Multiple logon boxes when logging on to sharepoint

  • Question

  • Hi,

    Currently we decided to make our intranet, based on Windows SharePoint Services 3.0, available to users who want to log on via the internet.
    We pointed the url to the internet zone which is configured to use Windows authentication (AD).

    When a user opens the site, not one but multiple Windows authentication popups appear. (Random 4-10)
    If I enter the domain\username and the password I am able to logon.

    Every time a user logs on, multiple popups appear, and clicking another link causes the same behavior.
    When you just log on at the first logon box and cancel the rest of them,
    some images or a part of the custom web style is not shown or is mutated. (This seems to be random.)

    How the connection is established:
    We are using an Astaro web proxy server.
    The users use port 443 to connect to and then when it arrives at the web proxy,
    the web proxy converts this to port 80 for the internal communication with the webserver on which sharepoint is hosted.

    What have we tried to solve this issue so far:

    Does it depend on the browser we use?
    For Internet explorer 8 and 9, Firefox and Chrome there are multiple login boxes.
    Even if the site is added to the trusted security zones in Internet explorer.
    On Internet explorer 7 it seems to work better somehow, there are fewer logon boxes.
    But working with this old browser is not an option and it's still not one logon.

    Another way to authenticate: (Not preferred)
    When I switch to form authentication (LDAP/AD) instead of the Windows authentication on the internet zone, I face another problem.
    When I log on to the portal it says I am logged on but with the error: Access denied.
    The account is created on the zone with full control!

    I also tried to create an Extranet but at the Extranet I cannot even log on.
    It says unexpected error.

    Error messages found:
    In the application log of the server the following error is listed like a 100 times or more.
    Event ID ( 8214 ) in Source ( Windows SharePoint Services 3 )

    Any advice on how to tackle this problem would be very much appreciated.

    If any more information is needed please ask.



    Friday, August 12, 2011 1:46 PM

All replies

  • Hi,

    First, what does "We pointed the url to the internet zone which is configured to use Windows authentication (AD)." mean? Did you extend the Intranet to the internet or did you configure the public URLs' AAM settings? Please be specific.

    Also, the EventId 8214 Description should describe the URLs that are not configured properly...

     

     

    -Ivan


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Friday, August 12, 2011 2:45 PM
  • Hi,

    Thanks for your reply.

    I have extended the intranet zone with a new internet zone.

    Then I configured the public URL to use the internet zone for authentication in the alternative access mappings page.

     

    Ben

     

    Sunday, August 14, 2011 8:54 AM
  • Hi ,

     

    Would you provide more information about your issue:

    1. How do you set the Security part for your Internet Explorer? You can open Internet Options > Security > Internet > Custom level.

    2. In the User Authentication part choose 'Automatically log with current user and password'.

    3. Check whether Internet Explorer is in Protected Mode in the security part. Uncheck 'Enable Protected Mode'.

     

    Thanks,


    Entan Ming
    Tuesday, August 16, 2011 7:37 AM
    Moderator
  • Hi Entan,

    Thanks for your reply.

    1. I can open the internet Explorer custom level. It is on the default setting(medium-High).

    2. I've tried to enable the 'Automatically log with current user and password' setting. I am not sure if it has any effect; there are still a lot of logon boxes popping up.

    3. Internet Explorer is not in protected mode.

    Tuesday, August 16, 2011 8:00 AM
  • Hi,

    I wanted to get a little more information prior to providing the following information, and I thought I asked but I don't see the post. How did you extend the Intranet Zone? Don't you mean you extended the default Zone?

    1. You should add the FQDN to the Intranet Zone: Options > Security > Intranet > Advanced > Add. The Intranet Zone is configured by default to log in using the current logged-on credentials.

    The issue occurs:
    Reference: http://support.microsoft.com/kb/943280

    ·         On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.
    ·         You use Web Distributed Authoring and Versioning (WebDAV) to access a fully qualified domain name (FQDN) site.
     
    To resolve the issue for a single user
     
    1.     Click Start, type regedit in the Start Search box, and then press ENTER.
    2.     Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
    3.     On the Edit menu, point to New, and then click Multi-String Value.
    4.     Type AuthForwardServerList, and then press ENTER.
    5.     On the Edit menu, click Modify.
    6.     In the Value data box, type the URL of the server that hosts the Web share, and then click OK.
     
    However, in larger organizations it would be difficult to visit every desk and create the AuthForwardServerList parameter. Instead you have two choices: 1) export the AuthForwardServerList multi-valued string with the FQDNs added to the value and add the resulting .reg file to your login scripts, or 2) create a GPO to push the changes down to the desktops. Option 2 is a more elegant solution and can be more easily maintained.
     
    To enable all users within an organization to Open Document Libraries in Explorer without being prompted to Authenticate.
     
    1.     On the machine where you have Added the AuthForwardServerList Multistring Values to the registry.
    2.     Open GPO Manager > Right Click on the Domain, Site, or OU and choose Create GPO in this Domain, or if you have an IE GPO then edit the existing GPO
    3.     Go to Computer Configuration > Preferences > Windows Settings > Right Click on Registry
    4.     Choose New > Registry Wizard > Local Computer, Next > Use the tree View to expand down to where the AuthForwardServerList Multistring Values were added  to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
    5.     Enter a Check into the Box next to the entries you made earlier, Click Finish, and close GPO manager
    6.     All that’s left is to link it to the domain, site or URL and QA
    7.     The GPO is completed  http://bit.ly/d4ji0L and you can view The Value Data or the websites you were mentioning earlier…
    8.     Using the Wizard to Create the GPO…… http://bit.ly/bE8V62


    Cheers,

    -Ivan

     


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Tuesday, August 16, 2011 8:18 AM
  • Hi Ivan,

    About the creation of the zone... You are right, I didn't say it right. I have indeed extended the default zone with an internet zone that uses the same SharePoint database.

    I have tried the solution you gave me, but unfortunately it did not solve my problem.

    What I did was the following.

    1. I lowered the security level to medium, which is the lowest level I can put it on.
    2. I added *.domainname.com, https://myintranetsite.com and, to be sure, servername.domainname.com to the intranet zone in Internet Explorer.
    3. I enabled automatic authentication for intranet sites. (Automatic logon with username and password)

    Thanks for your help so far!

    Tuesday, August 16, 2011 8:58 AM
  • Hi,


    How do you set the authentication methods between the proxy and the client browsers? The authentication methods include Basic, Anonymous, and Windows NT Challenge/Response (NTLM) authentication. I suggest using Basic authentication.


    For more detailed information, please refer to this site:

    Authentication Options and Limitations Using Proxy Server 2.0: http://support.microsoft.com/kb/198116

     

    Thanks,


    Entan Ming
    • Marked as answer by Ben 1989 Tuesday, August 16, 2011 12:22 PM
    Tuesday, August 16, 2011 10:56 AM
    Moderator
  • Hi Entan,

    Thanks!

    That was the setting that was causing the problems! :)

    I now have the following settings on the sharepoint central administration:

    1. Zone Internet
    2. Verification type Windows
    3. Anonymous access enabled
    4. Integrated Windows Authentication is OFF
    5. Basic verification is on
    6. Client integration is also on.

    The web browser connects to my proxy using https, the internal connection uses http.

     

    Thanks a lot!

    Ben


    • Edited by Mike Walsh FIN Tuesday, August 16, 2011 1:19 PM Thread already closed by OP. Incorrect therefore to add a new question to it. Post any new questions in a new thread.
    Tuesday, August 16, 2011 12:21 PM