ISSUE #1 – Internet Explorer Security Settings
SYMPTOM: Whenever you browse to your SharePoint site, the little popup dialog box appears asking for your user name and password. If you enter your credentials, it lets you enter the site – it’s just annoying to have to do this again each time you go to your site. If you enter the wrong credentials, leave off the domain name, or type the wrong slash, the box will reappear a total of three times. If you never get it typed correctly, you will receive a generic black and white error message stating that ‘You are not authorized to view this page’ (see example below).
If you are experiencing this combination of symptoms, you probably need to adjust your Internet Explorer Security Settings. Even if you are unsure if your symptoms exactly match – this is a good place to start troubleshooting.
In a nutshell, the SharePoint site(s) must be added to either the Local Intranet zone or to the Trusted Sites zone on the client PC. Most users are familiar with the Trusted Sites zone, and may already use it for some things. However, the default settings in Internet Explorer don’t always allow automatic login in the Trusted Sites zone – especially in IE7. Explorer won’t allow a site to be in both zones, so I recommend a package of settings to make sure that authentication continues to work. The good news is if you have Domain Admin privileges you can control all of these settings centrally by using Active Directory and Group Policy – more on that later.
- Open IE on your computer, go to TOOLS > INTERNET OPTIONS, and then choose the Security tab.
- Click on the ‘Local Intranet’ zone icon, and then the Sites button.
- That will give you a second box, where you must click the Advanced button before entering and adding the site URL(s) – see pictures below.
If you get an error when you click the Add button, you probably need to uncheck the ‘Require server verification (https:) for all sites in this zone’ box. Then try again.
You should add each SharePoint portal / web application to this list, or use a domain wildcard entry (http://*.domain) if that is acceptable and relevant in your environment.
If users are able to type a short NetBIOS style name (without any domain name) for any portal, the short names should also be added.
If SSL encryption is sometimes used for any portal / web application, you should add the name(s) twice – once with the http: prefix and again with the https: prefix.
- Click Close and then OK, and you should find yourself back on the Security tab.
(If you are looking for a quick fix, this alone might take care of the problem. Again though, I recommend following the rest of these steps to prevent things from ‘breaking’ again later.)
- We should now adjust the default security settings for each zone to allow for future user changes. The easiest way to do this is to set the ‘Local Intranet’ and the ‘Trusted Sites’ zones to the Low security level without Protected Mode, the ‘Restricted Sites’ to the High security level with Protected Mode, and the ‘Internet’ zone to the Medium-High level with Protected Mode (click each zone icon and then move the slider all the way down for each – see picture below).
If you don’t see the slider at all, click the ‘Default level’ button. That should bring the slider back.
Protected Mode is actually not directly related to the login process, but will simplify the use of some SharePoint integration features. If you uncheck ‘Protected Mode’ for the ‘Local Intranet’ zone, you will likely receive a dire-looking warning box when you click OK. You’ll have to use your own discretion as to whether this setting is appropriate for your end users.
Some administrators or users may not want to apply the entire package of settings incorporated in the Low setting. You can make a more surgical strike by using the ‘Custom level…’ button. The relevant setting in the Custom box is at the very bottom of the list of options. It’s called ‘Automatic logon with current user name and password’ (see picture below).
- Click OK to exit the Internet Options box, and then close all Internet Explorer windows.
- Open a new Explorer window and browse to your SharePoint site. You should be logged in automatically using your Windows credentials.
If you still receive the login prompt, you apparently have one of the other issues listed at the end of this post.
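To check what the steps above actually left on a client PC, the following read-only PowerShell script lists each zone's security level, logon option and Protected Mode state, and then every site mapped into a zone along with whether that zone hands over Windows credentials without a prompt. It is an added example, not part of the original post; it reads only the per-user settings under HKCU (where the Internet Options dialog writes) and does not cover settings enforced through policy keys.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
$base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones  = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$levels = @{ 0 = 'Custom'; 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
             0x11500 = 'Medium-high'; 0x12000 = 'High' }
# Value 1A00 is the "User Authentication > Logon" option in the Custom level box.
$logon  = @{ 0x00000 = 'Automatic logon with current user name and password'
             0x10000 = 'Prompt for user name and password'
             0x20000 = 'Automatic logon only in Intranet zone'
             0x30000 = 'Anonymous logon' }

function Resolve-Setting($Value, $Map) {
    if ($null -eq $Value) { return 'not set for this user' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return ('0x{0:X}' -f [int]$Value)          # unknown value: show it raw
}

function Test-AutoLogon([int]$Zone) {
    # True when the zone sends the logged-on user's credentials without prompting.
    $v = (Get-ItemProperty "$base\Zones\$Zone" -ErrorAction SilentlyContinue).'1A00'
    ($null -ne $v) -and (($v -eq 0) -or ($v -eq 0x20000 -and $Zone -eq 1))
}

function Get-ZoneSummary {
    foreach ($z in 1..4) {
        $p = Get-ItemProperty "$base\Zones\$z" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone          = $zones[$z]
            Level         = Resolve-Setting ($p.CurrentLevel) $levels
            Logon         = Resolve-Setting ($p.'1A00') $logon
            ProtectedMode = Resolve-Setting ($p.'2500') @{ 0 = 'On'; 3 = 'Off' }
        }
    }
}

function Get-ZoneSiteMap {
    # Subkeys are host labels under their parent domain; value names are protocols.
    Get-ChildItem "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)
        foreach ($proto in ($key.GetValueNames() | Where-Object { $_ })) {
            $zone = [int]$key.GetValue($proto)
            [pscustomobject]@{ Site = $parts -join '.'; Protocol = $proto
                               Zone = $zones[$zone]; AutoLogon = Test-AutoLogon $zone }
        }
    }
}

Get-ZoneSummary | Format-Table -AutoSize
Get-ZoneSiteMap | Sort-Object Zone, Site | Format-Table -AutoSize
```

Rows where AutoLogon is True and Protocol is `http` or `*` are the ones worth reviewing, since those sites receive the Windows logon exchange over an unencrypted connection.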
If you are a Domain Admin, you probably want to apply these settings to all of your users. That way they can quit calling you about it and move on to other problems… This can be done by using Active Directory Group Policies.
- Log in to your domain controller using an account that has domain admin privileges, and perform the steps listed above to create the appropriate package of settings. The following steps allow you to import that package of settings into Group Policy.
- Go to CONTROL PANEL > ADD OR REMOVE PROGRAMS > ADD/REMOVE WINDOWS COMPONENTS > INTERNET EXPLORER ENHANCED SECURITY CONFIGURATION.
- Uncheck the Internet Explorer Enhanced Security Configuration option, and click Next until the wizard completes. This option can be re-enabled after step 10??, if you want or if your corporate policy requires it.
- Go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.
- Right-click your domain name (or whichever Organizational Unit contains the users to which you wish to apply this fix), and choose Properties.
- Click the ‘Group Policy’ tab, and then the New button. Type in a descriptive name for the New Group Policy Object that appears.
- Make sure that your new policy is selected and click the Edit button.
- Drill down to USER CONFIGURATION > WINDOWS COMPONENTS > INTERNET EXPLORER MAINTENANCE > SECURITY > SECURITY ZONES AND CONTENT RATINGS.
- When you click the button labeled ‘Import the current security zones and privacy settings’, you will likely receive a warning about ‘Internet Explorer Enhanced Security Configuration’.
This is why we disabled the enhanced configuration in step 3, so that this policy would apply to normal workstations. Click Continue.
- Close all open windows.
You can now go back to the ‘Add/Remove Windows Components’ box and re-enable the Internet Explorer Enhanced Security Configuration if you wish.
The changes will take time to replicate through your entire network or enterprise, depending on your particular Active Directory replication topology. In a single-site network, you may see the changes take effect within 15 to 90 minutes. In multi-site networks, it may take a day or more.
This package of settings could also be rolled out via Microsoft SMS server instead of Group Policy. However, SMS is certainly not my area of expertise, so I’ll just mention that it’s possible. I have personally used the above Active Directory Group Policy method with very good results. Even after all of your desktop clients receive the settings, you may still have a few users report login problems. If that is the case for you, stay tuned for my next post regarding Issues 2 and 3 that relate to login issues.