KB943280 - Group policy solution

  • Question

  • Maybe this is not the right place, because I think this is a common WebDAV problem.

    Really common scenario: Server 2008 R2, 25x Win7 clients, SharePoint 2010, domain environment.

    My question is: is the only possibility to solve the problem described in KB943280 in a domain environment with 25 client machines really to execute a registry edit on each client machine?

    Is there no written administrative template for it?

    Rgds,

    Lotar

    Wednesday, November 10, 2010 9:14 AM

Answers

  • Hi Lotar,

    I liked the screenshots; I can’t read them, but they are understandable... OK, I see the issue. The problem I had is that we already have a GPO pushing the registry entry out, and I will explain how... But in the meantime I owe you a coffee.... Good work.

    The issue: You are prompted to enter your credentials when you access an FQDN site from a computer that is running Windows Vista or Windows 7 and has no proxy configured, when you attempt to use Explorer View.

    The issue occurs when:

    • On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.

    • You use Web Distributed Authoring and Versioning (WebDAV) to access a fully qualified domain name (FQDN) site.

    To resolve the issue for a single user:

    1. Click Start, type regedit in the Start Search box, and then press ENTER.

    2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters

    3. On the Edit menu, point to New, and then click Multi-String Value.

    4. Type AuthForwardServerList, and then press ENTER.

    5. On the Edit menu, click Modify.

    6. In the Value data box, type the URL of the server that hosts the Web share, and then click OK.

    However, in larger organizations it would be difficult to visit every desk and create the AuthForwardServerList parameter. Instead you have two choices: 1) export the AuthForwardServerList multi-string value with the FQDNs added and add the resulting .reg file to your login scripts, or 2) create a GPO to push the changes down to the desktops. Option 2 is a more elegant solution and can be more easily maintained.

    To enable all users within an organization to open document libraries in Explorer without being prompted to authenticate:

    1. Start on the machine where you have added the AuthForwardServerList multi-string value to the registry.

    2. Open GPO Manager > right-click on the Domain, Site, or OU and choose Create GPO in this Domain, or if you have an IE GPO then edit the existing GPO.

    3. Go to Computer Configuration > Preferences > Windows Settings > right-click on Registry.

    4. Choose New > Registry Wizard > Local Computer, Next > use the tree view to expand down to where the AuthForwardServerList multi-string value was added, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters.

    5. Enter a check in the box next to the entries you made earlier, click Finish, and close GPO Manager.

    6. All that’s left is to link it to the domain, site or OU and QA.

    7. The GPO is completed (http://bit.ly/d4ji0L) and you can view the value data for the websites you were mentioning earlier…

    8. Using the Wizard to create the GPO…… http://bit.ly/bE8V62

    -Ivan


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    • Marked as answer by Lotar Spatay Monday, November 15, 2010 11:18 AM
    Monday, November 15, 2010 9:18 AM
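A scripted form of the single-machine steps in the answer above, usable as a computer startup script or to verify what the GPO preference pushed. This is an added example, not Ivan's code: the key path and value name are the ones from the post, the hostnames are constructed placeholders.

```powershell
# Added example: creates or merges the AuthForwardServerList multi-string value
# from KB943280 on the local machine, then restarts the Web Client service.
# Run elevated (it writes to HKLM). The hostnames below are constructed placeholders.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters'
$ValueName = 'AuthForwardServerList'

# Constructed sample: FQDN-named SharePoint sites the Web Client service should
# forward the user's credentials to. Keep this list to servers you control,
# because every entry receives the logged-on user's credentials automatically.
$Desired = @(
    'http://sharepoint.skcont.local',
    'https://sharepoint.skcont.local'
)

# Merge with any entries already present so a previous deployment is not dropped.
$Existing = @()
$Current  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($Current) { $Existing = @($Current.$ValueName) }
$Merged = @($Existing + $Desired | Sort-Object -Unique)

# "Multi-String Value" in regedit is REG_MULTI_SZ, i.e. -PropertyType MultiString.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
    -Value $Merged -Force | Out-Null

# The service reads the list when it starts, so restart it for the change to apply.
Restart-Service -Name WebClient -Force

# Verify: show the list the service will now forward credentials to.
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```

Deployed as a computer startup script this is the scripted equivalent of option 1 above; the read-back at the end is also a quick check that the GPO preference item from option 2 landed on a client.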

All replies

  • Hi Lotar,

    You can use IEM to create a GPO where the URLs of the FQDNs will be added to the Local Intranet Zone. To test if this resolves your issue, add all of the FQDNs of the URLs that you are being asked to authenticate to into your Local Intranet Zone in IE. Then QA by going to the site in IE; you shouldn't be asked to authenticate. Then map a drive: net use x: Http://myUrl.My.com...

    -Ivan


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    • Proposed as answer by Florin Duca Wednesday, November 10, 2010 10:05 AM
    • Unproposed as answer by Lotar Spatay Sunday, November 14, 2010 5:44 AM
    Wednesday, November 10, 2010 9:44 AM
  • Dear Ivan!

    A second after reading your answer I knew that this would not solve the problem, but even so I've tried it. Creating a GPO using IEM results in users not being prompted for authentication when they open the SharePoint site with the FQDN in IE.

    But as described in KB943280, I have a problem with opening libraries in Explorer view and opening files in applications (e.g. an Excel file in Excel, not in Office Web Apps) from an FQDN-named SharePoint site (e.g. http://sharepoint.skcont.local).

    This is done using the Web Client Service to access the WebDAV resource, which uses WinHTTP, which sends credentials only to local intranet sites and doesn't check the zone settings of IE; it decides just upon whether the site address contains periods or not.

    Let me cite from the mentioned KB:

    "In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.

    If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

    Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:

    http://sharepoint/davshare

    If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass."

    (Please don't answer me to use a proxy, I don't want to.)

    The functional solution is to add a multi-string value to the registry of all domain member computers (in our case 27):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\AuthForwardServerList
    which forces the system to forward authentication to the listed FQDN addresses.

    BUT THIS SOLUTION IS "VERY FEW MUSIC FOR TOO MUCH MONEY" I THINK!!!!!!!!

    The intelligent solution must be DEPLOYMENT OF AuthForwardServerList via an Administrative template in GPO!!!!!!!

    Therefore once again:

    My question is: is the only possibility to solve the problem described in KB943280 in a domain environment with 25 client machines really to execute a registry edit on each client machine?

    Is there no written administrative template for it?

    Rgds,

    Lotar

    Sunday, November 14, 2010 6:22 AM
  • Hi Lotar,

    That's why you use IEM to add the FQDN to the Local Intranet Zone.. The following you cite in your last post and I quote: "If no proxy is configured, WinHTTP sends credentials only to local intranet sites. Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:"

    This is completely true... However, you can add FQDNs to the Local Intranet Zone; now you have bypassed the default behaviour and you have solved the issue.. It's pretty simple and you should give it a try: open IE8 and go to the FQDN of the site and log in, then click on Tools > Internet Options > Security > Local Intranet Zone > Sites > Advanced > Add > Close > OK > OK...

    To test, close all of your IE sessions and go to the FQDN; you will not be prompted to log in, and as long as you have Automatically Detect Settings checked for the proxy, WebDAV will work.. This works all day long, just as you said it would, as long as the FQDN is in the Local Intranet Zone...

    Just test it, kinda like the Nike commercial: Just do it... Hey, if it doesn't work for ya we can do a live meeting and I will walk you through it and I will buy you a coffee..

    -Ivan


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Sunday, November 14, 2010 7:34 AM
  • Hi Ivan!

    Coffee will be paid by me, because you helped a lot to improve my skills in GPO configuration.

    Thanks a lot!

    When will you be in Bratislava, Prague or Budapest to drink that coffee together? :)

    Rgds,

    Lotti

     

    P.S.: By the way, just for information: "Automatically detect settings" in LAN settings abnormally slows down WebDAV. After unchecking this setting WebDAV is really quick.

    Monday, November 15, 2010 11:22 AM
  • Hi Lotar,

    It was my pleasure and I enjoy helping anyone willing to learn. I will either be in the EU sometime late spring or early fall. Hopefully I'll miss most of the crowds in the fall.. I have not been to Budapest; the closest I think is Prague or Milan, and I would love to check out the people.... As far as the coffee, we can work it out, but it is I who have to thank you for pointing out the fallacy of my conclusion.... Please stay in touch; you can find me on Twitter, Facebook or my blog, and I would very much enjoy listening to any additional issues you find and would enjoy connecting next year... Also, I live in Southern California; if you're ever around I can show you the city..

    I completely agree with not using Auto detect; have I mentioned using it recently? I must be losing it. I either copied/pasted from old client docs prior to November of 2008... or it's time to take a few days off and get over the jet lag.

    Cheers,

    -Ivan


    Ivan Sanders My LinkedIn Profile, My Blog, @iasanders.
    Tuesday, November 16, 2010 8:20 AM
  • OK, so what if you DON'T have the AuthForwardServerList registry entry on all 2000 of your computers? This still doesn't solve the problem... or am I missing something?
    Friday, October 28, 2011 4:47 PM
  • Hello Ivan,

    Thanks for the post. We attached an SSL certificate to our SharePoint site and quickly fixed the issue of users being prompted when opening a document library in a Windows Explorer view.

    Concerning adding the FQDNs with a GPO, I remember attempting this in the past with SharePoint 2007. I also remember that the GPO ended up overwriting every URL the user had previously entered in the Local Intranet Zone and locking it down so they couldn't add or edit.

    Does using an IEM (which stands for ____________________) to create the GPO simply add my entries to the end user's Internet Exploder profile, leave existing URLs intact and allow the end user to add, modify and delete?

    Thanks for the article,

    -Dave


    Dave Schafer

    Wednesday, July 18, 2018 7:33 PM