How to stop webdav from prompting for credentials when accessing a public internet based webdav site
Hi,
My company uses a third party webdav file storage solution hosted on the public internet. We have the webdav site connected via LDAP to Active Directory for authentication. Whenever a windows 7 or Vista machine attempts to open a MS Office document stored in the webdav cloud, the user is prompted for credentials. This only happens when opening MS office documents (all others open without a credentials prompt). If they click "ok" using the pre-populated credentials dialog box, or just click cancel, the document opens with no problem which leads me to believe the credentials are not relevant anyway. Regardless of if the "remember my credentials" checkbox is ticked or not, it prompts every time.
This works flawlessly on Macs - the user does an initial authentication, and they are never prompted for a password again regardless of the type of document they try to open.
The caveat... We have one single Vista machine that seems to work with no authentication, but they are all imaged exactly the same, so I'm trying to figure out why the one machine is working and not the others.
Things we have tried already:
- Applied just about every Microsoft patch/hotfix available that relates to webdav/web folders
- Tried adding a registry entry for auto-passing credentials to external websites found in KB943280
- Tried adding the website to the "trusted" sites list for both intranet and internet
- Tried a fake proxy server, excluding everything, which tells the system to pass credentials to any website (not fond of this one for security reasons)
- Stopping/disabling the webclient service (resulted in even more problems)
- Banging head off the wall....
All of these methods were found scouring the net, none of which helped us...
The bottom line is, if the user clicks ok or cancel, they can do what they need to do, but it is an annoyance for our helpdesk that has made an otherwise rock solid remote access tool, a nightmare to support.
I suspect it has something to do with the fact that the office products are treating the webdav connection as if it were a Sharepoint site, and the prompt for credentials is due to the 'authoring' function.
From all the hits on google for similar topics, it is evident that this issue has plagued many folks, and after many years, there is still not a good solution. I'm offering a substantial points reward to anyone that can tell me 1. why this is happening, and 2. how to fix it. There HAS to be a solution.
Thanks
My company uses a third party webdav file storage solution hosted on the public internet. We have the webdav site connected via LDAP to Active Directory for authentication. Whenever a windows 7 or Vista machine attempts to open a MS Office document stored in the webdav cloud, the user is prompted for credentials. This only happens when opening MS office documents (all others open without a credentials prompt). If they click "ok" using the pre-populated credentials dialog box, or just click cancel, the document opens with no problem which leads me to believe the credentials are not relevant anyway. Regardless of if the "remember my credentials" checkbox is ticked or not, it prompts every time.
This works flawlessly on Macs - the user does an initial authentication, and they are never prompted for a password again regardless of the type of document they try to open.
The caveat... We have one single Vista machine that seems to work with no authentication, but they are all imaged exactly the same, so I'm trying to figure out why the one machine is working and not the others.
Things we have tried already:
- Applied just about every Microsoft patch/hotfix available that relates to webdav/web folders
- Tried adding a registry entry for auto-passing credentials to external websites found in KB943280
- Tried adding the website to the "trusted" sites list for both intranet and internet
- Tried a fake proxy server, excluding everything, which tells the system to pass credentials to any website (not fond of this one for security reasons)
- Stopping/disabling the webclient service (resulted in even more problems)
- Banging head off the wall....
All of these methods were found scouring the net, none of which helped us...
The bottom line is, if the user clicks ok or cancel, they can do what they need to do, but it is an annoyance for our helpdesk that has made an otherwise rock solid remote access tool, a nightmare to support.
I suspect it has something to do with the fact that the office products are treating the webdav connection as if it were a Sharepoint site, and the prompt for credentials is due to the 'authoring' function.
From all the hits on google for similar topics, it is evident that this issue has plagued many folks, and after many years, there is still not a good solution. I'm offering a substantial points reward to anyone that can tell me 1. why this is happening, and 2. how to fix it. There HAS to be a solution.
Thanks
ASKER
Hi Louis,
Appreciate the ideas, but I have already tried both of those articles with no luck. I don't really classify this as a licensing or terminal server issue either. I'm not launching the office product from a remote desktop session, I'm simply using a web enabled share to hold documents.
I'm trying to compare the working vista system with all the others to find out what is different, which may give a clue.
Thanks!
Appreciate the ideas, but I have already tried both of those articles with no luck. I don't really classify this as a licensing or terminal server issue either. I'm not launching the office product from a remote desktop session, I'm simply using a web enabled share to hold documents.
I'm trying to compare the working vista system with all the others to find out what is different, which may give a clue.
Thanks!
I don't consider this a licensing breach by any means.....
In the Options>Security>Trusted site>Custom , whats the bottom option (Authentication ) set to?
Secondly, (stupid question), but is the dialog box for the site actually listed on the Credentials box? Just curious to see if maybe something stored locally might be passing through first (locally stored credentials get passed first)....
start, and type Credential Manager, and look for this resource listed....
In the Options>Security>Trusted site>Custom , whats the bottom option (Authentication ) set to?
Secondly, (stupid question), but is the dialog box for the site actually listed on the Credentials box? Just curious to see if maybe something stored locally might be passing through first (locally stored credentials get passed first)....
start, and type Credential Manager, and look for this resource listed....
ASKER
Auth is set to auto, and yes the credentials are listed in the Credential Manager. It auto-populates the authentication box with the credentials, but doesnt submit them.
But are they correct? Im curious to see if clearing the credentials will work?
Sorry, been a while since I have used webdav....
Sorry, been a while since I have used webdav....
ASKER
Yes, I even deleted them from the cache and manually added the correct ones in a new credential file just to make sure, although it doesn't seem to matter - if you click cancel and don't authenticate it seems to log you in anyway.
I'm starting to see why this technology (which is a really nice concept) has not caught on. Microsoft has been "fixing" the issues with web folders since the XP days...
This one's really a brain burner...
I'm starting to see why this technology (which is a really nice concept) has not caught on. Microsoft has been "fixing" the issues with web folders since the XP days...
This one's really a brain burner...
Yup...
Does it still try and prompt for authentication if there are NO credentials?
There is a single authentication to get to the site, right, and supposed to not be any AFTER that, for the docs.....
Does it still try and prompt for authentication if there are NO credentials?
There is a single authentication to get to the site, right, and supposed to not be any AFTER that, for the docs.....
ASKER
Correct - you initially authenticate to the share itself, then you can browse the folder structure, create/delete/rename folders within the folder structure with no prompt. As soon as you try to open something the credentials box pops up.
The killer is - I have one machine out of 200+ that is NOT doing this and working properly (doesn't prompt after initial login). Can't figure out whats different about that one.
The killer is - I have one machine out of 200+ that is NOT doing this and working properly (doesn't prompt after initial login). Can't figure out whats different about that one.
All users on this box? Maybe a shot profile?
I guess you checked this already - Are your Vista Systems on SP3?
In Vista there was a WebDav credential issue that was fixed in KB 945145 (included in SP1):
On a Windows Vista-based computer, you may be prompted for your passport credentials every time that you try to access
documents on a WebDAV site from a new workspace
http://support.microsoft.com/default.aspx?scid=kb;EN-US;945145
and another one in: http://support.microsoft.com/default.aspx?scid=kb;EN-US;981879 (included in SP3)
In Vista there was a WebDav credential issue that was fixed in KB 945145 (included in SP1):
On a Windows Vista-based computer, you may be prompted for your passport credentials every time that you try to access
documents on a WebDAV site from a new workspace
http://support.microsoft.com/default.aspx?scid=kb;EN-US;945145
and another one in: http://support.microsoft.com/default.aspx?scid=kb;EN-US;981879 (included in SP3)
ASKER
We have machines with various SP levels from none to the latest. SP doesn't seem to make a diff for the repeating credentials prompt. I will say that SP1 MUST be installed or the authentication does not work at all...
I'm running a system comparison tool to see if anything sticks out between the working one and the broken ones. I'm starting to wonder if this is a network problem where the server or firewall is not maintaing the cookie session when it hands off to the document. But that doesn't explain why one of the machines is working, and ALL of my macs...
I've got a case open with Microsoft now - we'll see what $300 gets me :-)
Thanks for your post...
I'm running a system comparison tool to see if anything sticks out between the working one and the broken ones. I'm starting to wonder if this is a network problem where the server or firewall is not maintaing the cookie session when it hands off to the document. But that doesn't explain why one of the machines is working, and ALL of my macs...
I've got a case open with Microsoft now - we'll see what $300 gets me :-)
Thanks for your post...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
No resolution - this behavior is by design according to Microsoft.
My experience is that as long as the application, in my case Excel, remains open I can open subsequent Excel files with no need to authenticate again. If I close Excel, I have to re-authenticate. SO, my work around is to keep the app open and close only the data files when finished.
You would think there could be a Windows setting for trusted sites that would put a stop this behavior.
You would think there could be a Windows setting for trusted sites that would put a stop this behavior.
I can tell you that every once in a while you run into a Microsoft boundry that is only explainable by the lack of something happeneing. This issue very closely boarders the Licsensing agreement boundaries for Windows and Office. In other words, Serving a Page (office/ aka Word) with a web page is a Terminal Server boundary. Look up the definition of Terminal Server and thats what you are very close to trying to accomplish. That said, the flip side is you are just trying to present a Read only Web page.(ok maybe write too). The issue is you are most likely using the MS webdav to open the file. There is a Reg Edit that may be helpful. See Below:
http://forums.iis.net/t/1147129.aspx
Also, I would be curious if you stepped out of the box and tried another way of opening the file. (see below). If this Mozilla plug in works. I would say that proves the MS Webdav is an IIS process Issue.
http://www.shokurov.com/?p=56
Try this REFEDIT out and let me know if you get any success with this reg edit or the plugin:
According to http://support.microsoft.com/?id=943280 The intranet site should be added to
HKEY_LOCAL_MACHINE\SYSTEM\
If neither work, Start looking at the EULA, YOu most likely, are trying to create a Terminal Server for
MS DOCS. I hope that is not your end result.
L