Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

Trusted Site settings in Internet Explorer affecting log on in Share

  Asked By: Rusty    Date: May 13    Category: Sharepoint    Views: 11402

This may have been addressed before, but I can't find a reference to it.

In Internet Explorer internet options -in the Security Tab where you have
"internet, Local Intranet, Trusted sites, Restricted sites - if you do not
select the Trusted Sites/Custom Level/User Authentication set to; "Automatic
logon only in Intranet zone" - you will get a pop up logon whenever you launch
SHarepoints web page. Furthermore, you will get a pop up logon whenever you try
to open a document stored in the Document Library.

Setting Trusted Sites/custom level/User Authentication to; "Automatic logon with
current user name and password" allows you to open SharePoint and any other
webpage in SharePoint including documents WITHOUT getting a logon pop up.

We use Kerbos authentication active directory and I believe using SharePoint
should be open without all the annoying logon prompts.

Our IT department is reluctant to select the Automatic logon with currrent user
name and password because they believe it will compromise security on the

Can someone enlighten me if it is safe to do this, or what really is the problem
with using this automatic logon approach?

We urgently need a resolution to this. Microsofts documents do not enumeratie on



6 Answers Found

Answer #1    Answered By: Junior Jarvis     Answered On: May 13

Setting it to Automatic logon  with currrent user  name and passwordĂ‚ will only
do that with sites  that you have put in your trusted  sites, correct? Seems it
would be prety easy to test.

Answer #2    Answered By: Sanjay Lohar     Answered On: May 13

The Automatic logon  with current username  and password  merely passes the
username and password of the currently logged on user  in the workstation OS
to the website. It uses the exact same mechanism for sending the
credentials as if you typed them in yourself (which you did when you logged
on to your computer). The only real security  threat this implies is that
anyone getting to your PC while you are logged on can access SharePoint
without being prompted for credentials. If people can come sit at your desk
and work on your PC while you are logged on then you have a much deeper
security issue than just SharePoint. Users need to be trained to lock their
PCs when they are away, or log  off. Doing either of these will prevent
someone from accessing sharepoint  using the automatic  logon. Turning these
settings on is safe  to do if you are in a secure environment. If your
environment isn't secure you have bigger issues.

Answer #3    Answered By: Mason Salazar     Answered On: May 13

But here is what I found further on this subject from Microsoft.

They say that if your intranet site  has any DOTS (.) in the name, Internet
Explorer security  treats it like an INTERNET site - NOT an intranet  site.

So, our internal SharePoint site is http://name.name.org

That name has dots in it and IE thinks it is a INTERNET site, so the Trusted
site settings  will prevail. And, if you do not have the custom setting set  to
automatic logon  with current username....set, it will ask you for your
credentials, even from Outlook if Outlook is linked to SharePoint, or as I
mentioned, just opening SharePoint, or clicking on a word or excel doc in a
document library  will invoke a logon window.

So, setting trusted  sites to the automatic  logon with username....fixes

But, to follow MS convention, I would have to change the name of our SharePoint
site such that it did not have any dots (.) in it. Then I could use the
INTRANET custom setting  of "Automatic logon with user  name and password  checked.

In any event, as you say, we are secure as can be using the Trusted site setting
as described.

At least I think I understand now what's been going on.

Answer #4    Answered By: Jesus Davis     Answered On: May 13

Let me clarify some of the info below.

If your SharePoint address uses just a host header or server name (ie.
Without periods) then the site  will normally default to the Local Intranet

If your SharePoint address uses the Fully Qualified Domain Name (FQDN ie.
With periods) then the site will normally default to the Internet zone.

You can override either of these by adding the address directly to a Zone.
Once added to a zone  it doesn't matter whether there are periods or not it
will show as being in that zone and use that Zone's security  policy. You
can also add the addresses to a Zone using a Group Policy Object (that's
what you normally should do on a LAN).

The default security setting  for the Internet zone doesn't pass the userid
and password. This can't be changed.

The default security setting for the Local Intranet zone does pass the
userid and password.

The default security setting for the Trusted sites  Zone doesn't pass the
userid and password  by default, but can be changed to pass the userid and

So if your site doesn't use the FQDN (ie. Dots) then you don't need to do

If your site does use the FQDN (ie. Dots) then you can set  automatic login
by adding the address to the Trusted Sites Zone and setting a custom
security policy.

FYI, This only works if your computer is a member of the same Domain or
Forest as the SharePoint server. Otherwise the automatic logon  will pass
the wrong domain and you won't be logged in automatically. For example, if
you are logging on from home.

Answer #5    Answered By: Narasimha Kamane     Answered On: May 13

Actually, the simplest solution to get automatic  login for your Intranet site
that uses an FQDN is to add the FQDN to the Intranet zone  in the browser. You
don't need to change the automatic login policy for that.

Answer #6    Answered By: Fidel Crane     Answered On: May 13

That's because the Local Intranet zone  is already set  to use the appropriate
setting. But the Local Intranet Zone is also set to use looser settings  on
things like Active X controls too. So I would still recommend adding it to
the Trusted Sites zone and changing the setting.