Solved

SharePoint 2010 external users required to enter domain name

Posted on 2016-11-04
16
33 Views
Last Modified: 2016-11-12
I've seen this question asked many places, but no definitive answers.

I have a SharePoint web application that is configured for external users to connect to.  It is using basic authentication with SSL.  The default domain is set.

If I use Chrome or firefox I can use only my username and password to authenticate.  However, IE requires the domain name to authenticate.

I've seen many answers that say this is by design, however is there any way around this?  Custom forms based auth my only option?
0
Comment
Question by:delmarvamonkey
  • 8
  • 8
16 Comments
 
LVL 14

Expert Comment

by:SneekCo
ID: 41875393
This is difficult to troubleshoot because although the information is good, it does not fit together. Here are a few questions to help me understand:

How is the web application configured for external users? How is that different from the internal users?

It pass through authentication enabled in the browsers? Is it possible that IE has a GPO applied so that it does not allow pass through?

You mention you are thinking about FBA, what are you using now? Windows Authentication?

Thanks
0
 

Author Comment

by:delmarvamonkey
ID: 41877457
Hello,

The web application authentication is Basic authentication over ssl.

The browsers that are being used are being used by external customers, so we can't control how they are configured.  However, default chrome/firefox can login without supplying the domain.

I was thinking over using FBA.  Internally we use Windows auth and have no issues.
0
 

Author Comment

by:delmarvamonkey
ID: 41877459
I should also mention they use IE.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877668
Your external users have an Active Directory account?
0
 

Author Comment

by:delmarvamonkey
ID: 41877720
No, we have external customers that login to our environment.  They have their own "unknown" domains.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877730
What are they authenticating against. They enter a user name and password. What mechanism says "yes, that is correct let them in" or  "no, incorrect information, access denied". What is the authentication provider?
0
 

Author Comment

by:delmarvamonkey
ID: 41877733
Active directory.  IIS auth is basic over SSL.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877746
Sorry, we have a disconnect in terminology I think. I asked if your external users have an Active Directory account, and the answer is no. I then ask how do they authenticate, and you answer Active Directory.

Has nothing to do with Basic Auth over SSL, has to do with what is the Authentication Provider. The authenticating method, protocol, is something different. Not sure what a solution could be because not sure yet what the problem is.

Good luck...
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:delmarvamonkey
ID: 41877771
Sorry, let me clarify.  They have internal AD accounts, but they are on external environments / domains.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877783
Okay, now I see.

I agree somewhat with your original post about the behavior being per design. I have used basic auth over the internet very seldom, probably never in production just for testing because of the security risks. I know there is the SSL layer there, but still something to consider. If you were to switch to AD (Windows Integrated) authentication in IIS the external users would have to enter in the domain name, but your internal users would not need to enter the domain name provided that they are logged in to the same domain that SharePoint is located in. You could even set the browser settings for your internal users so that pass through auth is used. That would be a kind of a trade off.

There is also the possibility to use a web application extension and have two different auth providers, one for internal and a different method for external that you may want to consider, but that is a different topic.

Hope that helps...
0
 

Author Comment

by:delmarvamonkey
ID: 41877806
Actually that's how I have it set up.

The web application is extended:

1.  Internal users use windows auth
2. External users use basic auth over SSL.

Everything is fine for internal users.

External users have to enter domain name.  But not if they use chrome.

When I say external users, I mean, they are using an internal AD account, but are connecting from an external domain over the internet.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877816
External users have to enter domain name.  But not if they use chrome.

Makes it sound like your set up is fine. Their IE browsers must be set up for pass through auth, therefore when they connect to any site, be it external or internal for them, their browsers are using their domain name, which is not yours. So they have to enter in your domain name.

As you mention, you can't control their browser, so you might not be able to do anything on this but to recommend to them to not use pass through auth in IE, which they probably won't want to do.
0
 

Author Comment

by:delmarvamonkey
ID: 41877820
The reason I asked was because I wanted to make sure I wasn't missing something.  That's what I thought.

So I will go toward FBA.
0
 
LVL 14

Accepted Solution

by:
SneekCo earned 500 total points
ID: 41877825
Maybe review this as part of your considerations for going FBA.

https://www.experts-exchange.com/questions/28261580/Sharepoint-2013-FBA.html

Hope that helps...
0
 

Author Closing Comment

by:delmarvamonkey
ID: 41877840
Answer accepted.
0
 
LVL 14

Expert Comment

by:SneekCo
ID: 41877844
Thanks
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

SharePoint Designer 2010 has tools and commands to do everything that can be done with web parts in the browser, and then some – except uploading a web part straight into a page that is edited in SPD. So, can it be done? Scenario For a recent pr…
Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now