SharePoint and Claims: Map Network Drive issue


Scenario

If a SharePoint Web Application is configured with Claims Authentication, you might run into an issue when trying to map SharePoint as a network drive.

Map Network Drive

If you only have Windows Authentication configured on the Zone…

NTLM Only

…you’ll be either automatically signed in or get a credential prompt and you’ll see the SharePoint content just fine.

SharePoint content

But if you’re offering multiple authentication types on a single zone…

NTLM and FBA

Sign In

…you might get a nasty error.

Access Denied

The mapped network drive could not be created because the following error has occurred:

Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically.

Cause

If this is the case, it is probably because you’re not being logged in automatically with the Windows Authentication option.

You can test this fairly easily by browsing to the URL you’re trying to map in Internet Explorer. If you get there without having to choose the authentication type, your network mapping will work.

If you close the browser, repeat the test, and have to select the authentication type *again*, it probably means your SharePoint environment is configured to use session cookies rather than persistent cookies.

PS C:\> $sts = Get-SPSecurityTokenServiceConfig
PS C:\> $sts.UseSessionCookies
True

Once you change this to use persistent cookies, you can close the browser and it will remember you as long as the cookie is valid.

PS C:\> $sts = Get-SPSecurityTokenServiceConfig
PS C:\> $sts.UseSessionCookies = $false
PS C:\> $sts.Update()
PS C:\> iisreset
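
Before changing the farm-wide setting, it helps to see which zones actually offer more than one authentication type and how long a sign-in stays valid. The following read-only audit script is an added example, not part of the original post; the URL is a placeholder, and it assumes the SharePoint Management Shell on a farm server.

```powershell
# Added example: audit the settings that affect mapping a claims web application
# as a network drive. Read-only; it changes nothing on the farm.
param(
    # Placeholder URL (assumption); replace with your own web application.
    [string]$WebAppUrl = 'http://intranet.example.com'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa = Get-SPWebApplication -Identity $WebAppUrl
if (-not $wa.UseClaimsAuthentication) {
    Write-Output "$WebAppUrl uses classic-mode authentication; the checks below do not apply."
    return
}

# A zone with more than one provider makes the user choose an authentication
# type, which the Map Network Drive dialog cannot do.
$zones = foreach ($zone in $wa.IisSettings.Keys) {
    $providers = @(Get-SPAuthenticationProvider -WebApplication $wa -Zone $zone)
    New-Object PSObject -Property @{
        Zone              = $zone
        Providers         = ($providers | ForEach-Object { $_.DisplayName }) -join ', '
        MultipleProviders = ($providers.Count -gt 1)
    }
}
$zones | Select-Object Zone, Providers, MultipleProviders | Format-Table -AutoSize

# Farm-wide Security Token Service settings: cookie type and token lifetimes.
# With persistent cookies the sign-in survives a browser restart until the
# token expires, on every machine where a user has signed in.
$sts = Get-SPSecurityTokenServiceConfig
New-Object PSObject -Property @{
    UseSessionCookies               = $sts.UseSessionCookies
    WindowsTokenLifetime            = $sts.WindowsTokenLifetime
    FormsTokenLifetime              = $sts.FormsTokenLifetime
    LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
} | Select-Object UseSessionCookies, WindowsTokenLifetime, FormsTokenLifetime,
                  LogonTokenCacheExpirationWindow | Format-List

if ($sts.UseSessionCookies -and ($zones | Where-Object { $_.MultipleProviders })) {
    Write-Output 'Session cookies plus a multi-provider zone: drive mappings will fail once the browser is closed.'
}
```

Because `UseSessionCookies` applies to the whole farm, review the token lifetimes in the output when deciding whether persistent cookies are acceptable on shared or unmanaged machines.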

Back to the issue

Once you have persistent cookies in place, you must first create the cookie using the browser. This is required because the Network Mapping dialog doesn’t allow you to pick the authentication type. So go ahead and log in to your SharePoint site using your browser.

Now you can go create a Network Mapping and it will work as long as the cookie is present and valid.

If the cookie is removed and you reboot, you’ll get an error again.

Restoring Network Connections

An error occurred while reconnecting Z: to http://intranet.******.com/Shared Documents
Web Client Network: Access Denied. Before opening files in this location, you must first add the web site to your trusted sites list, browse to the web site, and select the option to login automatically.

This connection has not been restored.

To get it working again, you just have to log in to the site with your browser to create the cookie. This will make the network mapping work again.

Hope this helps!

 


Comments

Thursday, 14 Nov 2013 08:22 by Pascal Van Vlaenderen
Also a nice find :) Had kinda the same problem with another client. Question though: why not extend it to another web app? I like using 2 different Web Apps for 2 different authentication methods

Thursday, 14 Nov 2013 11:52 by Steven Van de Craen
Pascal, I think both have a purpose. This particular client wanted a single URL for all users (internal and external). I often see this combined with the request to automatically redirect users based on specific conditions (like source IP range) to the correct authentication mechanism.
