Friday, 8 April 2011

Removing prompt for credentials when browsing with Internet Explorer

This post isn't intended to be a complete list of solutions to issue when you are unexpectedly prompted for AD credentials when browsing with Internet Explorer, but it gives some rules of thumb regarding where to start looking. The scenario: You try accessing a page using IE, and are prompted by a 'Windows Security' dialog for AD credentials when you don't expect it.

Possible causes: There are many, but the first thing to do is work out if it's a server-side issue, or a client-side issue. A simple test is what happens if you provide valid credentials in the Windows Security dialog:

  • If you can then connect, then this is a client-side issue
  • If you are prompted again, either 2 or 3 times, then get a permission error (normally HTTP 401), then it is a server-side issue

Client-side issues If it's a client-side issue, then look at the client IE settings, and the URL of the web page: If IE considers that you have already logged into the DNS domain (the part of the url prior to the first single / - e.g. http://crm:5555/), then it should reuse these credentials and you won't be prompted to login. However, IE is picky about matching the DNS domain, so if you've already logged into http://crm, then it won't trust other aliases (e.g. http://localhost, http://crm.mydom.com, http://192.168.0.1) and will prompt for credentials.

If you're using CRM 4 and have extension pages in the ISV directory of the CRM web site, then it is best to provide the URL as a relative path (e.g. /ISV/MyCompany/MyPage.aspx) rather than an absolute path, to avoid this issue.

The IE security settings will determine whether IE will try submitting your logged-on credentials. By default, it will only do this if you connect to a site in the Local Intranet Zone, so check the IE security settings, and the zone of the web site you're connecting to

Server-side issues If it's a server-side issue, then there are many possible causes, but most of them come to Kerberos in one way or another

5 comments:

Ooga said...

Hi David,

We are currently experiencing this issue and are finding that the repeated prompts (that you are referring to as Server side) are removed client side by adding the site to Trusted Sites and enabling the security option "Initialise and script Active-X controls not marked as safe for scripting". Once this is done, then we find users only get prompted for credentials once per session (unless they are domain admins, then they do not get prompted at all). It is important to note that we only get these login prompts when opening forms that contain iFrames.

We are still working on how to not make it appear at all for anyone.

vivek said...
This comment has been removed by the author.
vivek said...

Thanks David It really works!
http://www.corporateserve.com/Microsoft_Dynamics_NAV.html

MV said...

Hi All,

I also faced same kind of problem and found the solution by Accident.

I always use "localhost/Org..." connect my on-Premise CRM. but my Web Resources and all Links use "DomainName/Org.."

the Tricky things is Even all those URL point to a Same resource, IE thinks it would try to Access some resource outside it Domain and Asked for the user Credential.

after that I always use "DomainName/Org.." URL to access CRM On-Premise Web Client and prompt will never appear again

Clint Boessen said...

Hi Guys, please see the following fix:

http://clintboessen.blogspot.com.au/2013/09/ie-10-prompting-for-credentials-windows.html