none
Is it possible to capture successful/unsuccessful authorization attempts in sharepoint? RRS feed

  • Question

  • For auditing purposes I need to capture successful/unsuccessful authorization attempts in SharePoint.  In addition, I need to capture when was a user logged into SharePoint.  I need to display a splash page when a user accesses SharePoint similar to the below.  thanks

    Successfull sign-ins

    The last time you signed in to SharePoint with this account was: Monday,
    09/16/19 1:40:09 PM

    Unsuccessfull sign-in

    There have been no unsuccessful sign-in attempts to SharePoint with this account
    since your last sign-in.


    Evy

    Tuesday, September 17, 2019 8:31 PM

Answers

  • Not quite the case. You simply have pass through auth. If you're using Windows Claims NTLM, what ends up happening is the browser hits that SP URL with anonymous auth, IIS sends back a 401 (please auth), then IE returns your credentials back to IIS. Chrome consumes these settings.

    Now, if you're using Kerberos, it's a bit different. While the above still happens, we submit a Kerberos token and you'll see fewer entries in the security log as a user continues a session. 

    You can search for Event ID 4624 which is for successful logons. Failures fall under 4625.

    You will only find this on the web front end the user is hitting.


    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Evys Wednesday, September 18, 2019 6:43 PM
    Wednesday, September 18, 2019 6:38 PM
    Moderator

All replies

  • Authorization (AuthZ) or authentication (AuthN)? Sign-in would indicate AuthN, e.g. bad username and password. AuthZ would be a successful sign-in (AuthN), but no access to the target object.

    Which version of SharePoint? If not SPO, what form of authentication are you using on your Web App?


    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, September 17, 2019 10:27 PM
    Moderator
  • Hi Evy,

    You could build a simple HttpModule which does nothing else but records some information we wanted to track user logon.

    And we also could get the last login time of the user by PowerShell script.

    More references:

    SharePoint and HTTP Module.

    Find the Last Login Time of a SharePoint User from AD with PowerShell.

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Sara Fan


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    SharePoint Server 2019 has been released, you can click here to download it.
    Click here to learn new features. Visit the dedicated forum to share, explore and talk to experts about SharePoint Server 2019.

    Wednesday, September 18, 2019 3:26 AM
    Moderator
  • AuthN. SharePoint 2019 on premises with Kerberos.  thanks

    Evy

    Wednesday, September 18, 2019 12:38 PM
  • You should see this in the local Security event log.

    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 18, 2019 3:01 PM
    Moderator
  • Hi Trevor

    As far as I know Security event logs in Event Viewer do not capture users accessing SharePoint.  Are you referring to a different security event log?


    Evy

    Wednesday, September 18, 2019 5:56 PM
  • They indeed are. As it is IIS performing AuthN, IIS will report against the local security event log for that user should they fail to login (and if you've turned on successful logins, that too).

    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 18, 2019 6:10 PM
    Moderator
  • thanks for the clarification. in our environment we don't log directly into SharePoint. our ids are authenticated when logging into our pcs. upon opening IE and accessing SharePoint we are not prompted for ids and passwords which is why I don't see it in the event logs.

    Evy

    Wednesday, September 18, 2019 6:14 PM
  • Not quite the case. You simply have pass through auth. If you're using Windows Claims NTLM, what ends up happening is the browser hits that SP URL with anonymous auth, IIS sends back a 401 (please auth), then IE returns your credentials back to IIS. Chrome consumes these settings.

    Now, if you're using Kerberos, it's a bit different. While the above still happens, we submit a Kerberos token and you'll see fewer entries in the security log as a user continues a session. 

    You can search for Event ID 4624 which is for successful logons. Failures fall under 4625.

    You will only find this on the web front end the user is hitting.


    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    • Marked as answer by Evys Wednesday, September 18, 2019 6:43 PM
    Wednesday, September 18, 2019 6:38 PM
    Moderator
  • Awesome! just want is was looking for. thank you

    Evy

    Wednesday, September 18, 2019 6:44 PM