Thursday, June 19, 2008

How do I make our SharePoint site stop asking me to login? – Part II


In most environments, SharePoint sites should automatically log you in via your existing Windows credentials without ever asking who you are. So, if you receive the little pop-up login box – it means you have one or more of three separate issues. The symptoms for these three issues are similar, but there are differences to help you figure out which specific issue you are having. Of course, you could have a combination of issues… In my previous post, I detailed how to set the Internet Explorer Security Settings to enable automatic login to sites using the current Windows credentials. In this post, I will attempt to explain how the other two possible issues can be identified and addressed.

ISSUE #2 – Your current user account has not been given permission to the SharePoint site, page, or list you are trying to access.

SYMPTOMS: You have already performed the steps listed in ISSUE #1 – Internet Explorer Security Settings, and you continue to receive the login prompt.

It is likely that your current Windows user account has not been given permission to access the site. This issue is most common if you are working from home (or another external computer) where you are logged into your computer with a non-domain account. There’s not much you can do to prevent this one – you’ll just have to log in manually when you first browse to the site. After that you should not be asked to log in again until you close Internet Explorer.

This scenario is also common when you are accessing a SharePoint site / page / list for the first time or after the Site Owner has reconfigured security. In this case, you will receive the login prompt 3 times, and then a full-color SharePoint error page will appear telling you that you are not authorized. If you experience this variation, either the Site Owner or the SharePoint Admin will have to verify the SharePoint permissions to make sure that the appropriate permissions are applied for you.

ISSUE #3 – You have checked the little ‘remember my password’ box, and your password has since changed.

SYMPTOM: The login prompt is coming up every time you click a link within the site. When you enter a valid username and password, the page loads. However, it comes up again on every new page you visit. As a side-effect, sometimes your Windows user account will get locked out after a few pages.

This repeating login box is caused by a stored password that is no longer valid, and happens because the user has at some time checked the box to ‘Remember my password’ when they were logging in. It seems like a good idea at the time, but then it comes back to bite you later when your password expires or is otherwise reset. Windows automatically tries to use the stored credentials to log in to the site again and again every time you try to open another page on that site, instead of using your current credentials as it normally would.

Removing these stored passwords is possible, but it can be a challenge if your domain security policies hide some of your Control Panel options. Here are a couple of ways to try:
  1. In Windows Vista, open the Control Panel and choose the ‘User Accounts’ applet.
  2. Click the link on the left side of the window that says ‘Manage your network passwords’.
  3. Select and remove any sites that are related to your new password.

In Windows XP, the path is slightly different: CONTROL PANEL > STORED USERNAMES AND PASSWORDS.

If you do not have the option you need in the Control Panel, there is a way to bring up the box via the Run box.

  1. Go to START > RUN.
  2. Type the following:

    rundll32.exe keymgr.dll,KRShowKeyMgr

If you are a domain administrator you can make a central setting with Active Directory Group Policy to disable the use of the 'Remember my password' feature, which is a good idea not only for SharePoint login purposes, but also for general network security concerns.

  1. Log on to a domain controller and go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.

  2. Right-click the domain name (or the Organizational Unit that contains the users you wish to control), and choose Properties.

  3. Go to the 'Group Policy' tab, and edit the policy you created earlier for the IE Security Settings.

  4. Drill down to: COMPUTER CONFIGURATION > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS.

  5. Enable the setting called 'Network Access: Do not allow storage of credentials or .Net Passports for network authentication'.

  6. Close all open windows, and wait for the changes to replicate through your environment.
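
The stored-password cleanup and the policy check from Issue #3 can also be scripted. The PowerShell below is an added example, not part of the original post: it assumes cmdkey.exe is available (Windows Vista and later), that its output is in English, and it uses the placeholder host name sharepoint.example.com. DisableDomainCreds is the registry value behind the Security Option enabled in step 5.

```powershell
# Added example: find (and optionally remove) stored credentials for one site,
# then report whether credential storage is disabled by policy.
param(
    [string]$SiteHost = 'sharepoint.example.com',  # placeholder host name
    [switch]$Remove                                # report only unless -Remove is given
)

# Turn the text output of `cmdkey /list` into objects (assumes English labels).
function ConvertFrom-CmdKeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($entry) { $entry }                 # emit the previous entry
            $raw  = $Matches[1]                    # e.g. "Domain:target=host"
            $name = if ($raw -match 'target=(.+)$') { $Matches[1] } else { $raw }
            $entry = [pscustomobject]@{ Target = $name; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    if ($entry) { $entry }
}

$stored = @(ConvertFrom-CmdKeyList -Lines (cmdkey.exe /list))
$hits   = @($stored | Where-Object { $_.Target -like "*$SiteHost*" })
if ($hits.Count -eq 0) { Write-Output "No stored credentials found for $SiteHost." }
foreach ($cred in $hits) {
    Write-Output ("Stored: {0} (user: {1}, type: {2})" -f $cred.Target, $cred.User, $cred.Type)
    if ($Remove) {
        # cmdkey /delete takes the target name exactly as it was stored
        cmdkey.exe "/delete:$($cred.Target)" | Out-Null
        Write-Output '  removed'
    }
}

# The Security Option from step 5 is stored as DisableDomainCreds (1 = enabled).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
           -Name DisableDomainCreds -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableDomainCreds -eq 1) {
    Write-Output 'Credential storage is disabled by policy.'
} else {
    Write-Output 'Credential storage is allowed: "Remember my password" can still save credentials.'
}
```

Run it without -Remove first to review what is stored; entries saved under a wildcard target will not match the host name filter and need to be checked by hand.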

One or more of these issues has been the culprit in every instance of login problems that I’ve ever had to troubleshoot. If you have domain admin level privileges in your network, you can greatly decrease support calls and increase user adoption by implementing the Group Policy changes detailed in Issues 1 and 3. It is well worth the effort.

If your automatic login is working from Internet Explorer but not from your Office programs, take a look at this post.

9 comments:

Steve said...

Thank you. Your two-part post on password changes solved my problem quickly.

I gave you credit for it on my new blog I decided to start: windrockcomputer.wordpress.com

I'll be back, you can be sure.

M Le said...

SharePoint keeps asking for Username and Password when you try to access some files or when you try to click on Edit Item, Delete Item Button, or some links.
Here might be a solution if all the steps he showed above don't work for you.

When you click a button (e.g. Edit Item, Delete Item, or any link) you are actually requesting JavaScript or any resource which is located on the server folder, not on SharePoint.
The reason you get prompted for USER and PASS is because you don't have permission to those files. For some reason the security setting for those files has been changed. You need to add the permission back.

SharePoint uses resources and JavaScript from a folder called _layouts; the main JavaScript is located under _layouts/1033.
Make sure that you have all read and execute permissions for each individual file in the 1033 folder.

Anonymous said...

Thanks for your explanation, I could erase my memory of unwanted passwords. This saved my day.

RdJ

Tripwire said...

Perhaps a Part III to this blog is in order. Parts I and II have dealt with the obvious but there are many more reasons why this can occur, not least of all due to SharePoint itself.

Security permissions on core directories as well as the default config settings in various XML files can also be to blame.

Raghu said...

I did a fresh installation of MOSS 2007 180 days trial in a standalone server with NTLM authentication enabled. I followed the instructions given in Ted Pattison's administration guide. I configured everything, started all services, created a new SSP, MySites etc. Finally I created a new web application and created a Team Site and added the entry in the hosts file. But when I open the site I'm being popped up with the login box three times (even if I enter the user credentials perfectly) and ultimately am being redirected to an error page where it says "you are not authorized to view this page". But the Central Administration site works fine. I've no clue about this problem. Any ideas?

Raghu said...

Got it working... There is a fix available to eliminate this problem. I downloaded that fix from Microsoft and now am not popped up with the login box three times...

Daniel Williams said...

Ok, so let's assume that you are on a completely different domain, across the country from the SharePoint site. And you're prompted to log in again and again. Maybe you are trying to use SP to actually collaborate.
Why does the person in the other domain keep getting login prompts?

How come MS make this so frustrating and difficult?

BGM said...

Hello! I have a similar, but different problem! I am the admin for the site, and am using a hosted SharePoint Services 2007. I have a user on a wireless network who can't even get a login box. I have followed all of your advice in Part I and Part II to no avail. I can log in from my own computer (different network) with his login. But he doesn't even *get* a login box. I've spent two weeks on this problem. My host provider says wireless connections are not being blocked, and the network administrators say there is no block. I am at a standstill with no solution! And I'm supposed to be IT. Please advise!

vapcguy said...

You have to make sure that the site security zone (Intranet, Trusted, Internet) does not have to automatically log the person in, if their password is expired or account is locked out (or both). When you flip the radio button to enable it to prompt for login, it should then appear. If the "Custom level" button is greyed out, you'll need to have the Admin create a new temp OU to put the workstation in, then do a "gpupdate /force" on a command line. Might have to reboot for it to take. Then you should be able to gain access to adjust the radio button. Then restart the browser and go to the site - it should prompt.