Integrated Authentication – Prompted for Credentials Anyway?

Many people have difficulty setting up the connection to SharePoint 2010 such that users are not prompted to enter their username and password. SharePoint does support integrated authentication, but there are a few settings that can interfere.

On the SharePoint side:
Try different configuration options in SharePoint. This is done through the SharePoint Central Administration website:

  • Central Administration > Application Management > Manage Web Applications
  • Choose a Web Application and click the Authentication Providers button.
  • Try switching the IIS Authentication setting from Kerberos to NTLM – both are capable of working, but Kerberos may require additional IIS configuration.

On the client side:

  1. Make SharePoint a Trusted Site
  2. Modify Windows Vista and Windows 7 registry settings
  3. Set Local Security Policy to allow NTLM response

Make SharePoint a Trusted Site

Internet security settings may prevent Windows from passing credentials to the SharePoint site. To properly configure this setting:

Edit: If you haven’t already tried adding the SharePoint site to the Intranet Zone, try that first; it is the proper place for a local SharePoint install to appear and already has the correct permissions. If you cannot do so, try the Trusted Sites alternative below.

  • Go to Internet Options
  • Go to the Security tab and select the Trusted Sites zone, then click the Sites button
  • Add the URL for SharePoint to this list and click OK to get back to the Security tab
  • Click the Custom Level button
  • Scroll to the bottom of the list of settings and make sure that User Authentication->Logon is set to Automatic Logon with Current Username and Password
  • Click OK

Modify Windows Vista and Windows 7 registry settings

Windows Vista and Windows 7 have trouble authenticating with WebDAV, which affects SharePoint’s document library explorer view and also affects opening SharePoint files directly into MS Office applications.
Windows Vista may require a hotfix to be installed as well as following the steps below to edit the registry. See the link at the bottom of the article for the hotfix.

  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
  • If there is no parameter called AuthForwardServerList, you will have to create it, otherwise you can just add SharePoint to the list of URLs already there.
  • On the Edit menu, point to New, and then click Multi-String Value.
  • Type AuthForwardServerList, and then press ENTER.
  • On the Edit menu, click Modify.
  • In the Value data box, type all of the URLs used by the SharePoint server, and then click OK.
  • Exit Registry Editor.

Set Local Security Policy to allow NTLM response

A default local security policy in Windows 7 prevents LM and NTLM responses. This may cause credentials to fail and retry because Windows is unable to see the response. To check this setting:

  • Go to Local Security Policy > Security Settings > Local Policies > Security Options
  • Select Network security: LAN Manager Authentication level
  • Change security setting to Send LM & NTLM responses
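
The three client-side settings above can be read back without changing anything, which helps when comparing a machine that prompts with one that does not. The following PowerShell is an added example, not part of the original post; the default URL is a constructed placeholder, and `Get-RegValue` and `New-Finding` are helper names made up for this example.

```powershell
# Read-only audit of the three client-side settings; it changes nothing.
# ASSUMPTION: the default URL is a constructed placeholder, not from the article.
param([string]$SharePointUrl = 'https://sharepoint.example.local')

function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}
function New-Finding($Setting, $Value) {
    [pscustomobject]@{ Setting = $Setting; Value = $Value }
}

# 1. Zone logon policy (URL action 1A00), per-user value only.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites' }
$policy = @{ 0 = 'Automatic logon with current user name and password'
             0x10000 = 'Prompt for user name and password'
             0x20000 = 'Automatic logon only in Intranet zone'
             0x30000 = 'Anonymous logon' }
foreach ($zone in 1, 2) {
    $raw = Get-RegValue "$zoneRoot\$zone" '1A00'
    $text = if ($null -eq $raw) { 'not set for this user' }
            elseif ($policy.ContainsKey([int]$raw)) { $policy[[int]$raw] }
            else { "unrecognised value $raw" }
    New-Finding "Logon policy, $($zoneNames[$zone]) zone" $text
}

# 2. WebClient (WebDAV) credential forwarding list; entries may contain * wildcards.
$webClient = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$list = @(Get-RegValue $webClient 'AuthForwardServerList')
$target = $SharePointUrl.TrimEnd('/')
$hit = $list | Where-Object { $target -like $_.TrimEnd('/') }
$fwd = if ($hit) { "covers $target" }
       elseif ($list) { "present, but no entry matches $target" }
       else { 'not present' }
New-Finding 'WebClient AuthForwardServerList' $fwd

# 3. LAN Manager authentication level (LmCompatibilityLevel, 0 to 5).
$levels = 'Send LM & NTLM responses',
          'Send LM & NTLM - use NTLMv2 session security if negotiated',
          'Send NTLM response only', 'Send NTLMv2 response only',
          'Send NTLMv2 response only. Refuse LM',
          'Send NTLMv2 response only. Refuse LM & NTLM'
$lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$lmText = if ($null -eq $lm) { 'not set (OS default applies)' } else { "$lm = $($levels[$lm])" }
New-Finding 'LAN Manager authentication level' $lmText
```

A LAN Manager level of 0 corresponds to the Send LM & NTLM responses setting named in the last step.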

Links

2 Comments

  1. Posted March 15, 2011 at 12:12 pm | Permalink | Reply

    I never have to do anything else but add the site to Local Intranet zone. This is the correct zone to use since you don’t have to change the default of the Trusted Zone…

    • DeanV at MikeTango
      Posted March 15, 2011 at 12:22 pm | Permalink | Reply

      You are right, of course. I should have made it clear that the Trusted zone should be used only if you cannot use the Local Intranet zone. I’ll edit the post to correct this. Thank you!
