Over the years Microsoft has implemented a number of security enhancements in both Windows and Internet Explorer itself. Those enhancements have had an impact on the end-user experience, though, especially when sites are accessed by FQDN. This post describes some configuration changes you can make on user machines to ensure a better end-user experience with Microsoft SharePoint 2010 and 2013. These changes can be deployed centrally using GPO instead of configuring each machine manually; unfortunately this article won't describe the GPO process.
Internet Explorer – Intranet Zone
Internet Explorer puts all sites accessed by FQDN into the Internet Zone by default. This causes a number of issues with a SharePoint deployment, such as:
- Login prompts from every web application. Internet Explorer does not automatically pass your Windows credentials to sites in the Internet Zone.
- ActiveX controls and other web browser components are not loaded, resulting in messages like "you are not running a compatible client". Once again, sites in the Internet Zone do not load any add-ons without user consent.
- IE Compatibility Mode (SharePoint 2010 with IE9 and above). Chances are a number of things won't work at all. By default, Intranet Zone sites go into compatibility mode, which in essence emulates IE7, so it is worth ensuring that Intranet Zone sites do render in compatibility mode.
- It is a good idea to set the Intranet Zone settings back to their defaults.
You can add a wildcard domain to the Intranet Zone to avoid having to configure multiple sites separately, e.g. *.myorg.local.
Login Prompts by Office Clients
So your site is in the Intranet Zone and IE no longer asks for login prompts. But when you open a document, say in Microsoft Word, you get at least two login prompts. Microsoft Office uses the Windows service "Web Client" to access SharePoint, or any site for that matter. In Windows XP, the Web Client service shared its configuration with IE. This changed from Windows Vista onwards and that is no longer the case. The way to instruct the Web Client service to pass your credentials to sites is to create a new registry value of type Multi-String (REG_MULTI_SZ) named AuthForwardServerList under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters, then enter the FQDNs for which you want to avoid multiple authentication prompts. Once again you can enter *.myorg.local and avoid having to enter each web application's FQDN separately. For more information on this issue take a look at KB article http://support.microsoft.com/kb/943280
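The following PowerShell script is an added example, not code from the original post, that applies both changes described above on a single machine: it maps *.myorg.local (the post's example suffix; replace it with your own) to the Local Intranet zone for the current user, and it adds the same wildcard to AuthForwardServerList as a REG_MULTI_SZ value so the Web Client service forwards Windows credentials only to hosts under that suffix. The ZoneMap path and the zone id 1 for Local Intranet are standard Internet Explorer registry locations; the WebClient key is the one named in the post. Run it from an elevated session, since the WebClient key lives under HKLM.

```powershell
# Added example (not from the original post). Assumes the domain suffix
# 'myorg.local' used in the post; change $Suffix to your own internal suffix.
# Keep the suffix as narrow as possible: every host matching it will receive
# the user's Windows credentials from the Web Client service.
$Suffix = 'myorg.local'

# 1. Map *.myorg.local to the Local Intranet zone (zone id 1) for the current user.
#    IE stores site-to-zone assignments under ZoneMap\Domains\<domain>; a value
#    named '*' covers all URL schemes, which is what the "Add this website to the
#    zone" dialog writes for a wildcard entry.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Suffix"
if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
New-ItemProperty -Path $zoneKey -Name '*' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Tell the Web Client service which hosts may receive the user's credentials.
#    Merge with any existing entries so an earlier configuration is not lost.
$wcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$existing = (Get-ItemProperty -Path $wcKey -Name AuthForwardServerList -ErrorAction SilentlyContinue).AuthForwardServerList
$list = @($existing) + "*.$Suffix" | Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $wcKey -Name AuthForwardServerList -PropertyType MultiString -Value $list -Force | Out-Null

# 3. The service reads the list at start-up, so restart it for the change to apply.
Restart-Service -Name WebClient -Force

# 4. Verify the value type: the service ignores the list unless it is REG_MULTI_SZ
#    (a REG_SZ created by hand in regedit is the usual mistake).
$kind = (Get-Item -Path $wcKey).GetValueKind('AuthForwardServerList')
if ($kind -ne 'MultiString') { throw "AuthForwardServerList is $kind, expected MultiString" }
Get-ItemProperty -Path $wcKey -Name AuthForwardServerList | Select-Object -ExpandProperty AuthForwardServerList
```

If the "Site to Zone Assignment List" Group Policy is enforced on the machine, IE ignores the per-user ZoneMap entries written in step 1 and the zone mapping has to be made in that policy instead; the WebClient list, being a machine-wide setting, is unaffected. On Windows Server the WebClient service is only present when the Desktop Experience feature is installed.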