Share via


Why IE promts for User authentication while opening office documents

There is a big difference between Internet Explorer and other browsers like FireFox. When FireFox invokes the application and passes the document name it uses the path of the copy of the document from the local cache; when IE invokes the application it passes the path of the document on the server. The new process accessing the server will require new authentication.

There is also a significant difference in behavior when Office detects that WebDAV is enabled on the server. If WebDAV is enabled then Microsoft Office also has to determine whether or not to open the document as ReadWrite or ReadOnly.

Typically Office on Windows XP uses WinInet to handle the communication with the server and therefore should handle authentication just like IE does; if the server is configured for Windows authentication then you are prompted to access the server, you can probably expect a prompt to open the document.

The expected default behavior is that if the site can be identified as a local intranet site then Windows logon credentials will be automatically sent to the server. A site is typically determined to be identified as local when there is no '.' in the address.  When a '.' exists in the address then some help may be needed in order to identify the site as local intranet; if the site does not show "Local intranet" in the lower, right of the status bar then you may need to check [Sites] for Local intranet on the Security tab of IE's Internet options. If the 'Automatically detect intranet network' is checked and/or the appropriate sub-options are checked then you may need to specifically use the [Advanced] button to add the site to the Local intranet.

It is possible to change the security settings for the other zones to allow User Authentication\Logon to Automatic logon with current user name and password but it is not recommended as that could result in sending credentials in a scenario when they are not secure (such as to a site using Basic authentication without SSL).

Prior to Windows Vista, Microsoft Office would install the Web Extender Client to allow OLE DB to handle the WebDAV protocol because the native Web Client was not robust enough. Since the Vista Web client was enhanced  Office 2007 on Vista will try to use the native WebClient (which uses WinHTTP instead of WinInet) to handle the communication. WinHTTP does not have the concept of zones and requires the configuration of a registry key in order to properly pass credentials automatically for sites with a '.' in the name. This is referenced in KB 943280 (https://support.microsoft.com/?id=943280). The 'Office 2007 prompting on Vista' scenario is also discussed in more detail in the following blog: https://blogs.msdn.com/sharepoint/archive/2007/10/19/known-issue-office-2007-on-windows-vista-prompts-for-user-credentials-when-opening-documents-in-a-sharepoint-2007-site.aspx