SharePoint 2007 and Internet Explorer 8 – side effect with Sign-in As different User
Hello @all,
in the last weeks I could see a side effect with SharePoint 2007 and Internet Explorer 8. We publish a KB with 3 different workarounds as solution
KB 2435214 - SharePoint 2007 and Internet Explorer 8 has problems with "Sign in as a different user" does not clear ASP.Net Session object
Symptom:
In SharePoint 2007 using Internet Explorer 8 and "Sign in as a different user" displays old Session data. After 30 seconds the session object is completely refreshed and all data is correct.
What does this mean for SharePoint?
Normally users browse over the portal with their own account. In case a user switch to another identify the user will use the function: Sign-In as different User. An administrator is doing this more then ones a day. This “easy” function has a little requirement, the authentication behavior of the client (Browser) is very important.
After calling “Sign in as a different user” the user will enter new Credentials and under the hood of the IE6 & IE7, the browser will drop the existing socket connection and create with the new credentials a new socket connection. The IIS and SharePoint Web Application create for a new socket connection a new Session object and the old Session will be deleted automatically. With IE8 this behavior has changed because the IE8 use a Session based authentication and IE8 use the same connection as before. This means the web application need to delete the session object manually. Unfortunately SharePoint 2007 was ealier in the market as IE8, so the manually deletion is not in place.
The root cause of the behavior was really nice. Browser like IE6 and IE7 have a connection based authentication architecture and IE8 has a new design, it’s a session based authentication. With IE8 it take 30 sec. until the old connection times out or the session object is refreshed. As solution we have 3 workarounds with 3 advantages or disadvantages:
Workaround 1: customize init.js file or overload the method of LoginAsAnother() with an addition line of code: document.execCommand("ClearAuthenticationCache");
https://support.microsoft.com/kb/970814/en-us(https://support.microsoft.com/kb/970814/en-us)
-> can be critical with patching SharePoint in case the js file will be changed. After each patching we need to check the js-customization.
Workaround 2: change IIS authentication behavior to force the authentication for each incoming http request
Run the following:
cscript adsutil.vbs SET w3svc/<webappidentifier>/AuthPersistSingleRequest TRUE
example: cscript adsutil.vbs SET w3svc/1048141505/AuthPersistSingleRequest TRUE-> this will create more IIS authentication overhead of the WFE and DC, but the implementation is very easy
Workaround 3: create a custom httpmodule and deploy it over the farm (all webapplications)
Task of the custom http module: after calling sign-in as different user a custom http module implement EndRequest method of http module interface: Logic to implement: after calling "/_layouts/AccessDenied.aspx?loginasanotheruser=true" run httpcontext.Session.Clear();Implementation: after sending Response of "/_layouts/AccessDenied.aspx?loginasanotheruser=true" it’s important to call httpcontext.Session.Clear();
More details to implementing a custom httpmodule:
https://support.microsoft.com/kb/307996/en-us (https://support.microsoft.com/kb/307996/en-us)
https://msdn.microsoft.com/en-us/library/ms227673.aspx-> this is an additional customization in the farm but in my opinion a elegant solution.
I hope this helps.
regards
Patrick
Comments
Anonymous
January 01, 2003
hello sudhanshu, using Visual Studio 2008 + SharePoint Extention to create a feature. After complile you will have a WSP-File for in the folder structure. Now you can run stsadm -o addsolution to and over central admin in (operation/solution management) you can deploy this solution to your webapplication. regards patrickAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
hi Thomas,i recommand to open a support ticket for detailed help.Further speps would go into debugging analysis. which Server OS version and IIS version do you use? regards patrickAnonymous
October 27, 2010
Thanks for the information. We are having that problem on our test environment, but not with our production one. Booth have the same configuration, and from the same PC we have an automatic refresh when we sign in as different user in the production but no on the test. So my question is if there may be some different configuration on the servers or these is only configuration of Explorer 8 on the PC.Anonymous
December 10, 2010
I've tried it with the following (workaround 3) workaround 1 and 2 isn't an option public class FixSignInAsAnotherUserHttpModule : IHttpModule { public void Dispose() { } public void Init(HttpApplication context) { context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute); context.EndRequest += new EventHandler(context_EndRequest); } void context_EndRequest(object sender, EventArgs e) { try { var context = ((HttpApplication)sender).Context; if (context.Request.Url.ToString().ToLower().Contains("/_layouts/accessdenied.aspx?loginasanotheruser=true")) { context.Session.Clear(); //context.Response.Cookies.Clear(); } } catch (Exception ex) { } } void context_PreRequestHandlerExecute(object sender, EventArgs e) { } } and added to the web.config <add name="FixSignInAsAnotherUserHttpModule" type="ONPRVP.Common.HttpModules.FixSignInAsAnotherUserHttpModule, ONPRVP.Common, Version=1.0.0.0, Culture=neutral, PublicKeyToken=5ec763fc9d10a840" /> but in my case, it still doesn't workAnonymous
July 28, 2011
hi can some one tell me how we can provide on production(MOSS 2007) sign as adifferent user feature although it is present on my test server