by Andreas

SharePoint 2010 – get rid of the Windows Security login dialog

When you’re running SharePoint 2010 in your development environment you probably won’t have a domain and Active Directory set up. After all, it is a bit of overkill when it’s just you and your cat that require a login and a profile. Unfortunately the lack of an Active Directory means you will be prompted to enter your username and password each and every time you open up your SharePoint site, whether this be during development and debugging or just accessing the intranet you’ve set up (for you and your cat – hey, animals need shared calendars and document libraries too..).


“Remember my credentials” doesn’t seem to work in this case, and if you’ve attempted to create a new entry in the Credential Manager you’ll soon find out that it doesn’t help either (which is where “Remember my credentials” should have stored your login info in the first place). The trick is to add your SharePoint site as a local intranet site in Internet Explorer, so that Integrated Windows Authentication sends your current Windows credentials automatically. Go to Internet Options, open the Security tab and choose “Local intranet”. Click Sites, and in the following dialog box choose Advanced. If you did this while browsing your SharePoint site the web site address should already be in the input textbox, but if not just add it manually (e.g. “http://localhost”):


Close your browser and reopen your SharePoint site – you’re now logged in automatically.

by Andreas

Active Directory password decryption – Yes it can be done!

It’s a common misconception that Active Directory only stores the non-reversible hash value of passwords. This is not necessarily true! There is a flag that can be set per user or per domain called AllowReversiblePasswordEncryption which controls whether AD stores only a hash value or also a two-way encrypted copy of the password. The reason for allowing this is to support some authentication protocols that need the clear-text password on the server side to function, like CHAP and HTTP Digest Authentication.

Programmatically the flag can be accessed through the AllowReversiblePasswordEncryption property of the UserPrincipal class (under System.DirectoryServices.AccountManagement), and is obviously false by default:

userPrincipal.AllowReversiblePasswordEncryption = true; // flag the account for reversible storage
userPrincipal.Save();                                    // nothing changes in AD until the principal is saved


But Reversible Password Encryption must also be enabled on your domain controller for this to take effect. This guy has made a very simple walkthrough, and also a tool called RevDump that will do the job for you (unfortunately it needs an update for Windows Server 2008 / 2008 R2). I am not going to steal his sunshine, so check out his post (and also the follow-up about how it works). The only thing I felt he left out was how to actually enable this in Active Directory. Using the tool he suggests (Active Directory Explorer), connect to your domain, navigate to System and then Password Settings Container (CN=Password Settings Container,CN=System,DC=<domain_name>). Add a new object and choose the msDS-PasswordSettings class. Then find the msDS-PasswordReversibleEncryptionEnabled attribute, set its value to “true”, give the new object a valid name and there you go.
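Because the flag can be set per account as well as through a password settings object, it is worth auditing both places. The following is an added example, not code from the post or from RevDump: a small offline checker in Python that reads an ldifde-style export (the entries, DNs and values here are constructed) and reports accounts whose userAccountControl has the ENCRYPTED_TEXT_PWD_ALLOWED bit (0x0080) set, and PSOs whose msDS-PasswordReversibleEncryptionEnabled is TRUE.

```python
# Bit in userAccountControl that AD sets when reversible encryption is
# allowed for an individual account (ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED).
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080


def parse_ldif(text):
    """Minimal LDIF parser: blank lines separate entries, '#' starts a comment.
    Returns a list of {attribute (lower-cased): [values]} dictionaries."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():            # end of an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                    # not an attribute line, ignore
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_reversible(entries):
    """Return (kind, dn) pairs for users with the UAC bit set and for
    password settings objects that turn reversible encryption on."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        uac = entry.get("useraccountcontrol")
        if uac and int(uac[0]) & ENCRYPTED_TEXT_PWD_ALLOWED:
            findings.append(("user", dn))
        pso = entry.get("msds-passwordreversibleencryptionenabled")
        if pso and pso[0].upper() == "TRUE":
            findings.append(("pso", dn))
    return findings


# Constructed sample export: one normal user, one account with the bit set
# (512 + 128 = 640) and one PSO that enables reversible encryption.
SAMPLE = """
dn: CN=Alice,CN=Users,DC=example,DC=local
objectClass: user
userAccountControl: 512

dn: CN=svc-chap,CN=Users,DC=example,DC=local
objectClass: user
userAccountControl: 640

dn: CN=ReversiblePSO,CN=Password Settings Container,CN=System,DC=example,DC=local
objectClass: msDS-PasswordSettings
msDS-PasswordReversibleEncryptionEnabled: TRUE
"""

if __name__ == "__main__":
    for kind, dn in find_reversible(parse_ldif(SAMPLE)):
        print(f"{kind}: {dn}")
```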

Be prepared that your sysadmin will tear out whatever hair he might have left when you suggest doing this. The common phrase you will hear is “don’t do it, you might as well store the passwords in plain text”. This is because anyone with domain administrator rights will be able to acquire everything necessary to decrypt the passwords, but if some undeserving clown has been given (or illegally taken) that level of access I think your sysadmin has bigger problems on his hands anyway. Use it with caution though, and only when absolutely necessary.