Solved

Sharepoint Authentication - How to keep it from constantly asking for user's credentials

Posted on 2007-01-03
21
3,390 Views
Last Modified: 2013-12-08
WSS Sharepoint site.

i have two issues, and i believe they are related.

issue #1:  i set up a new user in the WSS Manage Users area.  i then go to that user's computer and attempt to log in with their credentials.  i have to continuously supply the username and password (3 or 4 times) for every page load.  they can eventually view the page, but they have to constantly submit their username & password.  to fix this, i change the IE Internet Options->Security-?Custom Level  to "User Authentication = Automatic logon with current username and password"... but that's not enough.  i then have to use a WSS Administrator username and password to log into the site, and then delete the cookies and offline content in IE, and have the user supply their username & password one more time.  then they are ok and can view the site without constantly having to authenticate.  question:  how do i set up a new user and get them to be able to view the WSS site without having to log in as an Administrator first?

issue #2: for some new users, changing the IE setting and logging in as an Administrator does not resolve the problem.  they still have to supply their username and password about 3 times for every page load.  how do i resolve this?

thanks
0
Comment
Question by:zephyr_hex (Megan)
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 6
  • 3
  • +1
21 Comments
 
LVL 2

Expert Comment

by:mirek11
ID: 18237786
See my post here:

http://www.experts-exchange.com/Networking/Sharepoint/Q_21992015.html

I solve the problem a little way down myself and then a few other people repeat the solution.
0
 
LVL 2

Expert Comment

by:mirek11
ID: 18237815
To sum it up, if your envirenment is like mine (domain with intergrated windows authentication) you will have to reinstall and select Kerberos authentication and all will be well.

0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18238020
if i reinstall sharepoint, will i have to totally set the site up again?  that really isn't practical...
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 2

Expert Comment

by:mirek11
ID: 18239263
No, you can back up and restore your current site...

I believe there is also an option on a new install to connecto to an existing database.

I agree though that this is not at all practical even with these options (thank microsoft)  I looked for other solutions but couldn't find any.  You may be able to change over to Kerberos from NTLM, but the process is a bit complicated and I never got it to work correctly with a sharepoint site.


Mirek
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18244461
i use the stsadm to do a nightly backup of the site.   so i would do the following:

uninstall WSS
reinstall WSS
use the stsadm to restore the backup

does this sound right?

also, i did some changes to the code for Document Libraries.  do you know if those changes will restore or will i have to redo the coding?

thanks
0
 

Expert Comment

by:glbt
ID: 18245603
Just a thought, on the user's workstation, in IE, add the URL of the portal site to the user's trusted local sites.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18245670
qlbt:  i have tried adding it to the trusted local sites.  it did not work.
0
 
LVL 5

Expert Comment

by:boomer4d
ID: 18253696
I would look in IIS manager and make sure that the security settings at the root level of your SharePoint instance "cascade" down to the subdirectories. I ran into something similar a while back where users were repeatedly prompted for a username/password and still allowed to access the SHarePoint site after the usual three shots at getting the username/password correct.

Come to find out that one of the sub-directories (in this case the _images directory) didn't have the same permissions as the parent. SSLDIAG is an excellent tool to help assess your permissions in IIS





0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18255876
boomer4d:
i launched IIS manager... and by going to the Web Sites folder and selecting properties, i see a directory secuity tab.  is this what you are referring to?  what should i look for?

thanks
0
 
LVL 5

Accepted Solution

by:
boomer4d earned 500 total points
ID: 18258467
zephyr that is where you set your security settings for your web site in IIS. You may have seen at some point that when you make a change at the topmost web site a box pops up asking you if you would like to apply your changes to some sub directories. Most folks assume that by clciking yes and going on about their business the changes are applied throughout the website.

Unfortunately this isn't the case (this is what happened to me) You have to click the "Select All" button on the right hand side of the box so that your changes are applied throughout the website. If you don't your security settings will mismacth at some point and you may get continually prompted for authentication because something on the page you are trying to access is in that sub-directory. In my case it was the images sub-directory and with all the images on a SharePoint site you can imagine how all those little red X's looked!

Here's an example of what I would do;

1. Right click on your SharePoint virtual server and select properties.
2. Click on the Directory Security tab.
3. Under "Anonymous access and authentication control" click the "Edit" button and write down your settings. Settings on my SharePoint sites are Anonymous - Off and Windows Integrated Authentication - On
4. Close the Authentication Methods box and under secure communications click the "Edit" button.
5. This is where you set up SSL. Again write down your settings and close the box.
6. Repeat the process for each sub-directory under your SharePoint virtual server and make sure the security settings match the top level exactly.

An easier way to find out if there is a mismatch would be to download the SSLDIAG tool and run it. After you have run it look through the results and you should see somewhere if there are any security settings that don't match or aren't correct.

Download link;

http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en

Hope that helps you some.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18268344
ok...
i ran the SSLDIAG and i'm not sure what i'm looking for.  so i also went through all of the subdirectories and checked the directory security....  my main dir has the following:
enable anonymous access = true, username: IUSR_SERVERNAME, some default password
integrated windows authentication = true
and under secure communications, ignore client certificates = true

there is one subdirectory that was installed by a 3rd party vendor (it's a web reporting tool).  for the anonymous access, the username is different.  it is domain\domainUsernameForThe3rdPartyVendor.  and the password has 10 dots like the default one for the IUSR_SERVERNAME, but i have no idea if it really is the same password, or if it might be that domain user's password.

all of the subdirectories below this particular folder have this setting... but this tool is also not on the main sharepoint page... so i am not sure why it would by trying to load.  by the way, the login issue does NOT happen when trying to access this tool...

so should i change the anonymous access value?  if so, should i change it for the main site, or for the directory for that tool?

also, what is the default password for the anonymous access?  i am thinking about disabling the anonymous access for the site and seeing if that resolves the problem, but i want to be sure i know the password in case it gets wiped out when it is disabled.

and here is the report from SSLDIAG:
System time: Mon, 08 Jan 2007 16:47:51 GMT
ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
OS: Windows 2003 Service Pack 1
IIS6 - World Wide Web Publishing (W3SVC) service is installed

[ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
ImagePath = C:\WINDOWS\system32\lsass.exe
Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
strmfilt.dll loaded into process 664 (lsass.exe)
strmfilt.dll loaded into process 7572 (w3wp.exe)
strmfilt.dll loaded into process 8036 (w3wp.exe)

[ SChannel Info ]
ServerCacheEntries = 0
ServerActiveEntries = 0
ServerHandshakes = 0
ServerReconnects = 0
CacheSize = 10000

[ W3SVC/1 ]
ServerComment = Default Web Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/1/ROOT/_layouts ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_layouts/images ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_vti_bin ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/1/ROOT/_wpresources ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/2 ]
ServerComment = Windows Media Administration Site
ServerAutoStart = True
ServerState = Server started

[ W3SVC/87257622 ]
ServerComment = SharePoint Central Administration
ServerAutoStart = True
ServerState = Server started

[ W3SVC/87257622/Root/_vti_adm ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/87257622/Root/help ]
AccessSSLFlags = 0 (0x0)

[ W3SVC/87257622/Root/images ]
AccessSSLFlags = 0 (0x0)
0
 
LVL 5

Expert Comment

by:boomer4d
ID: 18270384
I'd try disabling anonymous access and set your sites to Windows Integrated Authentication. If that works then you can make a change in the security settings of IE that will allow all your users to "Login automatically only in the intranet zone" or to "login automatically with the current username and password"

On the 3rd party app, it is possible it is jacking something up. In most cases when you run another web application on your SharePoint server you have to exclude the path to that application in the SharePoint Central Administration page. Try disabling the application and see if that makes any difference.

On the anonymous password, it is set by the system and changing it can wreak havoc on your system, I'd leave it alone if you can.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18270547
if i disable the anonymous access, will it keep the default password in case i need to re-enable it?
0
 
LVL 5

Expert Comment

by:boomer4d
ID: 18275761
If you are referring to the IUSR account it should yes. The onkly that password should change is if someone hacks your machine or an admin changes it manually.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18276633
ok, i think disabling the anonymous access is helping...
i cleared temp files and cookies from IE, and now the user can access the page without inputting credentials.  the only exception is in the document library.  when the user saves a document, it is asking for the credentials.  so i probably need to go and verify i have the anonymous access disabled everywhere on the site, except on that 3rd party tool.
0
 
LVL 5

Expert Comment

by:boomer4d
ID: 18277475
That's normal behavior. When you open a document for editing from within SharePoint, save to a doc library etc...Office has to renegotiate a session with the SharePoint server and as part of the renegotiation you have to provide credentials. I'm not aware of any way to stop that but could be wrong.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18285365
i wouldn't mind it if it prompted only once for the credentials, but you have to hit OK 3 times, every time you save.  same kind of thing it was doing for the page loads before.  hmmmm... seems like we are close to having it fixed.
0
 
LVL 5

Expert Comment

by:boomer4d
ID: 18289468
Has the path for the 3rd party tool been excluded in the Central Administration pages?

1. Log into your server and access the SharePoint Central Administrator page.
2. Under "Portal Site and Virtual Server Configuration" click the "Configure virtual server settings from the virtual server list page"
3. Select the virtual server that is hosting your SharePoint instance
4. Under "Virtual Server Management" click the "Define Managed Paths" link

On this page you'll want to "Add a new path" (enter the path to yoru ASP application) and under "Type" select "Excluded"
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18302976
i checked the excluded paths and the 3rd party tool is listed there already.
0
 
LVL 43

Author Comment

by:zephyr_hex (Megan)
ID: 18455209
ok, i finally tracked down the problem.

i used the IIS log to troubleshoot.  i compared what files are being accessed when authentication fails to those being accessed when authentication succeeds.  this helped me track down the issue to OWS.JS

i went to that file on the C drive and added domain users to the permissions... and now users no longer get the multiple prompts
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently found myself in a Corporate Situation where the client had requested blocking access to any and all websites except his own Domain? Easy? I am sure this would be your answer but their requirement was, this has to be done without using…
Do you come here a lot? Are you lazy like me and don't want to go through the "trouble" of having to click your Dock's Safari icon and then having to click your Experts Exchange Favorites bookmark to get here? Well then this article is for you.
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question