LAN user access to Sharepoint

  • Thread starter Raymond Chiu (gatorback

Raymond Chiu (gatorback

I am interested in learning more about the mechanism that determines the URL
to invoke SharePoint from PWA.

Specifically, when a LAN user (domain authentication via servername URL
http:\\myserver\projectserver) invokes SharePoint from PWA, the URL used is
the FQDN (www.mydomain.com\projectserver). This results in the user having
to input his \ her credentials again. This is not a big deal in the grand
scheme of things; however, I would like to learn how to change the invoking
URL from the FQDN to the servername, when PWA's URL is the servername. I
suspect that this may involve proxycfg.exe.

Any insight \ direction is appreciated.
 

Rolly Perreaux

Hi Raymond,

If you want to change to using the servername instead of the FQDN, follow these
steps:

Step 1 - Review your PWA server settings:
Admin --> Server Configuration
Change the FQDN to the servername

Step 2 - Review your PWA SharePoint settings:
Admin --> Connect to SharePoint server
Change the FQDN to the servername

Step 3 - Review your DNS settings:
Make sure there are no alias (CNAME) entries in your DNS that point your
servername to an FQDN. Use the NSLOOKUP command-line utility to test.

Good Luck

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 

Ray

If you add the FQDN of the SharePoint URL to Trusted Sites and set Trusted
Sites to the default of Low, the credential prompting should stop. At least
it did for me.

Ra

Raymond Chiu (gatorback

Ray,

Thank you for the suggestion. My Trusted sites was already set to low. I
added the FQDN to the set of Trusted sites and eliminated the credential
prompt. How did you figure this one out?

Raymond
 

Rolly Perreaux

Hi Raymond,

The default security setting for Trusted Sites in Internet Explorer is
set to "LOW" and the User Authentication setting is set to "Automatic
logon with current username and password"

However, the default security setting for Internet (using an FQDN) in
Internet Explorer is set to "MEDIUM" and the User Authentication setting
is set to "Automatic logon only in Intranet zone"

You can change this setting in Internet Explorer title menu at:
Tools --> Internet Options --> Security tab
Select your zone and click Custom Level
The User Authentication setting is at the bottom of the list

However, it should be noted that unless you use SSL (https) for securing
your communication channel between the IE client and web server, all
communications are using Clear Text, which means that your username and
password for logging into the Domain will be visible to anyone using a
network analyzer or packet sniffer such as NetMon or Ethereal.

I for one would use SSL using the servername and not the FQDN.
But that's me :)

Good Luck

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 

Raymond Chiu (gatorback

Good stuff... thanks for the info Rolly!


Mr.

Hi all,

I figured it out because I wanted to SSL everything and always use FQDNs
for Project Server and SharePoint on our Intranet as well. We're only using
Windows accounts, so no clear text credentials should be passed, but it's
the principle of the thing. We have people accessing the site via the
Internet SSL and needed to make sure that their email links were always
fully qualified so they would work.

It was a long and arduous task and it's still not totally working right,
involving multiple changes to proxycfg, many of which did not work. :).

I suspect my problems are because I'm using self-signed certificates. I have
the Project Server site working OK with SSL but not the SharePoint site.
Whenever I try to use a self-signed certificate for the SharePoint site, it
whines during the validation phase about one or more SSL errors. I think
it's because I have the SharePoint site running under a local account. I did
log in to that account and import the root CA certificate but that didn't
help. I'm also seeing event log entries about an invalid CA. The CA is on
Windows 2000, having been installed for this purpose and it seems to be OK.
What I have right now is:

https://project.ourcompany.com/ProjectServer
http://sharepoint.ourcompany.com and
http://sharepoint:12345 for the admin site.

I just couldn't get FQDNs to work any other way. So today I bit the bullet
and ordered a real SSL certificate for SharePoint to see if that fixes my
issues. I don't know how SQL talks to Project/SharePoint, so I'm wondering
if this is part of the problem (the lack of a real SSL certificate).

I also have another issue where any Windows 2000 computer can use Issues,
Risks and Documents perfectly, but using the same credentials on any Windows
XP SP1 box generates an error dialog that says SharePoint couldn't talk to
the Project server and I should add the two sites to Trusted Sites, which I
have already done. Any guesses on this one would be appreciated. The XP
boxes can get to the project site directly OK.

BTW, none of my computers have had Trusted Sites set to the Default level
for whatever reason.

Ray

Raymond Chiu (gatorback

If you type your DOMAIN credentials: logon (not PWA logon), PW, & domain to
logon remotely, are these sent in plain text?
 

Raymond Chiu (gatorback

Did you add SSL functionality after testing all other functionality?
 

Rolly Perreaux

Hi Raymond,

Domain credentials are sent in plain text if SSL (https) is not used.

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 

Ray

Hi Rolly,

I only have Integrated authentication set on the Project & SharePoint sites,
anonymous is disabled and Basic is disabled. It should be passing the
credentials solely by NTLM, shouldn't it? In IE, if a site is set to require
NTLM, IE should never pass Basic credentials. I do recall reading that the
credentials are passed in the clear in the PWA docs, but I thought that
assumes that Basic authentication is being used.

I admit you do have my curiosity piqued, though. If I get a chance today,
I'll run a login with Ethereal on my desktop and see what it shows. This is
the article I was thinking of, first and third bullet points:

http://support.microsoft.com/default.aspx?scid=kb;en-us;264921 - How IIS
authenticates browser clients

"Orders of precedence: When the browser makes a request, it always considers
the first request to be Anonymous. Therefore, it does not send any
credentials. If the server does not accept Anonymous or if the Anonymous
user account set on the server does not have permissions to the file being
requested, the IIS server responds with an "Access Denied" error message and
sends a list of the authentication types that are supported by using one of
the following scenarios:

  • If Windows Integrated is the only supported method (or if Anonymous
    fails), then the browser must support this method to communicate with the
    server. The server tries Kerberos first, and if this fails, then the server
    falls back to Windows NT Challenge/Response. If this fails, the server does
    not try any of the other methods.

  • If Basic is the only supported method (or if Anonymous fails), then
    a dialog box appears in the browser to get the credentials, and then passes
    these to the server. It attempts to send the credentials up to three times.
    If these all fail, the browser does not connect to the server.

  • If both Basic and Windows Integrated are supported, the browser
    determines which method is used. If the browser supports Kerberos or Windows
    NT Challenge/Response, it uses this method. It does not fall back to Basic.
    If Windows NT Challenge/Response and Kerberos are not supported, the browser
    uses Basic, Digest, or Fortezza if it supports these. The order of
    precedence here is Basic, Digest, and then Fortezza."


Ray
 

Rolly Perreaux

You are absolutely correct Ray, except when you have a Web Pop-up
Authentication asking for username and password. I think that's where I
misunderstood your previous question. So let's review:

A user's domain credentials are encrypted when logging onto the
Windows Server Domain. Done by the Domain Controller (Kerberos V)

When a user logs onto PWA (Windows or Project Server
authenticated) and the IE security setting for User Authentication
is set to "Automatic logon with current username and password"
then the credentials are encrypted

However, if the same user logs onto PWA and the IE security
setting for User Authentication is set to anything else you will
get a Pop-up Authentication (NT Challenge/Response) for username
and password. These credentials are sent in clear text.

I did an SMS NetMon capture based on the last scenario and it shows the
packet data that passes the credential information.

I've enclosed a text file called NetmonCapture.txt that shows the data.
See if you can find the username and password ;-)

Hope this clears things up
Cheers,

--
Rolly Perreaux, PMP
Project Server Trainer/Consultant

IT Summit Series
Advanced Microsoft Technology Training
http://www.itsummitseries.com
 

Ray

Whoa, that's scary! No, you didn't misunderstand my question; I apparently
misunderstood how IE works. For all of our internal users, they get an
automatic logon. For the Internet SSL outside companies, they do get a
pop-up. I thought that if I did not enable Basic authentication on the IIS
web site, then IIS would not accept basic credentials and IE would not send
them. They are able to logon OK after they manually input their credentials
into the authentication pop-up, so I guess I need to install Ethereal on a
non-domain computer and see what's going on.

Thanks for taking the time to look at this.

Ray
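
An added example, not part of any post in this thread: one way to check what an HTTP Authorization header taken from your own capture actually carries, by decoding its token and reporting whether the password is directly readable from it. The function names, hosts, account and password below are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(value):
    """Return (scheme, detail, password_recoverable) for one Authorization value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("basic", "ntlm", "negotiate"):
        return (scheme, "unrecognised scheme", False)
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "undecodable token", False)
    if scheme == "basic":
        # Basic is base64("user:password"): reading the header yields the password.
        user, sep, _password = raw.decode("latin-1").partition(":")
        return (scheme, "user=" + user, bool(sep))
    if raw[:8] == b"NTLMSSP\x00" and len(raw) >= 12:
        # NTLM messages carry a message type and a challenge response,
        # not the password itself.
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return (scheme, "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type), False)
    # A token that is not raw NTLM is normally an SPNEGO blob (ASN.1 tag 0x60).
    kind = "SPNEGO/Kerberos token" if raw[:1] == b"\x60" else "unknown token"
    return (scheme, kind, False)

def cleartext_exposures(requests):
    """List (url, detail) for requests whose password a sniffer could read."""
    hits = []
    for url, header in requests:
        _scheme, detail, recoverable = classify_authorization(header)
        if recoverable and url.lower().startswith("http://"):
            hits.append((url, detail))
    return hits

# Constructed sample data: hosts, account and password are made up.
BASIC_TOKEN = base64.b64encode(b"OURDOMAIN\\jdoe:Example-Pw1").decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207)).decode()
SAMPLE = [
    ("http://sharepoint.example.test/", "Basic " + BASIC_TOKEN),
    ("https://project.example.test/ProjectServer", "Basic " + BASIC_TOKEN),
    ("http://sharepoint.example.test/", "NTLM " + NTLM_TOKEN),
]

if __name__ == "__main__":
    print("exposed:", cleartext_exposures(SAMPLE))
```

A False result only means the password cannot be read straight from the header; it does not make NTLM over plain http equivalent to running the site over SSL.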
 
