2

This question really relates to allowing users to log on to a SharePoint installation from home, but I guess it's a general IIS security question.

When the login box pops up to collect the Windows credentials, the user can just type in their user name on Safari/Chrome/FF and they can log in correctly. On IE, authentication fails as it seems to pass their local machine name by default and the user needs to replace this with domain\user. Not a big problem in some cases but we'd prefer it if the users didn't have to enter the domain name portion.

Is this simply a feature of IE that we can't control or is there something we can do with IIS/AD etc. that will allow us to provide a default domain if one isn't specified?

Chris W
  • @Chris W: what kind of authentication are you using? (Basic/Forms/NTLM?) – MattB Mar 31 '10 at 13:44
  • NTLM at the moment. I guess I could roll my own forms provider which hands off the authentication back to AD but I'd like to avoid that if possible. – Chris W Mar 31 '10 at 14:17

4 Answers

1

Another option is to install an ISA server in front of SharePoint and let it handle the authentication. You can provide single sign-on through the ISA, and serve up the webmail, SharePoint, and any other web applications you have running on the backend.

ISA can be configured to accept forms based login, that it will translate to NTLM for the end user, giving you the flexibility to add the domain in for them.

Goyuix
  • Interesting, I'll have a look at this since I think our networks team are looking at ISA anyway. – Chris W Apr 01 '10 at 08:21
1

Another option is to train users a little differently. For some reason users typically see domain\username as some egregious miscarriage of justice, but if they can use their email address that is fine.

In AD, users have what is called a UPN (user principal name) - which is typically user@domain.com - which typically matches their email address. Luckily enough, you can use the UPN to log in to an NTLM authenticated website.

So - assuming the default UPN for your users is the same as your email domain, you can tell users to log in with user@domain.com and it will work, and possibly be less of a headache for you.

MattB
  • If this was an option I'd go with it but it's quite a complex environment so the e-mail domains don't all match up with the UPNs. – Chris W Apr 01 '10 at 08:20
0

I ran into this a while back. I don't remember which one you need but if you open up IE and go to "tools", "internet options", "security tab", "custom level". Go all the way to the bottom of the list and there are four options for user authentication. Try changing those and see what happens.

  • Any option I pick there is no help. Anonymous simply doesn't work. If I ask it to prompt I get the usual blank login box except when I click OK it fails to authenticate and pops up machinename\username which is what I presume it tried to helpfully submit on the first attempt. – Chris W Mar 31 '10 at 13:14
0

Considering you have a default MOSS installation, the default authentication is NTLM. If a web site is configured to authenticate a user, i.e. using "Authentication and Access Control" in IIS or authentication configured in an application like MOSS, Internet Explorer by default will pass the logged-in user's credentials. Now, since you said these are home users, they must be logged in on their machines as "MACHINE_NAME\User_NAME", hence the credentials passed by IE are MACHINE_NAME\USER_NAME. You will have to manually add the DOMAIN\USER_NAME if you want to authenticate yourself using your domain credentials.

Alternatively, if you are using Forms/Basic Authentication, you can write code which would authenticate a user with whatever default domain you want.

Vivek Kumbhar
  • That's pretty much what I thought. It's an IE thing hence I'll need to go with a custom authentication process. – Chris W Mar 31 '10 at 15:50
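
The default-domain handling that the last answer suggests for Forms/Basic authentication, as an added example that is not code from this thread or from SharePoint/IIS. The class name, method names and the `CONTOSO` domain are hypothetical; `PrincipalContext.ValidateCredentials` is the .NET `System.DirectoryServices.AccountManagement` API.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // needs a reference to this assembly

// Hypothetical helper for a custom Forms/Basic login handler.
public static class DefaultDomainLogin
{
    private const string DefaultDomain = "CONTOSO"; // assumed NetBIOS domain name

    // Characters Active Directory does not allow in a sAMAccountName.
    private static readonly char[] Illegal = "\"/\\[]:;|=,+*?<>".ToCharArray();

    // Splits what the user typed into a domain and an account name:
    //   "jsmith"             -> CONTOSO / jsmith              (default domain applied)
    //   "OTHER\jsmith"       -> OTHER / jsmith                (explicit domain wins)
    //   "jsmith@example.com" -> CONTOSO / jsmith@example.com  (UPN, resolved by AD)
    // Returns false for empty or malformed input such as "\jsmith" or "A\B\C".
    public static bool TryParse(string input, out string domain, out string user)
    {
        domain = DefaultDomain;
        user = (input ?? string.Empty).Trim();

        int slash = user.IndexOf('\\');
        if (slash >= 0)
        {
            domain = user.Substring(0, slash);
            user = user.Substring(slash + 1);
        }
        return domain.Length > 0 && user.Length > 0
            && domain.IndexOfAny(Illegal) < 0 && user.IndexOfAny(Illegal) < 0;
    }

    public static bool Validate(string input, string password)
    {
        string domain, user;
        // An empty password is refused outright rather than handed to AD.
        if (string.IsNullOrEmpty(password)) return false;
        if (!TryParse(input, out domain, out user)) return false;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            {
                return ctx.ValidateCredentials(user, password);
            }
        }
        catch (PrincipalServerDownException)
        {
            return false; // typed "domain" is not reachable, e.g. a home machine name
        }
    }
}
```

Forms and Basic logins deliver the password itself to the server, so a handler like this should only be exposed over HTTPS.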