SharePoint issues when using a trust with Selective Authentication

If you have some experience with SharePoint, the issue where you get a credential prompt three times before hitting a 401 Unauthorized is probably not new to you. We all know this happens when you try to navigate to a SharePoint site from one of the web front-end servers themselves. The fix is common knowledge for SharePoint admins: either disable the loopback check in the registry or, as recommended, use the BackConnectionHostNames registry key. Both are documented in KB896861.

Last week I was at a customer site doing an assessment of a SharePoint implementation, and one of their developers approached me with a weird issue on their Extranet. They have a SharePoint farm in a separate extranet domain. Between the internal domain and the extranet domain is a one-way trust that lets users from the internal domain use their accounts to log on to a site on the Extranet. He was able to do this from the web front-end servers of the Extranet farm, but not from his laptop. On his laptop he was prompted for credentials, and the prompt kept failing… Seems familiar, right?

I double-checked the BackConnectionHostNames on the servers and sure enough, the key and hosts were there.

I tried the same thing on my machine with my account and it worked! I was able to go to the site from my machine. When he tried it from my machine with his account, it failed. We tested this on several other clients with several users… ALL of them had the same issue. Nobody was able to sign in. Only I was able to sign in, from any machine.

I will spare you the checks and comparisons we did, but I will tell you that we were able to solve it!

Servers in a domain are, like user accounts, just objects in Active Directory. When you open the properties of such a computer object in AD and go to the Security tab, you can grant specific AD principals a range of permissions on that computer object. One of those permissions is “Allowed to authenticate”. On the servers of that Extranet farm, my account had been explicitly granted that permission, while the “Authenticated Users” group had not…

In normal circumstances this doesn’t pose any issue. If you have one domain that contains both your users and your servers, this permission is not required. Furthermore, if you have multiple domains joined by a one-way trust and you keep the default trust authentication level (Forest-wide authentication), users from the trusted domain can authenticate to resources in the trusting domain without any extra configuration.

However, when the trust uses “Selective Authentication”, you must explicitly grant the “Allowed to authenticate” permission to users on every resource (computer object) they need to access. When we verified the authentication level of this trust at the customer, we got confirmation that they were using selective authentication. So, to resolve the issue, we had to give “Authenticated Users” this permission on the SharePoint servers in the AD of the Extranet.
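The two checks described above (is the trust selective, and who holds “Allowed to authenticate” on the SharePoint computer objects) can be scripted. The following PowerShell is an added example and not part of the original post or of any product documentation; it assumes the RSAT ActiveDirectory module and a session with rights to edit computer objects in the trusting (extranet) domain. The server names, the group name and the domain are placeholders. The “Allowed to authenticate” right is the Allowed-To-Authenticate extended right, identified in the ACL by its schema rightsGuid.

```powershell
# Added example, not from the original post. Placeholders: server names, group and domain.
Import-Module ActiveDirectory

# Schema rightsGuid of the Allowed-To-Authenticate extended right.
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Confirm which trusts use selective authentication (the condition under
#    which the permission below is required at all).
function Get-SelectiveAuthTrusts {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, SelectiveAuthentication
}

# 2. List every ACE on a computer object that grants or denies the
#    Allowed-To-Authenticate extended right, so you can see who can log on.
function Get-AllowedToAuthenticateAces {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    $acl.Access | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $AllowedToAuthenticateGuid)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

# 3. Grant the right to a principal on one computer object. Prefer a dedicated
#    domain local group (as one of the commenters did) over Authenticated Users
#    so that only the users who actually need the Extranet site get it.
function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'EXTRANET\SP-Extranet-Users' (placeholder)
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $path = "AD:\" + $computer.DistinguishedName
    $acl = Get-Acl -Path $path
    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticateGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage with placeholder names: audit first, then grant only where missing.
Get-SelectiveAuthTrusts
$frontEnds = 'SPWFE01', 'SPWFE02'
foreach ($server in $frontEnds) {
    "== $server"
    Get-AllowedToAuthenticateAces -ComputerName $server
    # Grant-AllowedToAuthenticate -ComputerName $server -Principal 'EXTRANET\SP-Extranet-Users'
}
```

Run the audit on the web front-ends first; if Authenticated Users (or your chosen group) is absent from the output, that is the symptom from this post. An ACL change on the computer object still has to replicate to the domain controller the front-end server is talking to, and a user whose logon already failed has to try again, so do not expect the fix to show up instantly.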

See the following articles for more information on selective authentication on trusts.

By Bart

Bart is a certified SharePoint consultant / architect at CTG Belgium NV with a broad professional experience in IT, a background in software development with a specialisation in Microsoft products and technologies and a solid knowledge and experience in Microsoft SharePoint Products and Technologies. He started as a COBOL developer on a mainframe environment and grew into software development for Windows platforms. Participated in projects varying from migrations of existing applications to development of Web applications and Windows applications. Became fascinated by the SharePoint 2007 platform and strongly believed in the added business value of this platform. Is since then fully committed to SharePoint and focuses on SharePoint implementations, migrations, integrations, design and coaching. Stays on top of new developments within the SharePoint technology stack and related technologies.


  1. Hi Bart,

    Thanks for the article.

    We ran into a similar problem. We did know that we used Selective Authentication prior to attempting to add users from the trusted domain. So we made sure the service accounts were able to do AD lookups in the trusted domain, so the people picker worked. We ran into the problem when a user in the trusted domain tried to log on.

    Just as you experienced they kept getting prompted for logon credentials. We knew we needed to add the Allow to Authenticate permissions so we created a domain local group in the trusting domain (didn’t want to use Authenticated Users) and added that group to the computer object with the Allow to Authenticate permissions. It still didn’t work….

    This leads to my question.
    Q: Do you apply the Allow to Authenticate permission on the computer object Security tab of ALL SP farm servers (SQL backend, all front ends), or is just the front end enough?

    1. The permission was set on all servers in the farm. I can’t confirm if it’s actually needed for all servers. I only know they changed it and the issue was solved. Did you try it using the All Authenticated Users instead of the new group? Just to check if it’s not related to the group you used.

      1. Hi Bart,

        We got it to work!

        After adding the domain local group from the trusting domain that had the SharePoint service accounts that were assigned to the web applications, we just needed to wait some time for that Allowed to Authenticate permission to apply to the SharePoint farm server. We did only apply it to the Front End in our test server. We will do the same in the production server to see if that works. If not we will apply to all servers and let you know what happens.

        1. That’s great Carlos! Good to know that only the front end servers need that permission. One is never too old to learn, right? 🙂
