Tuesday, 13 November 2007

Office 2007 and Vista, persistent cookies do not work

I have run into another issue with SharePoint 2007 which specifically only affects Office 2007 running on Windows Vista.

We have SharePoint published through ISA 2006 using forms-based authentication (FBA). This works perfectly for XP/2003 with Office 2003/2007 and for Vista with Office 2003. However, when we open a document from SharePoint 2007 using Office 2007 on Vista, we are prompted for a password. This is rather annoying. I have opened a call with Microsoft to see if I can get to the bottom of this.

There are numerous articles out there saying that this is to do with IE Protected Mode, but we have that switched off for the Intranet zone (hence it works fine with Office 2003 on Vista).

Even more worrying than the simple inconvenience of the prompt is the fact that WebDAV caches the user's credentials. Imagine the scenario: you go to a public access machine and log on to SharePoint using ISA FBA. You then open a document and enter your credentials. You finish working, log off SharePoint and close the browser. You would think you were now logged off, but you are not, because the WebDAV client is still caching your credentials: anything else run in that Windows session can open documents as you until the WebClient service is restarted or you log off Windows. Whoops!


Following my call being escalated by the good guys at ESK UK to Microsoft, it has now been escalated within Microsoft. I've just been on a call with a very helpful escalation engineer at Microsoft who has confirmed that the issue is that Office 2007 on Vista uses WebDAV, and WebDAV tries to authenticate using Windows auth rather than presenting the persistent cookies. As our server is published through ISA using FBA, the Windows auth attempt falls back to Basic auth, and WebDAV then caches the credentials (until the WebClient service is restarted or the user logs off Windows).

The engineer has provided a useful workaround: install the Web Client update for Vista (http://support.microsoft.com/default.aspx?scid=kb;EN-US;907306) and then set all Office apps to run in compatibility mode. This has a couple of drawbacks besides the work involved. Firstly, it loses the enhanced ability that WebDAV has to browse up and down SharePoint web applications, and secondly, it does not resolve the password prompt you get when you try to use Explorer view (I don't know of a way of telling Explorer to run in compatibility mode). Nevertheless we will use this workaround on the few Vista machines we have, but will certainly have to think twice before rolling out Vista and Office 2007 to our 12,000 desktops.

The following registry key can be used to tell Office apps to run in XP SP2 compatibility mode: under it, each executable is registered as a string value whose name is the full path to the .exe and whose data is the compatibility layer name (WINXPSP2 for Windows XP SP2). Remember you can really mess up your machine by changing the wrong registry settings, so back it up and go carefully:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
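As an added example (not code from the original post or from Microsoft), here is how the workaround above can be applied from an elevated PowerShell prompt on a Vista client. Under the Layers key, each executable is registered as a string value whose name is the full path of the .exe and whose data is the layer; WINXPSP2 is the layer that corresponds to "Windows XP (Service Pack 2)" on the Compatibility tab. The script also restarts the WebClient service, since the post notes that credentials cached by WebDAV live until that service is restarted or the user logs off. The Office12 install folder and the list of executables are assumptions, not taken from the page.

```powershell
# Added example, not from the original post. Run from an elevated prompt and
# back up the registry first.
# Assumptions: Office 2007 lives in the default Office12 folder, and WINXPSP2 is
# the layer name for "Windows XP (Service Pack 2)" compatibility mode.

$layersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$officeDir  = Join-Path ${env:ProgramFiles} 'Microsoft Office\Office12'   # assumed install path
$officeExes = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'     # assumed set of apps
$layer      = 'WINXPSP2'

if (-not (Test-Path $layersKey)) {
    New-Item -Path $layersKey -Force | Out-Null
}

foreach ($exe in $officeExes) {
    $path = Join-Path $officeDir $exe
    if (-not (Test-Path $path)) {
        Write-Warning "Skipping $exe - not found at $path"
        continue
    }
    # Value name = full path to the executable, data = layer list (REG_SZ).
    New-ItemProperty -Path $layersKey -Name $path -Value $layer -PropertyType String -Force | Out-Null
    Write-Host "Registered $layer layer for $path"
}

# Read back what is now registered for the Office folder so the change can be verified.
(Get-ItemProperty -Path $layersKey).PSObject.Properties |
    Where-Object { $_.Name -like "$officeDir*" } |
    Format-Table -Property Name, Value -AutoSize

# The WebDAV redirector keeps Basic credentials it has sent until the WebClient
# service restarts or the user logs off. Restart it now so nothing cached survives.
Restart-Service -Name WebClient -Force
```

The same value layout under HKEY_CURRENT_USER applies the layer for the current user only, which is where the Compatibility tab writes unless you choose to show settings for all users. Restarting WebClient is also the quickest way to confirm the caching behaviour: open a document, restart the service, open it again, and you will be prompted once more.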


Anonymous said...

Yeah, we have the same problem here. Haven't found a fix yet :S

Rob Head said...

The call I have open with Microsoft is ongoing, although they have acknowledged that it is a known issue associated with Office 2007 on Vista using WebDAV rather than the Office Web Extensions that all other versions use (as well as 2007 on XP), and WebDAV not having knowledge of IE zones... I'll post as soon as I hear anything useful from Microsoft.

Rob Head said...

I have just been informed by Microsoft that a bug has been raised, so hopefully a fix for this is imminent.

Brian said...

Hello. I just sent you an e-mail about this post. We are also experiencing this problem. Do you have any updates?



Rob Head said...

Hi Brian,

I've updated my email address. My forwarding subscription has just expired so I did not get your email.

All I have heard about this since is that Microsoft are still considering the fix as part of the next release of Office or a service pack. I have tried to make it clear to Microsoft that this is not simply a nuisance, but a concerning security issue.

We are currently looking at switching to Windows Authentication to the ISA servers with constrained Kerberos auth from ISA to the backend servers for single sign on. Hopefully it will work as I want it to and allow users who are on the domain not to have to log in at all, and those who are not on the domain to only have to log in once.

Sorry I can't be more help.


Brian said...

Thank you for the quick reply. For the most part, we have come to a similar conclusion. Would it be possible for you to give me your MS case #? Perhaps I can get them to link our cases and provide a little more push.

Thanks again,


Rob Head said...

Hi Brian,

The support case number I have is SRZ071203000237.

For your info, Microsoft's response was "The Microsoft Office Team has investigated the “Office 2007 on Vista prompts for authentication unnecessarily for SharePoint”.
The fix for this issue is beyond the scope of a Hotfix.
In order to fix this issue, we would need to redesign areas around several new features in WSS V3 and Office 2007 as well as around Vista’s authentication process. The amount of redesign, coding and testing needed to provide a safe solution for all combinations of Office, Vista and WSS is out of scope for a Hotfix cycle.
The issue is caused by the implementation of several new features in WSS V3, Office 2007 and the way Vista works natively. These new features provide greater control over permissions and more concise code paths for file open scenarios. Overall we provide more strict control over the opening of files across products; in particular the SharePoint v2 readers code base does not have the same functionality as V3 and this causes alternate functionality. Changing the Office Core code to provide the exact same functionality across all products would increase risk of regression in file open, security, messaging and core scenarios.
Although we understand the customer’s pain, this is not a change we can make to the product in a Hotfix time frame.
This issue will be added to our Product Quality Initiative for consideration in the next Service Pack and version of Microsoft Office."

I'm personally very disappointed with the response I have had from Microsoft on this one, especially considering the amount of time I spent investigating various things at their request, only to be told that it is a known issue!

Good luck and let me know how you get on.


Jason Jones said...

Hi Chaps,

I too recently came across this issue after upgrading my own work laptop to Vista.

The only viable solution I have found (the above didn't work for me anyhow and nor did KB943280) is the following:

* Add all ISA published MOSS URLs to the trusted zone in IE and ensure protected mode is disabled.

* Configure ISA for persistent cookies

* Stop and disable the 'Web Client' service on the Vista client.

It appears that when the 'Web Client' service is enabled it attempts to authenticate to ISA using Windows auth (ignoring persistent cookies) and ISA cannot currently provide fallback to NTLM auth.

Disabling the Web Client service (although a little brutal) appears to return the behaviour to the same as on Windows XP. If you look at the ISA logs during document access with the web client service on and off, you will see that a different Client Agent is used for each scenario and you can clearly see when the client is using WebDAV and the denied result.

In an ideal world, it would be nice to somehow specify which URLs use the WebDAV redirector and which use native Office. At first I thought this is what KB943280 did, but I think this is a similar, but different issue that confuses the real problem.

Anyhow, hope this helps...



Patrice said...

We have this issue along with the rest of the world, it appears. Although I have tried stopping the WebClient service, it is just causing other issues. 1) You cannot upload from your computer through a stored network path. It gives an error, DAVWWWRoot. 2) You cannot select "edit" to make changes to files in a library. It says it cannot contact the server. So the only way to modify files is to use the edit menu dropdown and select "edit in MS Word/Excel/etc". You also cannot "Check Out" files. So this workaround is causing many more issues. We do not use ISA so I cannot make those suggested modifications, but I have made the modifications to the browser settings. Still no luck. Has anyone come up with any other workable possibilities?

Rob Head said...

I have given up on this to be honest. It gets worse when you upgrade to Vista SP1 (you may find that you can open files but not save them, but SP thinks you have the file open for editing so the file is locked... so basically you cannot save the file anyway at all until the timeout expires, even if you chose 'Edit in....'). Vista SP1 also causes file copying issues from SP document libraries and is generally inconsistent with any file handling. I have had a call open with Microsoft for months and months and spoken to numerous engineers and departments, but keep getting bounced around and make no progress. We are currently in the process of switching to Windows auth and are planning on setting up external user accounts in a perimeter domain. Sorry I can't be more helpful.

Santo said...

Does anyone know whether using Kerberos Constrained Delegation resolves this issue?

Rob Head said...

In theory KCD should help, but I found it had little benefit over just switching to NTLM pass through as I could not get it to do single sign on like you get with forms based. We have switched to Windows pass through auth and are encouraging people to use our Citrix desktop when using SP off campus for long periods. Now comes the pain of IE8, which is having trouble using Windows auth (admittedly it is only an RTM, but still!!)

Anonymous said...

Rob et al

We have the same issue, but for our customer we are seeing that we actually have several Vista machines where the SSO persistently works, using FBA over ISA, also when opening, checking in/out documents etc. Is this the case for you guys too?

The working ones are very interesting..


Anonymous said...

Hi all,

Same problem here... In a day's investigating I have found the following:
- part of the problem machines run Vista x64 SP2 and part run Windows 7. Same issues with Office 2k7 on both OSes
- protected mode, InPrivate browsing, trusted sites, intranet zone and corresponding security zone settings didn't change anything, problem persists
- Microsoft insists that the hotfix KB943280 solves this problem and is included in Vista SP1. Situation is, we have Vista SP2 and the problem is still here... for Windows 7, there are no SPs or hotfixes concerning this problem. (btw, all systems run the latest SP and Windows updates)
- problem only arises with doc, xls, ppt,... with docx, xlsx, pptx, no superfluous login prompt is displayed.
- I was able to work around the problem by using the fakeproxy_policy (define a dummy proxy in IE settings and say to bypass proxy for addresses *). For me, this solves the login prompt problem, but another web-based app stops working. Nevertheless, this might help some of you...

If anyone has some more input on this, it would be greatly appreciated.

Regards from Switzerland,