Win Auto SignIn

Claims based authentication in SharePoint 2010 and SharePoint 2013 works with a FedAuth token that can be kept on the local machine for a configurable amount of time. This leads to an effective Single Sign On even between client reboots, as long as the cookie and the token aren't expired yet. The SSO experience also works for Microsoft Office and Explorer View, so the user can transparently open and edit documents and workbooks from the SharePoint environment.

When configuring the Web Application with only Windows Authentication, the FedAuth cookie isn't written and the Windows handshake will need to be redone when the browser is closed or when opening documents from Office applications. If the client cannot automatically authenticate the Windows user, it will present a credential prompt, which may be undesired.

The Win Auto SignIn component is a sign in page for a Claims Authentication Web Application that automatically redirects all requests to do Windows (NTLM, Kerberos, BASIC) sign in for SharePoint 2010 and SharePoint 2013. It has the benefit that it will generate a FedAuth cookie for the Windows user as well.

Installation

Add and deploy the SharePoint Solution Package (.wsp) using PowerShell:

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue
Add-SPSolution Ventigrate.Shared.WinAutoSignIn.wsp -ErrorAction SilentlyContinue
Install-SPSolution Ventigrate.Shared.WinAutoSignIn.wsp -GACDeployment -Force

Configuration

Configure the authentication for your SharePoint Web Application to use the custom sign in page. You need to enable Windows Authentication (because that will be the single authentication used by users) and Forms Based Authentication as well. You can provide a dummy value for the Membership Provider since we won't be using it. You need to check FBA because otherwise the custom login page will just be ignored.

Web Application Authentication Settings

Use

Once you have the dual authentication (Windows and FBA) and custom sign in page configured, your users will automatically be redirected to use Windows authentication for the SharePoint Web Application, but with the benefit of having a FedAuth cookie.

Cookie and Token Lifetime

Cookie and token lifetime can be configured for the SharePoint Security Token Service using PowerShell:

$sts = Get-SPSecurityTokenServiceConfig
$sts.WindowsTokenLifeTime = (New-TimeSpan -Days 1)
$sts.Update()
iisreset
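
The lifetime set above interacts with two other settings on the same Security Token Service object: LogonTokenCacheExpirationWindow and UseSessionCookies. The following is an added example, not part of the Win Auto SignIn project, that checks both before changing the lifetime. The function name Set-CheckedWindowsTokenLifetime, the MaxAllowed ceiling and the 8 hour value are assumptions made for illustration.

```powershell
Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue

function Set-CheckedWindowsTokenLifetime {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)] [TimeSpan] $Lifetime,
        # Assumed policy ceiling; the 1 day default mirrors the value used above.
        [TimeSpan] $MaxAllowed = (New-TimeSpan -Days 1)
    )

    $sts = Get-SPSecurityTokenServiceConfig

    # Show the settings that decide how long a FedAuth cookie stays usable.
    $sts | Select-Object WindowsTokenLifetime, FormsTokenLifetime,
        LogonTokenCacheExpirationWindow, UseSessionCookies | Format-List | Out-Host

    # A token is treated as expired once its remaining lifetime drops below the
    # cache expiration window, so the lifetime has to be strictly larger.
    if ($Lifetime -le $sts.LogonTokenCacheExpirationWindow) {
        throw "Lifetime $Lifetime must exceed LogonTokenCacheExpirationWindow ($($sts.LogonTokenCacheExpirationWindow))."
    }

    # A longer lifetime also lengthens the period a copied cookie stays valid.
    if ($Lifetime -gt $MaxAllowed) {
        throw "Lifetime $Lifetime exceeds the allowed maximum of $MaxAllowed."
    }

    # With session cookies the FedAuth cookie is not persisted to disk, so the
    # sign-in does not survive closing the browser regardless of the lifetime.
    if ($sts.UseSessionCookies) {
        Write-Warning "UseSessionCookies is enabled: FedAuth will not persist across browser restarts."
    }

    $sts.WindowsTokenLifetime = $Lifetime
    $sts.Update()
    Write-Output "WindowsTokenLifetime set to $Lifetime. Run iisreset to apply."
}

# Constructed example value: an 8 hour working day.
Set-CheckedWindowsTokenLifetime -Lifetime (New-TimeSpan -Hours 8)
```

Run it from the SharePoint Management Shell on a farm server with farm administrator rights.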

Last edited May 13, 2013 at 10:38 AM by vandest, version 2
