SSO vs. basic auth with claims-based Kerberos not working with IE/Edge from internet

    Question

  • Hello,
    we recently switched from claims-based NTLM to claims-based Kerberos authentication type on our SP2016 on-premise environment. Additionally, basic authentication is enabled. From my understanding Kerberos will only work in a network environment where the client PC can connect to the KDC (which are my DCs). Therefore Kerberos does not work when accessing SharePoint from the Internet, but it shall then fall back to basic authentication, which requires login with uid/pwd; we allow https access to SharePoint from the Internet as well.
    Now we have added our SharePoint server website to the IE security settings in the Local Intranet zone in order to provide SSO (from the corporate network); this works well so far.
    But since we enabled Kerberos, when I am located on the Internet (without connection to the KDC) with IE or Edge I cannot log in to SharePoint at all anymore. The point is that instead of providing a login dialog it just immediately throws a 401 - unauthorized error. This is not true for Chrome, which in the corporate network does SSO as well, and from the Internet it provides a login dialog in order to do basic authentication. The Chrome behavior would be the one I expect from IE and Edge as well.
    If I remove the SharePoint website from the Local Intranet zone, or switch to User Authentication --> Prompt for User Name and Password in the IE Security Settings, I get the login prompt in IE/Edge as well, but this would break my SSO when in the corporate LAN, right?
    I am a bit confused about what the right settings are in order to provide SSO in the corporate LAN and basic auth from the Internet with Kerberos in SharePoint. Or is this a misbehavior of IE/Edge?

    Kind regards,
    Dieter
    Tuesday, 12 June 2018 09:54

All replies

  • > Therefor Kerberos does not work when accessing SharePoint from the Internet, but it shall then fall back to basic authentication which requires login with uid/pwd, we allow https access to SharePoint from Internet as well.

    Fallback is NTLM, not Basic. Basic isn't used and should not be enabled. Can you verify it is disabled as an auth provider?


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, 12 June 2018 15:20
    Moderator
  • Hi,

    Basic wasn't disabled; actually it was, and I enabled it a few days ago, hoping this would help. But I disabled it again, and the issue still persists. IE and Edge do not provide a login dialog if outside the KDC, just a 401. Any idea?

    See my auth settings below:

    Tuesday, 12 June 2018 16:17
  • What type of firewall/reverse proxy is in between SharePoint and the Internet?

    Trevor Seward


    Tuesday, 12 June 2018 16:23
    Moderator
  • Hi Dieter,

    How is everything going?

    Is there any update about this issue?

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, 13 June 2018 03:03
    Moderator
  • Well, it is a Sophos firewall, no web proxy, just an incoming firewall rule with NAT for tcp:443. But this was always the same, and just since I switched from NTLM to Kerberos the behavior is like this. Before, I got a login dialog if I didn't have the website in the IE Local Intranet zone. Now, instantly a 401 is thrown.

    And also regarding firewall issues, the problem does not occur with Chrome or Firefox, so it might not be related to the firewall.

    Wednesday, 13 June 2018 05:13
  • Hi,

    in the meantime I have done some Fiddler debugging and the following is the outcome.

    - initially (no matter if with KDC access or not) both options are presented correctly:

    No Proxy-Authenticate Header is present.
    WWW-Authenticate Header is present: Negotiate
    WWW-Authenticate Header is present: NTLM

    - if the KDC is accessible it switches to Kerberos

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
    A1 81 B1 30 81 AE A0 03 0A 01 00 A1 0B 06 09 2A  ¡±0® ....¡...*
    86 48 82 F7 12 01 02 02 A2 81 99 04 81 96 60 81  †H‚÷....¢™.–`
    93 06 09 2A 86 48 86 F7 12 01 02 02 02 00 6F 81  “..*†H†÷...

    - if the KDC is not accessible, IE (and Edge) after the first 401 where the auth modes are presented, nothing else happens. With Chrome or Firefox it goes for NTLM once the login dialog is shown and the user logs in.

    I have found this thread https://social.technet.microsoft.com/Forums/office/de-DE/9fb0dccf-9019-479e-805f-2784e35257b5/internet-explorer-11-no-fallback-to-ntlm-if-kdc-ist-not-acessible?forum=sharepointadmin which says to disable IWA (Integrated Windows Authentication). If I do so, IE works, but this leads to the fact that it always uses NTLM, and never Kerberos anymore. That's not the solution.

    Meanwhile, I am not sure anymore if Microsoft knows what they do here.

    Thursday, 14 June 2018 07:56
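An added example (not from the thread or from Fiddler) that classifies WWW-Authenticate challenges the way the capture above was read by hand: it tells a bare Negotiate/NTLM offer, an SPNEGO reply carrying the Kerberos mechanism OIDs, and an NTLMSSP message apart. The sample headers are constructed from the hex bytes quoted in the post plus a minimal NTLM Type 2 header; the OID table and neg-state names are standard SPNEGO/Kerberos values.

```python
import base64

# DER-encoded OIDs found inside SPNEGO (Negotiate) tokens.
OIDS = {
    "krb5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2 Kerberos V5
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2 MS KRB5
    "ntlmssp": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def parse_www_authenticate(value):
    """Split 'Negotiate <b64>' or a bare 'NTLM' into (scheme, token bytes or None)."""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if not token:
        return scheme, None
    token += "=" * (-len(token) % 4)  # restore padding some proxies strip
    return scheme, base64.b64decode(token)

def classify_token(raw):
    """Name the mechanism a challenge/response token actually carries."""
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-type%d" % int.from_bytes(raw[8:12], "little")
    mechs = [name for name, oid in OIDS.items() if oid in raw]
    if raw[:1] == b"\x60":
        kind = "initial"  # client negTokenInit in a GSS-API InitialContextToken
    elif raw[:1] == b"\xa1":
        i = raw.find(b"\xa0\x03\x0a\x01")  # negState ENUMERATED inside negTokenResp
        state = NEG_STATE.get(raw[i + 4], "?") if 0 <= i and i + 4 < len(raw) else "?"
        kind = "response(%s)" % state
    else:
        kind = "unknown"
    return "spnego-%s:%s" % (kind, ",".join(mechs) or "none")

def summarize(www_authenticate_values):
    """One summary string for all WWW-Authenticate headers of a single 401."""
    parts = []
    for v in www_authenticate_values:
        scheme, raw = parse_www_authenticate(v)
        parts.append(scheme if raw is None else "%s=%s" % (scheme, classify_token(raw)))
    return "; ".join(parts)

# Constructed samples: the first 401 from the capture (both mechanisms offered,
# no token yet) and the server's Kerberos reply, truncated as quoted in the post.
FIRST_401 = ["Negotiate", "NTLM"]
KERB_REPLY_HEX = ("A1 81 B1 30 81 AE A0 03 0A 01 00 A1 0B 06 09 2A 86 48 82 F7 12 01 02 02 "
                  "A2 81 99 04 81 96 60 81 93 06 09 2A 86 48 86 F7 12 01 02 02 02 00 6F 81")
KERB_401 = ["Negotiate " + base64.b64encode(bytes.fromhex(KERB_REPLY_HEX)).decode()]
# Constructed NTLM CHALLENGE (Type 2) header: the fallback path Chrome/Firefox take.
NTLM_401 = ["NTLM " + base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00" + bytes(20)).decode()]

if __name__ == "__main__":
    for hdrs in (FIRST_401, KERB_401, NTLM_401):
        print(summarize(hdrs))
```

Running it over exported Fiddler or IIS trace headers shows whether a client ever sent an NTLMSSP token after the initial offer, which is exactly what IE/Edge fail to do in the case described.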
  • Hi Dieter,

    You could consider it as a workaround.

    And you could check if the Kerberos is configured correctly according to the article below.

    Configuring Kerberos Authentication On Share Point 2013 - 2016 Web Application.

    https://www.c-sharpcorner.com/article/configuring-kerberos-authentication-on-share-point-2013-2016-web-application/

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, 15 June 2018 09:44
    Moderator
  • Are there any Group Policies in place for IE?

    Trevor Seward


    Saturday, 16 June 2018 20:16
    Moderator
  • Hi Dieter,

    How is everything going?

    Is there any update about this issue?

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, 18 June 2018 01:20
    Moderator
  • Yes, but just a few websites which are added to the Local Intranet security zone, one of them is my SharePoint URL as well.
    Monday, 18 June 2018 16:07
  • Hi, I have gone through that post you suggested and everything is configured as described, except my web application service user has only the public server role, not sysadmin. I don't see why it should have sysadmin. But it is db_owner on the SharePoint databases.

    But again, Kerberos works, but IE (and Edge) do not fall back to NTLM; they just give up if Kerberos is not possible due to no connection to the KDC.

    Monday, 18 June 2018 16:10
  • Hi Dieter,

    Hope the article below will be helpful to you.

    How to configure supported browsers for Kerberos and NTLM.

    https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    10 hour(s) and 2 minute(s) ago
    Moderator