WSS authentication

  Asked By: Beth    Date: Jan 31    Category: Sharepoint    Views: 1349

I am running the Sharepoint Portal and WSS installation tied in with
the Active Directory.

For WSS - if the user does not have permission they are prompted with
the network login screen three times after which they are shown the
access denied screen and the option of mailing to the WSS site admin
request for being given access.

Is there a way to reduce this authentication to two or maybe one time
before they are shown the access denied screen? How would one configure
the settings?



16 Answers Found

Answer #1    Answered By: Peter Peterson     Answered On: Jan 31

On the client PC:
Go to Tools | Internet Options | Security | Custom Level
Scroll down to Logon
Check "Automatic logon with current username and password"

Answer #2    Answered By: Kalyan Pujari     Answered On: Jan 31

All the browser settings are perfect. If the user has access to
the WSS site then they do not get any login prompt.

The issue is when they do not have access rights to a specific WSS team
site, they are prompted with the network login prompt (which is right).
What I am trying to see and figure out is if the three times login
prompt can be brought down to maybe one time before the Access Denied
page is shown.

Answer #3    Answered By: Isidro Berger     Answered On: Jan 31

This is controlled via the Domain Password Policy. Not by

Answer #4    Answered By: Schuyler Le     Answered On: Jan 31

Can you please give some pointers on what needs to be changed in
Domain Password Policy or if there is a link to some documentation
that would explain how this can be done?

Answer #5    Answered By: Kristina Cox     Answered On: Jan 31

It's a domain level policy that controls how many times you can
wrongly type in your username and password before you are locked
out. Your AD admins should be able to set you straight for this but
as I recently stated this may not be the issue. I'd like to see if
anyone else has seen the issue I described and if it indeed stems
from IIS or AD.

Answer #6    Answered By: Sharonda Mcfarland     Answered On: Jan 31

The problem I am mentioning has got nothing to do with the AD account
getting locked.

The instance of someone not having access to a WSS site would prompt
the network login. When you put the correct username and password
three successive times is when you are redirected to the access
denied page.

If you click on cancel then also you are directed to the access
denied page.

Answer #7    Answered By: Willard Valenzuela     Answered On: Jan 31

Which is what is leading me to believe this may be related to IIS. 3
bad logon attempts is a default standard with AD or NT for that
matter. Because SharePoint is reliant on accounts I have always
tied the two together.

Answer #8    Answered By: Allison Stewart     Answered On: Jan 31

Actually to completely wipe out any credibility from my last
statement.... This may go deeper and I never did find a cause for
this... never looked that deeply at it.

A company I was working with had a domain policy that would lock out
the user account after 10 bad passwords (not very secure, I know).
Yet the sites would reject you after 3 bad attempts to log on. I
never looked closer at this and it is probably a simple IIS setting
somewhere but what is the fix for this? Is there a true tie-in to
AD with regards to site access? I always thought that was the
method used for access.

Answer #9    Answered By: Damon Garner     Answered On: Jan 31

If you change the Domain password policy it will affect *everybody* on
your domain whether they use the Portal or not. If they try to access
somewhere they don't have access to, what is the problem with it taking
them three times to work out they don't have access before the system
spells it out to them?

This IMO is a user education issue rather than a technology issue.

Answer #10    Answered By: Laura Walker     Answered On: Jan 31

I agree and a good neck slapping at times is in order for users such
as this but now I'm on a quest because I'm curious as to what the
control mechanism is for this.

Answer #11    Answered By: Nina Banks     Answered On: Jan 31

1) 10 is probably too low – not too high as you might first believe. Most logins are processed a few times and the setting relates to the number of calls made to AD.

2) It’s not really an IIS setting (there might be a registry hack but I doubt it.) It’s most likely IIS trying different approaches to the login. It could even be the browser automatically re-requesting the item with different authentication types (NTLM, Basic).

3) A web authentication request is an authentication request and is subject to lockout rules. There’s not much to be done.

Answer #12    Answered By: Sharonda Mcfarland     Answered On: Jan 31

As far as the 10 count... That makes sense as
I can recall times my account would get locked out simply because an
application I would run would make calls to AD and because I was not
actually joined to the Domain via my laptop poof... I was done. I
think coming from my experience in the past doing Sysadmin work it
was considered a best practice to lock down the passwords with less
being better.... Meaning strong passwords and fewer attempts to crack
them would prevent unwanted entry.

Answer #13    Answered By: Kalyan Pujari     Answered On: Jan 31

But I don’t wanna put it to bed …

One last thought, lower is better, however, the practical difference between a lockout at 3 or 30 is minimal. It’s designed to prevent dictionary attacks primarily. It also helps with social engineering but that’s really a different problem.

Answer #14    Answered By: Christop Mcfadden     Answered On: Jan 31

The three attempts to log in the IIS site would only lock out the AD
account if you presented three attempts with bad passwords.

IIS or SharePoint will try three times with good passwords if you do not
have permissions to access the site before telling you to bug off, you
do not have permissions. This would not lock out your account because AD
validated your identity correctly each time, SharePoint just did not
like you.

If you have Internet Explorer configured to pass through your currently
logged on credentials, you won't even see the three attempts even though
they happen. You also won't get an opportunity to present other
credentials that might actually give you access to the site because IE
tried three times with your current OS credentials.

So IIS asks for your credentials and controls which authentication
methods are acceptable, Active Directory authenticates your identity,
and SharePoint decides what your authorization level is. Presenting
correct credentials multiple times will not lock out your AD account but
may not get you where you want to go.
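
An added example, not part of the thread or of any poster's answer: the split Answer #14 describes between rejected passwords and authorization denials, applied to IIS W3C log lines. It assumes the log carries the cs-username and sc-win32-status fields, that a rejected password is logged with Win32 status 1326 (ERROR_LOGON_FAILURE), and that an authorization denial is logged as a 401 with the authenticated account in cs-username; the sample lines and function names are constructed.

```python
from collections import defaultdict

ERROR_LOGON_FAILURE = "1326"  # Win32: user name or password is incorrect

# Constructed sample lines in W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem sc-status sc-win32-status
2005-01-31 09:00:01 10.0.0.5 - /sites/team/default.aspx 401 0
2005-01-31 09:00:02 10.0.0.5 CORP\\alice /sites/team/default.aspx 401 5
2005-01-31 09:00:09 10.0.0.5 CORP\\alice /sites/team/default.aspx 401 5
2005-01-31 09:00:15 10.0.0.5 CORP\\alice /sites/team/default.aspx 401 5
2005-01-31 09:05:01 10.0.0.9 - /sites/team/default.aspx 401 1326
2005-01-31 09:05:04 10.0.0.9 - /sites/team/default.aspx 401 1326
2005-01-31 09:05:08 10.0.0.9 - /sites/team/default.aspx 401 1326
2005-01-31 09:06:00 10.0.0.7 CORP\\bob /sites/team/default.aspx 200 0
"""

def classify_401s(log_text):
    """Count 401 responses per client IP, split by likely cause."""
    fields, counts = [], defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "401":
            continue
        if row.get("sc-win32-status") == ERROR_LOGON_FAILURE:
            kind = "bad_credentials"    # password rejected: counts toward lockout
        elif row.get("cs-username", "-") != "-":
            kind = "not_authorized"     # identity accepted, site permission missing
        else:
            kind = "challenge"          # anonymous request answered with a prompt
        counts[row["c-ip"]][kind] += 1
    return {ip: dict(kinds) for ip, kinds in counts.items()}

def lockout_candidates(counts, threshold):
    """Clients whose rejected-password count meets the lockout threshold."""
    return sorted(ip for ip, kinds in counts.items()
                  if kinds.get("bad_credentials", 0) >= threshold)

if __name__ == "__main__":
    result = classify_401s(SAMPLE_LOG)
    for ip, kinds in sorted(result.items()):
        print(ip, kinds)
    print("lockout candidates:", lockout_candidates(result, 3))
```

Only the `bad_credentials` bucket is relevant to the domain lockout threshold; a run of `not_authorized` entries for one account points at a missing site permission instead.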

Answer #15    Answered By: Gopal Jamakhandi     Answered On: Jan 31

You mention that IE can be configured in a way that it will try
the three attempts and redirect the user to the access denied page
without the user being asked to put in the id and password.

Can you please tell what those IE configurations will be?

Answer #16    Answered By: Chantal Rosa     Answered On: Jan 31

I don't know but I was under the impression that SharePoint's STSFLTR
was controlling the three prompts.
