SSO vs. basic auth with claims-based Kerberos not working with IE/Edge from internet

    Question

  • Hello,
    We recently switched from claims-based NTLM to claims-based Kerberos authentication on our SP2016 on-premise environment. Additionally, basic authentication is enabled. From my understanding Kerberos will only work in a network environment where the client PC can connect to the KDC (which are my DCs). Therefore Kerberos does not work when accessing SharePoint from the Internet, but it shall then fall back to basic authentication, which requires login with uid/pwd; we allow https access to SharePoint from the Internet as well.
    Now we have added our SharePoint server website to the IE security settings in the Local Intranet zone in order to provide SSO (from the corporate network); this works well so far.
    But since we enabled Kerberos, when I am located on the Internet (without connection to the KDC) with IE or Edge I cannot log in to SharePoint at all anymore. The point is that instead of providing a login dialog it just immediately throws a 401 - unauthorized error. This is not true for Chrome, which in the corporate network does SSO as well, and from the Internet it provides a login dialog in order to do basic authentication. The Chrome behavior would be the one I expect from IE and Edge as well.
    If I remove the SharePoint website from the Local Intranet zone, or switch to User Authentication --> Prompt for User Name and Password in the IE Security Settings, I get the login prompt in IE/Edge as well, but this would crash my SSO when in the corporate LAN, right?
    I am a bit confused about what the right settings are in order to provide SSO in the corporate LAN and basic auth from the Internet with Kerberos in SharePoint. Or is this a misbehavior of IE/Edge?

    Kind regards,
    Dieter
    Tuesday, June 12, 2018 09:54

All replies

  • > Therefore Kerberos does not work when accessing SharePoint from the Internet, but it shall then fall back to basic authentication, which requires login with uid/pwd; we allow https access to SharePoint from the Internet as well.

    Fallback is NTLM, not Basic. Basic isn't used and should not be enabled. Can you verify it is disabled as an auth provider?


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, June 12, 2018 15:20
    Moderator
  • Hi,

    Basic wasn't disabled; actually it was, and I enabled it a few days ago, hoping this would help. But I disabled it again, and the issue still persists. IE and Edge do not provide a login dialog if outside the KDC, just a 401. Any idea?

    See my auth settings below:

    Tuesday, June 12, 2018 16:17
  • What type of firewall/reverse proxy is in between SharePoint and the Internet?

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, June 12, 2018 16:23
    Moderator
  • Hi Dieter,

    How is everything going?

    Is there any update about this issue?

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, June 13, 2018 03:03
    Moderator
  • Well, it is a Sophos firewall, no web proxy, just an incoming firewall rule with NAT for tcp:443. But this was always the same, and only since I switched from NTLM to Kerberos has the behavior been like this. Before, I got a login dialog if I didn't have the website in the IE Local Intranet zone. Now, a 401 is thrown instantly.

    And also re. firewall issues, the problem does not occur with Chrome or Firefox, so it might not be related to the firewall.

    Wednesday, June 13, 2018 05:13
  • Hi,

    In the meantime I have done some Fiddler debugging and the following is the outcome.

    - initially (no matter if with KDC access or not) both options are presented correctly:

    No Proxy-Authenticate Header is present.
    WWW-Authenticate Header is present: Negotiate
    WWW-Authenticate Header is present: NTLM

    - if KDC is accessible it switches to Kerberos

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
    A1 81 B1 30 81 AE A0 03 0A 01 00 A1 0B 06 09 2A  ¡±0® ....¡...*
    86 48 82 F7 12 01 02 02 A2 81 99 04 81 96 60 81  †H‚÷....¢™.–`
    93 06 09 2A 86 48 86 F7 12 01 02 02 02 00 6F 81  “..*†H†÷...

    - if the KDC is not accessible, in IE (and Edge) after the first 401 where the auth modes are presented, nothing else happens. With Chrome or Firefox it goes for NTLM once the login dialog is shown and the user logs in.

    I have found this thread https://social.technet.microsoft.com/Forums/office/de-DE/9fb0dccf-9019-479e-805f-2784e35257b5/internet-explorer-11-no-fallback-to-ntlm-if-kdc-ist-not-acessible?forum=sharepointadmin which says to disable IWA (Integrated Windows Authentication). If I do so, IE works, but this leads to the fact that it always uses NTLM, and never Kerberos anymore. That's not the solution.

    Meanwhile, I am not sure anymore if Microsoft knows what they do here.

    Thursday, June 14, 2018 07:56
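As an added example (not from the thread), the following Python reproduces the Fiddler analysis in the post above on constructed header samples: it lists the schemes a 401 offers and tells whether a Negotiate token carries Kerberos or NTLM by looking for the GSS-API mechanism OIDs. The three sample responses are constructed; the Kerberos token is built from the first 24 hex bytes quoted above.

```python
import base64

# GSS-API mechanism OIDs (DER-encoded) that identify what a Negotiate token carries.
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 (Kerberos V5)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (MS KRB5)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
NTLMSSP_SIG = b"NTLMSSP\x00"                       # signature of a raw NTLM message


def offered_schemes(headers):
    """Return [(scheme, token)] for every WWW-Authenticate header of a 401.
    A bare scheme (token None) is the server's initial offer; a token means
    the handshake is already in progress."""
    out = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        parts = value.strip().split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else None))
    return out


def classify_negotiate(token_b64):
    """Say whether a base64 SPNEGO/Negotiate token is Kerberos or NTLM."""
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    if raw.startswith(NTLMSSP_SIG) or NTLMSSP_OID in raw:
        return "ntlm"
    if KRB5_OID in raw or MS_KRB5_OID in raw:
        return "kerberos"
    return "unknown"


def diagnose(headers):
    """Summarise one 401: offered schemes and the mechanism Negotiate is using."""
    result = {"schemes": [], "negotiate_mech": None}
    for scheme, token in offered_schemes(headers):
        result["schemes"].append(scheme)
        if scheme.lower() == "negotiate" and token:
            result["negotiate_mech"] = classify_negotiate(token)
    return result


# Constructed samples modelled on the Fiddler output above (not real captures).
INITIAL_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
KRB_TOKEN = base64.b64encode(bytes.fromhex(
    "a181b13081aea0030a0100a10b06092a864882f712010202")).decode()
KERBEROS_401 = [("WWW-Authenticate", "Negotiate " + KRB_TOKEN)]
NTLM_TOKEN = base64.b64encode(NTLMSSP_SIG + b"\x02\x00\x00\x00").decode()
NTLM_401 = [("WWW-Authenticate", "Negotiate " + NTLM_TOKEN)]

if __name__ == "__main__":
    for label, hdrs in (("initial", INITIAL_401), ("kerberos", KERBEROS_401), ("ntlm", NTLM_401)):
        print(label, diagnose(hdrs))
```

Running it against a client trace from outside the KDC shows which leg stops: both schemes on the first 401 but no second Negotiate/NTLM leg from the client is the symptom described in this thread.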
  • Hi Dieter,

    You could consider it as a workaround.

    And you could check if Kerberos is configured correctly according to the article below.

    Configuring Kerberos Authentication On Share Point 2013 - 2016 Web Application.

    https://www.c-sharpcorner.com/article/configuring-kerberos-authentication-on-share-point-2013-2016-web-application/

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, June 15, 2018 09:44
    Moderator
  • Are there any Group Policies in place for IE?

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Saturday, June 16, 2018 20:16
    Moderator
  • Hi Dieter,

    How is everything going?

    Is there any update about this issue?

    If the reply is helpful to you, you could mark the reply as answer. Thanks for your understanding.

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, June 18, 2018 01:20
    Moderator
  • Yes, but just a few websites which are added to the Local Intranet security zone, one of them being my SharePoint URL as well.
    Monday, June 18, 2018 16:07
  • Hi, I have gone through that post you suggested and everything is configured as described, except that my web application service user has only the public server role, not sysadmin. I don't see why it should have sysadmin. But it is db_owner on the SharePoint databases.

    But again, Kerberos works, but IE (and Edge) do not fall back to NTLM; they just give up if Kerberos is not possible due to no connection to the KDC.

    Monday, June 18, 2018 16:10
  • Hi Dieter,

    Hope the article below will be helpful to you.

    How to configure supported browsers for Kerberos and NTLM.

    https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, June 21, 2018 02:16
    Moderator
  • Hi Sara,

    I have once more double-checked my IE configuration; I can confirm it is set up according to your link, except that I work with the Local Intranet instead of the Trusted Sites zone. And then my User Authentication/Logon is set to Automatic logon only in Intranet Zone. But I have also switched to Trusted Sites and Automatic logon with username and password, and the IE/Edge behaviour remains the same.

    I want to mention once more that it is only about IE/Edge; Chrome or Firefox do present a login prompt if no KDC is available and login happens via NTLM.

    If I still have a valid http/sharepoint ticket when I am leaving the LAN, as long as this is valid, I can still log on with IE/Edge as well. Just when it expires, or I purge it, the issue occurs, which is not true with Chrome or Firefox. The behaviour is the same with min. 3 different users and PCs.

    Thursday, June 21, 2018 12:43
  • Are there any GPOs which might be impacting IE and/or security (e.g. Kerberos GPOs)? If so, is it possible to move the machine/user outside of any GPOs (perhaps create a temporary OU and block inheritance)? You can manually add the URL(s) to Trusted Zone w/ Logon automatically enabled.

    What network device(s)/load balancers/reverse proxies are between SharePoint and the Internet?


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, June 21, 2018 15:12
    Moderator
  • Hi Dieter,

    How is everything going?

    Is there any update about this issue?


    Best regards,

    Sara Fan

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, June 26, 2018 01:28
    Moderator
  • Hi Trevor, unfortunately no progress on this issue. We do not use any load balancer at all; we just do NAT https from the public IP to the private IP on the firewall.

    I have now summarized the whole configuration, please see the attached documents. I used a user from an OU with blocked GPO inheritance.

    See the OneDrive shared docs gpresults and Internet Explorer with Negotiate All Settings.

    Hope you find any config issues.

    Wednesday, June 27, 2018 09:26
  • See my last answer to Trevor's post, lots of details there, but no progress.
    Wednesday, June 27, 2018 09:27
  • There's nothing that jumps out at me here as being wrong in terms of config from a client perspective, at least. I would suggest starting to capture network traces from the client and perhaps SharePoint FE(s). Or on the firewall device you have. You could at least see the negotiation and perhaps determine if something in the chain of devices isn't functioning properly.

    You might also want to talk with Sophos.


    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, June 28, 2018 02:45
    Moderator
  • Just another thing to mention.
    When I open files, e.g. Excel, via the OneDrive for Business workspace, or when these files have remained open on my computer for some time, it can happen that I need to sign in to SharePoint again. This works fine from the Internet too: I get the warning that I need to sign in, and then the login screen. So, again, this behaviour is as expected, different from IE/Edge.

    It is just IE/Edge which do not work from the Internet.

    Wednesday, July 4, 2018 05:17