Cannot Open Office Documents in SharePoint without Prompt for Password
This definitely appears to be a client issue, as I'm getting different results for different users, but the upshot is that, after logging into the SharePoint portal (MOSS 2007), some users are getting prompted for credentials when attempting to open Office
documents, while others don't get prompted at all. Still others, including me, get prompted for credentials, and yet can never get access to the documents ... and I'm a site administrator!
Oddly enough, if I try with Google Chrome or Firefox, it works, without any prompts. So it definitely smells like a client configuration issue.
I've tried just about all of the ideas I've seen posted, including adding the site to Trusted and/or Local Intranet sites, enabling/disabling Integrated Windows Authentication, adding the AuthForward (or whatever it is) Registry key, accessing with and without
proxy settings, adding Alternate Access Mappings in the Central Administration console, and nothing seems to work!
I'm about ready to pull my hair out. Does anyone have any ideas what can be done, so that I can use IE to open documents (particularly without getting prompted again)?
January 14th, 2011 3:24pm
Hello,
I am not sure how this may help,
On your Internet Explorer settings, Internet options, go to Security tab
intranet zone, click on Custom level
Scroll almost to the end
and there is an option-> Automatic login using...Regards, Rohan
Free Windows Admin Tool Kit Click here and download it now
January 14th, 2011 4:28pm
> and there is an option-> Automatic login using...
That stops the user being prompted when accessing a SP page provided the login identity is the identity given rights
to access that page (site; sub-site etc,).
Problems with being prompted when trying to open a document in a document library are usually solved by making sure
that the SharePoint site is included in the Trusted Sites list in IE.
(Unfortunately this isn't a solution for every problem with this).SP 2010 "FAQ" (mainly useful links):
http://wssv4faq.mindsharp.com/default.aspx
WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
Both also have links to extensive book lists and to (free) on-line chapters
January 15th, 2011 12:36am
Doing some more research, I now suspect this is tied to Network Load Balancing.
We have an IP cluster (A), that routes to two front-end Web servers, (B) and (C). If I point my browser to the cluster (A), pass-through authentication does not work: I am forced to enter my credentials, just to access the site, and I cannot open Office
documents, even after entering credentials.
However, if I point my browser directly to the WFE servers (B or C), everything works! My credentials pass-through. I do *not* have to enter credentials, and I *can* access Office documents in the repository.
At first glance, everything about the cluster appears to be configured properly. And honestly, despite having to authenticate the first time and not being able to open documents from the repository, everything else on the site works fine.
So now my question becomes, how do I fix this? Is there anything I can check?
One more note, we're using NTLM and not Kerberos.
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2011 10:06am
I'm not sure why someone marked this post as "answered", when it hasn't been, so I am "unmarking" these. The suggested answers of adding these sites to my Trusted Sites list in IE does *NOT* resolve my issue! Regardless of whether or not these
are "Trusted", I still get prompted when accessing the cluster and not hitting the WFE directly.
February 8th, 2011 9:05am
It's your right as OP to decide when your question has been answered so it's of course fine that you have unmarked these "answers".
The usual reason for posts being marked as answers without waiting for the OP (here, you) to say his question has been answered is because the last post was a reply to which the OP hasn't responded. Here, however, the last post was from you saying that your
question hadn't yet been answered, so it's odd that posts in the thread have been marked as answers.
But remember that Moderators are often working under time pressure and so regard this one as probably being human error - missing the fact that the last post in the thread was from you.
(another) ModeratorSP 2010 "FAQ" (mainly useful links):
http://wssv4faq.mindsharp.com/default.aspx
WSS3/MOSS FAQ (FAQ and Links) http://wssv3faq.mindsharp.com/default.aspx
Both also have links to extensive book lists and to (free) on-line chapters
Free Windows Admin Tool Kit Click here and download it now
February 8th, 2011 10:02am
Are you 100% sure you hit the site using NTLM and not negotiating for Kerberos when you go through NLB? Did you configure IIS on the two web servers to force NTLM and not negotiate?
I use a tool called Fiddler (google it, free to download) to investigate authentication when-ever in doubt. If the web server is sending back negotiate in the header IE will try to negotiate and that might be the reason why it fails.
In Fiddler check Inspectors and the Auth-tab for both request and response. As you can see in my case I get a response back with WWW-Authenticate Header = Negotiate:
No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
And truly I can see Kerberos being used in the next request:
No Proxy-Authorization Header is present.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 76 06 06 2B 06 01 05 05 02 A0 6C 30 6A A0 30 `v..+..... l0j 0
30 2E 06 0A 2B 06 01 04 01 82 37 02 02 0A 06 09 0...+....7.....
2A 86 48 82 F7 12 01 02 02 06 09 2A 86 48 86 F7 *H÷......*H÷
12 01 02 02 06 0A 2B 06 01 04 01 82 37 02 02 1E ......+....7...
A2 36 04 34 4E 54 4C 4D 53 53 50 00 01 00 00 00 ¢6.4NTLMSSP.....
97 B2 08 E2 05 00 05 00 2F 00 00 00 07 00 07 00 ².â..../.......
28 00 00 00 06 01 B0 1D 00 00 00 0F 42 4D 57 57 (.....°.....BMWW
If you truly want to force NTLM you need to alter the metabase in IIS6 or change the order or authentication providers in IIS 7 (removing Negotiate or put NTLM at the top).
bmw
February 14th, 2011 6:59am
Thanks, Bjorn.
While I haven't checked it out using any utility, I can say that only NTLM is selected in the SharePoint Central Administration portal, and the only authentication provider listed/enabled for the site (on both WFEs) is NTLM. No other providers are
in that list in IIS ... so I guess I'm 99% certain that we're only using NTLM.
Just for fun, I'll check out Fiddler and see if it gives me any surprises ...
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2011 9:29am
found the answer to this problem .. i've been searching on and off for years for the answer .. this nailed it and worked ..
http://www.quantumofgeek.com/2010/02/windows-7-prompting-for-authentication-when-accessing-sharepoint-documents/
it is a local client issue ..
April 11th, 2011 10:07pm