locked
MOSS 2007 behind FBA keeps prompting for credentials when opening MS documents RRS feed

  • Question

  • Hi all,

    We recently, with Microsoft's help, put our SharePoint farm behind TMG with FBA enabled, as an added layer of security for our internet-available sites.  The web applications themselves are running Kerberos.

    It's working fine and well, all but for one thing and I'm not sure if it's fixable.  So I thought I'd ask the experts.  Every time we go to open a Microsoft document (Word, Excel), it keeps prompting for credentials.  It does through XP and Windows 7, with any of the following browsers; IE7, IE8, or IE9.  It does not do this in Firefox, but it opens it in read-only so it's not editable.  Clicking cancel does not bring up the document in this instance.  It happens with both Office 2007 and 2010.

    Our environment is:
    MOSS 2007 SP2 on server 2K3 Enterprise R2
    SQL 2005 SP3
    TMG 2010 on server 2K8 R2

    What I've tried already:
    - Added the site to the local intranet zone
    - Enabled Automatic logon with current username and password (everything goes via our AD)
    - Followed this article: http://support.microsoft.com/kb/943280/en-us

    Not quite sure what else to try.  Maybe it's just something we have to deal with.

    Thanks!
    Veronica

    • Edited by Veronica Harris Wednesday, April 27, 2011 2:56 PM link messed up
    Wednesday, April 27, 2011 2:55 PM

All replies

  • Hi Veronica,

     

    As I understand, you deployed SharePoint farm behind Forefront Threat Management Gateway (TMG) with Form based authentication. Besides that, you enabled Kerberos authentication on the web application. Every time you go to open a Microsoft document (Word, Excel), it keeps prompting for credentials.

     

    Forefront TMG can pass user credentials directly to a Web published server only when these credentials are received using Basic authentication or HTTP forms-based authentication. In particular, credentials supplied in a Secure Sockets Layer (SSL) certificate cannot be passed to a published server. So please check if you enable SSL, if so, please disable it, then check the effect.

     

    Forefront TMG provides support for Kerberos constrained delegation (often abbreviated as KCD) to enable published Web servers to authenticate users by Kerberos after Forefront TMG verifies their identity by using a non-Kerberos authentication method. When used in this way, Kerberos constrained delegation eliminates the need for requiring users to provide credentials twice.

     

    For more information about configuring Kerberos constrained delegation, where first hop is form-based (or any other authentication) and subsequent are Kerberos, check the following articles:

     

    http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx

     

    http://technet.microsoft.com/en-us/library/cc995228.aspx

     

    Thanks,

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Regards, Rock Wang Microsoft Online Community Support
    Friday, April 29, 2011 1:42 AM
  • Thank you Rock,

    I will read the articles and let you know if any of them work.

    Yes, we do have SSL on all of the sites and no, we will not be disabling the SSL to check.

    Thanks again!
    Veronica

    Monday, May 2, 2011 1:09 PM
  • Hi Veronica,

     

    How is everything going? If you need any help, feel free to reply to the forum.

     

    Thanks,

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, May 4, 2011 6:12 AM
  • Rock, I am slowly finding time to go through the articles.  I will also have to have our network admins look at them to see if they are willing to make any changes/

    Sadomovalex, thanks for the link.  I will check it out as well.

    Wednesday, May 4, 2011 7:21 PM
  • Hi Veronica,

     

    Did you have any questions? If anything is unclear, feel free to let me know.

     

    Thanks,

    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

     

     


    Regards, Rock Wang Microsoft Online Community Support
    Wednesday, May 25, 2011 2:54 AM
  • Hi

    we have similar Problem.

    sharepoint 2007

    Office 2007

    Windows 7 64bit / 32bit

    IE 9

    Evrytime we open a Office Document it prompting for credentials. We can click on cancel, it work, if we save it prompting for credentials again if we click on cancel it save the file. If we type in our credentials first it ask not again. If we say save credentials it doesnt save it.

    on a xp maschieusing ie 8 we have not problem.

    proxy on / off make no difference.

    We tried alot we found in the net.

    Additional hint, out portal has a external Domain name. https://portal.domainname.com

    thx for help.



     

    Tuesday, June 7, 2011 8:14 AM