GPO Question.

TechJunky Member Posts: 881
Our company has quite a few corporate SharePoint Sites.

My goal is to force every authenticated user in the domain to use integrated logins when they access any internal websites that require authentication.

I know I can set this up per IIS site using realms.

Is there a way to go about doing this using GPMC?

Thanks!

Comments

  • TechJunky Member Posts: 881
    Ok, I tried this..

    Created a policy called EnableAuth.ADM. EnableAuth.adm consisted of the following code.

    Class USER
    Category "Custom Policies"
    Keyname "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Policy "IE: Enable Integrated Windows Authentication"
    #if version >= 4
    SUPPORTED !!SUPPORTED_IE6
    #endif
    Explain !!SetEnableNegotiate_Help
    VALUENAME "EnableNegotiate"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    End Policy
    End Category
    [strings]
    SetEnableNegotiate_Help="Enabling this policy is equivalent to checking the Enable Integrated Windows Authentication checkbox located on the advanced tab under internet options in Internet Explorer. IF REMOVING THIS POLICY: Reset to original setting and let policy propagate before deleting policy."
    SUPPORTED_IE6="Internet Explorer v6.0 and newer"

    I then enabled it.

    I forget what the heck is the command to display the effective group policies that have been applied to computers.

    I already did gpupdate.

    Thanks!

    Nm, Just remembered it was gpresult.

    Long day...
  • TechJunky Member Posts: 881
    Ok, any other ideas?

    It doesn't seem like it works on IE7. Even when I manually check the integrated login through the browser it still doesn't have the same effect as when I force it on the actual IIS Server. It is still asking me for username/password.
  • Slowhand Mod Posts: 5,161
    What versions of SharePoint, Windows Server, and IIS are we talking about here? I've seen similar woes to what you're talking about when dealing with IIS 7 permissions, but that may not be the case here.

  • TechJunky Member Posts: 881
    Ok, so it seems like I have figured the fix out.

    I went under my local browser and did the following..

    Tools>Internet Options>Security>Local Intranet

    Sites>Advanced.. Typed in the websites that I want the users to use for local sites that require authentication login

    Then,

    Tools>Internet Options>Security>Local Intranet

    Custom Level>User Authentication>Use Current Username/Password

    Now I just need to figure out how to do that in a GPO.
  • blargoe Member Posts: 4,174
    Find out where that lives in the registry, and you can probably push it out if it's not a GPO setting.
  • sprkymrk Member Posts: 4,884
    TechJunky wrote:
    Ok, so it seems like I have figured the fix out.

    I went under my local browser and did the following..

    Tools>Internet Options>Security>Local Intranet

    Sites>Advanced.. Typed in the websites that I want the users to use for local sites that require authentication login

    Then,

    Tools>Internet Options>Security>Local Intranet

    Custom Level>User Authentication>Use Current Username/Password

    Now I just need to figure out how to do that in a GPO.

    To add sites to all computers' "Local Sites" through a GPO go to:

    Computer Configuration>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page and edit the setting for "Site to Zone Assignment List".

    Enter the sites you want to be Local Sites with a value of "(1)" for Intranet sites or "(2)" for Trusted Sites.

    Still looking for where to set User Authentication>Use Current Username/Password....
  • sprkymrk Member Posts: 4,884
    I think this is what you need:

    Computer Configuration>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Security Page>Intranet Zone

    Edit the setting for Logon Options.
  • TechJunky Member Posts: 881
    Oops. Yes, I completed this right after I posted yesterday.

    And yes, that is exactly what I had to do.
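
Added example, not part of the original thread: a PowerShell check that reads back what the two settings named above ("Site to Zone Assignment List" and the Intranet Zone "Logon options") wrote to the registry, following blargoe's suggestion to find where they live. It assumes the GPO was applied under Computer Configuration (HKLM policy hive); the registry paths and the 1A00 value meanings come from Microsoft's security zone documentation rather than the thread, and the wildcard flag is an added heuristic, since every host matched by an Intranet entry can be sent the logged-on user's credentials without a prompt.

```powershell
# Added example: audit the registry values behind the two GPO settings in this thread.
# Assumption: the policy was applied under Computer Configuration (HKLM policy hive).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1A00 is the URL action behind "Logon options"; data values per Microsoft's zone docs.
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }

function Get-ZoneAssignment {
    # "Site to Zone Assignment List" stores one value per site: name = site, data = zone number.
    $key = Get-Item -Path "$base\ZoneMapKey" -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($site in $key.GetValueNames()) {
        $zone = [string]$key.GetValue($site)
        [pscustomobject]@{
            Site     = $site
            Zone     = $zoneNames[$zone]
            # Heuristic: a wildcard entry widens the set of hosts that get automatic logon.
            Wildcard = ($site -match '\*')
        }
    }
}

function Get-IntranetLogonMode {
    # Zone 1 is the Local Intranet zone.
    $p = Get-ItemProperty -Path "$base\Zones\1" -Name '1A00' -ErrorAction SilentlyContinue
    if (-not $p) { return 'Not set by policy (user or default setting applies)' }
    $mode = $logonModes[[int]$p.'1A00']
    if ($mode) { $mode } else { 'Unrecognized value: 0x{0:X}' -f [int]$p.'1A00' }
}

Get-ZoneAssignment | Format-Table -AutoSize
"Intranet zone logon option: $(Get-IntranetLogonMode)"
```

Run it on a client after gpupdate; if the GPO was linked under User Configuration instead, change HKLM: to HKCU: in $base.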