Solved

SharePoint 2010 external users required to enter domain name

Posted on 2016-11-04
16
46 Views
Last Modified: 2016-11-12
I've seen this question asked many places, but no definitive answers.

I have a SharePoint web application that is configured for external users to connect to.  It is using basic authentication with SSL.  The default domain is set.

If I use Chrome or firefox I can use only my username and password to authenticate.  However, IE requires the domain name to authenticate.

I've seen many answers that say this is by design, however is there any way around this?  Custom forms based auth my only option?
0
Comment
Question by:delmarvamonkey
  • 8
  • 8
16 Comments
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41875393
This is difficult to troubleshoot because although the information is good, it does not fit together. Here are a few questions to help me understand:

How is the web application configured for external users? How is that different from the internal users?

It pass through authentication enabled in the browsers? Is it possible that IE has a GPO applied so that it does not allow pass through?

You mention you are thinking about FBA, what are you using now? Windows Authentication?

Thanks
0
 

Author Comment

by:delmarvamonkey
ID: 41877457
Hello,

The web application authentication is Basic authentication over ssl.

The browsers that are being used are being used by external customers, so we can't control how they are configured.  However, default chrome/firefox can login without supplying the domain.

I was thinking over using FBA.  Internally we use Windows auth and have no issues.
0
 

Author Comment

by:delmarvamonkey
ID: 41877459
I should also mention they use IE.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877668
Your external users have an Active Directory account?
0
 

Author Comment

by:delmarvamonkey
ID: 41877720
No, we have external customers that login to our environment.  They have their own "unknown" domains.
0
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877730
What are they authenticating against. They enter a user name and password. What mechanism says "yes, that is correct let them in" or  "no, incorrect information, access denied". What is the authentication provider?
0
 

Author Comment

by:delmarvamonkey
ID: 41877733
Active directory.  IIS auth is basic over SSL.
0
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877746
Sorry, we have a disconnect in terminology I think. I asked if your external users have an Active Directory account, and the answer is no. I then ask how do they authenticate, and you answer Active Directory.

Has nothing to do with Basic Auth over SSL, has to do with what is the Authentication Provider. The authenticating method, protocol, is something different. Not sure what a solution could be because not sure yet what the problem is.

Good luck...
0
 

Author Comment

by:delmarvamonkey
ID: 41877771
Sorry, let me clarify.  They have internal AD accounts, but they are on external environments / domains.
0
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877783
Okay, now I see.

I agree somewhat with your original post about the behavior being per design. I have used basic auth over the internet very seldom, probably never in production just for testing because of the security risks. I know there is the SSL layer there, but still something to consider. If you were to switch to AD (Windows Integrated) authentication in IIS the external users would have to enter in the domain name, but your internal users would not need to enter the domain name provided that they are logged in to the same domain that SharePoint is located in. You could even set the browser settings for your internal users so that pass through auth is used. That would be a kind of a trade off.

There is also the possibility to use a web application extension and have two different auth providers, one for internal and a different method for external that you may want to consider, but that is a different topic.

Hope that helps...
0
 

Author Comment

by:delmarvamonkey
ID: 41877806
Actually that's how I have it set up.

The web application is extended:

1.  Internal users use windows auth
2. External users use basic auth over SSL.

Everything is fine for internal users.

External users have to enter domain name.  But not if they use chrome.

When I say external users, I mean, they are using an internal AD account, but are connecting from an external domain over the internet.
0
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877816
External users have to enter domain name.  But not if they use chrome.

Makes it sound like your set up is fine. Their IE browsers must be set up for pass through auth, therefore when they connect to any site, be it external or internal for them, their browsers are using their domain name, which is not yours. So they have to enter in your domain name.

As you mention, you can't control their browser, so you might not be able to do anything on this but to recommend to them to not use pass through auth in IE, which they probably won't want to do.
0
 

Author Comment

by:delmarvamonkey
ID: 41877820
The reason I asked was because I wanted to make sure I wasn't missing something.  That's what I thought.

So I will go toward FBA.
0
 
LVL 16

Accepted Solution

by:
Walter Curtis earned 500 total points
ID: 41877825
Maybe review this as part of your considerations for going FBA.

https://www.experts-exchange.com/questions/28261580/Sharepoint-2013-FBA.html

Hope that helps...
0
 

Author Closing Comment

by:delmarvamonkey
ID: 41877840
Answer accepted.
0
 
LVL 16

Expert Comment

by:Walter Curtis
ID: 41877844
Thanks
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There is one common problem that all we SharePoint developers share: custom solution deployment. This topic can't be covered fully in this short article, so all I want to do in this one is to review it from a development-to-operations perspectiv…
SharePoint Designer 2010 has tools and commands to do everything that can be done with web parts in the browser, and then some – except uploading a web part straight into a page that is edited in SPD. So, can it be done? Scenario For a recent pr…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question