Force sharepoint to ask for authentication - sharepoint

Is there a way to force sharepoint 2010 to popup the dialog to ask the user for a username and password and not use the computers logged in user, if that user doesn't have access.
We need an internal sharepoint website to not use the windows credentials, since these are computers used by many people. The windows user doesn't have access to the site, so currently it shows an access denied, click here to log in as another user. We would prefer if it just asked for credentials in a more graceful manner.

There is a way to configure Internet Explorer to do this. In Internet Explorer(IE),
Go to Tools
Click Internet Options
Click on the Security tab
Click on the button labeled Custom Level.
Scroll to the very bottom of the list
Select the option labeled Prompt for user name and password.
The default option Automatic logon only in Intranet zone' is what is causing IE to send the credentials to SharePoint. This of course would force everyone to log in on that computer.

Forms Based Authentication is the answer. You can modify the Login page and even where the users credentials (username/password) are stored (e.g. a SQL database rather then AD).

Use browser other than IE to access the SharePoint site from the community computers.

I am guessing you work in a corporate environment, which would mean your computers are probably managed by your IT department and part of your domain. Because they are part of your company's AD (Active Directory), your systadmins Should be able to modify the existing policy (i say existing, because in IE, the defaults for the settings relating to logging on are by default set so that you WOULD have gotten a logon prompt, i am guessing a group policy is already in effect). If it does not exist, have your admins create one.
The setting Jeremy mentions is one option. It could also be that the site is in included in your IE's "Local Intranet Zone". If it is, or, more probable, there is a wildcard *.yourdomainname.yourdomainextension).
Use the setting mentioned by jeremy to override the default logon behavior (automatic logon) associated with sites listed in the intranet zone.
A group policy can be applied to a group of computers or all the computers in the domain. If the policy should be applied to a small group of computers only, put those computers in a separate OU (Organisation Unit) in AD and apply the policy to that OU.

What about creating a new zone, secured with FBA, for those community computers? As long as the users of the community computers are given only URL for the new zone, you should be OK.

You can create 2 registry files to turn this behavior on and off for the Internet Explorer. Use Notepad to paste the values below, ensure that Windows Registry Editor Version 5.00is the first line, and that you're appending 2 blank lines at the end of the file (press 2x Enter).
To turn it on (i.e. always ask for credentials): AlwaysAsk.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
To turn it off (automatically use credentials, only ask if necessary): AutomaticLogon.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
This is useful for testing, espcecially if you're a developer in a corporate environment where you can't easily change the policy settings on your PC (but you need elevated rights, i.e. you have to run it as Administrator).
Note that the 1st key is for the local machine, the 2nd key is for the current user (currently logged in), which is needed to activate it immediately.
If you need more details about the values, check out this link:
Internet Explorer security zones registry entries for advanced users

Related

How to access softwares installed by local user in domain user account

I have installed a lot of application and utility software on my laptop using my local windows 8.1 account. recently i have joined a company where i got a domain account, when i joined the company domain and logged in using domain account i couldn't find most of my application that is available when log in using local account. how can i make those software applications available in my domain account as well rather than to re-install all of them.
Another question is that I have administrative rights and even then when try to install any software on any client pc i need to provide the administrative user password. how can I make it so it do not ask me administrative user password when i install any software on any client.
I have the administrative rights with domain user account and i can modify my domain user account easily.
Thanks in Advance
You don't specify, I am assuming you are using the start menu & desktop (and NOT the metro tiles).
First task, make programs available to both local and domain logins. (Substitute your actual login names for local-user and domain-user.)
While logged in as domain-user, use Windows Explorer to browse to C:\Users\local-user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
You will see there the shortcuts (and folders for shortcuts) for the programs you can't find logged in as domain-user. You should be able to double-click these shortcuts to launch the programs, no harm in trying it to verify.
You can then move these shortcuts (and shortcut folders) to be available to "all users" on the laptop by moving them to the folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs.
Second task, eliminate the annoying the administrator prompts.
Open Control Panel > Users > Change User Account Control settings (middle of window) --- move the slider at left all the way to the bottom "Never notify".
You will be prompted for administrator credentials to confirm you want to do this.

Multiple logins for opening office documents saved in document library in SharePoint 2010 using Claims Based Authentication

Our environment is Sharepoint 2010, with a web application created (and site collection on top), using claims based authentication. The first site is using port 881. It is using integrated windows authentication. Another web application is created, extending the first application, using port 882. This site is using Forms Based Authentication, the membership provider is System.Web.Security.ActiveDirectoryMembershipProvider, named admembers. I have turned off Client Integration on both sites.
When I login to the 881 site, on my corporate network, logged into the machine with the same domain account that sharepoint uses, I can open an Office file saved in a document library, and it subsequently opens in the appropriate Office application, without asking me login again. But, If I login to Sharepoint from a computer that is not on our network, or login to the computer with an account that is not a domain account, I get prompted again to login when openning an Office document. If I choose the option to save, it does not prompt, but if I choose open in the dialog window, I am forced to enter my domain credentials again.
When I login to the 882 site, which uses FBA, I experience the same problem. If I open an Office document, the appropriate Office application opens, and asks me for my credentials, by showing me a dialog window with the sign in page loaded. If I choose to save the file, then I am not prompted to login, and the file saves to a local folder.
I can't expect my users that are off site to login again everytime they open an Office document, like Work, Excel, Powerpoint, etc. I have tried numerous fixes, including disabling client integration, changing the browser handling mode (strict/permissive), changing internet explorer settings (for integrated windows authentication), changing the integrated windows authentication site to use basic authentication, even hacking the page using jquery to call the sharepoint javascript function that execute the "download a copy" function. None of them work: when choosing to "open" the Office document in the browser, the user has to login again, or just close the dialog window without logging in (as long as client integration for the zone is turned off).
I'm looking to get this accomplished using windows authentication or forms based authentication.
Help!
I found this answer in a similar post which seemed to fix the problem for me when I tested it. The gist of it is you need to deny the HTTP Verbs OPTIONS and PROPFIND in IIS. Having said this, I'm not an IIS guru and am not exactly sure what this means or what else it might affect. Can anyone else shed some light on this?
A bit of background, I'm using SharePoint 2010, on an FBA site.
You have the standard three use cases:
Employee intranet access
Employee remote access
Partner remote access
Employee intranet access
This normally always works out of the box, and it looks like it is working for you.
Employee remote access
The only way that i have seen this work (and i have tried many ways) is to get TMG or ISA. Basically ISA is setup in FORMS auth with SSL, it captures the auth details, and then passes them to the sharepoint server. (and other servers if you have them eg OWA for sharepoint mail web parts)
If you select the "Is private computer" option on the ISA login screen, then Office documents share the auth cookie and don't prompt for another login. I had so many problems, but as soon as i installed TMG, they all went away. I would not recommend any other approach now.
The added bonus of this method, is that remote employees are treated as the same account as the intranet user. The way you are setup with a seperate web application, means that they will be different accounts, so things like [checkout/modifiedby/createdby/personalisation] will be different accounts (though they look the same)
Partner remote access
This may never ever work on some clients (especially Vista), as IE needs to share the authentication with Office
If this is sharepoint 2010, try this.
Get-SPSecurityTokenServiceConfig
Look at your UseSessionCookies value in the output. If True, apply the powershell below.
$sts = Get-SPSecurityTokenServiceConfig
$sts.UseSessionCookies = $false
$sts.Update()
If UseSessionCookies is true, you will have to login to any docs u want to download...

iis: Integrated Windows authentication still pops up account info login

I have a website running on a Windows 2003 server on IIS 6, serving pages for a LAN where everybody is working with a domain account. On other machines this works fine, no-one has to login to the website, the dynamic scripts pick-up the account-name from the HTTP request.
Only, when browsing from the server itself (via remote desktop e.g.), Internet Explorer still pops up the domain-login-dialog when navigating to this site. (both the usual URL and http://localhost/). This was no problem on the Windows 2000 server we recently migrated the website from.
I had this problem or similar and solved it by:
adding http://localhost to list of Intranet sites, via IE > Tools > options > security > Local intranet > Sites > advanced > add http://localhost. (This is necessary if you have IE Enhanced Security installed which assigns all intranet Web sites and all UNC paths that are not explicitly listed in the Local intranet zone to the Internet zone, even localhost or other domains that don't contain '.' symbol which would normally be considered intranet by default.)
also on Security > Local Intranet > see what level of security you're on, to ensure that logon details are passed through. If it's Custom then click the Custom Level... button, scroll right to the bottom, under User Authentication > logon > for me it's 'Automatic logon only in Intranet zone', which works.
Did you configure IE on your Windows 2003 box for "Enable Integrated Windows Authentication"? This needs to be configured in IE6 to automatically use the logged-in user credentials.
You'll probably have better luck on ServerFault for this issue, as it's probably down to server configuration. Take a look at this KBAlertz.com article, yes it's specific to SharePoint, but some bits are more general. I suspect (given that you've said you've migrated to a new machine), that the issue is around the new machine not being "trusted for delegation" so look at the part titled "Configure trust for delegation for Web parts"
Configure trust for delegation for Web
parts To configure the IIS server to
be trusted for delegation, follow
these steps:
Start Active Directory Users and Computers.
In the left pane, click Computers.
In the right pane, right-click the name of the IIS server, and then
click Properties.
Click the General tab, click to select the Trust computer for
delegation check box, and then click
OK.
Quit Active Directory Users and Computers.
If the application pool identity is
configured to use a domain user
account, the user account must be
trusted for delegation before you can
use Kerberos authentication. To
configure the domain account to be
trusted for delegation, follow these
steps:
On the domain controller, start Active Directory Users and Computers.
In the left pane, click Users.
In the right pane, right-click the name of the user account, and then
click Properties.
Click the Account tab, under Account Options, click to select the
Account is trusted for delegation
check box, and then click OK.
Quit Active Directory Users and Computers.
If the application pool identity is a
domain user account, you must
configure an SPN for that account. To
configure a SPN for the domain user
account, follow these steps:
Download and install the Setspn.exe command-line tool. To do
so, visit the following Microsoft Web
site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en
(http://www.microsoft.com/downloads/details.aspx?FamilyID=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&DisplayLang=en)
Use the Setspn.exe tool to add an SPN for the domain account. To do
so, type the following line at the
command prompt, and then press ENTER,
where ServerName is the fully
qualified domain name (FQDN) of the
server, Domain is the name of the
domain, and UserName is the name of
the domain user account:
Setspn -A HTTP/ServerName Domain\UserName

SharePoint caches incorrect credentials

Every morning when i fire up my VM and IE (in my host OS) and go to my SP site it always logs me on automatically as DOMAIN\george which is a user I created for testing permissions.
So every morning after that I click "sign in as a different user" to sign in as my sys admin user instead and most days that is the only user I use. Any idea why george's credentials are being cached?
Part of "firing up my VM" is running a script that starts IIS as well as some services. I'm not entirely sure SharePoint is responsible for this, could very well be ASP.Net.
EDIT: I've already tried clearing my cookies.
Had a very similar problem! To solve it, go to 'User Accounts' under the Windows Control panel.
Navigate to 'Manage your network passwords'. Select the domain you wish to clear and select 'Remove'.
You should now have a clean login dialogue box and when you check the 'remember me' box, this will be stored as the login default for that domain.
I was able to remove the test login credentials using the User Account control panel applet in Windows 7
Open the Manage Credentials link.
Find the Sharepoint Login in the Windows Vault.
Expand the address for the site
Remove the test login for this site.
After doing this I am no longer prompted for the login and login as different user prompt.
Have you checked that there are no logins and passwords being stored by the browser? Assuming you are using IE, see this article on how to clear them.
If DOMAIN\george is same user ID you are logging in to the VM ? If that is the case try changing the Setting in IE that dictates what user name is send to the Server. Just go to Tools - > Settings - > Security and Click on Custom Level, scroll down to bottom and you will find User Authentication option Select the Prompt for User name and Password.
It could also be that you are using IE8, that caches my credentials as well it seems.
IE8 stores credentials for favourites it seems, don't ask me why. What you should do is log in as the needed user, then save a new favourite (or add it to the favourites bar by dragging it). Then use that link to go to your site.

Sharepoint popup login windows

After I log into my sharepoint website, I have to login everytime I access a document from the library. Is there a way to fix this?
Thanks
User Level:
If your SharePoint site always prompts for username/password on accessing it you can set your browser to not prompt
In Internet Explorer, go to Tools
Click Internet Options
add your site URL to Internet Explorers "Local Intranet Sites" section.
Open Security tab
Click Custom Level button
Scroll down to this screen and select "Automatic logon with current username and password" radio button
Click OK.
Administrator Level:
you can add your site's internal zone URL in Alternate Access Mappings section on Central Administration>Operations site, The SharePoint server always does not prompt for username/password and you can enjoy.
When using Windows Vista or Windows 7 the office tools (e.g. Word) do not look at the Local Intranet list of Internet Explorer. But they look at the following registry location:
HKEY__LOCAL__MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\AuthForwardServerList
If your sharepoint site is located at share.myserver.com you can set the above registry entry to *.myserver.com (including the *) so that all addresses ending with myserver.com are trusted by the office applications. This will prevent the login popup box from appearing.
For more info see this microsoft article. It solved the problem for me.
Add the SharePoint site to your trusted sites or local intranet in Internet Options.
This is to do with the way Word does the request for a file It sends an anonymous request first. What solves this is setting the session cookie to be valid for a year.
Are you using AD for the Authentication ?
Are you browsing the site from same network where it is hosted or on a Different N/W ?
If in the Same new work "Add the SharePoint site to your trusted sites or local intranet in Internet Options" and in the Trusted Sites Security Custom Level , User Authentication Section select the Option Automatically Login with the Current User Name and Password.
If you are browsing from Different n/w its bit tough to get it .
I experience this every day. My local machine is on a different domain to the SharePoint server so I have to log in every time I access SharePoint with a different application. This includes IE, Word, InfoPath, etc...
There is no way I've found to avoid it as it's simply part of using Windows authentication. Saving your password can help but still shows a dialog.
There are quite a few things that could cause this and you don't give much detail on your setup in the Q to give you an answer but...
The most comprehensive article I've found for troubleshooting this is
Unwanted Authentication Prompts
This issue is familiar to me and I've previously used the upvoted solution to the problem. However, recently I discovered that using Google Chrome rather than Internet Explorer makes this problem go away!
Solution: Use Chrome.
Switching to Basic Authentication will resolve this issue at a cost of passing credentials in clear text.

Resources