Monday, 10 January 2011

Multiple authentication prompts when opening documents from WSS/MOSS/Sharepoint


This one was bugging me for a long time, but I never really had time to solve it for myself until I had to solve it for a customer. How typical for me :)

Consider the following scenario:
  • Sharepoint site is published through ISA/TMG server
  • The user authenticates to the published site using Basic authentication (popup window appears)
  • When the user tries to open a document from a document library he needs to authenticate again, sometimes even multiple times
  • If the user accesses the Sharepoint site directly, from inside the network, he experiences no issues

The reason this happens is that Office applications look for persistent authentication cookies stored on the local client. If the authentication cookie is not available, we get a logon prompt when we use Word, for example, to open a docx file from a Sharepoint site. We do not get the authentication prompt when we access the Sharepoint site from the internal network, because there the Office applications authenticate using Windows Integrated authentication and we are saved from typing credentials.

This persistent cookie sharing between IE and Office applications is described here in more detail:

So how do we get the persistent cookie from a site published through an ISA/TMG server?

Complete the following steps:
  • Switch from Basic authentication on the ISA/TMG listener to Forms-based authentication
  • Turn on persistent cookie support on the ISA/TMG listener
  • Add the site to the Trusted Sites list in Internet Explorer on the client
  • If we are using Internet Explorer 7/8, we also need to turn off "Protected Mode" for Trusted Sites (it should be off by default)

Now we only need to log in once using the Forms-based authentication window and we can open any document from the Sharepoint site without additional authentication prompts. This is because the cookie has now been saved to a location from which Office applications can access it.

For detailed steps on how to turn on "Persistent Cookies" on the ISA/TMG listener please visit this blog:

You will notice one more thing: if you exit the Internet Explorer window without first logging off from the Sharepoint site, then when you visit the same site again you will not be presented with the Forms-based authentication window but will instead be automatically authenticated to the site. This is because the cookie is "persistent": it is deleted only when you explicitly log off or when the cookie times out. On the ISA/TMG listener you can use persistent cookies "Only on private computers" or "On all computers"; public or private is the option you choose when you enter your credentials in the Forms-based authentication window. You can additionally set the timeout in minutes separately for Public and Private computers.
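To check that the listener change took effect and that the cookie lifetime matches the timeout you configured, you can classify the `Set-Cookie` headers the published site returns. The following is an added example, not part of the original post: the cookie names, values and the 480-minute limit are constructed, and it assumes you have already captured the headers from a logon response and a logoff response.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data: headers as they might be captured from the published site.
NOW = datetime(2011, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "ExampleSession=abc123; path=/; HttpOnly",
    "ExampleAuth=def456; expires=Mon, 10 Jan 2011 20:00:00 GMT; path=/; secure",
    "ExampleLong=ghi789; Max-Age=2592000; path=/",
    "ExampleOld=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/",
]

def cookie_lifetime(set_cookie, now):
    """Return (name, seconds). seconds is None for a session cookie (no expiry,
    held in browser memory only), <= 0 for a deletion, > 0 for a persistent cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # RFC 6265: Max-Age wins over Expires
        try:
            return name, int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, None  # unparseable date: treat as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, int((expires - now).total_seconds())
    return name, None

def audit(headers, now, max_minutes):
    """Label each cookie; max_minutes is the timeout you set on the listener."""
    report = {}
    for value in headers:
        name, seconds = cookie_lifetime(value, now)
        if seconds is None:
            report[name] = "session"
        elif seconds <= 0:
            report[name] = "deleted"  # what an explicit log off should produce
        elif seconds > max_minutes * 60:
            report[name] = "persistent-too-long"
        else:
            report[name] = "persistent"
    return report

if __name__ == "__main__":
    for cookie, status in audit(SAMPLE_HEADERS, NOW, max_minutes=480).items():
        print(f"{cookie}: {status}")
```

An authentication cookie that still shows as "session" after the listener change will not be available to Office applications, and one that is not reported as "deleted" in the logoff response stays on the client until it times out.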


