Alexander’s Blog

June 14, 2011

Eliminating Authentication Prompts in a SharePoint Environment

by @ 6:45 am. Filed under Articles, ISA Server, SharePoint, Tips & Tricks, Windows 7, Windows Vista

Authentication prompts have been a pain in the neck for a lot of SharePoint users over the years both in SharePoint 2007 and SharePoint 2010 environments. There are several reasons for the prompts. I can’t cover all the possible solutions but I have documented multiple solutions to different authentication prompt issues.

Problem

In SharePoint 2010, you have multiple site collections on your intranet that you access on a regular basis. When you access these sites remotely from an external network and connect to the first site, you are prompted for authentication. You log on successfully. Then you try to connect to the second, third and fourth Site Collection but you are prompted for authentication each time. You want to have access to all the sites without being prompted for authentication each time.

Solution

Add the intranet sites to the Local intranet zone in Internet Explorer (IE).

  1. In IE8 or IE9 go to Tools, Internet Options, Security tab, Local intranet, Sites, Advanced and add all the Site Collections to the zone.
  2. Click close three times to close all windows.
  3. Restart Internet Explorer.

Now once you log on to the first intranet site, you should be able to access all the other sites in different Site Collections without entering your username and password.

NOTE: There are lots of other scenarios where you may experience multiple authentication prompts and depending on the scenario you may have to use a different solution. One setting that you should be aware of is located in the Internet Explorer’s options.

  1. Go to Tools, Internet options, and select the Security tab.
  2. Select the appropriate zone (e.g. Internet zone).
  3. Click Custom level.
  4. In the User Authentication section select the appropriate setting (e.g. Automatic logon with current user name and password).
  5. Click OK twice.

NOTE: You can deploy this setting to client computers using Group Policy. Go to User Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone. In the right-hand pane locate “Logon options” and double-click it. First enable the option and then in the drop-down box select the option “Automatic logon with current username and password.” On the client computer run gpupdate /force at the command prompt to refresh the Group Policy.

Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer

There is another issue that you may run into that is documented in the KB article 943280. Sometimes you may get prompted for authentication when you open a Microsoft Office document in SharePoint. Here are the steps documented in the KB article 943280 to resolve the issue in Windows 7 clients.

  1. Click Start, type regedit in the Start Search box, and then press ENTER.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
  3. On the Edit menu, point to New, and then click Multi-String Value.
  4. Type AuthForwardServerList, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the URL of the server that hosts the Web share, and then click OK. Note: You can also type a list of URLs in the Value data box. Here’s a sample.

    https://*.Contoso.com

    http://*.dns.live.com

    *.microsoft.com

    https://172.169.4.6

  7. Exit Registry Editor.
  8. After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

    Note You have to restart the WebClient service after you modify the registry.

    Things to avoid in the URL list

    • Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.
      http://*.dns.live.*
    • Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
      • http://*Contoso.com
        In this example, the service also sends user credentials to http://extra_charactersContoso.com
      • http://Contoso*.com
        In this example, the service also sends user credentials to http://Contosoextra_characters.com
    • In the URL list, do not type the UNC name of a host. For example, do not use the following:
      *.contoso.com@SSL
    • In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
      • http://*.dns.live.com/DavShare
      • http://*dns.live.com:80
    • Do not use IPv6 in the URL list.

    Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

NOTE: You can deploy the above setting to clients using Group Policy.
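A small linter that applies the "things to avoid" rules above to candidate AuthForwardServerList entries before the list is pushed to clients. This is an added example, not code from KB 943280 or from the original post; the function names and rule labels are assumptions, and the entries it is shown against are the ones quoted on this page plus one constructed IPv6 literal.

```python
import re

# Rule labels are this example's own wording for the "things to avoid" list.
TRAILING_STAR = "asterisk at the end of the URL"
PARTIAL_STAR = "asterisk directly before or after a string"
UNC_NAME = "UNC host name (for example @SSL)"
SHARE_NAME = "share name or path"
PORT = "port number"
IPV6 = "IPv6 address"


def lint_entry(entry):
    """Return the rules from the list above that a single entry breaks."""
    problems = []
    # The scheme is optional: "*.microsoft.com" is one of the sample values.
    rest = re.sub(r"^https?://", "", entry.strip(), flags=re.IGNORECASE)

    host, _slash, path = rest.partition("/")
    if path:
        problems.append(SHARE_NAME)
    if "@" in rest:
        problems.append(UNC_NAME)
    # A bracketed literal or more than one colon cannot be host[:port].
    if "[" in host or host.count(":") > 1:
        return problems + [IPV6]

    host, colon, _port = host.partition(":")
    if colon:
        problems.append(PORT)
    if host.endswith("*"):
        problems.append(TRAILING_STAR)
    # "*" is only acceptable as a whole label, as in "*.contoso.com".
    if any("*" in label and label != "*" for label in host.split(".")):
        problems.append(PARTIAL_STAR)
    return problems


def lint_list(entries):
    """Map each rejected entry to its problems; clean entries are omitted."""
    report = {}
    for entry in entries:
        problems = lint_entry(entry)
        if problems:
            report[entry] = problems
    return report


if __name__ == "__main__":
    candidates = [
        "https://*.Contoso.com", "*.microsoft.com", "https://172.169.4.6",
        "http://*.dns.live.*", "http://*Contoso.com", "*.contoso.com@SSL",
        "http://*.dns.live.com/DavShare", "http://*dns.live.com:80",
        "http://[2001:db8::1]",  # constructed IPv6 documentation address
    ]
    for entry, problems in lint_list(candidates).items():
        print(f"{entry}: {', '.join(problems)}")
```

Because there is no deny list, an entry that passes this check still forwards credentials to every host it matches, so the narrowest pattern that covers the WebDAV servers is the one to deploy.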

Disabling Authentication Prompts in SharePoint 2010

In SharePoint 2010, another thing you can try to disable authentication prompts is to modify the Web.config file.

    <system.webServer>
      <security>
        <requestFiltering allowDoubleEscaping="true">
          <!-- Reject the OPTIONS and PROPFIND verbs; unlisted verbs stay allowed -->
          <verbs allowUnlisted="true">
            <add verb="OPTIONS" allowed="false" />
            <add verb="PROPFIND" allowed="false" />
          </verbs>
        </requestFiltering>
      </security>
    </system.webServer>

Disable “Remember my credentials” Option

If the users check the option “Remember my credentials” and then they change their password, they will keep getting prompted for authentication. It is not a good idea to remember passwords for security reasons and when working with SharePoint you might want to disable this feature. You can disable this feature using a Group Policy. Open the Group Policy (e.g. Default Domain Policy) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable the setting “Network access: Do not allow storage of passwords and credentials for network authentication.”

Use Credential Manager in Windows 7

Yet another method to avoid authentication prompts is to use Windows 7's Credential Manager. Go to Control Panel -> User Accounts and in the upper left-hand corner select Manage your credentials.

Select Add a Windows credential and provide the logon information.

There is no need to reboot the computer. You should be able to access the site in your browser without being prompted for logon credentials.

Additional References

Here are some additional references that you may find useful.

  1. Authentication requests when you open Office documents
  2. Office 2003/2007 Integration and Forms based authentication (FBA) with SharePoint (MOSS)
  3. Unable to “Check Out” a Document in MOSS 2007 Published Through ISA Server 2006
  4. Understand duplicate authentication prompts ISA 2006 publishing MOSS using FBA

Updated: March 22, 2012

http://blogs.technet.com/b/isablog/archive/2009/06/23/understand-duplicate-authentication-prompts-isa-2006-publishing-moss-using-fba.aspx

Copyright ©2011 Zubair Alexander. All rights reserved.

September 16, 2010

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator.

by @ 10:30 am. Filed under ISA Server, SharePoint, Tips & Tricks

The other day I was working on my Microsoft Office SharePoint Server (MOSS) 2007 and discovered that when I clicked on a new content type that I created, it gave me the following error in my browser.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator.

First I looked at various settings on my SharePoint server just to make sure that everything was in order. I couldn’t find anything suspicious on the server so I proceeded to the next step and looked into the error message. The error indicated that my request was rejected by the HTTP filter so I knew I had to troubleshoot the problem on my ISA Server 2006, which filters the HTTP requests. After doing a little bit of research I discovered that clearing the option to verify normalization might help solve my problem, and luckily it did. Normalization is the process of decoding URL-encoded requests. By clearing this option, I would not be blocking requests with URLs that contain escaped characters after normalization. Here’s the step-by-step procedure.

  1. Start ISA Server 2006 Management Console.
  2. Go to the Firewall Policy.
  3. Right-click the Web policy rule that allows access to the SharePoint server and select Configure HTTP.
  4. Clear the box Verify normalization, as shown below.
  5. You don’t have to change the option to Block high bit characters as shown in the screen shot. You can leave it to the default option on your server. On my server I have selected the option to specify that URLs with high-bit characters are blocked because it can help block some attacks on Web servers running Internet Information Services (IIS). The downside to selecting this option is that it may also block requests and responses that contain characters from one of several languages that require high-bit characters.
  6. Apply the change made to your ISA Server 2006 and the error on your SharePoint server should go away immediately.

If you are curious about the verify normalization option, here’s some more information from Microsoft TechNet.

Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.

Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid. When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.

Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %.
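The check described in the excerpt above, modelled as an added example: decode the URL once, decode the result again, and reject if the second pass changes anything. This is not ISA Server's code or anything from the original post; the function names and the sample URLs other than the excerpt's own My%20Dir request are constructed for illustration.

```python
from urllib.parse import unquote


def normalize(url):
    """One normalization pass: decode every valid %XX escape."""
    # latin-1 maps each decoded byte to exactly one character, so a pass
    # never substitutes or fails on bytes that are not valid UTF-8.
    return unquote(url, encoding="latin-1")


def verify_normalization(url):
    """Accept (True) only if a second normalization pass changes nothing."""
    once = normalize(url)
    return normalize(once) == once


# Constructed sample requests; myserver is the excerpt's placeholder host.
SAMPLES = {
    # %20 decodes to a space and the result holds no further escapes.
    "single-encoded space": "http://myserver/My%20Dir/My%20File.htm",
    # %25 decodes to "%", leaving %20 to be decoded by a second pass.
    "double-encoded space": "http://myserver/My%2520Dir/My%2520File.htm",
    # File literally named "50%off.htm": "%of" is not a valid escape.
    "literal % before non-hex text": "http://myserver/docs/50%25off.htm",
    # File literally named "5%ABV.htm": "%AB" looks like an escape.
    "literal % before hex digits": "http://myserver/docs/5%25ABV.htm",
}


def classify(samples):
    """Return 'accept' or 'reject' for each labelled sample URL."""
    return {
        label: "accept" if verify_normalization(url) else "reject"
        for label, url in samples.items()
    }


if __name__ == "__main__":
    for label, verdict in classify(SAMPLES).items():
        print(f"{verdict:6}  {label}: {SAMPLES[label]}")
```

The last two samples show the false-positive case the excerpt warns about: a correctly encoded literal % is rejected only when the two characters after it happen to be hex digits, which is why the symptom appears on some URLs and not others.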

Best Practices

  1. As a best practice, always make sure that you document the changes made to your server. Documenting server configuration takes a little bit of your time but it can save you hours or even days or weeks at a later time.
  2. When you create a SharePoint site, list or library, make sure that you do not use a space. You can always go back and create spaces in the name after the fact to make it more readable. By using this method, the URL will not contain the extra “garbage” %20 characters and your users will still be able to find your list and library names readable. Spaces in SharePoint URLs cause several potential problems. The space character is replaced with %20. Not only does it make the URL difficult to read, it also increases the length of the URL, which may cause you to go over the upper limit. For example, a file or folder name in a URL cannot contain more than 128 characters in WSS 2.0/3.0 and MOSS. Although SharePoint URLs can be up to 260 characters, as a best practice I discourage people from using more than 256 characters because link list items cannot be more than 256 characters.
  3. Keep the names of your SharePoint sites, lists and libraries short. Instead of creating a library called Human Resources, call it HR. After creating the library you can change the name under Title and Description to Human Resources. Moral of the story: Avoid spaces in SharePoint URLs and be happy!

July 12, 2010

Evaluation Copies of Microsoft Products

by @ 7:33 am. Filed under Applications, Exchange/Outlook, ISA Server, Microsoft Office, SQL Server, Security/Firewalls, SharePoint, Virtualization, Windows 2008, Windows 7, Windows Home Server

My students are always asking me where to get the evaluation copies of various Microsoft products. I’ve put together a list of some of the latest software evaluation downloads. My goal is to try and keep this list updated but frankly it is going to be challenging because Microsoft is known for changing the URLs without any redirection. Here is a list of either free or trial editions of some of the popular Microsoft products. A typical Microsoft evaluation software includes a 180-day trial but some are limited to 60 or 90 days.

  1. Exchange Server 2010 (120-Day Trial)
  2. Exchange Server 2013 (180-day Trial)
  3. Forefront Threat Management Gateway (TMG) 2010 (180-day Trial)
  4. Internet Security and Acceleration (ISA) Server 2006 (180-day Trial)
  5. Office 365 Pro Plus Preview
  6. Office Communications Server 2007 R2 (180-Day Trial)
  7. Office Professional Plus 2010 (60-day Trial)
  8. Project Professional 2010 (60-day Trial)
  9. Project Professional 2013 (60-day Trial)
  10. Project Server 2013 (180-day Trial)
  11. SharePoint Foundation 2010 (Free)
  12. SharePoint Server 2010 (180-day Trial)
  13. SharePoint Server 2013 (180-day Trial)
  14. Small Business Server 2008 (60-day Trial)
  15. SQL Server 2008 Enterprise (180-day Trial)
  16. SQL Server 2008 R2 (180-day Trial)
  17. SQL Server 2012 (180-day Trial)
  18. System Center Data Protection Manager 2010 (180-day Trial)
  19. System Center Essentials 2010 (180-day Trial)
  20. System Center Virtual Machine Manager 2008 R2 (180-day Trial)
  21. Visio Premium 2010 (60-day Trial)
  22. Visio Professional 2013 (60-day Trial)
  23. Windows 7 Enterprise (90-day Trial)
  24. Windows 8 (90-day Trial)
  25. Windows Server 2008 R2 (180-day Trial)
  26. Windows Server 2012 (180-day Trial)

WARNING! I should warn you that sometimes when you download a trial software you may think that you are opting out of receiving phone calls and e-mails from Microsoft but you are not. For more information read my blog post: When Microsoft Says No, It May Mean Yes.

Microsoft offers more free products to consumers than any software manufacturer I know. And I am not talking about free evaluation software, I am talking about free tools, utilities and various products and services. Besides software, Microsoft offers these free TechNet and MSDN labs. These are a series of guided, hands-on labs which can be completed in 90 minutes or less. SharePoint Foundation 2010, which I included in the above list for convenience, is a free product from Microsoft. In the past, it was known as Windows SharePoint Services (WSS).

Updated: May 27, 2011

Last Updated: December 12, 2012

November 28, 2008

Unable to “Check Out” a Document in MOSS 2007 Published Through ISA Server 2006

by @ 7:17 am. Filed under ISA Server, Security/Firewalls, SharePoint, Tips & Tricks

Microsoft ISA Server blog has posted an article on this topic that goes into details on how to deal with this issue of not being able to check out a document in MOSS 2007. Here’s an excerpt:

“Troubleshooting SharePoint/MOSS 2007 publishing through ISA Server can be really challenging, mainly because most of the times the argument is: but it works just fine internally. Although this can be a good argument it doesn’t prove that the issue is on ISA Server. The reason why it doesn’t prove is because most of the time while publishing MOSS 2007 through ISA Server 2006 the Alternate Access Mappings is controlled by MOSS. This is a key element in this type of publishing scenario, so before we move further on this issue I strongly recommend you to read the following article: Plan alternate access mappings (Office SharePoint Server). This article has all the concepts that you need to plan your AAM without hurting your publishing rule through ISA Server.”

Read the rest of the article here.

September 9, 2008

How to Change the Host Header of a MOSS Site

by @ 10:12 am. Filed under Articles, IIS, ISA Server, Internet/Web, SharePoint, Tips & Tricks, Windows 2008, Windows XP

If you’ve configured your SharePoint site with a specific URL (host header), e.g. http://webportal, and then later decided that you want to change it to another URL, such as sharepoint.seattlepro.com, you can use the Alternate Access Mapping feature of Microsoft Office SharePoint Server (MOSS) 2007. Here’s how.

1. Start SharePoint 3.0 Central Administration.

2. Click on the Operations tab.

3. Under Global Configuration section click on Alternate access mappings.

4. Click on Show All in the upper right-hand corner and then click on Change Alternate Access Mapping Collection.

5. From Select An Alternate Access Mapping Collection window, click the URL that you would like to change, e.g. http://webportal.

6. Click Edit Public URLs.

7. Change the URL listed in the Default box to the one you want. For example, change it from http://webportal to http://sharepoint.seattlepro.com.

Changing host header of a SharePoint site
8. Click Save.

9. The next step is to update the information in Internet Information Services (IIS). Start IIS Manager. In our example, we will assume you are running IIS 7.

10. Highlight the Web site whose URL you want to change.

11. In the Actions pane click Bindings (or right-click the Web site and select Edit Bindings).

12. Highlight the entry in the Edit Site Binding window and then click Edit.

13. In the Host Name box enter the new URL that you would like to use. For example, sharepoint.seattlepro.com.

Modifying site binding for a SharePoint site

14. Click OK, then click Close.

15. Go to the command prompt and run iisreset to restart Internet services.

16. You should now be able to use the new host header and access the site with the new URL (e.g. http://sharepoint.seattlepro.com).

NOTE: If your Web site needs to be accessible from the Internet and you are using Microsoft ISA Server, or another firewall, you need to make sure that you update the DNS server and the ISA Server rule that allows you to access the Web site from the external network. For example, you need to add a host record for sharepoint.seattlepro.com in a DNS server that is accessible from the Internet and add the URL sharepoint.seattlepro.com on the Public Name tab of the ISA Server rule that is publishing the Web site.

Using Alternate Access Mapping to Configure a Different URL for Internal Use

If you want to use a different URL for the intranet site internally (e.g. http://intranet), you can add that URL in step 6. On the Alternate Access Mappings page, instead of clicking on Edit Public URLs, click on the link Add Internal URLs. In the Add Internal URL box type the URL that you want to add, e.g. http://intranet, then click Save. You still need to go to IIS Manager and in step 13 add a Site Binding for intranet. Your site bindings will look like this. Notice that you don’t need to type http:// in the Host Name box. Simply type the host header that you want to use (in our case it’s intranet).

Make sure you don’t forget step 15 after modifying the bindings. That’s it. Now your users can access the intranet site internally by typing http://intranet and externally by typing http://intranet.seattlepro.com.

This is one of many examples of how Alternate Access Mappings can be used in MOSS 2007. It demonstrates how the end user may type a different URL to access the site than the URL that is received by the Internet Information Services (IIS). With Alternate Access Mapping you can also associate multiple internal URLs with a single public URL, using one of 5 different authentication zones: Default, Intranet, Internet, Custom, and Extranet.



Copyright ©2008 Zubair Alexander. All rights reserved.
