4.2 Ensure claims-based authentication is used for all web applications and zones of a SharePoint 2016 farm

Information

Claims-based authentication enables systems and applications to authenticate a user without requiring the user to disclose more personal information than necessary. SharePoint continues to offer support for both claims and classic authentication modes. Claims-based identity is an identity model in SharePoint that includes features such as authentication across users of Windows-based systems and systems that are not Windows-based, multiple authentication types, stronger real-time authentication, a wider set of principal types, and delegation of user identity between applications.
When a user signs in to SharePoint, the user's token is validated and then used to sign in to SharePoint. The user's token is a security token issued by a claims provider. When you build claims-aware applications, the user presents an identity to the application as a set of claims. One claim could be the user's name, another might be an email address. The external identity system is configured to give your application all the information that it needs about the user with each request, along with cryptographic assurance that the identity data received by the application comes from a trusted source.
Rationale:
Claims-based identity allows you to factor out the authentication logic from individual applications. Instead of the application determining who the user is, it receives claims that identify the user.
In software, this bundle of claims is called a security token. Each security token is signed by the issuer who created it. A claims-based application considers users to be authenticated if they present a valid, signed security token from a trusted issuer which is a lot more secure than classic authentication.

Solution

1. Navigate to Central Administration website.
2. Click on Manage web applications.
3. Click on the site you're planning to verify Claims Based Authentication.
4. Under Web Applications tab click on the Authentication Providers icon.
5. Under the small window pop-up verify if the default value is set to Windows.
6. Create a PowerShell (.ps1) file and paste the following code into it:
$setcba = Get-SPWebApplication 'http://<YourSiteURL>'
$setcba.UseClaimsAuthentication = 1;
$setcba.Update()
7. Save the Code as SetClaimsBasedAuthentication.ps1 on the SharePoint server.
8. Execute the PowerShell script from the SharePoint Management Shell using the following command ./SetClaimsBasedAuthentication.ps1
Default Value:
Default value is set to Windows.

See Also

https://workbench.cisecurity.org/files/2031

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16.9

Plugin: Windows

Control ID: 8e74cea208693b9a54a2db22b49dcb79ab8f3e93a4ec876a9f2f2affb705a88c