Scenario One: User launches SharePoint page from inside the domain and they get prompted for credentials.
Scenario Two: User launches SharePoint through VPN and gets prompted for credentials.
Scenario Three: Every resource or new site prompts the user for credentials.
Scenario Four: Extranet SharePoint site continually prompts for credentials.
In this days and age of (SSO) Single Sign On, users expect to log in once and then never be prompted again. Personally I have my Facebook and Google+ connected all over the place so that I can get into just about everything with-out prompting. Unfortunately internal corporate solutions require a little more security. Even more unfortunately SharePoint is extremely sensitive to security configurations, everything from the servers registry to the security on the databases. If you do a quick Google search you will see page after page of possible solutions, and for the most part they are all correct; but. they are correct for different causes. In most cases you are actually being plagued by several issues causing the same problem. So I will do my best to consolidate all of the solutions out there.
Solutions:
1. Internet Security - Ensure that your local security policy, group policy, or basic internet settings have your SharePoint site set in Trusted sites, or Local intranet. This is probably the easiest and least invasive thing you can do.
- Make sure that you have a couple things configured properly for your local intranet, or trusted sites setting. First, ensure that 'Automatic Logon' is enabled. If your SharePoint URL contains periods then IE automatically assumes that it is on the internet. You can read more on the Technet site
2.Verify that you have correctly configured your alternate access mappings in SharePoint - 2013, 2010
3. Modify your Web.Config
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true">
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
<add verb="PROPFIND" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
4. In IIS modify the web application to use NTLM instead of Kerboros
5. Dealing with an Extranet requires a little more configuration to your servers if you wish to avoid credential prompting.
From Technet
"Extranet users that want direct editing:
Use Forms Based Authentication (FBA) with persistent cookies – The only way to maintain direct-edit functionality and also not be prompted by the Office application is to implement a proxy/firewall server by using Forms Based Authentication with persistent cookies such as an Internet Security and Acceleration (ISA) server or a Forefront Threat Management Gateway.
Extranet users and direct editing is not needed:
Disable Client Integration or the OPTIONS/PROPFIND Verbs - If the site provides WebDAV functionality through another extension, the provider of that extension should be engaged. For example, to do this with Windows SharePoint Services (WSS), the site should be configured to disable Client Integration, or the OPTIONS and PROPFIND verb should be inhibited. (To inhibit the OPTIONS and PROPFIND verbs on Internet Information Services (IIS) version 6, remove the verbs from the registration line in the web.config file. On IIS 7.0, use the HTTP Verbs tab of the Request Filtering feature to deny the verbs.) Be aware that this approach will open the content in read-only mode because this approach disables direct-edit functionality. "
This is good info. Most of us all around admins manage SharePoint on an infrequent basis. It is great to have an expert that gives specifics to common miss-understood issues. Thanks
ReplyDeleteNot a problem, and if you are ever dealing with a specific issue, or have a question don't hesitate to ask!
ReplyDeleteHarrah's Reno Casino & Hotel - MapYRO
ReplyDeleteHarrah's 충주 출장샵 Reno Casino & Hotel is 인천광역 출장샵 in the historical 광명 출장안마 district of Nevada. The casino and resort is located 여수 출장마사지 just a short 전주 출장안마 drive from Harrahs Reno Casino and the