I have a web application that utilizes multiple hostnames (see below for an explanation of why it's set up like this - I don't want that to distract from the more general question here).

Basically, there are:

  • Two fixed hostnames (www.domain1.com and www.domain2.com)
  • One or more other hostnames which are not fixed but all share a single domain (abc.domain3.com, def.domain3.com) - these are generated dynamically by a process that is not under our control and is not easy to keep track of (see below for explanation)

We can assume that these are all served from IIS on the same Windows server and that they are all ASP.NET sites, but are not all the same site within IIS. All of them are also using Windows authentication against the same Active Directory.

Any given user is likely to access three or more of these hostnames in the course of a single session.
The problem is that for every new hostname they access, they are prompted anew for their credentials.

My understanding is that this is by-design browser behavior - browsers prompt people for credentials when they access a Windows Auth site on an FQDN - but this situation is very troublesome for users who have to repeatedly enter their credentials.

I also understand that there are browser settings available to enable "Integrated Windows Authentication" which basically passes credentials right through, but this requires modifying browser settings, which is too much of an ask for the users.

Is there any way to make this situation better? One credential prompt would be fine, but three or more is too much.

The likelihood of being able to switch to a completely different authentication method (e.g. ADFS) is very low, but if there is some kind of "layer" that could be applied to facilitate this process, that may be in the cards.

For context, the reason things are set up like this is that this is the app model for a Provider-Hosted SharePoint app. Basically, SharePoint has its own fixed hostname, the "app" has its own fixed hostname, and there are one or more "app domains" which basically serve as a conduit between the app and SharePoint. The app domains are generated dynamically by SharePoint as the app is installed in different sub-sites within SharePoint.

One reason that my description of the situation above is slightly vague ("We can assume that...") is that I have multiple customers dealing with essentially the same issue in their separate environments, and each has their own unique server configuration.

I have asked a variant of this question on TechNet, but to no avail.

  • Modifying the browser settings should not be too big an ask for the users' IT staff. – Michael Hampton Jul 20 '20 at 16:21
  • @MichaelHampton The users' browsers are not necessarily under the control of the IT staff, and as far as I can tell, Firefox doesn't even provide the ability to do integrated Windows auth on wildcard hostnames (*.domain3.com), only on specific hostnames. – JLRishe Jul 20 '20 at 16:36
  • Hm, well if it's BYOD then you can't really do that. While this question is on topic here, since this is about SharePoint, you may want to check out our sister site [sharepoint.se] as you might find the SharePoint-specific expertise you need there. – Michael Hampton Jul 20 '20 at 16:44
