Seamless SharePoint Access: Enabling Integrated Windows Authentication in Browsers

Introduction

Recently, many organizations have been migrating their on-premises SharePoint environments. While the migration itself is a big task, we also need to preserve the same level of user experience afterwards. After migrating our SharePoint Server to a new domain, we encountered an issue where users were repeatedly prompted for their Active Directory (AD) credentials whenever they accessed the SharePoint site or tried to edit documents. This interruption to their workflow was a constant nuisance and impacted productivity.

To resolve this, we implemented a solution using Group Policy to enable Integrated Windows Authentication (IWA) within the most commonly used web browsers. This allows for seamless single sign-on (SSO), eliminating the need for users to manually enter their credentials every time. Here’s how to configure Microsoft Edge, Google Chrome, and Firefox for IWA.

Understanding the Problem

When a SharePoint site resides in a different domain than the user’s computer, browsers often don’t automatically pass the user’s AD credentials for authentication. This requires manual login, and also impacts integrations with Office applications during document editing sessions.

Solution Overview

The solution involves using Group Policy to modify browser settings. This provides a centrally managed approach for enabling Integrated Windows Authentication across your organization.

Microsoft Edge and Google Chrome Configuration

Both Edge and Chrome use similar settings, leveraging the underlying Internet Explorer framework for handling authentication:

Steps:

  1. Create a New Group Policy Object (GPO)
    • Open the Group Policy Management console (gpmc.msc).
    • Create a new GPO, naming it something descriptive (e.g., “Enable Integrated Auth for SharePoint”).
    • Link this GPO to the appropriate Organizational Unit (OU) containing the computers that will access your SharePoint site.
  2. Configure Site to Zone Assignment:
    • Navigate to: Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page
    • Locate the policy: Site to Zone Assignment List
    • Set the policy to Enabled.
    • Click Show… to add your SharePoint URL.
      • Under Value Name, enter your SharePoint URL (e.g., https://yoursharepoint.example.com/)
      • Under Value, enter 1 (The value “1” corresponds to the Intranet zone).
      • Click OK.
  3. Configure Automatic Logon (Intranet Zone):
    • Navigate to: Computer Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
    • Locate the policy: Logon options.
    • Set the policy to Automatic logon with current username and password.
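
The following PowerShell script is an added example, not part of the original post: it writes the same two settings to the registry locations the Group Policy entries above populate, so you can validate them on a single test machine before linking the GPO, and then reads them back to confirm what the browser will actually see. The SharePoint URL is a placeholder you replace with your own. It deliberately refuses non-HTTPS or wildcard entries, because every URL mapped into the Intranet zone will receive the user's Windows credentials automatically.

```powershell
# Added example (not from the original post): apply and verify the Edge/Chrome
# (Internet Explorer security zone) settings on a single test machine.
# Run from an elevated PowerShell. The URL below is a placeholder.

$SharePointUrl = 'https://yoursharepoint.example.com'   # placeholder, replace with yours

# Registry locations that the two Group Policy settings write to
$ZoneMapKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
$IntranetKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

function Set-SharePointIntranetZone {
    param([Parameter(Mandatory)][string]$Url)

    # Only an explicit https host belongs in the Intranet zone: anything mapped
    # here is handed the user's Windows credentials without a prompt.
    if ($Url.Contains('*')) {
        throw "Refusing to map a wildcard pattern ($Url) to the Intranet zone."
    }
    if (([Uri]$Url).Scheme -ne 'https') {
        throw "Refusing to map a non-HTTPS URL ($Url) to the Intranet zone."
    }

    # Site to Zone Assignment List: value name = URL, value data = zone number (1 = Intranet)
    New-Item -Path $ZoneMapKey -Force | Out-Null
    New-ItemProperty -Path $ZoneMapKey -Name $Url -Value '1' -PropertyType String -Force | Out-Null

    # Intranet zone "Logon options": DWORD 1A00 = 0 selects
    # "Automatic logon with current username and password"
    New-Item -Path $IntranetKey -Force | Out-Null
    New-ItemProperty -Path $IntranetKey -Name '1A00' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-SharePointIntranetZone {
    param([Parameter(Mandatory)][string]$Url)

    # Read the values back; missing keys simply yield $null
    $zone  = (Get-ItemProperty -Path $ZoneMapKey -ErrorAction SilentlyContinue).$Url
    $logon = (Get-ItemProperty -Path $IntranetKey -ErrorAction SilentlyContinue).'1A00'

    [pscustomobject]@{
        Url              = $Url
        MappedToIntranet = ($zone -eq '1')
        AutoLogonEnabled = ($logon -eq 0)
    }
}

# Usage: apply the settings, then confirm both flags report True
Set-SharePointIntranetZone -Url $SharePointUrl
Test-SharePointIntranetZone -Url $SharePointUrl | Format-List
```

Once the GPO is linked, run only Test-SharePointIntranetZone on a domain-joined machine after gpupdate to confirm the policy arrived; if either flag is False, the browser will keep prompting.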

Explanation:

Site to Zone Assignment List: This setting tells Internet Explorer (and Edge/Chrome) to treat your SharePoint URL as part of the Intranet zone.

Automatic logon with current username and password: This setting allows the browser to automatically pass the user’s current Windows credentials when accessing intranet sites (in our case, SharePoint).

Firefox Configuration

Firefox requires its own set of Group Policy settings, and you will need the Firefox ADMX templates installed in your environment.

Steps:

  1. Install Firefox ADMX Templates (If you haven’t already):
    • Download the latest Firefox ADMX template files for your version of Firefox.
    • Copy the .admx files to your central policy store (typically located at %systemroot%\PolicyDefinitions).
    • Copy the appropriate .adml files to the matching language subdirectory (e.g., %systemroot%\PolicyDefinitions\en-US).
  2. Create/Edit the GPO
    Use your existing GPO from above, or create a new one.
  3. Configure Firefox Network Settings:
    • Navigate to: Computer Configuration/Policies/Administrative Templates/Mozilla/Advanced Options/Options/Locked Settings/Network/Policy
    • Configure the following three settings:
      • network.automatic-ntlm-auth.trusted-uris: Set this to Enabled and add your SharePoint URL to the list (e.g., https://yoursharepoint.example.com)
      • network.negotiate-auth.delegation-uris: Set this to Enabled and add your SharePoint URL to the list (e.g., https://yoursharepoint.example.com)
      • network.negotiate-auth.trusted-uris: Set this to Enabled and add your SharePoint URL to the list (e.g., https://yoursharepoint.example.com)
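
As an added example that is not part of the original post, the script below configures the same three Firefox preferences through the Firefox "Authentication" enterprise policy in its registry form (SPNEGO corresponds to network.negotiate-auth.trusted-uris, Delegated to network.negotiate-auth.delegation-uris, and NTLM to network.automatic-ntlm-auth.trusted-uris), then reads the lists back for comparison with the GPO. It assumes a Firefox version that supports that policy; the SharePoint URL is a placeholder. Like the Edge/Chrome example, it only accepts explicit https hosts, since each entry is a site Firefox will authenticate to silently with the user's Windows credentials.

```powershell
# Added example (not from the original post): set and verify Firefox's
# Integrated Windows Authentication lists via the "Authentication" policy.
# Run from an elevated PowerShell. The URL below is a placeholder.

$SharePointUrl = 'https://yoursharepoint.example.com'   # placeholder, replace with yours
$AuthKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication'

function Set-FirefoxIwaPolicy {
    param([Parameter(Mandatory)][string[]]$Urls)

    foreach ($u in $Urls) {
        # Every entry receives the user's credentials (and, in the Delegated
        # list, a delegable Kerberos ticket) without a prompt, so keep it to
        # explicit https hosts.
        if ($u.Contains('*') -or ([Uri]$u).Scheme -ne 'https') {
            throw "Refusing to trust '$u': only explicit https:// hosts belong in this list."
        }
    }

    foreach ($list in 'SPNEGO', 'Delegated', 'NTLM') {
        $key = Join-Path $AuthKey $list
        # Recreate the key so stale entries from earlier tests do not linger
        if (Test-Path $key) { Remove-Item $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
        # Firefox reads the entries as numbered string values: 1, 2, 3, ...
        for ($i = 0; $i -lt $Urls.Count; $i++) {
            New-ItemProperty -Path $key -Name ($i + 1) -Value $Urls[$i] -PropertyType String -Force | Out-Null
        }
    }
}

function Get-FirefoxIwaPolicy {
    # One row per list, with the trusted URIs in the order Firefox reads them
    foreach ($list in 'SPNEGO', 'Delegated', 'NTLM') {
        $key   = Join-Path $AuthKey $list
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $entries = @()
        if ($props) {
            $entries = @($props.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object { $_.Value })
        }
        [pscustomobject]@{ List = $list; TrustedUris = ($entries -join ', ') }
    }
}

# Usage: write the three lists, then show what Firefox will trust
Set-FirefoxIwaPolicy -Urls $SharePointUrl
Get-FirefoxIwaPolicy | Format-Table -AutoSize
```

After the policy is in place, about:policies in Firefox shows the Authentication entry as active, which is the quickest way to confirm the GPO applied rather than the locked preferences alone.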

Explanation:

network.automatic-ntlm-auth.trusted-uris: This allows Firefox to automatically use NTLM authentication for the specified URLs.

network.negotiate-auth.delegation-uris: This setting allows Kerberos delegation to be used when the URI is opened in a new window.

network.negotiate-auth.trusted-uris: This setting allows Kerberos delegation to be used in HTTP authentication.

Final Thoughts

By applying these Group Policy configurations, users should now be able to seamlessly access your SharePoint site without being prompted for their AD credentials, both in the browser and when opening or editing documents. This improves user experience, enhances productivity, and minimizes the frustrations associated with constant authentication requests. Remember to thoroughly test these changes before deploying them to your production environment.

Key Takeaways:

  • Integrated Windows Authentication simplifies user access by eliminating the need for manual logins.
  • Group Policy is the best way to centrally manage browser authentication settings.
  • Test in a pilot environment before deploying widely.
