Eliminating Authentication Prompts in a SharePoint Environment
Authentication prompts have been a pain in the neck for a lot of SharePoint users over the years, in both SharePoint 2007 and SharePoint 2010 environments. There are several reasons for the prompts. I can't cover all the possible solutions, but I have documented multiple solutions to different authentication prompt issues.
Problem
In SharePoint 2010, you have multiple site collections on your intranet that you access on a regular basis. When you access these sites remotely from an external network and connect to the first site, you are prompted for authentication. You log on successfully. Then you try to connect to the second, third and fourth site collection, but you are prompted for authentication each time. You want to have access to all the sites without being prompted for authentication each time.
Solution
Add the intranet sites to the Local intranet zone in Internet Explorer (IE).
- In IE8 or IE9 go to Tools, Internet Options, Security tab, Local intranet, Sites, Advanced and add all the Site Collections to the zone.
- Click Close three times to close all windows.
- Restart Internet Explorer.
NOTE: You can deploy this setting to client computers using Group Policy. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone. In the right-hand pane locate "Logon options" and double-click it. First enable the option and then in the drop-down box select the option "Automatic logon with current username and password." On the client computer run gpupdate /force at the command prompt to refresh the Group Policy.
The same logon option can also be set manually in IE:
- Go to Tools, Internet options, and select the Security tab.
- Select the appropriate zone (e.g. Internet zone).
- Click Custom level.
- In the User Authentication section select the appropriate setting (e.g. Automatic logon with current user name and password).
- Click OK twice.
Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer
There is another issue that you may run into that is documented in the KB article 943280. Sometimes you may get prompted for authentication when you open a Microsoft Office document in SharePoint. Here are the steps documented in KB article 943280 to resolve the issue on Windows 7 clients.
- Click Start, type regedit in the Start Search box, and then press ENTER.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
- On the Edit menu, point to New, and then click Multi-String Value.
- Type AuthForwardServerList, and then press ENTER.
- On the Edit menu, click Modify.
- In the Value data box, type the URL of the server that hosts the Web share, and then click OK.
Note: You can also type a list of URLs in the Value data box. Here's a sample:
https://*.Contoso.com
http://*.dns.live.com
*.microsoft.com
https://172.169.4.6
- Exit Registry Editor.
After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.
Note: You have to restart the WebClient service after you modify the registry.
Things to avoid in the URL list
- Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result. For example, do not use the following:
http://*.dns.live.*
- Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
- http://*Contoso.com (in this example, the service also sends user credentials to http://extra_charactersContoso.com)
- http://Contoso*.com (in this example, the service also sends user credentials to http://Contosoextra_characters.com)
- In the URL list, do not type the UNC name of a host. For example, do not use the following:
*.contoso.com@SSL
- In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
- http://*.dns.live.com/DavShare
- http://*dns.live.com:80
- Do not use IPv6 in the URL list.
Important: This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.
The following web.config request-filtering fragment allows double escaping and denies the OPTIONS and PROPFIND verbs:
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true">
      <verbs allowUnlisted="true">
        <add verb="OPTIONS" allowed="false" />
        <add verb="PROPFIND" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
Disable "Remember my credentials" Option
If the users check the option "Remember my credentials" and then they change their password, they will keep getting prompted for authentication. It is not a good idea to remember passwords for security reasons, and when working with SharePoint you might want to disable this feature. You can disable this feature using a Group Policy. Open the Group Policy (e.g. Default Domain Policy) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable the setting "Network access: Do not allow storage of passwords and credentials for network authentication."
Use Credential Manager in Windows 7
Yet another method to avoid the authentication prompt is to use Windows 7's Credential Manager. Go to Control Panel -> User Accounts and in the upper left-hand corner select Manage your credentials. Select Add a Windows credential and provide the logon information. There is no need to reboot the computer. You should be able to access the site in your browser without being prompted for logon credentials.
Additional References
Here are some additional references that you may find useful.
- Authentication requests when you open Office documents
- Office 2003/2007 Integration and Forms based authentication (FBA) with SharePoint (MOSS)
- Unable to “Check Out” a Document in MOSS 2007 Published Through ISA Server 2006
- Understand duplicate authentication prompts ISA 2006 publishing MOSS using FBA
http://blogs.technet.com/b/isablog/archive/2009/06/23/understand-duplicate-authentication-prompts-isa-2006-publishing-moss-using-fba.aspx
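As an added example (not code from the original post), the following PowerShell script performs the Local intranet zone and "Logon options" steps from the Solution section for the current user, and lists every site-to-zone mapping so you can verify which hosts will receive automatic logon. The host names (portal.contoso.com, *.contoso.com) are placeholders, and the script assumes no Group Policy overrides the per-user registry keys it writes; policy-pushed mappings are only read, not changed.

```powershell
# Added example, not code from the original post: scripts the "Local intranet
# zone" and "Logon options" steps for the current user and reports the
# resulting site-to-zone mappings. Host names are placeholders.
# Assumption: no Group Policy overrides these per-user keys (policy-pushed
# mappings live under HKCU:\Software\Policies\... and are only listed here).

$IeSettings    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMap       = "$IeSettings\ZoneMap\Domains"
$PolicyZoneMap = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers used by ZoneMap: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$LocalIntranet = 1

# "Logon options" is registry value 1A00 under Zones\<zone number>
$LogonOption = @{
    AutomaticCurrentUser  = 0x00000000   # Automatic logon with current user name and password
    Prompt                = 0x00010000   # Prompt for user name and password
    AutomaticIntranetOnly = 0x00020000   # Automatic logon only in Intranet zone (IE default for zone 1)
    Anonymous             = 0x00030000   # Anonymous logon
}

function Get-ZoneMapKey {
    # IE stores "portal.contoso.com" as Domains\contoso.com\portal and the
    # wildcard "*.contoso.com" as Domains\contoso.com with the values set directly.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Length -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domain = $labels[-2] + '.' + $labels[-1]
    $hostLabels = @()
    if ($labels.Length -gt 2) {
        $hostLabels = @($labels[0..($labels.Length - 3)] | Where-Object { $_ -ne '*' })
    }
    $key = "$ZoneMap\$domain"
    if ($hostLabels.Count -gt 0) { $key += '\' + ($hostLabels -join '.') }
    return $key
}

function Add-ZoneMapSite {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Zone = $LocalIntranet,
        [string[]]$Schemes = @('http', 'https')
    )
    $key = Get-ZoneMapKey -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in $Schemes) {
        # One DWORD per scheme; its data is the zone number
        New-ItemProperty -Path $key -Name $scheme -Value $Zone -PropertyType DWord -Force | Out-Null
    }
}

function Set-ZoneLogonOption {
    param(
        [Parameter(Mandatory)][int]$Zone,
        [Parameter(Mandatory)]
        [ValidateSet('AutomaticCurrentUser', 'Prompt', 'AutomaticIntranetOnly', 'Anonymous')]
        [string]$Option
    )
    $key = "$IeSettings\Zones\$Zone"
    New-ItemProperty -Path $key -Name '1A00' -Value $LogonOption[$Option] -PropertyType DWord -Force | Out-Null
}

function Get-ZoneMapReport {
    # Walk both the user's own mappings and any pushed by policy
    foreach ($root in @($ZoneMap, $PolicyZoneMap)) {
        if (-not (Test-Path $root)) { continue }
        foreach ($item in Get-ChildItem -Path $root -Recurse) {
            # Key name ends in ...\Domains\<domain>[\<host labels>]
            $rel = ($item.Name -split '\\Domains\\', 2)[1] -split '\\'
            $hostName = if ($rel.Count -ge 2) { "$($rel[1]).$($rel[0])" } else { "*.$($rel[0])" }
            foreach ($valueName in $item.GetValueNames()) {
                [pscustomobject]@{
                    Host   = $hostName
                    Scheme = $valueName
                    Zone   = $item.GetValue($valueName)
                    Source = if ($root -eq $PolicyZoneMap) { 'Policy' } else { 'User' }
                }
            }
        }
    }
}

# Constructed usage: map the site collections, set automatic logon for the
# Local intranet zone only, then review the result. Restart IE afterwards.
Add-ZoneMapSite -HostName 'portal.contoso.com'
Add-ZoneMapSite -HostName '*.contoso.com'
Set-ZoneLogonOption -Zone $LocalIntranet -Option AutomaticCurrentUser
Get-ZoneMapReport | Format-Table -AutoSize
```

The report is the check worth keeping: any host that appears with Zone 1 or 2 will get the zone's logon behaviour, so an unexpected wildcard entry (for example a whole public domain) is immediately visible. The logon option is applied to the Local intranet zone only, which keeps the Internet zone at its default prompting behaviour.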
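As a second added example (again not from the original post or KB 943280), this PowerShell script validates a proposed AuthForwardServerList against the "Things to avoid in the URL list" rules before writing it, writes the REG_MULTI_SZ value from the KB steps, and restarts the WebClient service as the KB requires. The sample entries are the page's own good and bad examples; the check and the function names are this example's, not Microsoft's, and writing the value needs an elevated PowerShell session.

```powershell
# Added example, not code from the original post: validates AuthForwardServerList
# entries against the "things to avoid" rules, writes the multi-string value,
# and restarts WebClient. Requires an elevated session for the write.

$WebClientParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'

function Test-AuthForwardEntry {
    # Returns an object describing whether one entry is acceptable and why not.
    param([Parameter(Mandatory)][string]$Entry)
    $problems = New-Object System.Collections.Generic.List[string]
    $trimmed  = $Entry.Trim()
    $hostPart = $trimmed -replace '^https?://', ''          # optional scheme is fine

    if ($hostPart -eq '') { $problems.Add('empty entry') }
    if ($hostPart -match '@SSL$') { $problems.Add('UNC-style "@SSL" suffix') }
    if ($hostPart -match '/') { $problems.Add('share name or path after the host') }
    # IPv6 literals contain brackets or more than one colon; a single trailing ":<digits>" is a port
    if ($hostPart -match '\[' -or ($hostPart -split ':').Count -gt 2) { $problems.Add('IPv6 address') }
    elseif ($hostPart -match ':\d*$') { $problems.Add('port number') }
    if ($hostPart.EndsWith('*')) { $problems.Add('trailing asterisk') }
    # The only safe wildcard form is a leading "*." label with no other asterisk
    if ($hostPart -match '\*' -and $hostPart -notmatch '^\*\.[^*]+$') {
        $problems.Add('asterisk not used as a leading "*." label')
    }

    [pscustomobject]@{
        Entry    = $trimmed
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-AuthForwardServerList {
    $value = (Get-ItemProperty -Path $WebClientParams -Name 'AuthForwardServerList' -ErrorAction SilentlyContinue).AuthForwardServerList
    if ($null -eq $value) { return @() }
    return @($value)
}

function Set-AuthForwardServerList {
    # Refuses to write if any entry breaks a rule; otherwise writes the
    # REG_MULTI_SZ value and restarts WebClient so the new list is read.
    param([Parameter(Mandatory)][string[]]$Entries)
    $bad = @($Entries | ForEach-Object { Test-AuthForwardEntry -Entry $_ } | Where-Object { -not $_.Valid })
    if ($bad.Count -gt 0) {
        $detail = ($bad | ForEach-Object { "$($_.Entry) [$($_.Problems)]" }) -join ', '
        throw "Refusing to write AuthForwardServerList: $detail"
    }
    New-ItemProperty -Path $WebClientParams -Name 'AuthForwardServerList' -Value $Entries -PropertyType MultiString -Force | Out-Null
    Restart-Service -Name WebClient -ErrorAction Stop
}

# Constructed sample: the KB's sample list followed by the page's "things to avoid"
$sample = @(
    'https://*.Contoso.com', 'http://*.dns.live.com', '*.microsoft.com', 'https://172.169.4.6',
    'http://*.dns.live.*', 'http://*Contoso.com', 'http://Contoso*.com',
    '*.contoso.com@SSL', 'http://*.dns.live.com/DavShare', 'http://*dns.live.com:80'
)
$sample | ForEach-Object { Test-AuthForwardEntry -Entry $_ } | Format-Table -AutoSize

# Audit whatever is currently configured on this machine
Get-AuthForwardServerList | ForEach-Object { Test-AuthForwardEntry -Entry $_ } | Format-Table -AutoSize

# Write only the four acceptable entries (uncomment in an elevated session):
# Set-AuthForwardServerList -Entries $sample[0..3]
```

Running the sample table shows the first four entries as Valid and each of the remaining six flagged with the rule it breaks (trailing asterisk, misplaced asterisk, @SSL, path, port). Because the list has no deny entries, the audit over the live value is the useful recurring check: credentials are forwarded to every host that matches, so the list should stay as short and specific as the page recommends.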
Copyright ©2011 Zubair Alexander. All rights reserved.