Getting prompted for credentials when accessing read-only Office files on SharePoint 2003 from Windows Vista or Windows 7 with Office 2007 or Office 2010

I faced this problem recently at a customer.

They had pure Windows XP with Office 2003 deployed to their clients. These clients were accessing a SharePoint 2003 site. When they started deploying new Windows 7 clients with Office 2007 they found that when the users clicked on links to Office files which they had read-only permissions to, they would get prompted to enter credentials. But entering credentials doesn’t work. If they hit cancel or escape, the prompt would disappear and the file would open as expected.

Being a good PFE, the first place I started was with Network Monitor traces. I was looking for any strange “access denied” messages, authentication attempts with mismatched methods, bad HTTP redirections, DNS problems, that sort of thing.

Here’s what I found:

  • WebDAV is the agent which is trying to open the file, and is failing
  • By hitting cancel or escape you are telling the WebClient service to give up and fall back to HTTP
  • The WebDAV client which came with Office 2003 is not available on Office 2007 on Vista and newer – the OS has a WebDAV client called WebClient
    • This built-in WebDAV client doesn’t behave the same way as the Office 2003 extension does, and is too difficult to change
  • Stopping the WebClient service would avoid the prompt, as WebDAV is no longer being used. But now editing files on SharePoint 2003 is no longer possible
  • This is not a problem on versions of SharePoint which are newer than SPS 2003
  • The site's short name and FQDN were in the list of Trusted Sites in Internet Explorer
  • The security settings for IE allow automatic logon to sites in Trusted Sites
    • This means that Protected mode is avoided as IE can pass through authorisation to Office. Intranet Sites cannot do this apparently
  • They have a valid proxy server configured, but the short name for the SharePoint site and the FQDN are added to the proxy exception list
  • Using the registry key for AuthForwardServerList discussed here and here didn’t help

So what is going on?

WebClient is trying to take a write lock on the file. But the file is read-only to the user, so this fails. We see 4 requests to GET the file, each one has a reply which says “unauthorized”:

[Screenshot: WebDAVFailures]

Then I found this article:

https://support.microsoft.com/kb/955375

This says that setting the registry value UseWinINETCache = 1 instructs Office to always open web-based files as read-only. Files you need to edit on a SharePoint site will be opened as read-only too, so editing them directly will fail. To work around this limitation you must do one of the following when editing a file:

  • Before opening the file, use the “Check Out” feature of SharePoint
  • Use the drop-down list for a file and choose “Edit in Microsoft Office Word/Excel”
  • Save the file as a different name

Note this limit applies to ALL web-based files opened by Office, even those on SharePoint 2007 and 2010, which do not experience this problem. Therefore, this is only a work-around until you are able to upgrade your SharePoint 2003 sites to 2007 or 2010. Note that Internet Explorer 8 is NOT a supported browser when accessing SharePoint 2003, for this reason and others.