Tuesday, June 17, 2008

How do I make our SharePoint site stop asking me to login? – Part I


This was one of the most common user requests I got during my system admin days. I was recently asked again by a student in one of my classes, so I thought it would be a good candidate for my first blog post here. In most environments, SharePoint sites should automatically log you in via your existing Windows credentials without ever asking who you are. So, if you receive the little pop-up login box – it means you have one or more of three separate issues. The symptoms for these three issues are similar, but there are differences to help you figure out which specific issue you are having. Of course, you could have a combination of issues… I’ll address the first and most common issue in this post, and then I’ll cover the other two in a later post.

ISSUE #1 – Internet Explorer Security Settings


SYMPTOM: Whenever you browse to your SharePoint site, the little popup dialog box appears asking for your user name and password. If you enter your credentials, it lets you enter the site – it’s just annoying to have to do this again each time you go to your site. If you enter the wrong credentials, leave off the domain name, or type the wrong slash, the box will reappear a total of three times. If you never get it typed correctly, you will receive a generic black and white error message stating that ‘You are not authorized to view this page’ (see example below).



If you are experiencing this combination of symptoms, you probably need to adjust your Internet Explorer Security Settings. Even if you are unsure if your symptoms exactly match – this is a good place to start troubleshooting.

In a nutshell, the SharePoint site(s) must be added to either the Local Intranet zone or to the Trusted Sites zone on the client PC. Most users are familiar with the Trusted Sites zone, and may already use it for some things. However, the default settings in Internet Explorer don’t always allow automatic login in the Trusted Sites zone – especially in IE7. Explorer won’t allow a site to be in both zones, so I recommend a package of settings to make sure that authentication continues to work. The good news is if you have Domain Admin privileges you can control all of these settings centrally by using Active Directory and Group Policy – more on that later.


  1. Open IE on your computer, go to TOOLS > INTERNET OPTIONS, and then choose the Security tab.
  2. Click on the ‘Local Intranet’ zone icon, and then the Sites button.


  3. That will give you a second box, where you must click the Advanced button before entering and adding the site URL(s) – see pictures below.



    If you get an error when you click the Add button, you probably need to uncheck the ‘Require server verification (https:) for all sites in this zone’ box. Then try again.

    You should add each SharePoint portal / web application to this list, or use a domain wildcard entry (http://*.domain) if that is acceptable and relevant in your environment.

    If users are able to type a short NetBIOS style name (without any domain name) for any portal, the short names should also be added.

    If SSL encryption is sometimes used for any portal / web application, you should add the name(s) twice – once with the http: prefix and again with the https: prefix.

  4. Click Close and then OK, and you should find yourself back on the Security tab.
    (If you are looking for a quick fix, this alone might take care of the problem. Again though, I recommend following the rest of these steps to prevent things from ‘breaking’ again later.)

  5. We should now adjust the default security settings for each zone to allow for future user changes. The easiest way to do this is to set the ‘Local Intranet’ and the ‘Trusted Sites’ zones to the Low security level without Protected Mode, the ‘Restricted Sites’ to the High security level with Protected Mode, and the ‘Internet’ zone to the Medium-High level with Protected Mode (click each zone icon and then move the slider all the way down for each – see picture below).



    If you don’t see the slider at all, click the ‘Default level’ button. That should bring the slider back.

    Protected Mode is actually not directly related to the login process, but will simplify the use of some SharePoint integration features. If you uncheck ‘Protected Mode’ for the ‘Local Intranet’ zone, you will likely receive a dire-looking warning box when you click OK. You’ll have to use your own discretion as to whether this setting is appropriate for your end users.

    Some administrators or users may not want to apply the entire package of settings incorporated in the Low setting. You can make a more surgical strike by using the ‘Custom level…’ button. The relevant setting in the Custom box is at the very bottom of the list of options. It’s called ‘Automatic logon with current user name and password’ (see picture below).


  6. Click OK to exit the Internet Options box, and then close all Internet Explorer windows.

  7. Open a new Explorer window and browse to your SharePoint site. You should be logged in automatically using your Windows credentials.

    If you still receive the login prompt, you apparently have one of the other issues listed at the end of this post.

If you are a Domain Admin, you probably want to apply these settings to all of your users. That way they can quit calling you about it and move on to other problems… This can be done by using Active Directory Group Policies.

  1. Log in to your domain controller using an account that has domain admin privileges, and perform the steps listed above to create the appropriate package of settings. The following steps allow you to import that package of settings into Group Policy.

  2. Go to CONTROL PANEL > ADD OR REMOVE PROGRAMS > ADD/REMOVE WINDOWS COMPONENTS > INTERNET EXPLORER ENHANCED SECURITY CONFIGURATION.


  3. Uncheck the Internet Explorer Enhanced Security Configuration option, and click Next until the wizard completes. This option can be re-enabled after step 10, if you want or if your corporate policy requires it.

  4. Go to START > ALL PROGRAMS > ADMINISTRATIVE TOOLS > ACTIVE DIRECTORY USERS AND COMPUTERS.

  5. Right-click your domain name (or whichever Organizational Unit contains the users to which you wish to apply this fix), and choose Properties.

  6. Click the ‘Group Policy’ tab, and then the New button. Type in a descriptive name for the New Group Policy Object that appears.


  7. Make sure that your new policy is selected and click the Edit button.

  8. Drill down to USER CONFIGURATION > WINDOWS COMPONENTS > INTERNET EXPLORER MAINTENANCE > SECURITY > SECURITY ZONES AND CONTENT RATINGS.


  9. When you click the button labeled ‘Import the current security zones and privacy settings’, you will likely receive a warning about ‘Internet Explorer Enhanced Security Configuration’.



    This is why we disabled the enhanced configuration in step 3, so that this policy would apply to normal workstations. Click Continue.

  10. Close all open windows.

    You can now go back to the ‘Add/Remove Windows Components’ box and re-enable the Internet Explorer Enhanced Security Configuration if you wish.

    The changes will take time to replicate through your entire network or enterprise, depending on your particular Active Directory replication topology. In a single-site network, you may see the changes take effect within 15 to 90 minutes. In multi-site networks, it may take a day or more.

This package of settings could also be rolled out via Microsoft SMS server instead of Group Policy. However, SMS is certainly not my area of expertise, so I’ll just mention that it’s possible. I have personally used the above Active Directory Group Policy method with very good results. Even after all of your desktop clients receive the settings, you may still have a few users report login problems. If that is the case for you, stay tuned for my next post regarding Issues 2 and 3 that relate to login issues.

16 comments:

Anonymous said...

Thank you very much. We were having the same issues in our company. Ever since we put sharepoint server in the DMZ, it started asking for userid and password. I made browser setting changes, just like you said, it fixed our issue. Thanks again.

Brian Pulliam said...

This worked great for us in IE7 but our IE6 installs are not working right....

I checked and sure enough, the site address is in the "intranet" zone, and the rules on the browser say auto login, but no go....really odd...

Unknown said...

Well done!

With all of your solutions, this was able to handle nearly all of the problems my company had. Even though I implemented the IE intranet site settings through Group Policy, I still had to delete a few conflicting "trusted sites" by hand in order for the changes to work.

Ramesh Krishnan said...

Great Post. Is it possible to do this thru a small client that will run on the client machine (which is not connected to the domain, a single workgroup machine) so that they can access with entering multiple time credentials.

Thanks

Anonymous said...

Thanks for the post. I have been looking for more complex answers, but as always, it is the simple ones that provide the best solutions.

Unknown said...

I have found that something in the affected clients user profile was causing the credential challenge. I have had 3 users recently get challenged and so I renamed their user profile to user_old. Their new profile no longer prompts them. I can't explain though what is cached in the user profile that is causing it.

foothill_warrior said...

Thanks for the tip. This not only solved my Sharepoint logon issue but showed me a bit about the IE Security level slider which I really didn't understand how to use.

Unknown said...

Hello, I have configured my site to allow anonymous access, and we can browse the pages fine. What happens when you open a document (eg: Word document), the system asks for a login. If you click cancel the document opens correctly, so it is confusing and annoying. The login prompt could happen twice, is there anyway to stop this login prompt from happening?

j said...

I am also having the same issue. The site allows anonymous access, and we can browse the pages fine.
Using XP Client has no problem but when using windows 7 client, When we open the word document the system asks for a login. If you click cancel the document opens correctly. How to resolve this issue to stop this login prompt from happening?

Thanks for any advice / help /pointers.

Ricky Spears said...

j - You might be interested in this article (You are prompted to enter your credentials when you access an FQDN site from a computer that is running Windows Vista or Windows 7 and has no proxy configured):
http://support.microsoft.com/kb/943280/en-us

Caitlin said...

Thanks for this walk-through and for being VERY thorough in your instructions. For some reason it didn't prompt until after I load balanced my WFE...but it's super annoying especially when navigating across site collections.

Caitlin said...

Thank you for this, and for being so detailed in your explanation. We weren't getting prompted until I load balanced our WFE, and it became super annoying especially as you move across site collections. Great work.

TChoice said...

Thanks very much, it's working :-)

Unknown said...

Thanks- this was really bugging me. I had added the site to Trusted Sites, not Intranet sites- moved it to Intranet Sites, and all is now well!

Shayeste said...

Ok, this is not working for me. Because I got a sharepoint trial and did not buy it. However it keeps asking me to login. What can I do to stop it?

mag said...

Thanks a lot. I am new to SharePoint and your post solved my issues, when I installed SharePoint in my Windows 7.

Thanks a lot