Thursday, July 17, 2008

Integrated Windows Authentication and SharePoint

According to Wikipedia, Integrated Windows Authentication (which even MS sometimes calls "Windows Integrated Authentication") "refers to the SPNEGO, Kerberos, and NTLMSSP authentication protocols with respect to SSPI functionality..." However, Wikipedia goes on to say "The term is used more commonly for the automatically authenticated connections between Microsoft Internet Information Services and Internet Explorer."

<http://en.wikipedia.org/wiki/Integrated_Windows_Authentication>

The "automatically authenticated" connections use the workstation login credential. This means that the workstation login must use an AD domain that is trusted by the server. The chief advantage is that every application which needs a connection to the server can use the same credential – single sign-on heaven, if you are using Windows, IE, Office, and SharePoint (there's a pattern here… <g>)

In SharePoint terms, in the Central Administration site, for each web application you can select authentication providers. If you select the "Windows" authentication provider, then under "IIS Authentication" you can select "Integrated Windows Authentication" and/or "Basic Authentication". If you select "Integrated", you can then choose "Kerberos" or "NTLM", but not both. Choosing Kerberos only works if a service principal name (SPN) for the web application's host name is registered on its application pool account; without it, domain clients either fall back to NTLM or fail with repeated login prompts, so a site that "works" is not proof that Kerberos is actually in use.

MS says "If Active Directory is installed on a domain controller running Windows 2000 Server or Windows Server 2003, and the client browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used." I don't know if that works in a SharePoint setting.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
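Whether Kerberos or NTLM actually ran is visible in the token the browser sends back in its Authorization header, which is the check to make rather than trusting the Central Admin setting. The script below is an added example, not code from the original post or from Microsoft: it decodes the header and reports whether it carries bare NTLM, a SPNEGO token wrapping Kerberos, a SPNEGO token wrapping NTLM (the fallback case), or a raw Kerberos token. The mechanism OIDs are the standard ones; the DER helpers, function names and the sample headers are this script's own, and the sample tokens are constructed stubs (the Kerberos AP-REQ is a two-byte placeholder), not captures from a real farm.

```python
"""Tell Kerberos from NTLM by decoding the token a browser sends in
'Authorization: Negotiate ...' / 'Authorization: NTLM ...'.
Sample headers at the bottom are constructed by this script (assumption:
no real capture), so it runs offline."""
import base64

# DER-encoded OID contents (without the 0x06 tag and length byte)
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")     # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS Kerberos", OID_NTLMSSP: "NTLMSSP"}


def der(tag, content):
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf, pos):
    """Return (tag, content_start, content_end) of the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def classify_authorization(header):
    """Classify an HTTP 'Authorization: <scheme> <base64>' request header."""
    scheme, _, b64 = header.strip().partition(" ")
    tok = base64.b64decode(b64) if b64 else b""
    info = {"scheme": scheme, "mech": "unknown"}
    if tok.startswith(b"NTLMSSP\x00"):      # bare NTLMSSP message, type 1/2/3
        info.update(mech="NTLM", ntlm_type=int.from_bytes(tok[8:12], "little"))
        return info
    if not tok or tok[0] == 0xA1:           # empty, or negTokenResp (later SPNEGO leg)
        info["mech"] = "SPNEGO" if tok else "none"
        return info
    if tok[0] != 0x60:                      # not a GSS-API InitialContextToken
        return info
    _, body, _ = der_read(tok, 0)
    _, os_, oe = der_read(tok, body)
    oid = tok[os_:oe]
    if oid in (OID_KRB5, OID_MS_KRB5):      # raw Kerberos, no SPNEGO wrapper
        info["mech"] = "Kerberos"
        return info
    if oid != OID_SPNEGO:
        info["oid"] = oid.hex()
        return info
    # SPNEGO negTokenInit: [0] SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    _, ps, _ = der_read(tok, oe)
    _, pos, end = der_read(tok, ps)
    mechs, wrapped = [], None
    while pos < end:
        ctag, cs, ce = der_read(tok, pos)
        if ctag == 0xA0:                    # mechTypes: SEQUENCE OF OID, preferred first
            _, p, le = der_read(tok, cs)
            while p < le:
                _, a, b = der_read(tok, p)
                mechs.append(MECH_NAMES.get(tok[a:b], tok[a:b].hex()))
                p = b
        elif ctag == 0xA2:                  # mechToken: optimistic token for mechTypes[0]
            _, a, b = der_read(tok, cs)
            inner = tok[a:b]
            if inner.startswith(b"NTLMSSP\x00"):
                wrapped = "NTLM"
            elif inner[:1] == b"\x60":
                wrapped = "Kerberos"
            else:
                wrapped = "other"
        pos = ce
    info.update(mech="SPNEGO", mech_types=mechs, wrapped=wrapped)
    return info


# --- constructed sample tokens (stubs, not real captures) -------------------
def ntlm_message(msg_type):
    """NTLMSSP signature plus little-endian message type; payload omitted."""
    return b"NTLMSSP\x00" + msg_type.to_bytes(4, "little")


def spnego_init(mech_types, mech_token):
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mech_types))
    neg = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg))


def krb5_token(ap_req):
    """GSS InitialContextToken for Kerberos; 0x0100 is the KRB_AP_REQ token id."""
    return der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + ap_req)


def header(scheme, tok):
    return scheme + " " + base64.b64encode(tok).decode()


FAKE_AP_REQ = b"\x6e\x00"   # placeholder only; a real AP-REQ is hundreds of bytes
SAMPLE_KERBEROS = header("Negotiate", spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], krb5_token(FAKE_AP_REQ)))
SAMPLE_NTLM_FALLBACK = header("Negotiate", spnego_init([OID_NTLMSSP], ntlm_message(1)))
SAMPLE_NTLM_ONLY = header("NTLM", ntlm_message(3))
SAMPLE_RAW_KRB5 = header("Negotiate", krb5_token(FAKE_AP_REQ))

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM_FALLBACK, SAMPLE_NTLM_ONLY, SAMPLE_RAW_KRB5):
        print(classify_authorization(h))
```

The case worth watching is SAMPLE_NTLM_FALLBACK: the scheme says "Negotiate", so an IIS log or proxy that only looks at the scheme will report Negotiate, yet the only mechanism offered is NTLMSSP and the inner token is an NTLM type 1 message. That is what a domain-joined client sends when it cannot get a service ticket (no SPN, wrong SPN, or not logged into a trusted domain), and it is why the protocol should be confirmed from the token rather than from the configuration screen.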

Via testing, I have determined that the current versions of Safari (both on Mac and on Windows) support NTLM, but do not support the automatic login feature which is often called Integrated Windows Authentication. A site that is set (via SharePoint Central Admin or via IIS Manager) to use only "Integrated Windows Authentication" can be accessed via a login prompt from Safari 3.x (or, for that matter, Mozilla browsers later than November 2003). However, only Internet Explorer automatically sends the desktop login credential to the server (as far as I know).

Note that the "login prompt for every Office doc" is not an issue for browsers other than IE, because other browsers do not establish their own authenticated connection to SharePoint. They just download Office docs, then pass the file path of the temporary file to the Office app. This method does not require an authentication for the download (the browser is already authenticated), but it does require that if the file is modified, the new version must be saved, then uploaded manually.

Be aware that NTLM login problems have been reported where Safari is used with the Mac OS X 10.5 ("Leopard") system and an authenticating proxy server (such as ISA) is involved:

http://discussions.apple.com/message.jspa?messageID=6102379

-- Joshua

1 comment:

Chris Strolia-Davis said...

Hey Josh,

I know this is an older post, but I thought I would share some information that you might find useful.

You mention in your article that "...only Internet Explorer automatically sends the desktop login credential to the server (as far as I know)."

Firefox actually does support integrated authentication, it just requires a bit of knowledge. I think for security reasons, they make this more difficult, so that only savvy users will change it.

Anyway, in Firefox, if you type "about:config" in the address bar, you will get a list of configuration settings for Firefox. Type "-auth" into the filter bar to narrow them down to the 3 we need.
They are:
"network.automatic-ntlm-auth.trusted-uris"
"network.negotiate-auth.delegation-uris" AND
"network.negotiate-auth.trusted-uris"

In each of these, put a comma separated list of domains you want to be able to use integrated authentication with. In all likelihood, these will be Intranet sites at your place of business.

There is no need to put in the entire URL, "mybiz.com" or "myserver.biz" will usually work fine.

I hope this information is useful to you.

Bye for now,

Chris