Simple Browser Settings for “Single Sign On”

This is a topic that I’m being asked about more and more frequently, so that’s a great reason to write a post! Issues crop up: multiple annoying authentication prompts, and even errors with MS Office (and InfoPath) integration with SharePoint. The best part about this browser setting is that it gets rid of your authentication prompts for SharePoint after the first login. First of all, I’ll show you the quick fix, and then I’ll let you know some of the issues that it solves.

This is really important for end users to know!

  1. First of all, what Internet Explorer (IE) security zone is your SharePoint site in?  Go to your SharePoint site in IE.
  2. Open up the Internet Explorer Internet Options screen.  Go to the Security tab:
  3. What zone is selected by default?  Mine has Trusted Sites selected, so that’s how I know that’s the zone my site is in.  I like to leave my internet zone with pretty high security settings, so for any SharePoint site I go to frequently, I usually add them to my Trusted Sites zone.  If you’re on a corporate network, you may notice that your SharePoint site is already in the Local Intranet zone, which makes sense.
  4. For the zone that your SharePoint site is in, click the Custom Level button. (Again, I’m not recommending you do this for the Internet zone, but I’ll show you other options in a minute).
  5. After you click Custom Level, scroll all the way to the bottom.  In the User Authentication section, select Automatic logon with current user name and password.  Click OK.
  6. After you’ve done this, close and re-open your browser. Then, when you go to your SharePoint site and log in at the authentication prompt, be sure to check the box to remember your credentials before clicking OK.

I use the trusted sites zone for SharePoint sites that I go to which aren’t necessarily on my intranet.  To add sites to it, look at the screenshot at step 1 and click the Sites button there.
You don’t need to type the names of every single web app in the farm. You can simply use an asterisk. In the example above, I put an asterisk there, so any site of the form something.atrackspace.com will be covered. Notice that there are a couple of them in my list that I could have consolidated. So instead of my.contoso.com and rtm.contoso.com, I could just put *.contoso.com.

After you add your site to the list, click Close. Click OK on all screens.  You also may want to go to the IE Compatibility View Settings screen, and add your SharePoint site there as well.

Why would you want to do all of this?  Here are some issues that I’ve seen it fix:

  • Dragging files into SharePoint libraries.  If you’re not able to, this fixes it.
  • This security prompt will go away. “Some files contain viruses that can be harmful to your computer.  It is important to be certain that this file is from a trustworthy source.”
  • You’ll stop being prompted for credentials every time you open an Office file or create a new one directly from SharePoint.
  • Saving straight from Office programs to SharePoint.  When you start a new file directly in an Office program, you can save it straight to a SharePoint library without having to go to the site in the browser.  I’ve seen this not work properly when browser settings are not correct.  When saving straight to SharePoint, the save dialog is supposed to show the site branding at the top, and you can even navigate up a level, and navigate to another library, using the breadcrumb trail at the top.

    This may look slightly different depending on your OS and/or version of MS Office.

  • Gets rid of this error when trying to publish an InfoPath form to SharePoint.  I’m trying to reproduce it, to get the exact text, but haven’t been able to.  It’s not a very descriptive InfoPath publishing error.

I’ll update this post if I think of any other issues and errors that this fix solves.  In general, it improves your Office integration with SharePoint, dramatically.

What about those of you who are server administrators, who would like to apply these IE settings globally, using Group Policy?  You can do that!  Lori Gowin and I are actually presenting a session next week at SPTechCon, about ways that the server admin can help improve user adoption, and this is one of the things we talk about.

Group Policy


The value 1 = intranet zone, so intranet zone is selected here.
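
For admins who want to check what these settings amount to on a given machine, here is a read-only PowerShell audit, added as an example and not part of the original post. It lists every site pattern assigned to a zone (through the Site to Zone Assignment List policy or by hand) next to that zone's logon option, because automatic logon hands the current Windows credentials to any host that a pattern such as *.contoso.com matches. The registry paths are the standard Windows locations for these Internet Explorer settings; the function and variable names are made up for the example.

```powershell
# Added example: read-only audit of IE zone mappings and their logon mode.
$ie    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$iePol = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zones = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$logon = @{ 0x00000 = 'Automatic logon (current user)'; 0x10000 = 'Prompt'
            0x20000 = 'Automatic logon only in Intranet zone'; 0x30000 = 'Anonymous' }

function Get-ZoneLogonMode([int]$Zone) {
    # Setting 1A00 is "Logon options"; a policy value overrides the user's own choice.
    foreach ($root in "HKLM:\$iePol", "HKCU:\$iePol", "HKCU:\$ie") {
        $v = (Get-ItemProperty "$root\Zones\$Zone" -Name 1A00 -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { return [int]$v }
    }
}

# Site to Zone Assignment List (Group Policy): value name = site, data = zone number.
$fromPolicy = foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Get-Item "$hive\$iePol\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($key) { foreach ($site in $key.GetValueNames()) {
        [pscustomobject]@{ Source = "$hive policy"; Site = $site; Zone = [int]$key.GetValue($site) } } }
}

# Sites added by hand in the Sites dialog: key = domain (host label in a subkey),
# value name = scheme ('*' = any scheme), data = zone number.
$fromUser = Get-ChildItem "HKCU:\$ie\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        $labels = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($labels)
        foreach ($scheme in $key.GetValueNames()) {
            [pscustomobject]@{ Source = 'HKCU user'; Site = "${scheme}://" + ($labels -join '.')
                               Zone = [int]$key.GetValue($scheme) }
        }
    }

@($fromPolicy) + @($fromUser) | Where-Object { $_ } | ForEach-Object {
    $mode = Get-ZoneLogonMode $_.Zone
    [pscustomobject]@{
        Source = $_.Source; Site = $_.Site; Zone = $zones[$_.Zone]
        Logon  = if ($null -eq $mode) { 'not set' } else { $logon[$mode] }
        # True when credentials are sent without a prompt to every host the pattern matches.
        SendsCredentials = ($mode -eq 0) -or ($mode -eq 0x20000 -and $_.Zone -eq 1)
    }
} | Sort-Object SendsCredentials -Descending | Format-Table -AutoSize
```

Rows with SendsCredentials set to True and a broad wildcard in the Site column are the ones worth reviewing first.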

 

Have fun!  I’m interested to see the feedback on this one, and if you server admins have anything to throw in that I missed.


6 comments

  • Any tips for Office 2013 and SharePoint Server 2013 when opening a file from SharePoint and getting the “sorry document could not be opened try again” error? It seems to be the OneDrive for Business having an older version of the file and not grabbing the latest. Happens sometimes randomly.


  • I have found that using a non-fully qualified domain name for the SharePoint web application eliminates all the problems mentioned above, e.g. use http://intranet instead of http://intranet.contoso.com. Or better yet, you can use zones, as this will help with PowerShell where FQDN is needed to move site collections to another content database, as an example.


  • Answering to Leo, above:
    There’s a reason why a non-fully qualified domain name works in this case. Non-fully qualified domain names go by default to the “Local Intranet Zone”, which does automatic logon. Fully qualified domain names (or, surprise, any name with a dot (“.”) in it) will go to the Internet Zone, which, by default, doesn’t do automatic logon and requires authentication.


  • To Laura:
    Another trick: Any address listed in the proxy’s exception list (addresses not required to go through proxy) is considered a “Local Intranet zone” address and, then, will do automatic authentication. Sometimes it’s easier for network admins to just configure their proxies and proxy exception addresses instead of working on GPO. I do prefer working on GPO anyway.


  • Thanks Marcos for all of the additional information!


  • This is brilliant and was causing me and some colleagues a lot of pain! Thanks, Laura.

