nutullah
Copper Contributor
Nov 08, 2019

SharePoint Server 2019 - Authentication issue with popup login window

Hello,

We are trying to configure a SharePoint Server 2019 application for our intranet but are running into authentication issues.

The authentication popup appears when loading each page in the following situations:

  1. If the user only has access to a sub site but not to the site collection and the sub site is a modern page
  2. Or a page has anonymous access and an anonymous user is trying to access a modern page

In the first case:

Site Collection: Departments
SubSite1: Administration
SubSite2: Faculties
Subsite3: Students

Let’s say, we want studentA to have a read permission to “Subsite3: Students page”. If I only give studentA read permission to Subsite3, then studentA gets the login popup when trying to access Subsite3. However, if I assign studentA read permission to the Departments site collection, then studentA can access Subsite3 without getting the login popup, but in this case studentA also gets access to Subsite2 and Subsite3 which we do not want.

In the second case of the anonymous user - when I try to load the page, the page does not fully load and waits for authentication. Weirdly, the more I try to cancel out of the authentication popup, different pieces of the page will incrementally load; however, I am never successfully able to exit out of the authentication popup and my only option is to close the web browser.

I am running on a Windows 10 machine and all of my browsers are updated.
Here is what I have tried so far:

  1. I enabled the Anonymous Access check mark at the web application level. I enabled this on the Default zone.
  2. I set the Anonymous Policy to "Deny Write" on the Default zone. I enabled all of the view permissions.
  3. On the site collection level, I set the Anonymous Access to "Entire Website".
  4. In the IIS Manager, I enabled the "Anonymous Access".
  5. I enabled "Anonymous Logon" in the web browser's settings.
  6. All of the content on these pages is published.

Here are the different results I am seeing in Fiddler:

Chrome:

/_api/sphome/GetAcronymsAndColors?labels=[{Text:%20%22Ob%2DGyn%20Intranet%22}]

/_api/Site?$select=StatusBarLink,StatusBarText

/_api/SP.Utilities.SPSocialSwitch.IsFollowingFeatureEnabled

/_api/web/welcomepage

/_api/web/GetOnePageContextAsStream

Edge:

/_layouts/15/CSPReporting.aspx

/_api/sphome/GetAcronymsAndColors?labels=[{Text:%20%22Ob%2DGyn%20Intranet%22}]

/_api/Site?$select=StatusBarLink,StatusBarText

/_api/SP.Utilities.SPSocialSwitch.IsFollowingFeatureEnabled

Firefox:

/_api/web/welcomepage

/_api/sphome/GetAcronymsAndColors?labels=[{Text:%20%22Ob%2DGyn%20Intranet%22}]

/_api/SP.Utilities.SPSocialSwitch.IsFollowingFeatureEnabled

/_api/Site?$select=StatusBarLink,StatusBarText

/_api/web/GetOnePageContextAsStream

Internet Explorer:

/_api/web/welcomepage

/_api/sphome/GetAcronymsAndColors?labels=[{Text:%20%22Ob%2DGyn%20Intranet%22}]

/_api/SP.Utilities.SPSocialSwitch.IsFollowingFeatureEnabled

/_api/Site?$select=StatusBarLink,StatusBarTex

Please let me know if you have any idea what would cause this issue/how I can fix this.

Thank you

  • nutullah
    Copper Contributor

    Solution to Issue 1: 

    Michael Han helped to find a resolution for issue 1: (https://social.technet.microsoft.com/Forums/sqlserver/en-US/820b57d9-a2be-4f22-9c06-8ea67bdf6651/sharepoint-server-2019-anonymous-users-access?forum=SP2019)

     

    It seems like the Theme Gallery has separate permissions from the site collection permissions. If the subsite user doesn't have read permission to the Themes folder then I see the authentication issue. This means that we will have to grant permission to a user for the subsite and the themes folder at the site collection level. This isn’t ideal to have to give permissions in two places for this case and should be looked at being improved on the SharePoint side.

     

    To avoid granting permission in two places for each user, we decided to grant read permission to all AD Domain Users so everyone in the organization will have read permission to the themes folder.

     

    Issue 2 Unresolved: 

    However, the above resolution does not help our anonymous user access issue (issue 2) and this remains a top priority issue for us.

     

    Thank you,

    Nutullah

    • oranasraf
      Copper Contributor

      nutullah

      Hello, Nutullah.

      I had this problem (the 2nd scenario) in my farm as well.

      I suggest you enable the flags

      useAppPoolCredentials & useKernelMode

      at system.webServer/security/authentication/windowsAuthentication in the web.config for this web application.

      These allow my users to connect with a user name and password when they need to, and also give access to anonymous users.

      Hope it will help you.

      • KevinColeMCM
        Copper Contributor

        oranasraf

        Hello, I was brought here because I was looking for the reason why the SharePoint Modern List View experience was receiving a 401 access denied and then repeatedly prompting the user to login as it was trying to access /_api/Site?$select=StatusBarLink,StatusBarText.  This issue will occur when a user has been granted permission at a sub-site level but does not have permission at the site collection level (or only has Limited Access at the site collection level).  The limited access is typically there as part of the Style Resource Readers group.

         

        You will see in the developer window a pending authorisation for

        https://www.website.ca/sitecollection/subsite/_api/Site?$select=StatusBarLink,StatusBarText

         

        Followed by access denied messages in your ULS logs similar to:

        PermissionMask check failed for {Guid}. Asking for 0x2000010000, have 0x1008010000

         

        Specifically it will also fail with UnauthorizedAccessException on GetWebMetainfo 

         

        The way you can fix this is by ADDING the UseRemoteAPIs base permission to the Limited Access role definition at the site collection root web level.  Please note, this should not be done for Anonymous access or public (internet) sites as it may expose API to attackers for Denial of Service.  Internally it should be OK to do as it simply allows end users to make calls to the API (the contents of the results of the API are still security trimmed).

         

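        PowerShell you can use to resolve this is:

        # Load the SharePoint cmdlets when not running in the SharePoint Management Shell
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

        $siteUrl = "https://www.website.ca/sitecollection/"

        $site = Get-SPSite $siteUrl
        $web = $site.RootWeb

        # Append UseRemoteAPIs to the existing base permissions of the Limited Access role definition
        $limitedAccess = $web.RoleDefinitions["Limited Access"]
        $limitedAccess.BasePermissions = "$($limitedAccess.BasePermissions), UseRemoteAPIs"
        $limitedAccess.Update()

        # Release the SPSite object
        $site.Dispose()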

         

        You're welcome!

        Kevin Cole - SharePoint Microsoft Certified Master
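
Added example, not part of the thread above and not the posters' code: a stand-alone PowerShell decoder for the "PermissionMask check failed ... Asking for ..., have ..." ULS message quoted in the last reply, naming the rights that were requested, held and missing. The function names are hypothetical; the bit values are those of the Microsoft.SharePoint.SPBasePermissions enumeration, embedded so the script runs without the SharePoint assemblies.

```powershell
# Added example. Bit values are those of the Microsoft.SharePoint.SPBasePermissions enumeration.
$BasePermissions = [ordered]@{
    ViewListItems = 0x1; AddListItems = 0x2; EditListItems = 0x4; DeleteListItems = 0x8
    ApproveItems = 0x10; OpenItems = 0x20; ViewVersions = 0x40; DeleteVersions = 0x80
    CancelCheckout = 0x100; ManagePersonalViews = 0x200; ManageLists = 0x800
    ViewFormPages = 0x1000; AnonymousSearchAccessList = 0x2000; Open = 0x10000
    ViewPages = 0x20000; AddAndCustomizePages = 0x40000; ApplyThemeAndBorder = 0x80000
    ApplyStyleSheets = 0x100000; ViewUsageData = 0x200000; CreateSSCSite = 0x400000
    ManageSubwebs = 0x800000; CreateGroups = 0x1000000; ManagePermissions = 0x2000000
    BrowseDirectories = 0x4000000; BrowseUserInfo = 0x8000000
    AddDelPrivateWebParts = 0x10000000; UpdatePersonalWebParts = 0x20000000
    ManageWeb = 0x40000000
    # Decimal on purpose: PowerShell reads the literal 0x80000000 as a negative Int32.
    AnonymousSearchAccessWebLists = 2147483648
    UseClientIntegration = 0x1000000000; UseRemoteAPIs = 0x2000000000
    ManageAlerts = 0x4000000000; CreateAlerts = 0x8000000000
    EditMyUserInfo = 0x10000000000; EnumeratePermissions = 0x4000000000000000
}

# Hypothetical helper: turn a 64-bit permission mask into a comma-separated list of names.
function ConvertFrom-PermissionMask {
    param([long]$Mask)
    $names = foreach ($entry in $BasePermissions.GetEnumerator()) {
        if ($Mask -band [long]$entry.Value) { $entry.Key }
    }
    $names -join ', '
}

# Hypothetical helper: parse one ULS message and report asked, held and missing rights.
function Get-MissingPermission {
    param([Parameter(Mandatory)][string]$Line)
    $pattern = 'PermissionMask check failed.*Asking for (0x[0-9A-Fa-f]+), have (0x[0-9A-Fa-f]+)'
    if ($Line -match $pattern) {
        $asked = [Convert]::ToInt64($Matches[1], 16)
        $have  = [Convert]::ToInt64($Matches[2], 16)
        [pscustomobject]@{
            Asked   = ConvertFrom-PermissionMask $asked
            Have    = ConvertFrom-PermissionMask $have
            Missing = ConvertFrom-PermissionMask ($asked -band (-bnot $have))
        }
    }
}

# The message as quoted in the thread ({Guid} is the thread's own placeholder).
$sample = 'PermissionMask check failed for {Guid}. Asking for 0x2000010000, have 0x1008010000'
Get-MissingPermission -Line $sample | Format-List
```

For the message quoted in the thread, the missing right decodes to UseRemoteAPIs, which is the base permission the reply above adds to the Limited Access role definition.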
