OT?: Restrict SPNEGO in IE

  • Last Post 01 February 2012
gabriel/tfi posted this 01 February 2012

We have a requirement to run Sharepoint within the Trusted Sites in IE and so we need to enable “Automatic logon with current user name and password” over Trusted Sites to achieve SSO.

Trusted Sites contains other web sites we would NOT like to engage in SPNEGO with. Is there a way to restrict SPNEGO to a “white list” of sites within the Trusted Sites zone?

Something like the Firefox option network.negotiate-auth.trusted-uris, network.negotiate-auth.delegation-uris, "network.automatic-ntlm-auth.trusted-uris".


I understand the Trusted Sites zone is a white-list per se, but not all trusted sites are equal (especially if we need to put our SharePoint into it!).

Thanks - Gabriele.

lovesouthafrica posted this 01 February 2012

Hi Gabriele

Have you considered going the Kerberos route rather than NTLM? Is this SPS 2010?


Peter Johnson
I.T Architect


CrawfordS posted this 01 February 2012

Wouldn’t it be nice if IE allowed you to have more than 4 security zones?


ken posted this 01 February 2012

Apologies – what are you trying to do here?

Restrict the sites with “Automatic logon with current user name and password”? I don’t think that’s an SPNEGO issue.
Or do you want to prevent NTLM (or Kerberos) from being used with certain sites (which is SPNEGO)?

Also, why does SharePoint have to be in Trusted Sites to start with? I’m guessing this is a Lync/SharePoint integration issue.


Ken Schaefer
Architect | CTO Office | SOE Program


gabriel/tfi posted this 01 February 2012

Yes, Lync/SharePoint integration requires the SharePoint URL to be added to the Trusted Sites zone; because SharePoint is there, “Automatic logon with current user name and password” has to be enabled on Trusted Sites to allow SSO (by default, IE enables SSO/AutomaticLogon only in the Local Intranet zone).

I would like to enable IE AutomaticLogon for Sharepoint site(s) only, while for other Trusted Sites (mostly Internet sites) AutomaticLogon should be disabled.

In a few words I would like to keep “Automatic logon with current user name and password” disabled over Trusted Sites, add Sharepoint sites into Trusted Sites and have “Automatic Logon…” enabled just for Sharepoint Sites (“white list”).

I don’t want to restrict SPNEGO to a specific authN mechanism/protocol NTLM vs Kerb.

Thanks – Gabriele.


kamleshap posted this 01 February 2012

If you are only worried about “Automatic logon”, is there any reason you can't put them in Local Intranet sites?

Argue for your limitations, and sure enough, they're yours.

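The following PowerShell is an added example, not code posted by anyone in this thread. It shows the mechanics behind the two options under discussion: the per-zone “Logon” setting that Gabriele wants to keep restrictive for Trusted Sites, and kamleshap's alternative of mapping only the SharePoint host into the Local Intranet zone so that host gets SSO while the Trusted Sites zone as a whole keeps its default. It reads and writes the per-user Internet Settings registry keys (value `1A00` under `Zones\<n>`, and `ZoneMap\Domains`); the host name `sharepoint.corp.example` is a placeholder. Whether a Local Intranet mapping is acceptable depends on the Lync integration requirement Gabriele describes, so check that before relying on it.

```powershell
# Added example (not from the thread). Audits the IE "Logon" setting (value 1A00) for each
# security zone and maps a single host into the Local Intranet zone (zone 1), which is where
# IE performs automatic logon by default, instead of lowering the setting for all of zone 2.
# Assumptions: per-user settings under HKCU are in effect (not Security_HKLM_only), and the
# host name below is a placeholder for the real SharePoint host.

$zonesKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# Meaning of the DWORD stored in value "1A00" ("Logon") of each zone key.
$logonMeanings = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Automatic logon only in Intranet zone'
    0x20000 = 'Prompt for user name and password'
    0x30000 = 'Anonymous logon'
}

function Get-IeLogonSetting {
    # Returns one object per zone describing its current Logon (1A00) setting.
    foreach ($zone in 0..4) {
        $props = Get-ItemProperty -Path (Join-Path $zonesKey $zone) -ErrorAction SilentlyContinue
        $value = if ($null -ne $props -and $null -ne $props.'1A00') { [int]$props.'1A00' } else { $null }
        $text  = if ($null -eq $value) { '(not set, default applies)' }
                 else { '0x{0:X5} - {1}' -f $value, $logonMeanings[$value] }
        [pscustomobject]@{ Zone = $zone; Name = $zoneNames[$zone]; Logon = $text }
    }
}

function Add-HostToLocalIntranet {
    # Maps one host into zone 1 via ZoneMap\Domains\<domain>\<host labels>, with a DWORD
    # named after the scheme whose value is the zone number. Only this host gains SSO.
    param(
        [Parameter(Mandatory)][string]$HostName,          # placeholder host, e.g. sharepoint.corp.example
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $labels = $HostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'
    $key    = Join-Path $zoneMapDomains $domain
    if ($labels.Count -gt 2) {
        $sub = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
        $key = Join-Path $key $sub
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null
    return $key
}

# Guard: warn if Trusted Sites (zone 2) is already set to hand credentials to every site in it.
$trusted = Get-ItemProperty -Path (Join-Path $zonesKey 2) -ErrorAction SilentlyContinue
if ($trusted -and [int]$trusted.'1A00' -eq 0) {
    Write-Warning 'Trusted Sites (zone 2) is set to automatic logon for every site in the zone.'
}

Get-IeLogonSetting | Format-Table -AutoSize
Add-HostToLocalIntranet -HostName 'sharepoint.corp.example' -Scheme 'https'
```

If the machine is managed by Group Policy with the `Security_HKLM_only` setting, the equivalent keys live under `HKLM` and the per-user values above are ignored, so run the audit against that hive instead; the “Site to Zone Assignment List” policy writes the same ZoneMap structure centrally.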

sivasankar_33 posted this 01 February 2012

Hello Ken,

I don't have a suggestion for your issue, but the concept you have explained
is really cool.

Can you provide me a link where I can start from scratch on IIS? I am new
to AD and Win server :)

Thanks a lot.