Passwordstate Prompts for Authentication

[support]

When using the Active Directory Integrated version of Passwordstate, your browser should pass through your domain credentials to the web server, and you should not be prompted to enter your username and password. If you are, the following could be possible causes:

Suggestion 1

• If you are running an Operating System which still has Internet Explorer, the Passwordstate web site should be detected as being in the 'Local Intranet' security zone, and the option for 'User Authentication' is set to 'Automatic logon only in Intranet zone'. (You may need to add the URL of the site to a group policy which forces Internet Explorer to detect the site is in the intranet zone. Alternatively, each user can add this manually in Internet Explorer via the Internet Options -> Security Tab.  By adding your site to Local Intranet Zones, this should also fix the issue for Chrome.)
• If not running an OS with IE, you can check if your site is in the Local Intranet zone by running the following Powershell code: $(get-item "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").property.  If needed, you can add the site in manually from Control Panel -> Internet Options -> Security Tab, or even better use Group Policy to apply to all machines.
• If using Firefox, it does this by design. To fix this, please try the following:
  • Open Firefox, and type about:config in the URL bar
  • Search for network:automatic
  • Double click network.automatic-ntlm-auth.trusted-uris and enter your full Passwordstate URL.  (Screenshot below for reference)
  • Restart your browse and Single Sign on should now work

 

 

Suggestion 2

Ensure that the DNS entry you have created for your Passwordstate URL is a CNAME DNS entry, and not a A record.

 

Suggestion 3
Something else which has affected a few customers in the past is the order of authentication 'providers' in IIS for the Windows Authentication. By changing the following setting, helped prevent the web site prompting for authentication:

 

• Open IIS and select the Passwordstate web site
• Open the "Authentication" property under the "IIS" header
• Click the "Windows Authentication" item and click "Providers"
• Try moving NTLM to the top, then restart IIS, or reboot the server

 

Suggestion 4
Using host files for name resolution does not work with using Windows Authentication in IIS. You need to use DNS for name resolution.

 

Suggestion 5
You need to be logged on with a domain account, not a local account on a desktop or server. If accessing Passwordstate from a Mac or Linux machine, you cannot prevent this prompt as Single Sign on will not work.  Possibly you could consider enabling Anonymous Authentication on your Passwordstate website, which means users need to enter their username and password to access the system.

 

Suggestion 6
Believe it or not, sometimes a reboot of the web server after upgrades has helped quite a number of customers.

 

Suggestion 7

If you do not have a CName DNS record already for your Passwordstate URL, please create one and that should help.  An example of a CNAME DNS record can be found in this forum post: https://forums.clickstudios.com.au/topic/1465-changing-the-passwordstate-url/

 

Regards

Click Studios