[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3405
  • Last Modified:

Sharepoint Authentication - How to keep it from constantly asking for user's credentials

WSS Sharepoint site.

i have two issues, and i believe they are related.

issue #1:  i set up a new user in the WSS Manage Users area.  i then go to that user's computer and attempt to log in with their credentials.  i have to continuously supply the username and password (3 or 4 times) for every page load.  they can eventually view the page, but they have to constantly submit their username & password.  to fix this, i change the IE Internet Options->Security-?Custom Level  to "User Authentication = Automatic logon with current username and password"... but that's not enough.  i then have to use a WSS Administrator username and password to log into the site, and then delete the cookies and offline content in IE, and have the user supply their username & password one more time.  then they are ok and can view the site without constantly having to authenticate.  question:  how do i set up a new user and get them to be able to view the WSS site without having to log in as an Administrator first?

issue #2: for some new users, changing the IE setting and logging in as an Administrator does not resolve the problem.  they still have to supply their username and password about 3 times for every page load.  how do i resolve this?

thanks
0
zephyr_hex (Megan)
Asked:
zephyr_hex (Megan)
  • 10
  • 6
  • 3
  • +1
1 Solution
 
mirek11Commented:
See my post here:

http://www.experts-exchange.com/Networking/Sharepoint/Q_21992015.html

I solve the problem a little way down myself and then a few other people repeat the solution.
0
 
mirek11Commented:
To sum it up, if your envirenment is like mine (domain with intergrated windows authentication) you will have to reinstall and select Kerberos authentication and all will be well.

0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
if i reinstall sharepoint, will i have to totally set the site up again?  that really isn't practical...
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
mirek11Commented:
No, you can back up and restore your current site...

I believe there is also an option on a new install to connecto to an existing database.

I agree though that this is not at all practical even with these options (thank microsoft)  I looked for other solutions but couldn't find any.  You may be able to change over to Kerberos from NTLM, but the process is a bit complicated and I never got it to work correctly with a sharepoint site.


Mirek
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
i use the stsadm to do a nightly backup of the site.   so i would do the following:

uninstall WSS
reinstall WSS
use the stsadm to restore the backup

does this sound right?

also, i did some changes to the code for Document Libraries.  do you know if those changes will restore or will i have to redo the coding?

thanks
0
 
glbtCommented:
Just a thought, on the user's workstation, in IE, add the URL of the portal site to the user's trusted local sites.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
qlbt:  i have tried adding it to the trusted local sites.  it did not work.
0
 
boomer4dCommented:
I would look in IIS manager and make sure that the security settings at the root level of your SharePoint instance "cascade" down to the subdirectories. I ran into something similar a while back where users were repeatedly prompted for a username/password and still allowed to access the SHarePoint site after the usual three shots at getting the username/password correct.

Come to find out that one of the sub-directories (in this case the _images directory) didn't have the same permissions as the parent. SSLDIAG is an excellent tool to help assess your permissions in IIS





0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
boomer4d:
i launched IIS manager... and by going to the Web Sites folder and selecting properties, i see a directory secuity tab.  is this what you are referring to?  what should i look for?

thanks
0
 
boomer4dCommented:
zephyr that is where you set your security settings for your web site in IIS. You may have seen at some point that when you make a change at the topmost web site a box pops up asking you if you would like to apply your changes to some sub directories. Most folks assume that by clciking yes and going on about their business the changes are applied throughout the website.

Unfortunately this isn't the case (this is what happened to me) You have to click the "Select All" button on the right hand side of the box so that your changes are applied throughout the website. If you don't your security settings will mismacth at some point and you may get continually prompted for authentication because something on the page you are trying to access is in that sub-directory. In my case it was the images sub-directory and with all the images on a SharePoint site you can imagine how all those little red X's looked!

Here's an example of what I would do;

1. Right click on your SharePoint virtual server and select properties.
2. Click on the Directory Security tab.
3. Under "Anonymous access and authentication control" click the "Edit" button and write down your settings. Settings on my SharePoint sites are Anonymous - Off and Windows Integrated Authentication - On
4. Close the Authentication Methods box and under secure communications click the "Edit" button.
5. This is where you set up SSL. Again write down your settings and close the box.
6. Repeat the process for each sub-directory under your SharePoint virtual server and make sure the security settings match the top level exactly.

An easier way to find out if there is a mismatch would be to download the SSLDIAG tool and run it. After you have run it look through the results and you should see somewhere if there are any security settings that don't match or aren't correct.

Download link;

http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en

Hope that helps you some.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
ok...
i ran the SSLDIAG and i'm not sure what i'm looking for.  so i also went through all of the subdirectories and checked the directory security....  my main dir has the following:
enable anonymous access = true, username: IUSR_SERVERNAME, some default password
integrated windows authentication = true
and under secure communications, ignore client certificates = true

there is one subdirectory that was installed by a 3rd party vendor (it's a web reporting tool).  for the anonymous access, the username is different.  it is domain\domainUsernameForThe3rdPartyVendor.  and the password has 10 dots like the default one for the IUSR_SERVERNAME, but i have no idea if it really is the same password, or if it might be that domain user's password.

all of the subdirectories below this particular folder have this setting... but this tool is also not on the main sharepoint page... so i am not sure why it would by trying to load.  by the way, the login issue does NOT happen when trying to access this tool...

so should i change the anonymous access value?  if so, should i change it for the main site, or for the directory for that tool?

also, what is the default password for the anonymous access?  i am thinking about disabling the anonymous access for the site and seeing if that resolves the problem, but i want to be sure i know the password in case it gets wiped out when it is disabled.

and here is the report from SSLDIAG:
System time: Mon, 08 Jan 2007 16:47:51 GMT
ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
OS: Windows 2003 Service Pack 1
IIS6 - World Wide Web Publishing (W3SVC) service is installed

[ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
ImagePath = C:\WINDOWS\system32\lsass.exe
Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
strmfilt.dll loaded into process 664 (lsass.exe)
strmfilt.dll loaded into process 7572 (w3wp.exe)
strmfilt.dll loaded into process 8036 (w3wp.exe)

[ SChannel Info ]
ServerCacheEntries = 0
ServerActiveEntries = 0
ServerHandshakes = 0
ServerReconnects = 0
CacheSize = 10000

[ W3SVC/1 ]
ServerComment = Default Web Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/1/ROOT/_layouts ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_layouts/images ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_vti_bin ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_wpresources ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/2 ]
ServerComment = Windows Media Administration Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/87257622 ]
ServerComment = SharePoint Central Administration
ServerAutoStart = True
ServerState = Server started

[ W3SVC/87257622/Root/_vti_adm ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/87257622/Root/help ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/87257622/Root/images ]
AccessSSLFlags = 0 (0x0)
0
 
boomer4dCommented:
I'd try disabling anonymous access and set your sites to Windows Integrated Authentication. If that works then you can make a change in the security settings of IE that will allow all your users to "Login automatically only in the intranet zone" or to "login automatically with the current username and password"

On the 3rd party app, it is possible it is jacking something up. In most cases when you run another web application on your SharePoint server you have to exclude the path to that application in the SharePoint Central Administration page. Try disabling the application and see if that makes any difference.

On the anonymous password, it is set by the system and changing it can wreak havoc on your system, I'd leave it alone if you can.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
if i disable the anonymous access, will it keep the default password in case i need to re-enable it?
0
 
boomer4dCommented:
If you are referring to the IUSR account it should yes. The onkly that password should change is if someone hacks your machine or an admin changes it manually.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
ok, i think disabling the anonymous access is helping...
i cleared temp files and cookies from IE, and now the user can access the page without inputting credentials.  the only exception is in the document library.  when the user saves a document, it is asking for the credentials.  so i probably need to go and verify i have the anonymous access disabled everywhere on the site, except on that 3rd party tool.
0
 
boomer4dCommented:
That's normal behavior. When you open a document for editing from within SharePoint, save to a doc library etc...Office has to renegotiate a session with the SharePoint server and as part of the renegotiation you have to provide credentials. I'm not aware of any way to stop that but could be wrong.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
i wouldn't mind it if it prompted only once for the credentials, but you have to hit OK 3 times, every time you save.  same kind of thing it was doing for the page loads before.  hmmmm... seems like we are close to having it fixed.
0
 
boomer4dCommented:
Has the path for the 3rd party tool been excluded in the Central Administration pages?

1. Log into your server and access the SharePoint Central Administrator page.
2. Under "Portal Site and Virtual Server Configuration" click the "Configure virtual server settings from the virtual server list page"
3. Select the virtual server that is hosting your SharePoint instance
4. Under "Virtual Server Management" click the "Define Managed Paths" link

On this page you'll want to "Add a new path" (enter the path to yoru ASP application) and under "Type" select "Excluded"
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
i checked the excluded paths and the 3rd party tool is listed there already.
0
 
zephyr_hex (Megan)DeveloperAuthor Commented:
ok, i finally tracked down the problem.

i used the IIS log to troubleshoot.  i compared what files are being accessed when authentication fails to those being accessed when authentication succeeds.  this helped me track down the issue to OWS.JS

i went to that file on the C drive and added domain users to the permissions... and now users no longer get the multiple prompts
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 10
  • 6
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now