IE9 behind authenticated proxy prompts for credentials when opening office documents

Tags: internet-explorer-9, microsoft-office-2010, proxy

Here is the scenario:

Logged into a Windows 7 Enterprise SP1 computer with Internet Explorer 9, behind a proxy (Squid I think, though not set up by our organisation) which uses current Windows credentials without prompting.

The user goes through the following process:

  • Visits a website and tries to download an Office (2010) document
  • IE9 brings up dialog box asking user to open/save.
  • User clicks open
  • The user is prompted to enter credentials for the proxy
  • User presses escape or enters credentials
  • The document opens

So, it is apparent that the credentials are not required. But IE9/Office asks anyway. Often this prompt is behind the browser so the user doesn't even know they need to do anything. This doesn't happen if the document is saved first, or in Firefox. I've also disabled on-access scanning in our anti-virus solution.

I have read quite a few things on the web regarding SharePoint prompting, but none to do with proxy. Most of the solutions relate to "Local Intranet" sites or sites under the organisation's administrative control (mainly IIS related).

I have managed to avoid this scenario by explicitly naming a site in the proxy bypass list, but of course it is neither possible nor viable to do this for every site on the web!

Does anybody have any experience with this scenario?

Best Answer

I too experience this with a server hosted within our University. It appears to be the way that Office handles the requesting of an Office file from the web. Servers which don't offer WebDAV or other ability for users to save files on the server should have some verb/extensions disabled as outlined.

Microsoft’s Knowledge Base article 2019105 offers the best insight into why this occurs, and the suggested options for addressing it. KB article: http://support.microsoft.com/kb/2019105

Cause:

When Internet Explorer opens an Office document, the appropriate Office application is started with the path of the document. The Office application then tries to access the document directly from the server. This differs from other browsers and other file types. Most browsers download the file and call the application to open the file from the local cache. However, when this occurs, if the opened file is changed and saved, the changes are only made to the local copy and not to the server copy.

To establish the richest experience possible, the first thing that the Office application does is communicate with the server to determine the server type and what web authoring protocol is available. The application does this by making an OPTIONS request directly to the server.

As a new process accessing the server, the Office application is required to renegotiate authentication. This method is more secure than a method in which the new process uses an existing authentication that was established by the browser.

The article’s recommendation is that, when users will not be attempting to save files back to the server directly, addressing this should be completed on the server side, specifically by disabling support for the OPTIONS and PROPFIND verbs/extensions.
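
One way to check whether a server still answers the two verbs named above, as an added example that is not part of the original answer or the KB article. The function names, the constructed local demo server and the set of status codes counted as a refusal are assumptions made for illustration.

```python
import contextlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_VERBS = ("OPTIONS", "PROPFIND")  # the verbs the answer says to disable
REFUSED = {403, 404, 405, 501}  # assumption: statuses counted as "verb disabled"

def probe_verbs(host, port, path="/"):
    """Send each probe verb and return {verb: (status, Allow header, DAV header)}."""
    results = {}
    for verb in PROBE_VERBS:
        with contextlib.closing(http.client.HTTPConnection(host, port, timeout=5)) as conn:
            conn.request(verb, path, headers={"Depth": "0"})
            resp = conn.getresponse()
            results[verb] = (resp.status, resp.getheader("Allow"), resp.getheader("DAV"))
    return results

def verbs_still_enabled(results):
    """Verbs the server did not refuse, so an Office client can still negotiate them."""
    return sorted(v for v, r in results.items() if r[0] not in REFUSED)

def make_handler(hardened):
    """Constructed demo handler: WebDAV-like, or refusing both verbs when hardened."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, headers=()):
            self.send_response(405 if hardened else status)
            for name, value in (() if hardened else headers):
                self.send_header(name, value)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def do_OPTIONS(self):
            self._reply(200, (("Allow", "GET, OPTIONS, PROPFIND"), ("DAV", "1")))
        def do_PROPFIND(self):
            self._reply(207)
        def log_message(self, *args):
            pass  # keep the demo quiet
    return Handler

def demo(hardened):
    with HTTPServer(("127.0.0.1", 0), make_handler(hardened)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return verbs_still_enabled(probe_verbs("127.0.0.1", server.server_port))
        finally:
            server.shutdown()

if __name__ == "__main__":
    print("before:", demo(False), "after:", demo(True))
```

Against a real server, call `probe_verbs` with its host and port; an empty list from `verbs_still_enabled` means both verbs are being refused.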
