Question

I have configured the object cache many times without really thinking about this: how does SharePoint 2010 use the SuperReader / SuperUser (object caching) accounts without a password? Remember, there is no place to enter the password.

Solution

SharePoint doesn't need the password because it's not actually authenticating anywhere with these accounts. SharePoint uses administrative and service accounts to fetch information and content from the SharePoint databases. It checks its own internal access control lists (permissions) to determine the level of access an account has on an object - from no access to full control. If it impersonated the current user when accessing objects, each SharePoint user would need to have permissions to access the content databases (as an example).

When configuring the accounts you modify the SharePoint access control lists in the Policy for Web Application settings when you grant full control or full read. This gives the correct account the level of access to the objects for that site collection. I think the following information from Microsoft does a good job explaining why two accounts are needed and how the object cache works.

In SharePoint Server 2013, querying for items is linked with the user account that makes the query. Various parts of the publishing feature make queries for which the results are cached in the object cache. These results are cached based on the user making the query. To optimize the cache hit rate and memory requirements, the queries must be based on whether a user can see draft items. When a publishing control requests the object cache to make a query to get data for the control, the cache makes the query, not as the user making the request, but instead it makes the query twice: once as the Portal Super User account and once as the Portal Super Reader account. The results of these two queries are stored in the object cache. The results for the Portal Super User account include draft items, and the results for the Portal Super Reader account include only published items. The object cache then checks the access control lists (ACLs) for the user who initiated the request and returns the appropriate results to that user based on whether that user can see draft items. By adding the Portal Super User and Portal Super Reader accounts to the web application, the cache must store results for only two users. This increases the number of results that are returned for a query and decreases the amount of memory that is needed to store the cache.

It also helps to keep in mind that SharePoint doesn't actually authenticate any users. It hands the credentials off to the authentication provider (Windows authentication, Forms-based authentication, or SAML token-based authentication) and the authentication provider tells SharePoint if the credentials are valid.

Administrative and service accounts require passwords because they are authenticating somewhere. For example, the Server farm account is used to access the content databases and therefore authenticates on your SQL Server.
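
The configuration described in the answer above can be checked with a read-only PowerShell audit. This is an added example, not part of the original answer and not Microsoft's code. It assumes the SharePoint Management Shell on a farm server, a placeholder web application URL, and the web application property keys `portalsuperuseraccount` and `portalsuperreaderaccount` under which the two account names are stored; the function name is hypothetical.

```powershell
# Added example: read-only audit of the object cache accounts on one web application.
# Nothing here writes to the farm; it only reads properties and policy bindings.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-ObjectCacheAccounts {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)

    $wa = Get-SPWebApplication -Identity $WebApplicationUrl

    # Property key -> policy role the account is expected to hold.
    $expected = @(
        @{ Key = 'portalsuperuseraccount';   Role = 'FullControl' },
        @{ Key = 'portalsuperreaderaccount'; Role = 'FullRead' }
    )

    foreach ($item in $expected) {
        # The property holds only an account name string. There is no
        # credential stored next to it, because the account is used as a
        # permission identity for cache queries and never logs on.
        $account = $wa.Properties[$item.Key]
        $roles = @()

        if ($account) {
            # Look the same account up in Policy for Web Application.
            $policy = $wa.Policies | Where-Object { $_.UserName -eq $account }
            if ($policy) {
                $roles = @($policy.PolicyRoleBindings |
                           ForEach-Object { $_.Type.ToString() })
            }
        }

        # Pass only if the account is set, holds the expected role,
        # and is not also bound to a deny-all policy role.
        $ok = [bool]$account -and ($roles -contains $item.Role) -and
              -not ($roles -contains 'DenyAll')

        New-Object PSObject -Property @{
            Property     = $item.Key
            Account      = $account
            ExpectedRole = $item.Role
            ActualRoles  = ($roles -join ',')
            Ok           = $ok
        }
    }
}

# Placeholder URL; replace with the web application being audited.
Test-ObjectCacheAccounts -WebApplicationUrl 'http://portal.example.com' |
    Format-Table Property, Account, ExpectedRole, ActualRoles, Ok -AutoSize
```

A row with `Ok` set to `False` means the property is unset, or the named account has no matching web application policy.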

OTHER TIPS

SuperUser and SuperReader accounts are normal accounts, not service accounts; that's why these are not managed accounts.

SharePoint uses these accounts to cache the data, impersonating the App Pool account. These accounts require policy of web app level permissions and just grab the data from the database and put it into the object cache. So when a user makes a request, instead of going to the database, the information is grabbed from the object cache.

Reading the first 3 paragraphs of this TechNet article will explain it to you.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange