Why do i see a different user name in Internal Web Site

    Question

  • Greetings folks!

    Someone please educate me.

    I have a curious situation. When I sign into SBS 2011 Internal Web Site using unique user credentials, the name of the last person to log in is always displayed. There is of course an option to log in as a different user, but shouldn't the unique user credentials have taken care of that? I assumed access to Internal Web Site is protected by the user credentials. In other words, when I log in as user A, the name of user A should be showing, not the name of the last person to log into the web site? Isn't this a serious security hole?

    Thanks!

    Tuesday, February 28, 2012 6:13 AM

Answers

  • Martin & others,

    Have I tried the "Form based authentication"? Not yet.
    "How to code Forms Share Point and Project Solution" Have you completed the Share Point Learning Tutorials? Specifically code forms? Not yet.


    Now that I have thought more about it, logging in directly to remote.doman.com:987 is probably just a better way to access SharePoint, because when I do so, the issue of retaining user credentials doesn't happen. Only accessing the site via RWA causes the issue.
    "You should also change the Firewall to block the custom port 987 along with the Remote Desktop ports."  I am curious though, why would I want to block port 987 and the Remote Desktop ports? Isn't the whole idea of router configuration to open the relevant ports?

    I have found this (retaining previous user credentials) is only an issue when I access Internal Web Site via RWA. When I go directly to the site https://remote.site.com:987, it doesn’t happen.

    I am also going to consider including a custom logout within Internal Web Site.

    I consider (of course further comments, pointers are always welcome) this thread closed. Thanks to everyone for chipping in!
    ------------------------------------------------------------------------
    Regards,
    Sahalu

    • Edited by Sahalu Sunday, March 04, 2012 9:33 PM
    • Marked as answer by Sahalu Sunday, March 04, 2012 9:33 PM
    Sunday, March 04, 2012 8:47 PM

All replies

  • easy, there is no security hole at all:)

    I saw this problem several times. It's only caused by a refresh issue of that user name control. When you refresh the page, everything should be fine!


    Regards, Nighting Liu

    Tuesday, February 28, 2012 1:00 PM
  • Hi Nighting Liu. You mean refresh the browser and deleting browser cache? I tried that and still the same issue.

    Thanks!

    Sahalu

    Tuesday, February 28, 2012 7:54 PM
  • Did you and the other user use the same computer to log in to the SBS? Can you describe the sequence of events? Like person A -> Action A, Person B -> Action B...

    Regards, Nighting Liu

    Wednesday, February 29, 2012 1:08 AM
  • Yes, we are using the same computer to access RWA but logged in as different users. When we access RWA and click on Internal Web Site, the name of the last user to log into Internal Web Site appears as the person logged in, not the actual user that has logged into Remote Web Access. So again, User A launches his/her browser and logs into Remote Web Access from a computer. User A clicks on the Internal Web Site link and is automatically directed to Internal Web Site, but instead of seeing his/her name in the top right hand corner, the name of the last person to access Internal Web Site appears. As you know, there's an option to log out and log in as a different user, but my understanding of security/authentication is that the name of the authenticated user should appear on the site, not someone else's.

    Again user A has the option to click on "sign on as a different user" and therefore by default sign out the previous user. If user A signs in with his/her credentials, and then logs out of Internal Web Site, the next person to access Internal Web Site would see the name of user A, not their name.
    To briefly restate the issue: Internal Web Site retains the name of the first person to log in (access the site) using their credentials, not the name of subsequent users, unless they specifically choose to log in as another user. To me this is a serious security issue. When a user logs out of Internal Web Site, it should mean that they have actually logged out – but this is not the case. Weird!

    I have seen a similar post, but that was for the Admin being logged in as "system account": even when they logged in using their Admin credentials, it showed them logged in as system account or something like that.

    Thanks for your help and time!

    Wednesday, February 29, 2012 2:23 AM
  • Let me explain the security mechanism of your scenario:

    There are two credentials, the Host credential and the Web credential.

    • When you log in with RWA, you use the host one.
    • When you log in to your web site, you use the Web one (your browser will remind you, asking if you want to save your password. If you SAVE it, next time the browser will use the saved credential to communicate with that web site).

    They can be the same or different. This means that when User A logs in to the web site, if User B ever logged in to that web site and saved his/her password, by default the browser will not ask again for a username and password; it uses User B's credential directly. Then you will see User B's name displayed on top.

    What I suspect is: in your environment, do different users have the chance to use the same browser?


    Regards, Nighting Liu

    Wednesday, February 29, 2012 2:57 AM
  • Hi Sahalu,

    When using HTTP based authentication (e.g. Basic, NTLM, Digest, Kerberos), Internet Explorer (IE) will continue sending the same credential for each subsequent request to the server. The credential is stored in the authentication cache. The cache will be cleared when the user closes their browser or the server returns a 401 status code.

    In this case, the issue may be caused by the first user closing RWA without logging off: the authentication cache was still there, and then the second user used the cache to access the SharePoint sites again.

    To narrow down the issue, you can:
    1. Clear the IE cache
    2. Close IE
    3. Re-open it, and check now if the display name is correct.

    Thanks,
    Jinchun Chen


    Jinchun Chen
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff AT microsoft.com(Please replace AT with @)

    Wednesday, February 29, 2012 11:37 AM
  • Hi Jinchun & Nighting,

    Thanks for your suggestions.

    Nope, didn't work. Still the same problem, and I have used 2 different computers and 8 different users. Either way, I see this as a security problem - if one has to go through several steps to completely log out. If I say to my users, hey, these are the steps you must take in order to log out of RWA if you ever use a public computer to access the site, they'll wonder what kind of IT guy I am. I would assume logging out of Internal Web Site and RWA and then closing the browser windows should be sufficient. So far this has not been the case.

    These are the steps I have taken over and over and over with different user name and credentials.

    Log onto RWA (with user name and credentials)

    Click on the Internal Web Site link

    Log onto the Internal Web Site (with user name and credentials)

    Logout of Internal Website

    Clear out IE cache as below and close the browser completely

    Launch IE

    Log back into RWA as a different user

    Click on the Internal Web Site link and voila, the site opens still showing the name of the last person (in this case me) as still logged in, not the user whose credentials were used to access RWA.

    If you'd like to check it out for yourselves, I can add you as users and email you the credentials.

    regards,

    Sahalu

    Wednesday, February 29, 2012 8:32 PM
  • Screen shot
    Wednesday, February 29, 2012 8:38 PM
  • Hi Nighting,

    By the way, the issue affects Internal Web Site only, Outlook works fine. As stated earlier, none of the solutions you suggested worked.

    Regards,

    Sahalu

    Wednesday, February 29, 2012 8:52 PM
  • Hi Sahalu,

    Please give me two user credentials, I'm really curious what's the problem. Hope I can provide some help!

    My email: nighting.liu@emc.com


    Regards, Nighting Liu

    Wednesday, February 29, 2012 11:32 PM
  • Hi Sahalu.

    First off, have you made sure that it is a security issue, or is it just a display issue(gui/cosmetic)?

    What I mean is, on the second users access, does he/she access areas where only the first user has access? If that is the case then this is a security issue.
    If the second is true, that access and permissions are ok but the name displayed is wrong, then it's 'just' a cache issue. The cache can be if you are using a proxy, or ISA/TMG, or even if SharePoint's cache has been enabled for better performance.
    Have you also tried to logoff the computer between logins? What effect will that have?

    Check this and get back to us.

    And...do you really want to send login credentials to a 'stranger' on the web? (no offence Nighting Liu)

    Regards


    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blog.blksthl.com

    Wednesday, February 29, 2012 11:48 PM
  • Hi Sahalu,

    Please give me two credentials too. A reproduction should be helpful to troubleshoot the issue.
    Please mail to spforumdata AT microsoft.com (please replace AT with @)

    Thanks,
    Jinchun Chen

    Thursday, March 01, 2012 1:17 AM
  • Sorry guys, I was out on a support call and just made it back. I did send the info to you Jinchun and Nighting.

    Thanks,

    Sahalu

    Thursday, March 01, 2012 3:21 AM
  • Hi Thomas,

    Thanks for chipping in. I don't mean to be argumentative, but should a user have to go through the hassle of logging in and logging out of a computer if they are essentially accessing RWA through the Internet? Shouldn't just logging out of SharePoint and RWA and then closing the browser be enough?  Supposing one is using a public computer or a friend's computer, where you are not a user on the computer? Many hotels, airports and other public places just give access to the internet; you have no other user privileges, so logging in and out is not an option.
    Microsoft knows its stuff; I may be just missing something. Nighting and Jinchun are cross-checking to see if I am missing something, which is likely the case, given the amount of testing and QA Microsoft does.

    regards,

    Sahalu

    Thursday, March 01, 2012 3:36 AM
  • Thomas,

    Thanks for your concern regarding allowing access. It is a test server. Haven't done the production installation yet.

    Regards,

    Sahalu

    Thursday, March 01, 2012 3:43 AM
  • Hi Sahalu.

    No worries.
    What I meant was to log off and back in as a troubleshooting step only.

    Regards


    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blog.blksthl.com

    Thursday, March 01, 2012 6:44 AM
  • Hi Sahualu,

    Thank you for your mail. I am able to access the RWA, but unable to access the internal web site with the error "Internet Explorer cannot display the webpage". Is the web site down?

    Thanks,
    Jinchun Chen


    Thursday, March 01, 2012 6:51 AM
  • Hi Jinchun,

    I am not sure what is going on, but let me do some troubleshooting. I am able to log in, but I am on the same router as the server, so that may have something to do with me being able to log in and you not being able to. I will post back here tomorrow when I resolve the problem. Do you or anyone have any suggestion as to what might be the issue? I have about 12 users and I am able to use all the user names and passwords and access the site.

    Regards,

    Sahalu

    Thursday, March 01, 2012 7:25 AM
  • Hi Sahualu,

    From my side, the URL for the Internal web site is https://remote.ampmit.com/Remote/internalwebsite, is that correct?

    A possible way for me to access the site is using the full URL such as https://remote.ampmit.com/Remote/internalwebsite/XXXX.aspx. Could you please give the full URL, let me have a try.

    Besides that, could this issue be caused by a firewall in your domain?

    Thanks,
    Jinchun Chen


    Thursday, March 01, 2012 7:31 AM
  • Hi Thomas,

    Alright, I see what you mean, just for the purposes of trouble shooting.

    Jinchun reported they were able to log in to RWA, but not Internal Web Site. Any idea what might be going on? I am able to log in to both RWA and Internal Web Site; as stated in an earlier post, I am on the same router as the server. I did run the sharepoint update, let me run psconfig and see if that has anything to do with it.

    Regards,

    Sahalu

    Thursday, March 01, 2012 7:32 AM
  • Hi Sahalu,

    Please ignore my last reply. I just confirmed with a SBS guy, and he told me we are unable to connect SBS SharePoint site from our corporate network.

    I will try to troubleshoot your issue from home tonight. Appreciate your understanding.

    Thanks,
    Jinchun Chen


    Thursday, March 01, 2012 7:41 AM
  • Hi.

    I noticed your last comment: 'I did run sharepoint update, let me run psconfig'.
    After any upgrade, SP, CU or Hotfix, you have to run psconfig in order for the upgrade to be implemented fully. If you do not, you are in a middle state where you do not want to be.

    Also, check your Alternate Access Mapping for the web application(Internal). The reference that it could be accessed using a page i.e. site/default.aspx but not with site/ only tells me that something could be off in your AAM settings.

    Regards


    Thomas Balkeståhl - Technical Specialist - SharePoint - http://blog.blksthl.com

    Thursday, March 01, 2012 7:55 AM
  • Hi Jinchun,

    No sweats. Thanks for letting me know.

    Take care and have a good night. I am going to go catch some zzzzzs. Shall pick up tomorrow.

    regards,

    Sahalu

    Thursday, March 01, 2012 8:26 AM
  • Hi Thomas,

    I did run psconfig right after the sharepoint update a couple of days ago, because without running that the server backup won't work, and the backups have been running fine. But based on the report I received from Jinchun, that they were not able to log into Internal Web Site, I thought maybe I should run it again just in case. I just did psconfig again, ran fix my network, reinstalled SSL and checked that ports 25, 80, 443 and 987 are forwarding. Everything checked out good - as far as I can tell.

    Calling it quits for the night - i do really appreciate all your help.

    Regards,

    Thursday, March 01, 2012 8:37 AM
  • Hi Sahalu,

    Are you testing the issue on the same computer with multiple web browsers (tabs)? I can only reproduce the issue on the same computer. If I am in the same scenario as you, then the issue is caused by the cached Windows authentication. While clicking "Intranet site", a login dialog is prompted. After typing the login information, it will be kept in the session. It will be cleared only when you close all web pages (the web browser program).

    All works well in two or more computers.

    Thanks,
    Jinchun Chen


    Thursday, March 01, 2012 3:21 PM
  • Hi Jinchun,

    Thanks for the update. As stated earlier, I was and am still having the same problem even after repeatedly clearing the cache on two different computers. Were you able to clear the cache and then log back in without seeing the previous user name? Do you know how to stop this sharepoint behaviour? I don't have the same problem with OWA or RWA even though I am using the same computers and the same browser I use to access sharepoint. Same environment, different behaviours.

    regards,

    Sahalu

    Thursday, March 01, 2012 7:40 PM
  • Hi Sahalu,

    It seems to be a network issue rather than a SharePoint issue. Let me detail my reproduction steps:

    1. Able to reproduce the issue in this case:

    • user1 logs in to RWA, clicks "Intranet web site", types username and password, keeps it open.
    • user2 logs in to RWA from the same computer, clicks the "Intranet web site" too, and without being required to type username and password, I see the previous user's name in the SharePoint site.

    2. Unable to reproduce the issue:

    • user1 logs in to RWA from computer1, clicks "Intranet web site", types the first username and password and keeps it open. Now the display name in the SharePoint site is user1.
    • user2 logs in to RWA from computer2, clicks "Intranet web site", types the second username and password; now the display name in the SharePoint site is user2, as expected.

    It is a little odd in your scenario. Could you please help to narrow down the issue in this way?

    1. From computer1, open the SharePoint site directly with URL https://yourFQDN:987 (a dialog may be prompted to type username and password), check the display name.
    2. From computer2, open the SharePoint site directly too (a dialog may be prompted to type username and password), check the display name now.
      I assume the display name will be displayed as expected, I mean the correct one will be displayed.

    Thanks,
    Jinchun Chen




    Friday, March 02, 2012 1:23 AM
  • Hi I have finished my investigation. I think the problem is very clear now:

    You have two web environments:

    1. Remote Web Access: http://remote.ampmit.com/
    2. internal  web site: remote.ampmit.com:987 (https://remote.ampmit.com/Remote/internalwebsite)

    On the same computer and in the same user environment:
    The browser will save the credentials based on the unit of web application, which means remote.ampmit.com:80 and remote.ampmit.com:987 will be regarded as different web applications.

    So whatever credential you used in the web app on port 80, the browser will not forward the same credential to the web app on 987; it will still use the last saved credential for the web app on 987. That's why you saw the last login user's name. Yes, you really are logged in as him/her.

    It's a security hole, but not in the application; it's in the way you use it. So my suggestion is: do not use the same user environment with different users. Every user needs a different Windows NT credential to log in to their host.


    Regards, Nighting Liu

    Friday, March 02, 2012 1:35 AM
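    To make the two explanations above concrete (Jinchun's point that IE keeps re-sending an HTTP-auth credential until the browser closes or the server answers 401, and Nighting's point that the credential is scoped per host:port, so the RWA site and the :987 site are separate slots), here is an added model written for this thread, not code from the original posts or from SBS/SharePoint. It assumes a constructed hostname, two constructed accounts, Basic auth on the :987 site, and a hypothetical /logout path that answers 401 (the server-side "custom logout" idea raised later in the thread).

```python
import base64

# Constructed accounts and hostname for the example (not real credentials).
USERS = {"usera": "pw-a", "userb": "pw-b"}
SITE = "https://remote.example.com:987"
RWA = "https://remote.example.com/Remote/internalwebsite"


def origin(url):
    """(scheme, host, port): the unit a browser scopes HTTP-auth credentials to,
    so :443 (RWA) and :987 (Internal Web Site) are two separate credential slots."""
    scheme, rest = url.split("://", 1)
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return scheme, host, int(port) if port else (443 if scheme == "https" else 80)


def parse_basic(header):
    """Decode 'Basic base64(user:pass)'; return (user, password) or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, pw) if sep else None


def internal_web_site(path, headers):
    """Basic-auth protected site on :987. Returns (status, body).
    /logout (hypothetical) always answers 401: that is what makes the browser
    drop the cached credential, as described by Jinchun above."""
    creds = parse_basic(headers.get("Authorization"))
    if path == "/logout" or creds is None or USERS.get(creds[0]) != creds[1]:
        return 401, ""
    return 200, f"Signed in as {creds[0]}"


class Browser:
    """One browser process. HTTP-auth credentials are cached per origin and reused
    silently until the server answers 401 or the process exits."""

    def __init__(self):
        self.auth_cache = {}

    def get(self, url, path="/", login=None):
        key = origin(url)
        if login:  # the user answered a credential prompt
            token = base64.b64encode(f"{login[0]}:{login[1]}".encode()).decode()
            self.auth_cache[key] = "Basic " + token
        headers = {"Authorization": self.auth_cache[key]} if key in self.auth_cache else {}
        status, body = internal_web_site(path, headers)
        if status == 401:
            self.auth_cache.pop(key, None)  # rejected or logged out: forget it
        return status, body


def shared_computer(custom_logout):
    """User A signs in to :987, logs out of RWA (a cookie on the :443 origin, so it
    never touches the :987 slot) and closes only the tab. User B, in the same
    browser process, clicks the Internal Web Site link. Returns what B sees."""
    browser = Browser()
    browser.get(SITE, login=("usera", "pw-a"))
    if custom_logout:
        browser.get(SITE, "/logout")  # server-side 401 evicts the cached credential
    return browser.get(SITE)  # user B is never prompted


if __name__ == "__main__":
    print("without /logout:", shared_computer(False))  # (200, 'Signed in as usera')
    print("with /logout:   ", shared_computer(True))   # (401, '')
```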
  • Thanks Nighting,

    I am not trying to be argumentative, but to really understand what is going on, so I can take preventive actions, such as not using a public computer to access Internal Web Site.

    OK, now things are making sense, not completely, but making sense. Because all the computers I use to connect to the Internet are shared/used by multiple users. I assumed signing out of Internal Web Site, signing out of RWA and closing all browser windows would flush out all user credentials from the browser/network/client. The second part is, why is it that even after deleting all of the below, I still experience the same problem? Is there another location where the Windows cache is stored other than these three areas?

    Also why is it RWA and OWA are not affected? Why only Internal Web Site if this is not an application issue? OWA & RWA use the same credentials, so why not the same behaviour from those applications as well?

    So if two or more users on the same domain use a shared computer (other than signing on, on the local computer with domain credentials) be it on company premises, Internet cafe or hotel to log into Internal Web Site, the first person to logon would still have their session active even when they think they have logged out of Internal Web Site by clicking logout and closing the browser?

    So by implication, no shared computers/devices, no public access points are allowed in the SharePoint environment?

    Thank you!

    Regards,

    Sahalu

    • Edited by Sahalu Friday, March 02, 2012 2:30 AM clarity
    Friday, March 02, 2012 2:08 AM
  • SharePoint stores the information in the SQL Server, so you cannot remove it easily. But it's not the core of this problem.

    The problem is: your "Internal Web Site" seems to be in the security scope of RWA, but it's not. I think your users can log in to iremote.ampmit.com:987 directly and don't need to log in to RWA first.

    They are different sites. It's not a kind of user environment like Remote Desktop.

    About why RWA and OWA are not affected: because you are using Form based authentication in RWA and OWA.


    Regards, Nighting Liu

    Sunday, March 04, 2012 6:19 AM
  • Hi Sahalu Partner,

    I have been busy checking Alerts for this problem:

    SharePoint store the information in the SQL Server, so you cannot remove it easily. But it's not the core of this problem.

    The problem is: your "Internal Web Site" seems in the security scope of RWA, but it's not. I think your user can login iremote.ampmit.com:987 directly and doesn't need to login RWA firstly.

    They are different site. It's not a kind of user environment like Remote Desktop.

    About why is it RWA and OWA are not affected? Because you are Form based authentication in RWA and OWA.

    I assume The Form based authentication changes worked ;-). Have you and the System Admin checked the Windows Event Security Logs ?

    You should also change the Firewall to block the custom port 987  along with the Remote Desktop ports.

    I assume you changed the Windows Event Security Logons for both success and failures. Is the Firewall working?

    The best security methods  the Firewall  A) Contact your ISP and have them block port 987 . B) Block port 987  Router C) Internal port 987 

     provide the testing along with the code logs for System Admin Have a Team Meeting:

    "How to code Forms Share Point and Project Solution" Have you completed the Share Point Learning Tutorials ? 

     The Sharepoint 2010 SBS 2011 Teams Project Managers: SRS "Agenda Security Current Events" Setup Upgrade Coding

     Testing Deployment add or modify this and work together Security Holes can be hard to fix later .

    Please update this for the status Team Meeting and results do not post logs or personal information. 

    I worry about security and developers ;D.

    Regards, 


    Martin Rasch




    • Edited by Martin Rasch Wednesday, March 07, 2012 10:40 PM Firewall Router Security your correct
    Sunday, March 04, 2012 7:52 PM