Category: Authentication

SharePoint 2016: Office documents prompt for authentication on anonymous site

  Consider the following scenario: You have a SharePoint 2016 site that has been enabled for anonymous access. You have some Microsoft Office (Word, Excel, PowerPoint, etc) documents in a library that anonymous users also have access to. A user clicks on a (for example) Word document to open it. They receive a credential prompt,

SharePoint: Users forced to re-authenticate unexpectedly

This post covers the scenario where users log in via a trusted provider / SAML-claims  (like ADFS, Ping, Site Minder, etc) and intermittently, they are redirected to the login page to re-authenticate. There are a few pieces of information you need for a scenario like this (beyond the regular scoping): 1. Output of Get-SPSecurityTokenServiceConfig2. A Fiddler trace

SharePoint: Facts and Troubleshooting the Claims To Windows Token Service (C2WTS)

Update: 8/5/19 — Made an amendment to Fact #3. Facts: 1. The Claims to Windows Token Service (from here on denoted as “C2WTS”) is only used when SharePoint needs to get data from an external system that does not understand claims.  Examples of features that can be configured to use C2WTS include, but are not

SharePoint: Issues with profile pictures when MySite uses SAML auth

  There are a couple known issues with user profile pictures when your Mysite web application uses Trusted Provider (ADFS / SAML) authentication. Symptoms There are two different known symptoms with the same cause and solution: #1When running User Profile Synchronization, nothing is imported or exported. In the Forefront Identity Manager (FIM) client, we see

SharePoint: Common NTLM Authentication Issues, aka: Consider Ditching NTLM

NTLM authentication is not great. It’s not the fastest. In most cases, that honor would go to Kerberos. It’s not the most secure. Again, Kerberos. It’s not all that flexible. For example, it doesn’t work well for extranets or anything cross-firewall. In those scenarios, Trusted Provider auth (SAML / WS-Fed) works well.  See: AD FS.