claims-based authentication.
In the Public URL section, type the URL for the domain name for all sites that users will access in this Web application. This URL is used as the base URL in links shown on pages within the Web application. The default URL is the current server name and port, and is automatically updated to reflect the current SSL, host header, and port number settings on the page. If you are deploying SharePoint Foundation 2010 behind a load balancer or proxy server, this URL may need to be different from the SSL, host header, and port settings on this page.
The Zone value is automatically set to Default for a new Web application.
Note
You can change the zone when you extend a Web application. For more information, see Extend a Web application (SharePoint Foundation 2010).
In the Application Pool section, do one of the following:
Click Use existing application pool, and then select the application pool you want to use from the drop-down menu.
Click Create a new application pool, and then type the name of the new application pool or keep the default name.
Under Select a security account for this application pool, do one of the following:
Click Predefined to use a predefined security account, and then select the security account from the drop-down menu.
Click Configurable to specify a new security account to be used for an existing application pool.
Note
You can create a new account by clicking the Register new managed account link.
In the Database Name and Authentication section, choose the database server, database name, and authentication method for your new Web application as described in the following table.
Item: Database Server
Action: Type the name of the database server and Microsoft SQL Server instance you want to use, in the format <SERVERNAME\instance>. You can also use the default entry.
Item: Database Name
Action: Type the name of the content database, or use the default entry.
Item: Database Authentication
Action: Select the database authentication to use by doing one of the following:
- If you want to use Windows authentication, leave this option selected. We recommend this option because Windows authentication (Kerberos or NTLM) never sends the password itself to SQL Server.
- If you want to use SQL authentication, click SQL authentication. In the Account box, type the name of the SQL login you want the Web application to use to authenticate to the SQL Server database, and then type the password in the Password box.
Note
SQL authentication sends the SQL login password to SQL Server unencrypted. We recommend that you only use SQL authentication if you force protocol encryption on the SQL Server connection or encrypt your network traffic by using IPsec.
If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.
In the Search Server section, under Select SharePoint Foundation search server, you associate a content database with a server that is running the Microsoft SharePoint Foundation Search service.
In the Service Application Connections section, select the service application connections that will be available to the Web application. In the drop-down menu, click default or custom. You use the custom option to choose the services application connections that you want to use for the Web application.
In the Customer Experience Improvement Program section, click Yes or No.
Click OK to create the new Web application.
To create a Web application that uses Windows-claims authentication by using Windows PowerShell
Verify that you meet the following minimum requirements: See Add-SPShellAdmin. You also need to be a member of the local Administrators group on the computer running Windows PowerShell. In addition, some procedures require membership in the SQL Server fixed server roles dbcreator and securityadmin.
On the Start menu, click All Programs.
Click Microsoft SharePoint 2010 Products.
Click SharePoint 2010 Management Shell.
To create a Windows-claims authentication provider, at the Windows PowerShell command prompt, type the following command:
$ap = New-SPAuthenticationProvider
To create a Web application that uses Windows-claims authentication, at the Windows PowerShell command prompt, type the following command:
$wa = New-SPWebApplication -Name <Name> -ApplicationPool <ApplicationPool> -ApplicationPoolAccount <ApplicationPoolAccount> -URL <URL> -Port <Port> -AuthenticationProvider $ap
Note
We recommend that the application pool account is a managed account on the server farm.
Where:
<Name> is the name of the new Web application that uses Windows claims authentication.
<ApplicationPool> is the name of the application pool.
<ApplicationPoolAccount> is the managed account that this application pool will run as (pass the object returned by Get-SPManagedAccount).
<URL> is the public URL for the Web application. If the URL uses https, also specify the -SecureSocketsLayer switch and associate a certificate with the IIS Web site after creation.
<Port> is the port on which the Web application will be created in IIS.
Example
$ap = New-SPAuthenticationProvider
$wa = New-SPWebApplication -Name "Contoso Internet Site" -ApplicationPool "ContosoAppPool" -ApplicationPoolAccount (Get-SPManagedAccount "DOMAIN\jdoe") -URL "https://www.contoso.com" -Port 443 -SecureSocketsLayer -AuthenticationProvider $ap
For more information, see New-SPWebApplication and New-SPAuthenticationProvider.
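The following script is an added example, not part of the original article. It creates a Windows-claims Web application with the same options the Central Administration procedure exposes (Negotiate/Kerberos versus NTLM, SSL, host header, anonymous access, content database), and then checks the security-relevant settings of the result: that the Web application is really in claims mode, that basic or forms-based authentication is only offered over SSL, and that anonymous access was not enabled unintentionally. All names, the host header, the service account, and the SQL Server instance are placeholders; the property names on the returned objects (UseClaimsAuthentication, IisSettings, SecureBindings, ClaimsAuthenticationProviders, UseBasicAuthentication, DisableKerberos, AllowAnonymous) are those of the SharePoint 2010 object model as the editor understands them and should be verified in the SharePoint 2010 Management Shell before relying on the script. Run it from the SharePoint 2010 Management Shell with Run as administrator, as the article requires.

```powershell
# Added example: create a Windows-claims Web application and verify it.
# Placeholder values; replace them for your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$name        = "Contoso Intranet"
$hostHeader  = "intranet.contoso.com"
$appPoolName = "ContosoIntranetAppPool"
$appPoolUser = "CONTOSO\svc-sp-intranet"   # must already be a managed account
$dbServer    = "SQL01\SHAREPOINT"
$dbName      = "WSS_Content_Intranet"

# Windows claims over Negotiate (Kerberos). Add -DisableKerberos to force NTLM.
# Add -UseBasicAuthentication only when the zone is SSL-protected.
$ap = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$account = Get-SPManagedAccount $appPoolUser

$wa = New-SPWebApplication -Name $name `
        -ApplicationPool $appPoolName `
        -ApplicationPoolAccount $account `
        -Url "https://$hostHeader" `
        -Port 443 `
        -HostHeader $hostHeader `
        -SecureSocketsLayer `
        -AuthenticationProvider $ap `
        -DatabaseServer $dbServer `
        -DatabaseName $dbName

# Post-creation check of the Default zone. Returns a list of findings;
# an empty list means the configuration matches the article's guidance.
function Test-SPClaimsWebAppSecurity {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp)

    $zone     = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $iis      = $WebApp.IisSettings[$zone]
    $findings = @()

    if (-not $WebApp.UseClaimsAuthentication) {
        $findings += "Web application is in classic mode, not claims."
    }

    # SSL is in place only if the zone has at least one secure (443) binding.
    $ssl = $iis.SecureBindings.Count -gt 0

    foreach ($provider in $iis.ClaimsAuthenticationProviders) {
        switch ($provider.GetType().Name) {
            "SPWindowsAuthenticationProvider" {
                if ($provider.UseBasicAuthentication -and -not $ssl) {
                    $findings += "Basic authentication is enabled without SSL; passwords cross the network in clear text."
                }
                if ($provider.DisableKerberos) {
                    $findings += "Informational: Kerberos is disabled, so the zone uses NTLM."
                }
            }
            "SPFormsAuthenticationProvider" {
                if (-not $ssl) {
                    $findings += "Forms-based authentication is enabled without SSL."
                }
            }
        }
    }

    if ($iis.AllowAnonymous) {
        $findings += "Anonymous access is enabled at the Web application level."
    }

    return ,$findings
}

$findings = Test-SPClaimsWebAppSecurity -WebApp $wa
if ($findings.Count -eq 0) {
    Write-Host "OK: $($wa.DisplayName) uses Windows claims with no findings."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The check function can also be run against an existing Web application (for example, `Get-SPWebApplication "https://intranet.contoso.com" | Test-SPClaimsWebAppSecurity`) after a zone has been extended, since each zone keeps its own IIS settings and a non-SSL zone added later would reintroduce the clear-text credential problem the article warns about.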
Note
We recommend that you use Windows PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.
See Also
Concepts
Extend a Web application (SharePoint Foundation 2010)
Create a site collection (SharePoint Foundation 2010)
Configure forms-based authentication for a claims-based Web application (SharePoint Foundation 2010)
Configure authentication using a SAML security token (SharePoint Foundation 2010)
Create a Web application that uses Windows-classic authentication (SharePoint Foundation 2010)