SharePoint issues when using a trust with Selective Authentication

If you have some experience with SharePoint, the issue where you get a credential request three times before hitting the 401 Unauthorized is probably not new to you. We all know this happens when you try to navigate to a SharePoint site from the web front-end servers. Resolving this is common knowledge for SharePoint admins… You disable the loopback check in the registry or you use the recommended BackConnectionHostNames registry key. This has been documented in KB896861.

Last week, I was at a customer doing an assessment of a SharePoint implementation and one of their developers approached me with a weird issue on their Extranet. They have a SharePoint farm in a separate extranet domain. Between the internal domain and the extranet domain is a one-way trust that allows users from the internal domain to use their accounts to log on to a site on the Extranet. He was able to do this from the web front-end servers of the Extranet farm, but not from his laptop. On his laptop, he had to enter his credentials and this kept failing… seems familiar, right?

I double-checked the BackConnectionHostNames on the servers and sure enough, the key and hosts were there.

I tried the same thing on my machine with my account and this worked! I was able to go to the site from my machine. When he tried to do it from my machine with his account, it failed. We tested this on several other clients with several users… ALL of them had the same issue. Nobody was able to sign in. Only I was able to sign in, from any place.

I will spare you the checks and comparisons we did, but I will tell you that we were able to solve it!

Servers in a domain are, like user accounts, just objects in Active Directory. When you open the properties of such a computer object in AD and go to the Security tab, you can set the permissions that specific AD principals have on that computer object. One of those permissions is “Allowed to authenticate”. For the servers in that Extranet farm, I was explicitly granted that permission, while the “Authenticated Users” group was not…

[Screenshot: the “Allowed to authenticate” permission on the computer object's Security tab]

In normal circumstances, this doesn’t pose any issue. If you have one domain which contains both your users and your servers, this permission is not required. Furthermore, if you have multiple domains with a one-way trust and you keep the default trust authentication level (Forest-wide authentication), you will not have any issues with users from the trusted domain authenticating to resources in the trusting domain.

[Screenshot: the trust's authentication level set to Selective Authentication]

However, when the trust uses “Selective Authentication”, you need to explicitly grant the “Allowed to authenticate” permission to the users on the computer objects of the resources they need to access. When we verified the authentication level of the trust at the customer, we got confirmation that they were using selective authentication. So, to resolve this issue, we had to give “Authenticated Users” this permission on the SharePoint servers in the AD of the Extranet domain.
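As an added example (not code from the original post), this PowerShell snippet audits and, where needed, grants the “Allowed to authenticate” control access right on the farm's computer objects in the trusting (Extranet) domain. It assumes the RSAT ActiveDirectory module, an account that may edit those computer objects, and placeholder server names; the GUID is the schema rights-Guid of the Allowed-To-Authenticate extended right.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module
# and must run in (or against) the trusting domain that holds the farm's computer objects.
Import-Module ActiveDirectory

# Schema rights-Guid of the Allowed-To-Authenticate control access right.
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-ComputerAclPath {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).DistinguishedName
    return "AD:\$dn"   # the AD: PSDrive exposed by the ActiveDirectory module
}

# True when $Sid already holds an Allow ACE for the Allowed-To-Authenticate right.
function Test-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path (Get-ComputerAclPath $ComputerName)
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $AllowedToAuth -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $Sid.Value
    }
    return [bool]$match
}

# Adds the ACE the post describes: Allow / ExtendedRight / Allowed-To-Authenticate for $Sid.
function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $path = Get-ComputerAclPath $ComputerName
    $acl  = Get-Acl -Path $path
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.Principal.AccessControlType]::Allow, $AllowedToAuth)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit the farm. The post granted Authenticated Users (well-known SID S-1-5-11);
# a domain local group's SID works the same way. Server names are placeholders.
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
foreach ($server in 'EXT-WFE01', 'EXT-WFE02') {
    if (-not (Test-AllowedToAuthenticate -ComputerName $server -Sid $AuthenticatedUsers)) {
        Write-Warning "$server is missing 'Allowed to authenticate' for Authenticated Users"
        # Uncomment to remediate: Grant-AllowedToAuthenticate -ComputerName $server -Sid $AuthenticatedUsers
    }
}
```

Run the audit first against every farm server you expect trusted-domain users to reach; the ACE has to replicate within the trusting domain before a fresh logon from the trusted domain succeeds.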

See the following articles for more information on selective authentication on trusts.

4 thoughts on “SharePoint issues when using a trust with Selective Authentication”

  • Thursday, 12 January, 2017 at 21:52

    Hi Bart,

    Thanks for the article.

    We ran into a similar problem. We did know that we used Selective Authentication prior to attempting to add users from the trusted domain. So we made sure the service accounts were able to do AD lookups in the trusted domain; so the People Picker worked. We ran into the problem when a user in the trusted domain tried to log on.

    Just as you experienced, they kept getting prompted for logon credentials. We knew we needed to add the Allow to Authenticate permissions, so we created a domain local group in the trusting domain (didn’t want to use Authenticated Users) and added that group to the computer object with the Allow to Authenticate permissions. It still didn’t work…

    This leads to my question.
    Q: Do you apply the Allow to Authenticate permissions on the computer object Security tab of ALL SP farm servers (SQL backend, all Front Ends), or is just the Front End enough?

    • Monday, 16 January, 2017 at 20:13

      The permission was set on all servers in the farm. I can’t confirm if it’s actually needed for all servers. I only know they changed it and the issue was solved. Did you try it using the All Authenticated Users instead of the new group? Just to check if it’s not related to the group you used.

      • Monday, 16 January, 2017 at 20:51

        Hi Bart,

        We got it to work!

        After adding the domain local group from the trusting domain that had the SharePoint service accounts that were assigned to the web applications, we just needed to wait some time for that Allowed to Authenticate permission to apply to the SharePoint farm server. We only applied it to the Front End in our test server. We will do the same in the production server to see if that works. If not, we will apply it to all servers and let you know what happens.

        • Tuesday, 17 January, 2017 at 21:48

          That’s great Carlos! Good to know that only the front end servers need that permission. One is never too old to learn, right? 🙂
