Known issue: Office 2007 on Windows Vista prompts for user credentials when opening documents in a SharePoint 2007 site

January 11th, 2008

[01/10/2008 .. later in the day: The hotfix is currently private and not yet available. Sorry for jumping the gun! I’ll post another update when the hotfix is available for customers to request from our Product Support Services.]


[01/10/2008: A new hotfix is available that should address most proxy-related scenarios that have been reported thus far (although there are still a few prompts that come from Office regardless of proxy settings). The most troublesome have been the no-proxy environments. We received an earlier Vista WebClient update that began considering host addresses without dots in the name to be part of the Intranet and okay to automatically provide credentials. Unfortunately, several organizations use FQDN host names.


This latest hotfix incorporates the previous changes and adds the ability to designate which servers are to be considered safe to pass credentials to. Please take a look at the following KB article for more details surrounding the problem and the fix: http://support.microsoft.com/?id=943280. (Yes, this hotfix will be in the upcoming Windows Vista Service Pack 1.)]


[11/07/2007: The following hotfixes have been released:




  • KB 941853 addresses the issue where “Automatically detect settings” was required to be enabled in order for the Automatic configuration script to be processed for WebDAV communication. With 941853 installed, the “Automatically detect settings” option can be either enabled or not.


  • KB 941890 includes the fix from 941853 and in addition will assume (in an environment where no proxy server is configured in the IE settings) that a site that has no dots in the name will be treated as an intranet site (e.g. http://companyweb is intranet while http://www.mycompany.com is Internet) and credentials will be passed automatically for WebDAV communication.]

[10/19/2007: IMPORTANT UPDATE: Do not use the “fake proxy” workaround described below other than for testing purposes!


The reason that we strongly recommend against using this workaround broadly or in production is that it will reduce the security for default Internet sites by interpreting them as intranet sites instead. The good news though is that if this workaround is effective for you, then there’s a very good chance that the hotfix that will be released within the next week or so (look for another update soon) will permanently address your particular issue.


Another workaround is to stop and disable the WebClient service. However, this will disable the ability to use Map Drive to a webfolder and also disable the ability to use Explorer view in SharePoint.


The best workaround that we have at the moment, though it requires a bit more work to implement, is to configure the Office 2007 applications to run in Windows XP SP2 compatibility mode and install the Web Folders update. While extensive testing was not performed with Office 2007 configured this way on Windows Vista, Windows XP SP2 is a fully supported platform for Office 2007 and no unusual side-effects are anticipated. The reason this workaround is effective is that it subverts the preference to use WebDAV and uses Web Extender Client (WEC) instead. Here’s a bit more background info:



Office 2007 introduced a change such that when installed on a Windows Vista machine, it prefers to use WebDAV technology when opening documents from a SharePoint site (previous versions first tried to use the Web Extender Client). Additionally, WebDAV on Windows Vista switched from using WinINet to using WinHTTP because the latter is considered to be more secure. Unfortunately, WinHTTP does not understand zones since it was designed more for services than interactive users. WebDAV implemented a subroutine that would check the user’s IE proxy settings and if a proxy was detected (either through the use of “Automatically detect settings” when it successfully retrieved a PAC or configuration script or through the use of specifically defined proxy settings), it would initiate the WinHTTP session with information that would allow the user’s credentials to be passed automatically (like WinINet does for Intranet and Trusted zones). The absence of a configured proxy would result in the prompt for credentials (which we agree is undesired and unnecessary in most intranet environments).


How to place Office 2007 applications into Windows XP SP2 compatibility mode
This can be accomplished by simply adding a few registry keys. Although we recommend placing them under the HKEY_LOCAL_MACHINE hive, it may be difficult in some corporate IT environments to push the keys because of the need for elevated privileges. Alternatively, the keys can be placed under the HKEY_CURRENT_USER hive and be just as effective.


The keys are application specific (examples for Excel, Word, and PowerPoint are listed below):



Windows Registry Editor Version 5.00

; Run each listed Office 2007 application in the Windows XP SP2 compatibility layer
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"="WINXPSP2"
"C:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"="WINXPSP2"
"C:\\Program Files\\Microsoft Office\\Office12\\POWERPNT.EXE"="WINXPSP2"


(Note that the keys above are meant to be copied from a .REG file. If the keys are entered in another manner, they would likely need to use “\” instead of “\\”. Also note that the paths are hardcoded; if you have an environment where the path to the Office 2007 executables varies, you may need to use a script so that the correct path can be determined programmatically.)
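One way to script the compatibility-layer values when the Office path varies, written per user under HKEY_CURRENT_USER so no elevation is needed. This is an added example, not code from the original post; the function names are hypothetical, and it assumes Office 2007 setup recorded its folder in the "Path" value of the Office\12.0\Common\InstallRoot key.

```powershell
# Added example: apply the WINXPSP2 layer using the install path recorded by
# Office 2007 setup instead of a hardcoded C:\Program Files path.
# Assumption: the folder is stored in the "Path" value of
# ...\Office\12.0\Common\InstallRoot (under Wow6432Node on 64-bit Windows).

function Get-Office12Root {
    $candidates = @(
        'HKLM:\SOFTWARE\Microsoft\Office\12.0\Common\InstallRoot',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Common\InstallRoot'
    )
    foreach ($key in $candidates) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.Path) { return $props.Path }
    }
    return $null
}

function Set-OfficeXpCompatLayer {
    param(
        [string]$OfficeRoot = (Get-Office12Root),
        [string[]]$Executables = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'),
        [string]$LayersKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    if (-not $OfficeRoot) { throw 'Office 2007 install path not found.' }
    if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }

    foreach ($exe in $Executables) {
        $full = Join-Path $OfficeRoot $exe
        if (-not (Test-Path $full)) {
            Write-Warning "Skipping $exe (not found under $OfficeRoot)"
            continue
        }
        # The value name is the full executable path with single backslashes;
        # the doubled backslashes exist only as .REG file escaping.
        Set-ItemProperty -Path $LayersKey -Name $full -Value 'WINXPSP2'
        Write-Output "Set WINXPSP2 layer for $full"
    }
}

Set-OfficeXpCompatLayer
```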


Install the latest Web Folder update
This is available from the KnowledgeBase article 907306. This is a “one size fits all” update and applies to both 32-bit and 64-bit versions of Windows Vista. Without this update, the documents will still open but will not save directly back to the document library. Installing the update should restore the ability to edit directly from the document library (providing the ability to use checkout functionality as needed).]


 


We’ve received several reports of this issue through our Customer Support Services. Although it would be impractical for us to post every known issue or confirmed bug on this blog, I have a strong feeling that this particular problem is much more widespread than has been reported. If you have experienced this problem and can consistently reproduce it, please leave a comment. While we’re still investigating a possible long term fix, here are several workarounds for you to try.


Problem Description


With Office 2007 running on Windows Vista, opening an Office document hosted on a SharePoint (i.e. WSS 3.0 or MOSS 2007) site results in a prompt for login credentials even if the user is already logged on with an account that has access to the document. Canceling the credential prompt may still (but not always) allow the document to open in read-only mode.

Potential Workarounds


Go to IE7 -> Internet Options -> Connections -> LAN Settings.


  • Behavior 1: Clearing all checkboxes on this dialog will cause the credential prompt.

  • Behavior 2: Automatically detect settings - enabling this option will prevent the prompt if it effectively enables a proxy server and enables bypassing the proxy for local addresses.

  • Behavior 3: Use a proxy server - enabling a proxy server in conjunction with enabling “Bypass proxy server for local addresses” will prevent the credential prompt.

When the user does not have a proxy in the environment, it’s still possible to work around this issue by setting a “fake proxy” and “blanket bypass” as follows in IE7’s LAN Settings dialog.


  1. Click the Proxy Server checkbox. Set the address to “fake proxy” without the quotes and the port to 80.

  2. Click the “Bypass proxy server for local addresses” checkbox.

  3. Click Advanced and put an * in the Exceptions list to cause all addresses (including external ones) to be bypassed.
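Because the “fake proxy” settings above are meant for testing only, a check like the following can find profiles where they were left in place. This is an added example, not part of the original post; the function name is hypothetical, the sample settings are constructed, and the live check reads the current user's ProxyEnable, ProxyServer and ProxyOverride values under Internet Settings.

```powershell
# Added example: flag the "fake proxy" + blanket-bypass test workaround.
# The check takes a hashtable so it runs on constructed data or live values.
function Get-ProxyWorkaroundFindings {
    param([hashtable]$Settings)

    $findings = @()
    if ($Settings['ProxyEnable'] -ne 1) { return $findings }  # no manual proxy

    # ProxyOverride is a semicolon-separated exceptions list; '<local>' is what
    # "Bypass proxy server for local addresses" stores.
    $exceptions = @("$($Settings['ProxyOverride'])".Split(';') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($exceptions -contains '*') {
        $findings += 'Exceptions list contains *: all addresses bypass the proxy'
    }
    $proxyHost = "$($Settings['ProxyServer'])".Split(':')[0].Trim()
    if ($proxyHost -eq 'fake proxy') {
        $findings += 'Proxy address is the placeholder "fake proxy"'
    }
    return $findings
}

# Constructed samples (not captured from a real machine).
$samples = @{
    'workaround left in place' = @{ ProxyEnable = 1; ProxyServer = 'fake proxy:80'; ProxyOverride = '*;<local>' }
    'real proxy, local bypass' = @{ ProxyEnable = 1; ProxyServer = 'proxy.example.test:8080'; ProxyOverride = '<local>' }
    'no proxy configured'      = @{ ProxyEnable = 0; ProxyServer = ''; ProxyOverride = '' }
}
foreach ($name in $samples.Keys) {
    $result = @(Get-ProxyWorkaroundFindings -Settings $samples[$name])
    if ($result.Count -eq 0) { Write-Output "[ok]   $name" }
    else { $result | ForEach-Object { Write-Output "[FLAG] ${name}: $_" } }
}

# Live check of the current user's LAN settings.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $key) {
    $p = Get-ItemProperty -Path $key
    $live = @{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer
               ProxyOverride = $p.ProxyOverride }
    @(Get-ProxyWorkaroundFindings -Settings $live) |
        ForEach-Object { Write-Output "[FLAG] current user: $_" }
}
```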

 


<Lawrence />
