Thursday, February 9, 2012

Central Administration Prompts for Credentials

I stumbled across a quirky authentication issue when we enabled Kerberos on our Central Administration Web Applications for SharePoint 2010. Every time we launched Central Administration using the link provided on the start menu, we would be prompted for credential entry, and every time credentials were entered they would fail, even if they were entered correctly. After double checking the SPNs, it was obvious they were set up properly and Kerberos authentication should have been logging us in automatically.

It turns out the problem here is somewhat related to another issue I posted about with our CRM environment (http://matthewchurilla.blogspot.com/2012/01/outlook-plugin-is-nice-feature-of.html). At first I looked at the command that was getting executed by the menu link, and it was pointing to psconfigui.exe, so it was hard to tell what was happening there. Next I opened Internet Explorer and found the Central Administration URL had been added to trusted sites, and trusted sites does not automatically log in users; only the intranet zone does this. It occurred to me that psconfigui.exe must do something similar to what I discovered the CRM Outlook plugin doing. In an attempt to be helpful, it is adding the Central Administration URL to trusted sites, but unfortunately when the URL is in trusted sites, Kerberos integrated authentication does not work. The solution to this problem is as simple as it was for CRM; you just need to follow this process:

  • Find the URL that got added to trusted sites and remove it.
    • Internet Options -> Security -> Trusted Sites -> Sites
  • Open Local Intranet configuration and add the URL you just removed from trusted sites. Make sure the URL matches exactly. If you removed http://machine from trusted sites, then add http://machine to local intranet sites. If you removed http://machine.fqdn from trusted sites, then add http://machine.fqdn to local intranet sites.
    • Internet Options -> Security -> Local Intranet -> Sites -> Advanced
  • Launch Central Administration using the start menu link; everything should work fine.
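
The same check can be made from PowerShell, as an added example that is not part of the original post. Saved as a script, it reads the per-user zone mappings Internet Explorer keeps under the ZoneMap registry key and reports which zone the host is in. The `$HostName` and `-Fix` parameter names are hypothetical, and `machine` is the placeholder host used in the steps above.

```powershell
# Added example: report (and with -Fix, change) the IE zone a host is mapped to.
# Zone numbers used by Internet Explorer: 1 = Local Intranet, 2 = Trusted Sites.
param(
    [string]$HostName = 'machine',  # placeholder host from the post; use your CA host
    [switch]$Fix                    # hypothetical switch: move Trusted -> Local Intranet
)

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
# EscDomains is used in place of Domains when IE Enhanced Security Configuration is on.
$roots = 'Domains', 'EscDomains' |
    ForEach-Object { Join-Path $zoneMap $_ } |
    Where-Object { Test-Path $_ }

foreach ($root in $roots) {
    $rootName = (Get-Item -LiteralPath $root).Name
    Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object {
        $key = $_
        # Keys are nested domain\subdomain, so reverse the labels to rebuild the host.
        $labels = @($key.Name.Substring($rootName.Length + 1) -split '\\')
        [array]::Reverse($labels)
        if (($labels -join '.') -ne $HostName) { return }

        # Each value name is a scheme (http, https, *); its data is the zone number.
        foreach ($scheme in $key.GetValueNames()) {
            $zone = $key.GetValue($scheme)
            if ($Fix -and $zone -eq 2) {
                # Keep the same scheme and host so the entry matches exactly.
                $writable = $key.OpenSubKey('', $true)
                $writable.SetValue($scheme, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
                $writable.Close()
                $zone = 1
            }
            [pscustomobject]@{
                Site  = "${scheme}://$HostName"
                Zone  = $zone
                Store = Split-Path $root -Leaf
            }
        }
    }
}
```

If the zone assignment is delivered by Group Policy (the Site to Zone Assignment List), the per-user entry is not the one in effect and the change belongs in the policy instead.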