Office documents prompt for login in anonymous SharePoint site

Question

I have a MOSS 07 site that is configured for anonymous access. There is a document library within this site that also has anonymous access enabled. When an anonymous user clicks on a PDF file in this library, he or she can read or download it with no problem. When a user clicks on an Office document, he or she is prompted with a login box. The user can cancel out of this box without entering a log in, and will be taken to the document.

This happens in IE but not FireFox.

I see some references to this question on the web but no clear solutions: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.sharepoint.windowsservices.development&tid=5452e093-a0d7-45c5-8ed0-96551e854cec&cat=en_US_CC8402B4-DC5E-652D-7DB2-0119AFB7C906&lang=en&cr=US&sloc=&p=1

http://www.sharepointu.com/forums/t/5779.aspx

http://www.eggheadcafe.com/software/aspnet/30817418/anonymous-users-getting-p.aspx

Answer 1

My guess is that the Office client is loading the underlying document template from another location where anonymous access is enabled. This also explains why you can still open the document as the Office client can also work without loading the template the document was originally created from. To see the template URL in Word 2007, enable the Developer Ribbon from Word options and click the Document Template button on the ribbon.

Answer 2

That doesn't seem to be it. Once of the documents in question is an Excel file, which would not use the .doc template. Also, in the Document Template dialog, it doesn't give me a url to the SharePoint template file if I create a new Word document based on it. It just says the template is "Normal." I also tried disabling the template at the document library level and it doesn't change the password situation.

Answer 3

When opening an Office document in IE, an ActiveX component is used to call the client application, and prompt it to open the document. In other browsers, the download is a standard hyperlink, handled by the browser.

Does this happen in search results and in standard linked columns in document libraries as well?

Answer 4

Using a tool like Fiddler (as referenced/suggested in your first link reference, see http://www.fiddlertool.com/fiddler/ for more info) is the only efficient way of determining the root cause of this type of issue I'm aware of. Whatever is causing this will be happening over HTTP. A debugging proxy like Fiddler will show you exactly which URL/resource is causing the request for authentication.

On a related note, are you running a recent build of the platform? It might be wise to check to make sure this issue hasn't already been addressed by MS e.g. in a hotfix. The best list of updates I'm aware of is here: http://www.harbar.net/articles/postsp1.aspx

Answer 5

Unfortuantly the only work around I've found breaks some functionality for logged in users (can't upload multiple files, connect to outlook ect..)

If that is acceptable, or you want to try it and see:

1. In central admin > application management > application security > authentication providers select your web app and select your provider (likely "default").

2. Select No for client integration and save the settings.

3. Open your web config, find the line <add verb="OPTIONS,PROPFIND,PUT,LOCK,UNLOCK..... and remove the verb OPTIONS.

You should no longer be asked in ie for credentials. To reverse this simply undo both changes.

Answer 6

Did anyone find a solution to this problem. We are having the exact same problem with a very resent intall which in completly upto date with updates.

Answer 7

If you can click cancel and it comes up the problem is... AuthForwardServerList

http://support.microsoft.com/kb/943280

Office doesn't know the site is trusted/local so it doesn't fwd your credentials and prompts you with an opportunity to provide them. It's a feature....

If you list your site in the proper registry key it will forward your credentials which are not needed but you won't get prompted.

Answer 8

Check this : Remove Login box when anonymous users download office document from SharePoint Site

http://www.theblackknightsings.com/RemoveLoginBoxWhenAnonymousUsersDownloadOfficeDocumentFromSharePointSite.aspx

When developing Extranet/Internet site in SharePoint you often want to allow anonymous access and this works fairly well. But there is one are where the out of the box experience fails regarding anonymous access and that is when you allow the users to download Microsoft Office documents. In that case IE/Office pops up a couple of Login dialogs, if the user cancels out of these the document opens as expected, but you really don't want the user to have to cancel a couple of dialogs to open your documents

The problem is that office tries to be intelligent and issues a Microsoft Office Protocol Discovery request to see how much the user is allowed to do, but SharePoint responds with access denied until the users logs in.

The solution I've found is to implement a HttpModule which rejects the Microsoft Office Protocol Discovery request if the user isn't logged in and this gets rid of the Login boxes

Answer 9

If Sharepoint Shared Workspace is enabled in MS Word this may prompt users with a Windows login if users do not have permissions to access or create a Shared Workspace. Do the followoing to turn this off:

1. Open MS Word
2. Go to Tools/Options
3. Click General Tab
4. Click Service Options
5. Click Shared Workspace
6. Uncheck box that says “The document is part of a Workspace or SharePoint Site.”
7. Click OK
8. Click OK
9. Try to hit a MS Word document from the SharePoint site.

If this resolves issue repeat steps with every MS Office program to eliminate the prompt. (Excel, PowerPoint, Visio, ect)

http://office.microsoft.com/en-us/word/HP010414641033.aspx

Answer 10

I'm guessing that you use Windows Vista. We had this problem on Vista but not on XP.

---

From Microsoft: In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site: http://sharepoint/davshare

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

---

This is a known issue that has not quite been completely fixed yet. There is a MSDN blog about it here: http://blogs.msdn.com/sharepoint/archive/2007/10/19/known-issue-office-2007-on-windows-vista-prompts-for-user-credentials-when-opening-documents-in-a-sharepoint-2007-site.aspx

There is an interesting workaround posted here: http://grounding.co.za/blogs/neil/archive/2008/11/10/workaround-sharepoint-keeps-prompting-for-login-when-creating-office-2007-documents-on-vista.aspx

Ultimately there is a patch that has been included with Vista SP1 but it also requires a registry edit. We just recently got this to work using the following steps on a Windows Vista SP2 client:

Open regedit. Navigate to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters

Create a new Multi-String value called AuthForwardServerList and give it a value of (for example): https://.Contoso.com
http://.dns.live.com
*.microsoft.com
https://172.169.4.6

Then restart the WebClient service.

Answer 11

If you have a url rewriting module or urlscan, configure the software to send http 403 to http OPTIONS requests.

Answer 12

We are also experiencing this with IE 8, Windows 7 and SharePoint 2007 libraries. Every time any MS Office 2007 documents are opened through IE 8 browser (anonymously) from SharePoint 2007 libraries it prompts for login credentials. Even though users cancels the prompt out document still opens in the Office application. This is not a problem with any other browser (Firefox/ Chrome).

Any fix for this available yet?

Thank you for any help,

Daisy

Answer 13

No one solves this problem.

Answer 14

We were able to get this working by changing IE settings.

We have the site URL in Trusted Sites. Under Custom Settings set User Authentication to: Automatic logon with current user name and password

Answer 15

I leave my own solution to this:

http://www.uv.mx/personal/gvera/2010/09/28/sharepoint-login-prompt-when-accessing-files-in-a-document-library/

Hope it helps.