Sharepoint 2010, Constant prompt for credentials to edit office documents in a fqdn setup

  • Question

  • Is there a solution to resolve the constant prompts for user IDs and passwords when a person tries to open/launch/edit Office documents from SharePoint 2010?

    My setup: SharePoint FQDN in the domain sp.domainname.local. The SharePoint server is a member of this internal domain. In DNS I have a local zone of sp.domainname.com with a CNAME that points to the internal SharePoint server. There is no issue with users accessing the server both internally and externally. The issue arises when Office documents are launched from SP2010.

    In central admin I have configured the alternate access mappings to be http://sp

    I have also tried putting the fqdn dns name of the sharepoint server in IE8 trusted zone but
    no luck, I still get credential prompts.

    I think the issue might be that Office does not see that the files are coming from the fqdn of sp.domainname.com so hence the prompts.

    Trying to fix this as right now it's a total pita. I found some previous posts on this issue with SP2007 but found nothing that really addresses this in SP2010.

    Thanks Paul

    Sunday, June 27, 2010 9:03 PM

Answers

  • Just to follow up.

    I have resolved this issue. The fix was

    1 Add the FQDN Site to the IE8 Trusted Zone:
    2 Edit the Trusted Site Custom level and change as in item 3 below.
    3 Check Automatic Logon With Current Name and Password under the user auth section.

    I do not get prompts for credentials when opening office documents anymore.

    Life is good :)

    Thanks Paul

    • Marked as answer by Lily Wu Tuesday, June 29, 2010 4:31 AM
    Monday, June 28, 2010 5:45 PM

All replies

  • Monday, June 28, 2010 1:59 AM
  • Yes, I tried that, did an IIS reset, and the issue with credential prompts for MS documents
    continues.

    The problem is isolated to MS documents; it's a non-issue with PDFs etc.

    Thanks Paul

    Monday, June 28, 2010 5:59 AM
  • Hello

    Just try to enable "Use Client Integration Features"  on the web application in question.

    Please navigate to Central Admin site, select the web application, and then click on User Permissions. Make sure the Use Client Integration Features is enabled.

    Eugene

    Eugene Vasile
    • Proposed as answer by scogordo Friday, March 2, 2012 8:56 PM
    Monday, June 28, 2010 6:00 PM
  • I doubt this is the problem - all permissions/features are enabled by default.

    Bryce
    Wednesday, September 22, 2010 2:32 PM
  • Hi!

     

    I have the same problem, but do not understand point 2 of your solution

    "2 Edit the Trusted Site Custom level and change as in item 3 below."

    Can you describe that step a little further, please?

    Thanks a lot!! :)

     

    Friday, September 24, 2010 10:27 AM
  • This works great for opening and editing word documents.

    However, I still get a prompt when creating a new document from sharepoint when logging onto the fqdn using Windows 7, ie8, and Word 2010. The prompt does not occur on Windows XP, IE7, and Word 2007.

    Any Ideas?

    Friday, October 22, 2010 1:59 PM
  • There is no problem when accessing through other browsers (Firefox). Only IE has some issues.
    Saturday, October 30, 2010 9:47 AM
  • Hi,

    This has fixed it for me on Terminal Server 2008 R2, but it might work on other OS, too. It works even without setting "Automatic Logon With Current Name and Password" and it also eliminated the prompt when opening a new document.

    By the way, for Server 2008 R2, I did not need the hotfix referenced in the second article. It's a machine-wide setting, so it works for all users:

    Source: 

    http://support.microsoft.com/kb/2019105/en-us and http://support.microsoft.com/kb/943280/en-us:

    1. Click Start, type regedit in the Start Search box, and then press ENTER.
    2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
    3. On the Edit menu, point to New, and then click Multi-String Value.
    4. Type AuthForwardServerList, and then press ENTER.
    5. On the Edit menu, click Modify.
    6. In the Value data box, type the URL of the server that hosts the Web share, and then click OK.

      Note You can also type a list of URLs in the Value data box. For more information, see the "Sample URL list" section in this article.
    7. Exit Registry Editor.

    After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

    Note You have to restart the WebClient service after you modify the registry.

    Sample URL list

    The following is a sample URL list:

    https://*.Contoso.com
    http://*.dns.live.com
    *.microsoft.com
    https://172.169.4.6
    

    This URL list enables the WebClient service to send credentials through the following channels.

    Note After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers, even if these servers are on the Internet.

    • Any encrypted channel to a child domain of a domain whose name is Contoso.com.
    • Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
    • Any channel to a server whose name ends with ".microsoft.com."
    • Any encrypted channel to a host whose IP address is 172.169.4.6.

    Things to avoid in the URL list

    • Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.
      http://*.dns.live.*
    • Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
      • http://*Contoso.com

        In this example, the service also sends user credentials to http://<extra_characters>Contoso.com
      • http://Contoso*.com

        In this example, the service also sends user credentials to http://Contoso<extra_characters>.com
    • In the URL list, do not type the UNC name of a host. For example, do not use the following:
      *.contoso.com@SSL
    • In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
      • http://*.dns.live.com/DavShare
      • http://*dns.live.com:80
    • Do not use IPv6 in the URL list.

    Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

    • Proposed as answer by dbiz Friday, January 7, 2011 9:18 PM
    Friday, November 5, 2010 10:12 AM
  • This worked for us. It eliminated authentication pops for saving from word to SharePoint and for network locations. Thanks. I'll add for people who are interested you can deploy this via group policy from PowerShell.

    Import-Module GroupPolicy -Verbose

    # Write the URL list from names.txt into the named GPO as a multi-string registry value
    Set-GPRegistryValue -Name "Group Policy Name" -Key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters" -ValueName "AuthForwardServerList" -Value (Get-Content "C:\names.txt") -Type MultiString

    Where names.txt contains the URL list.

    • Proposed as answer by RyanMcAlister Wednesday, April 20, 2011 8:03 PM
    • Unproposed as answer by RyanMcAlister Wednesday, April 20, 2011 8:03 PM
    Friday, January 7, 2011 11:17 PM
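
A pre-deployment check for the URL list, as an added example that is not part of the original posts or the KB article: it applies the "Things to avoid" rules quoted above to each AuthForwardServerList entry before the list is pushed machine-wide. `Test-AuthForwardEntry` is a hypothetical helper name; the entries it runs on are the KB examples from this page.

```powershell
# Added example: lint AuthForwardServerList entries against the KB rules quoted above.
# Test-AuthForwardEntry is a hypothetical helper name, not part of any Microsoft module.
function Test-AuthForwardEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    $problems = @()
    $rest = $Entry.Trim()
    $scheme = ''
    # Split off an optional scheme; the KB samples use http://, https:// or none.
    if ($rest -match '^([A-Za-z][A-Za-z0-9+.-]*)://(.*)$') {
        $scheme = $Matches[1].ToLower()
        $rest = $Matches[2]
    }
    if ($scheme -and (('http', 'https') -notcontains $scheme)) { $problems += "unexpected scheme '$scheme'" }
    if ($rest -match '@') { $problems += 'UNC-style host name (such as @SSL)' }
    if ($rest -match '/') { $problems += 'share name or path included' }
    if ($rest -match '[\[\]]' -or ($rest -split ':').Count -gt 2) { $problems += 'IPv6 address' }
    elseif ($rest -match ':\d+$') { $problems += 'port number included' }

    # The only wildcard form in the KB sample list is one leading "*." label.
    $name = $rest -replace '^\*\.', ''
    if ($name.EndsWith('*')) { $problems += 'asterisk at the end' }
    elseif ($name.Contains('*')) { $problems += 'asterisk joined to a string' }

    # EncryptedOnly: per the KB, only https:// entries limit forwarding to an encrypted channel.
    New-Object PSObject -Property @{
        Entry         = $Entry
        Ok            = ($problems.Count -eq 0)
        EncryptedOnly = ($scheme -eq 'https')
        Problems      = ($problems -join '; ')
    } | Select-Object Entry, Ok, EncryptedOnly, Problems
}

# Entries taken from the KB text on this page: the sample list, then the "avoid" examples.
$entries = @(
    'https://*.Contoso.com', 'http://*.dns.live.com', '*.microsoft.com', 'https://172.169.4.6',
    'http://*.dns.live.*', 'http://*Contoso.com', 'http://Contoso*.com',
    '*.contoso.com@SSL', 'http://*.dns.live.com/DavShare', 'http://*dns.live.com:80'
)
$entries | ForEach-Object { Test-AuthForwardEntry -Entry $_ } | Format-Table -AutoSize -Wrap
```

To check a real list, pipe the non-blank lines of names.txt through `Test-AuthForwardEntry` and deploy only when every row has Ok set to True.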
  • If you are using a proxy server in IE you have to add the FQDN of your SharePoint server to the exception list in IE.

    All of this applies to IE 8 and 9 when using a proxy server, on Win 7 and XP.

    I did not need to set the "Automatic Logon With Current Name and Password" in the Custom Level and I did not need to add the registry hack stated above. 

     

    The following steps totally resolved the issue of Word, Excel, Etc. prompting for a username and password when using the New Document option from a Document Library in SharePoint 2010 and also resolved the problem of SharePoint 2010 prompting for a username and password when accessing the SharePoint server:

    1. Add the FQDN to the Local Intranet Sites Websites: section: example=sharepointserver.domain.com

       -IE: Tools > Internet Options > Security Tab > Local intranet > Sites button > Advanced button > add the FQDN to the Websites:  section

    2. Add the FQDN to the Proxy Exception list in IE.

     - IE: Tools > Internet Options > Connections Tab > LAN Settings Button > Proxy Server Section, Advanced Button > add the FQDN into the Do not use proxy server for addresses beginning with:  section: example=sharepointserver.domain.com

    The two steps above can also be done via a group policy and work just as well.

     

     


    Wednesday, April 20, 2011 8:23 PM
  • hi,

    Nope, did not solve my issue.

    Still getting credentials screen in read only, edit or check out mode.

    any suggestions?


    Friday, February 24, 2012 2:37 AM
  • This didn't solve it for me either. Any other things to try?
    Thursday, June 7, 2012 8:50 PM
  • Just to follow up.

    I have resolved this issue. The fix was

    1 Add the FQDN Site to the IE8 Trusted Zone:
    2 Edit the Trusted Site Custom level and change as in item 3 below.
    3 Check Automatic Logon With Current Name and Password under the user auth section.

    I do not get prompts for credentials when opening office documents anymore.

    Life is good :)

    Thanks Paul

    This did not work for us. Sorry.
    Friday, August 31, 2012 11:15 PM
  • We have the same problem. Reading this KB http://support.microsoft.com/kb/943280/en-us and it said:

    "If Basic authentication or Digest authentication is implemented in the network, hotfix 943280 cannot change this behavior. This behavior is by design in Basic authentication mode and in Digest authentication mode.

    IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios."

    Is there a solution for Internet scenarios? Users are accessing the SharePoint site from the Internet and they always get a credential prompt, only when trying to open an Office document.

    Thank you

     
    Tuesday, October 23, 2012 6:31 PM