Opening an office file on the web in office 2010 prompts again for credentials

As per the follwoing KB we just enabled SSL to allow for our office documents to be "opened" from the web as opposed to downloaded first.
http://support.microsoft.com/kb/2123563

We use htaccess/htpasswd for authentication. After logging into the website, opening an office file prompts again for the same credentials. The link to the office files are in the same secured directory, same server, same path. Entering the credentials again works but it is an annoyance as the user already supplied the credentials when first accessing the website.

January 23rd, 2012 6:48pm

Hi,

 

Thank you for using Microsoft Office for IT Professionals Forums.

 

In most Intranet instances, this issue is most easily addressed by configuring the server to use Integrated Windows Authentication and then configuring the client to enable automatic logon. The user name and the password of the currently logged-on Windows user is then automatically sent to the server when authentication is requested without prompting the user.

 

To enable integrated Windows authentication

  1. Log on to the Web server by using an administrator account.
  2. Click Start and then click Control Panel.
  3. In Control Panel, double-click Administrative Tools.
  4. Double-click Internet Information Services.
  5. Click the Web server node.

A Web Sites folder opens underneath the server name.

  1. You can configure authentication for all Web sites or for individual Web sites. To configure authentication for all Web sites, right-click the Web Sites folder and then click Properties. To configure authentication for an individual Web site, open the Web Sites folder, right-click the individual Web site, and then click Properties.

The Properties dialog box is displayed.

  1. Click the Directory Security tab.
  2. In the Anonymous access and authentication control section, click Edit.

The Authentication Methods dialog box is displayed.

  1. Under Authenticated access, select Integrated Windows authentication.
  2. Click OK to close the Authentication Methods dialog box.
  3. Click OK to close the Properties dialog box.
  4. Close the Internet Information Services window.

 

To enable integrated Windows authentication in Windows Vista/IIS 7

  1. Log on to the Web server by using an administrator account.
  2. Turn on Windows Authentication and II6 Management Compatibility, if you have not previously done this, by following these steps:
    1. Click Start, click Control Panel and then click Programs.
    2. Under Programs and Features, click Turn Windows features on or off.

The User Access Control dialog box appears and prompts you for permission to continue.

  1.  
    1. Click Continue.

The Windows Features dialog box appears.

  1.  
    1. In the feature list, expand the Internet Information Services node.
    2.  
    3. Under Internet Information Services, expand the World Wide Web Services node.
    4. Under World Wide Web Services, click Security.
    5. Click Windows Authentication.
    6. Under Internet Information Services, expand the Web Management Tools node.
    7. Under Web Management Tools, expand the IIS 6 Management Compatibility node, and select the IIS 6 Metabase and IIS 6 Configuration Compatibility check box.
    8. Under Web Management Tools, select IIS Management Console and Click OK.
    9. Restart the computer for these changes to take effect.
  2. Click Start and then, click Control Panel.
  3. Click Classic View, and then double-click Administrative Tools.
  4. In the Name column and double-click Internet Information Services (IIS) Manager.
  5. In the Connections column, expand the node for your server.

A Web Sites folder opens underneath the server name.

  1. Expand the Web Sites node and click the Web site for which you want to enable integrated Windows authentication.
  2. The title of the center pane changes to the name of the Web site that you selected. In this pane, under the IIS heading, double-click Authentication.

The title of the pane changes to Authentication.

  1. In the Authentication pane, in the Name column, right-click Windows Authentication and then click Enable.
  2. Close the Internet Information Services (IIS) Manager window.

 

 

To enable Internet Explorer to allow automatic logon, the option must be enabled for the zone where the site is. The Local Intranet zone has a default configuration of automatic logon with the current user name and password. The Local Intranet zone is defined as all network connections that were established by using a Universal Naming Convention (UNC) path and websites that bypass the proxy server or that have names that do not include periods (such as http://local), as long as they are not assigned to either the Restricted Sites or to the Trusted Sites zone. The Trusted zone has a default configuration of automatic logon only in the Intranet zone.

 

When you open Microsoft Office documents by using Microsoft Office on Windows Vista or on a later version of Windows, the application tries to establish a Web-based Distributed Authoring and Versioning (WebDAV) connection to the web server through the Web Client service. Starting with Windows Vista, the Web Client service uses the WinHTTP network protocol and does not use the zone manager. The logged-on user credentials are automatically passed only if one of the following criteria is met:

 

  • The site is a NetBIOS name (it has no "dots" in the URL).
  • A proxy is detected, and the site URL matches the proxy bypass criteria.
  • The site is a fully qualified domain name (FQDN), the webclnt.dll version is greater than or equal to 6.0.6000.20729, and the site URL matches the criteria that are specified in the Web Client service parameter registry value AuthForwardServerList. (See Knowledge Base article 943280 for more information.)

 

If your Windows logon credentials match those that are needed by the site, Integrated Windows Authentication should allow the client to be configured to automatically log on by using the Windows user name and password. Please be aware that using Integrated Windows Authentication over an Internet-facing connection is not recommended or supported.

 

Keep in mind that if the credentials of the currently logged-on user are not what is needed to access the document (such as when the server and the workstation are not in trusted domains), the user is prompted to enter credentials. The general guideline is that if you must provide credentials to access a site, you typically must provide credentials to open a document.

 

 

Please take your time to try the suggestions and let me know the results at your earliest convenience. If anything is unclear or if there is anything I can do for you, please feel free to let me know.

 

 

Sincerely

Rex Zhang

Free Windows Admin Tool Kit Click here and download it now
January 30th, 2012 5:35am

Thank you Rex for your detailed response. I expect your answer would apply, however, the web server is not in an IIS environment nor is it on a private network. The website is a public website running on Apache with htaccess/htpasswd files to control access to Office documents. I think it might be "by design" since the second prompt only occurs when you select "open" as opposed to save/save as. My guess here is that IE is not passing the credentials to the Office program (Ex. Word/Excel) and I'm prompted again for the credentials to the file?
February 1st, 2012 4:08pm

Is there any update to this?  I agree with Geoff:

I think it might be "by design" since the second prompt only occurs when you select "open" as opposed to save/save as. My guess here is that IE is not passing the credentials to the Office program (Ex. Word/Excel) and I'm prompted again for the credentials to the file?

Is it not possible to have IE to save the document to the temporary folder, then opening it like how other browsers do it?  FireFox and Chrome don't prompt for authentication when you select open.

Free Windows Admin Tool Kit Click here and download it now
April 13th, 2012 5:23pm

We are also experiencing the same problem and this problem only occurs in an IE9/Win7/Office 2010 environment.

Although not stated in this string the prompt for credentials occurs behind the active user window. The user sees "Document dowloading from...site" and is unaware that the system is actually waiting for response from the user. From the user perspective the system is hanging.

I agree with the assessments of both Geoff and Bobby.

Does anyone have an update or solution to this specific issue with credentials prompt when opening office documents in IE9/Win7/Office 2010? 

Secondarily, it would be most desirable to remove the user prompt when opening the Office document, i.e. What do you want to do? Open, Save, Save As. I have not found any acceptable solution for this issue either. Have you?

Thanks.


April 24th, 2012 9:35pm

One thing that I have done (still testing) is disable and stop the Webclient service.

This appears to have removed the prompt for credentials.

Using Windows 7 SP1, Office 2010, IE9.

Free Windows Admin Tool Kit Click here and download it now
May 23rd, 2013 6:15pm

We got the same Problem with W7 SP1 x64 + Office 2k13 32bit, IE10.

Documents sitting on an old 2k3 SP2 IIS6 Webserver.

The Logon Request Window Hiding behind the IE10 Window on Click > Open Document.
So for Users its looking like its hanging

When we click Abort on the Logon Request Window, Document Opening normal

I think the Problem is, the Webclient do not send Default the Credentials, so the HTTP Response is 401 Unauthorized, then the Window Popup, if we click then abort, Office Download the Document with NTLM Auth User Creds.

Still searching for a Solution :-(

September 3rd, 2013 6:05am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics