2

I am trying to get FedAuth cookie in order to read SharePoint api from my mobile app.

However, I find that some of web applications do have FedAuth cookie, but other web applications do not have this cookie. Originally I thought all SharePoint sites use this cookie for authentication. (Claims + NTLM mode)

Say I have SiteA and SiteB:

Both sites are Claims Based Authentication with NTLM

SiteA has no FedAuth cookie
It has WSS_KeepSessionAuthenticated cookie instead (but it does not seems to be an authentication token since I can change it and SharePoint is still happy)
enter image description here

SiteB has Enabled Form Based Authentication, and it has FedAuth cookie. (if I change this cookie SharePoint reports error) enter image description here

I experimented and found that when I disable the Form Based Authentication in SiteB, it no longer sets the FedAuth cookie.

Question:

  1. Why FedAuth only appears for Form Based Authentication?
  2. Can I make SharePoint to use FedAuth when Form Based Authentication is not enabled? Because I want to use this cookie in api call.
  3. When SharePoint is not using FedAuth cookie, how does it maintain user session?

I don't have much knowledge in this area and probably missing some key concepts here, thanks for pointing out!

Wint
  • 214
  • 4
  • 17

3 Answers3

1

WSS_KeepSessionAuthenticated is used to keep users sessions authenticated. I believe this actually only present if anonymous access is also enabled. The reason is that by default you would be logged in as the "anon" users and not your account, so instead this is passed in after the first authentication is successful so you don't have to explicitly logon with each page request.

FedAuth cookie holds the reference for the claim token, but not the token itself, that is serviced by the Secure Store I believe. The STS is responsible for generating the FedAuth cookie.

I'm not 100% sure here - but I would say what is happening, is that without forms, SharePoint is accepting the NTLM token, and managing the claims mapping on the server side. If you watch the interaction of the session I'm sure you will see this in the 401 requests, and the NTLM response. It also could be as noted above the configuration with anonymous turned on. I would make sure anonymous is not allowed and run thru same tests again and see if results are the same.

Jesus Shelby
  • 10,860
  • 24
  • 52
  • You are right that SP returns 401 without forms. But eventually I want to authenticate SharePoint in a mobile WebView (users are already logged in the mobile app), then call its rest api with some token. I cannot find any token to call rest api now, do you have any suggestion? – Wint Jun 27 '16 at 09:11
  • Jesus was right that no cookie is generated in my case. So how does browser authenticate requests with SharePoint server? After few days of investigation I am almost sure that browser maintains http connection after authenticated (so need to to authenticate again). Once this connection is break, browser re-authenticate NTLM using cached user credentials (down vote me if I am wrong) – Wint Jul 20 '16 at 10:27
1

SharePoint only uses the FedAuth cookie in scenarios where it is necessary, such as ADFS authentication or FBA authentication.

In the case of Windows authentication (even claims-based) Windows auth, including NTLM, Kerberos, etc., no FedAuth cookie is necessary. In your case, instead of trying to force a FedAuth cookie where it isn't possible, you should look to authenticate via supported methods, such as OAuth.

See these answers for more details.

Community
  • 1
James Grizzle
  • 2,612
  • 4
  • 37
  • 61
  • I see your point. But without FedAuth, how does SharePoint maintain session in your browser? There should be some token in your browser right? the first video here says SharePoint sends an Authorization Code to client computer, what is this code? – Wint Jun 27 '16 at 09:01
  • In the end, I want to authenticate SharePoint in a mobile WebView (users are already logged in the mobile app), then call its rest api with some token. This is on premises installation + self hosted add-in, so OAuth is not applicable here, Do you have any suggestion? – Wint Jun 27 '16 at 09:06
0

My Sharepoint 2013 was not properly federated and I was authenticating with itself. As a result FedAuth cookie were missing.

Neftanic
  • 101
  • 1