Category: Authentication

SharePoint: Troubleshooting the Security Token Service (STS)

STS Background: In SharePoint 2010, 2013, 2016, etc., the Security Token Service (STS) is a web service hosted under the “SharePoint Web Services” IIS site on HTTP port 32843 and HTTPS port 32844, in a virtual directory called SecurityTokenServiceApplication. In SharePoint 2010, it contains 2 web services: Securitytoken.svc and Windowstokencache.svc. In SharePoint 2013 and 2016, it contains
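A quick health check for the STS as the excerpt describes it, as an added example (this is not code from the post). It runs in the SharePoint Management Shell on a farm server and uses only the facts above: the “SharePoint Web Services” IIS site, the SecurityTokenServiceApplication virtual directory, and ports 32843/32844. The TypeName filter and the assumption that port 32844 presents a self-signed certificate are assumptions about a default installation.

```powershell
# Added example, not from the post. Run in an elevated SharePoint Management Shell
# on a SharePoint server. Site, vdir and ports are the ones the post names; the
# TypeName filter and the self-signed-certificate remark are assumptions.
Import-Module WebAdministration -ErrorAction Stop

# 1. Is the STS registered in the farm and online?
$sts = Get-SPServiceApplication | Where-Object { $_.TypeName -like '*Security Token*' }
if (-not $sts) { Write-Warning 'No Security Token Service application found in the farm.' }
else { '{0,-45} Status={1}' -f $sts.DisplayName, $sts.Status }

# 2. Do the IIS site, the virtual directory and its application pool still exist and run?
$site = Get-Website -Name 'SharePoint Web Services'
if (-not $site) { Write-Warning 'IIS site "SharePoint Web Services" is missing.' }
else {
    '{0,-45} State={1}' -f $site.Name, $site.State
    $app = Get-WebApplication -Site $site.Name -Name 'SecurityTokenServiceApplication'
    if (-not $app) { Write-Warning 'Virtual directory SecurityTokenServiceApplication is missing.' }
    else {
        $poolState = (Get-WebAppPoolState -Name $app.applicationPool).Value
        '{0,-45} AppPool={1} ({2})' -f $app.path, $app.applicationPool, $poolState
    }
}

# 3. Probe both listeners from the server itself. Port 32844 usually carries a
#    certificate the box does not trust, so validation is relaxed for this loopback
#    probe only and restored afterwards; never do this in a real client.
$previousCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
try {
    $urls = @(
        'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc',
        'https://localhost:32844/SecurityTokenServiceApplication/securitytoken.svc'
    )
    foreach ($url in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
            '{0} -> HTTP {1}' -f $url, $r.StatusCode
        } catch {
            # Invoke-WebRequest throws on connection failures and on 4xx/5xx responses;
            # the message tells you which (refused port vs. 503 from a stopped app pool).
            '{0} -> FAILED: {1}' -f $url, $_.Exception.Message
        }
    }
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previousCallback
}
```

A 200 from both URLs only proves the service is listening and the app pool is up; token issuance failures still need the ULS logs. A connection refused on one port but not the other points at the IIS binding, and a 503 on both points at the application pool.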

SharePoint: Check Permissions and External Tokens – FBA

This post is similar to my previous post on Check Permissions, except here we’ll be talking about Forms-Based Authentication (FBA). The way “Check Permissions” works varies by authentication method. For Windows or Trusted Provider auth, see my other posts:
Windows-Claims Authentication: https://joshroark.com/sharepoint-troubleshooting-check-permissions-windows-auth/
Trusted Provider Authentication: https://joshroark.com/sharepoint-check-permissions-and-external-tokens-adfs-saml-auth/
With Forms-Based Authentication, all of the same

SharePoint 2016: Office documents prompt for authentication on anonymous site

Consider the following scenario: You have a SharePoint 2016 site that has been enabled for anonymous access. You have some Microsoft Office (Word, Excel, PowerPoint, etc.) documents in a library that anonymous users also have access to. A user clicks on a Word document (for example) to open it. They receive a credential prompt,

SharePoint: Users forced to re-authenticate unexpectedly

This post covers the scenario where users log in via a trusted provider / SAML-claims (like ADFS, Ping, SiteMinder, etc.) and intermittently they are redirected to the login page to re-authenticate. There are a few pieces of information you need for a scenario like this (beyond the regular scoping): 1. Output of Get-SPSecurityTokenServiceConfig 2. A Fiddler trace
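One check to run against the Get-SPSecurityTokenServiceConfig output the excerpt asks for, as an added example (not code from the post). The property names are those the cmdlet actually returns. The SAML token lifetime is an assumed input: read it from the identity provider (for ADFS, the relying-party trust’s token lifetime in minutes) or from the NotOnOrAfter condition of the assertion captured in the Fiddler trace. The rule encoded here, that SharePoint discards a cached logon token LogonTokenCacheExpirationWindow before the SAML token expires, so that window must be shorter than the token lifetime, comes from Microsoft’s STS documentation, not from the excerpt.

```powershell
# Added example, not from the post. Run in the SharePoint Management Shell.
# The SAML token lifetime is an assumed input taken from the trusted provider
# or the Fiddler trace; everything else is read from the farm.
function Test-SPLogonTokenLifetime {
    param(
        # Lifetime of the SAML token the trusted provider issues (assumed input).
        [Parameter(Mandatory)][timespan]$SamlTokenLifetime
    )
    $cfg = Get-SPSecurityTokenServiceConfig

    # SharePoint treats a cached logon token as expired LogonTokenCacheExpirationWindow
    # before the SAML token's own expiry. If the window is not shorter than the token
    # lifetime, every token is "expired" on arrival and the user is sent back to the
    # identity provider, which looks like random forced re-authentication.
    $effective = $SamlTokenLifetime - $cfg.LogonTokenCacheExpirationWindow
    if ($effective -le [timespan]::Zero) {
        $verdict = 'BAD: LogonTokenCacheExpirationWindow is not shorter than the SAML token lifetime'
    } elseif ($effective -lt (New-TimeSpan -Minutes 5)) {
        $verdict = 'WARN: effective session is under 5 minutes; expect frequent redirects'
    } else {
        $verdict = 'OK'
    }

    [pscustomobject]@{
        SamlTokenLifetime               = $SamlTokenLifetime
        LogonTokenCacheExpirationWindow = $cfg.LogonTokenCacheExpirationWindow
        EffectiveCachedSession          = $effective
        UseSessionCookies               = $cfg.UseSessionCookies
        FormsTokenLifetime              = $cfg.FormsTokenLifetime
        WindowsTokenLifetime            = $cfg.WindowsTokenLifetime
        MaxLogonTokenCacheItems         = $cfg.MaxLogonTokenCacheItems
        Verdict                         = $verdict
    }
}

# Example run: a provider issuing 60-minute tokens (assumed value).
Test-SPLogonTokenLifetime -SamlTokenLifetime (New-TimeSpan -Minutes 60) | Format-List

# If the verdict is BAD, shorten the window rather than the provider's token lifetime;
# the STS config object is changed in place and committed with Update():
#   $cfg = Get-SPSecurityTokenServiceConfig
#   $cfg.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes 10)
#   $cfg.Update()
```

Compare the EffectiveCachedSession value with the gap between the last good request and the redirect in the Fiddler trace: if they match, the lifetimes are the cause; if users are bounced well before that, look elsewhere (load balancer affinity, cookie domain, or the provider rejecting the session).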

SharePoint: Facts and Troubleshooting the Claims To Windows Token Service (C2WTS)

Update: 8/5/19 — Made an amendment to Fact #3. Facts: 1. The Claims to Windows Token Service (from here on denoted as “C2WTS”) is only used when SharePoint needs to get data from an external system that does not understand claims.  Examples of features that can be configured to use C2WTS include, but are not

SharePoint: Issues with profile pictures when MySite uses SAML auth

There are a couple of known issues with user profile pictures when your MySite web application uses Trusted Provider (ADFS / SAML) authentication. Symptoms: There are two different known symptoms with the same cause and solution: #1 When running User Profile Synchronization, nothing is imported or exported. In the Forefront Identity Manager (FIM) client, we see

SharePoint: Common NTLM Authentication Issues, aka: Consider Ditching NTLM

NTLM authentication is not great. It’s not the fastest. In most cases, that honor would go to Kerberos. It’s not the most secure. Again, Kerberos. It’s not all that flexible. For example, it doesn’t work well for extranets or anything cross-firewall. In those scenarios, Trusted Provider auth (SAML / WS-Fed) works well.  See: AD FS.