SharePoint, CRM, Line of Business web apps, Integrated Windows Authentication and Windows 10 (Microsoft Edge, Microsoft Internet Explorer 11)

It has been quite some time since Windows 10 was released, but large companies (especially non-tech ones) usually start to deploy a new OS internally only when there is absolutely no good case left for running the older OS versions. Reasons like:

  • when Microsoft is announcing the end of mainstream support for the previous OS;
  • when the competitors are already using the new OS;
  • when the vendors offer better/only deals for the new OS;
  • when the consumer space has already provided good feedback for the new OS and the company is under some pressure to step up;
  • when the company substantially reduces its costs by managing the new OS (less maintenance is required, the new OS is more stable, the new OS incorporates essential functionality provided in the past by 3rd party products …);
  • when the work productivity is increased;

 

A small percentage of large companies moved to Windows 10 in the second half of 2016 and of course, 2017 and 2018 will be full years for Windows 10 deployments.

 

Windows 10 introduced Microsoft Edge as the default web browser, but Edge is not enterprise ready. Internet Explorer 11 is still present on Windows 10. It is somewhat hidden, but Microsoft’s intention is to offer Internet Explorer 11 as an alternative until Microsoft Edge reaches the maturity level needed to meet the needs of the enterprise space.

 

The first thing users notice with Windows 10 and Microsoft Edge is a prompt to type the username and password when accessing the line of business applications. This happens because Integrated Windows Authentication is not available in Microsoft Edge. Large non-tech companies usually still run some SharePoint, Microsoft CRM, Microsoft Exchange, Project … Even Office 365 SSO relies on Integrated Windows Authentication.

Starting with Windows 10 Anniversary Update (build version 1607) Integrated Windows Authentication is available in Microsoft Edge.

 

So, is Microsoft Edge out of the discussion? What is the best setup for Windows 10 regarding Microsoft Edge and Microsoft Internet Explorer 11?

I personally think Microsoft Edge is still not ready to cover the current needs the enterprises have, but it is the browser where Microsoft is investing. So, it is a matter of time (a year, maybe two) until Microsoft Edge gets to the level where it is no longer necessary to count on Microsoft Internet Explorer 11.

 

Even if Microsoft Internet Explorer 11 could be set as the default web browser for Windows 10, keep in mind IE11 was released in October 2013 and there will be no new version of it. IE11 will continue to receive security updates and technical support for the support lifecycle of the version of Windows on which it is installed.
In my opinion, setting IE11 as the default browser in Windows 10 makes the dependency on it much stronger, up to the point where IE11 becomes obsolete and your Line of Business apps still aren’t upgraded. Leaving Microsoft Edge as the default browser and not configuring Enterprise Site Mode List is again not good, because you actually reduce user productivity due to all the issues that come with using this browser on old web solutions.
Below, I am providing two links that will provide enough details to decide the route you want to go:

 

 

In the next section, I am describing the best way I consider Windows 10 should be configured to support Microsoft SharePoint, Microsoft CRM and other Line of Business web apps.
I think the combination of Microsoft Edge and Microsoft Internet Explorer 11 is good long term. That means it is necessary to configure both browsers to use proper settings. Microsoft Edge should be the default Windows 10 browser. Enterprise Sites Mode List must be configured to tell Microsoft Edge which compatibility mode and which browser version must be used for the Line of Business applications.

 

In this way, you expose Microsoft Edge to the users, which is a good thing, because long term this will be the only Microsoft web browser available.

 

Aside from your own tests, you will benefit from the Microsoft Edge usage of the company’s users: they will report all the Line of Business applications that are problematic in Microsoft Edge, which is again a good thing because you are able to track them and from time to time challenge the vendors to step up.

 

In both cases (either when the solution is not compatible with Microsoft Edge, or when Microsoft Edge is not mature enough), thanks to Enterprise Sites Mode List you can automatically redirect the request to IE11.

 

 

Start by configuring the Local Intranet sites

The main reason for setting up the Local Intranet sites first is Integrated Windows Authentication. In fact, automatic logon can be configured for each zone (Internet / Local intranet / Trusted sites / Restricted sites), but Microsoft Edge will only perform automatic logon for the FQDNs/URLs that are part of the Local intranet zone. So, you need to add the FQDNs/URLs of Microsoft SharePoint / CRM / Exchange and other Line of Business applications to the Local intranet zone if you want Microsoft Edge not to prompt for username and password.


 

Let’s see how to get this functionality

  1. Make sure you have Administrative Templates (.admx) for Windows 10 and Windows Server 2016 deployed.
    It is a good thing to deploy all the ADMX files (and the related ADML files), but if you are only interested in the Microsoft Internet Explorer policy definitions, then inetres.admx and inetres.adml are the minimum requirement for the central store deployment.
  2. Define and link a Group Policy Object that will control the Microsoft Internet Explorer behavior.
  3. Configure which URLs/FQDNs are part of the Local Intranet Zone.
    Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List

 

The settings above will give you automatic logon in Microsoft Edge when you access web applications that use Integrated Windows Authentication, so there is no more authentication screen asking the user to type the username and password.
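To check what the Site to Zone Assignment List actually delivered to a client, the policy can be read back from the registry. The PowerShell below is an added example, not part of the original post; it relies on the policy being stored under the ZoneMapKey policy key as site = zone number (1 is Local intranet), and it flags wildcard and plain-HTTP intranet entries, since every host they match gets automatic logon.

```powershell
# Added example: audit the "Site to Zone Assignment List" policy as applied on this client.
# Each entry is a registry value: name = site, data = zone number.
$zoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

$entries = foreach ($key in $policyKeys) {
    # The key only exists when the policy is configured for that scope.
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $zone  = [string]$item.GetValue($name)
        $notes = @()
        if ($zone -eq '1') {
            # Local intranet entries are the ones that get automatic logon.
            if ($name.Contains('*'))    { $notes += 'wildcard: automatic logon for every matching host' }
            if ($name -like 'http://*') { $notes += 'plain HTTP entry' }
        }
        [pscustomobject]@{
            Scope = $key.Substring(0, 4)     # HKLM = computer policy, HKCU = user policy
            Site  = $name
            Zone  = $zoneNames[$zone]
            Notes = $notes -join '; '
        }
    }
}

$entries | Sort-Object Zone, Site | Format-Table -AutoSize
```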

 

However, Microsoft Edge is not 100% compatible with Microsoft SharePoint / CRM / Exchange and other Line of Business applications. For example:

  • constant “Are you sure you want to leave this page” prompts when using OneNote Web App.
  • Silverlight is not supported by Microsoft Edge -> the SharePoint 2013 farms configured to support Power BI will be impacted (Power View and PowerPivot Galleries will prompt for Silverlight installation).
  • “Open with Explorer” is grayed out.
  • “Connect to Office” is grayed out.
  • extra and unnecessary “Do you want to open [document name.XYZ] (X KB) from [FQDN]?” for Intranet Zone sites when the user wants to view or edit that document in the client application.
  • The “Text Editor — Web page Dialog” dialog that should open when you click on Source Editor (part of the HTML Form Web Part) does not load in Edge.
  • In Microsoft Edge, “Export to Excel” prompts the user with “To export a list, you must have Microsoft SharePoint Foundation-compatible application”.
  • The user presence indicator (that green / yellow / red Skype for Business status) isn’t working on Microsoft Edge.
  •  … – and the list goes on.

 

In some cases, these incompatibilities can be a dealbreaker and the only option is to fall back to IE11, which is where Enterprise Sites Mode List should be used.

 

Let’s see how to implement Enterprise Sites Mode List

  1. Make sure you have Administrative Templates (.admx) for Windows 10 and Windows Server 2016 deployed. This is very easy to do and is kind of “a must” if you are starting to use Windows 10 within your organization.
    It is a good thing to deploy all the ADMX files (and the related ADML files), but if you are only interested in the Microsoft Edge policy definitions, then MicrosoftEdge.admx and MicrosoftEdge.adml are the minimum requirement for the central store deployment.
  2. Install Enterprise Mode Site List Manager (schema v.2). This application will help you define the XML that sits behind the Enterprise Sites Mode List functionality. You can install this application on any machine, since in the end it just produces a properly formatted XML file that will be hosted in a centralized location.
  3. Define and link a Group Policy Object that will control the Microsoft Edge behavior.
    The Enterprise Sites Mode List policy can be located in both places: Computer Configuration and User Configuration.
    Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Microsoft Edge
    or
    User Configuration -> Policies -> Administrative Templates -> Windows Components -> Microsoft Edge

 

Adding those FQDNs/URLs to the Enterprise_mode_sites_schema_v2.xml and configuring them to open using IE11 will make Microsoft Edge redirect those requests.
So, the user will open Microsoft Edge and enter the Line of Business URL, and Microsoft Edge will redirect that request to Microsoft IE11.

 

 

 

Can Enterprise Sites Mode List redirect specific SharePoint site collections to IE11?

Yes! Enterprise Sites Mode List is not restricted to domain names (as the Internet zones are).

 

For example, let’s assume you have multiple SharePoint farms where the URLs of all the Web Applications share the yourcustomdomainame.com DNS zone (e.g.: europe.yourcustomdomainame.com, america.yourcustomdomainame.com, asia.yourcustomdomainame.com …). If only one of all your SharePoint site collections uses features that do not run well in Microsoft Edge, then the easiest solution is to add *.yourcustomdomainame.com to the Local Intranet Zone and to specify the URLs of the non-Edge-ready site collections (e.g.: europe.yourcustomdomainame.com/sites/heavy-IE11-based-site) in Enterprise Sites Mode List to be opened with IE11.

In this way, all the site collections will be opened in Microsoft Edge, and only europe.yourcustomdomainame.com/sites/heavy-IE11-based-site will be handed over to Microsoft IE11.
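The site list for this scenario, written out and sanity-checked in PowerShell. This is an added example, not the author's file: the host and path are the article's placeholders, the version number is arbitrary, and the two checks cover only the v2 rules that URLs carry no protocol and that open-in is one of IE11, MSEdge or None.

```powershell
# Added example: schema v2 site list that sends one site collection to IE11.
# Bump the version attribute on every change so clients pick up the new list.
[xml]$siteList = @'
<site-list version="1">
  <site url="europe.yourcustomdomainame.com/sites/heavy-IE11-based-site">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

# Lint the entries before publishing the file to the central location.
$problems = foreach ($site in $siteList.'site-list'.site) {
    if ($site.url -match '^[a-z]+://') {
        "$($site.url): remove the protocol, v2 URLs are host[/path] only"
    }
    if ($site.'open-in' -notin 'IE11', 'MSEdge', 'None') {
        "$($site.url): unexpected open-in value '$($site.'open-in')'"
    }
}
if ($problems) { $problems; throw 'Site list not written.' }

# Same file name the article uses; written to the current PowerShell location.
$siteList.Save((Join-Path $PWD 'Enterprise_mode_sites_schema_v2.xml'))
```

Everything else under *.yourcustomdomainame.com has no entry in the list and therefore stays in Microsoft Edge.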

 
