Thursday, June 19, 2008

How do I make our SharePoint site stop asking me to login? – Part II


In most environments, SharePoint sites should automatically log you in via your existing Windows credentials without ever asking who you are. So, if you receive the little pop-up login box – it means you have one or more of three separate issues. The symptoms for these three issues are similar, but there are differences to help you figure out which specific issue you are having. Of course, you could have a combination of issues… In my previous post, I detailed how to set the Internet Explorer Security Settings to enable automatic login to sites using the current Windows credentials. In this post, I will attempt to explain how the other two possible issues can be identified and addressed.

ISSUE #2 – Your current user account has not been given permission to the SharePoint site, page, or list you are trying to access.

SYMPTOMS: You have already performed the steps listed in ISSUE #1 – Internet Explorer Security Settings, and you continue to receive the login prompt.

It is likely that your current Windows user account has not been given permission to access the site. This issue is most common if you are working from home (or another external computer) where you are logged into your computer with a non-domain account. There’s not much you can do to prevent this one – you’ll just have to login manually when you first browse to the site. After that you should not be asked to login again until you close Internet Explorer.

This scenario is also common when you are accessing a SharePoint site / page / list for the first time or after the Site Owner has reconfigured security. In this case, you will receive the login prompt 3 times, and then a full-color SharePoint error page will appear telling you that you are not authorized. If you experience this variation, either the Site Owner or the SharePoint Admin will have to verify the SharePoint permissions to make sure that the appropriate permissions are applied for you.

ISSUE #3 – You have checked the little ‘remember my password’ box, and then your password has changed since.

SYMPTOM: The login prompt is coming up every time you click a link within the site. When you enter a valid username and password, the page loads. However, it comes up again on every new page you visit. As a side-effect, sometimes your Windows user account will get locked out after a few pages.

This repeating login box is caused by a stored password that is no longer valid, and happens because the user has at some time checked the box to ‘Remember my password’ when they were logging in. It seems like a good idea at the time, but then it comes back to bite you later when your password expires or is otherwise reset. Windows automatically tries to use the stored credentials to login to the site again and again every time you try to open another page on that site, instead of using your current credentials as it normally would.

Removing these stored passwords is possible, but it can be a challenge if your domain security policies hide some of your Control Panel options. Here are a couple of ways to try:
  1. In Windows Vista, Open the Control Panel, and choose the ‘User Accounts’ applet.


  2. Click the link on the left side of the window that says ‘Manage your network passwords’.
  3. Select and Remove any sites that are related to your new password.

    In Windows XP, the path is slightly different: CONTROL PANEL > STORED USERNAMES AND PASSWORDS.

If you do not have the option you need in the Control Panel, there is a way to bring up the box via the Run box.

  1. Go to START > RUN.
  2. Type the following:

    rundll32.exe keymgr.dll,KRShowKeyMgr

If you are a domain administrator you can make a central setting with Active Directory Group Policy to disable the use of the 'Remember my password' feature, which is a good idea not only for SharePoint login purposes, but also for general network security concerns.

  1. Logon to a domain controller and go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.

  2. Right-click the domain name (or the Organizational Unit that contains the users you wish to control), and choose Properties.

  3. Go to the 'Group Policy' tab, and edit the policy you created earlier for the IE Security Settings.

  4. Drill down to: COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS.

  5. Enable the setting called 'Network Access: Do not allow storage of credentials or .Net Passports for network authentication'.

  6. Close all open windows, and wait for the changes to replicate through your environment.

One or more of these issues has been the culprit in every instance of login problems that I’ve ever had to troubleshoot. If you have domain admin level privileges in your network, you can greatly decrease support calls and increase user adoption by implementing the Group Policy changes detailed in Issues 1 and 3. It is well worth the effort.

If your automatic login is working from Internet Explorer but not from your Office programs, take a look at this post.

Post a Comment