Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer

Consider the following scenario.

 

• On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.
• You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.

In this scenario, you are prompted to enter your credentials, even though the user account that you are using has sufficient permission to access this site.

For example, when you open a Microsoft Office file from a Microsoft Office SharePoint site by using 2007 Microsoft Office on a Windows Vista-based client computer that has no proxy configured, you are prompted for authentication.

You may also see the following error when working with moved folders via explorer view:

Your client does not support opening this list with Windows Explorer.”

Note This problem does not occur on a Windows XP-based computer.

Important This hotfix is included in Windows Vista Service Pack 1 or a later service pack. However, you must still configure the AuthForwardServerList registry entry. For more information, see the Registry information section.

Back to the top

CAUSE

In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.

 

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:

http://sharepoint/davshare

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

Note A server can be indicated for proxy bypass either through the bypass list or through the proxy configuration script.

In this case, you are prompted to enter your credentials when the Web site asks for credentials. Even in this case, the security zone settings are ignored.

Back to the top

RESOLUTION

The fix is included in Windows 7. To fix the issue, you only need to create the registry item below.

Back to the top

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a “Hotfix download available” section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

If Basic authentication or Digest authentication is implemented in the network, hotfix 943280 cannot change this behavior. This behavior is by design in Basic authentication mode and in Digest authentication mode.

IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The “Hotfix download available” form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You have to restart the computer after you apply this .

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Registry information

To use this hotfix, you have to modify the registry.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

After you apply this hotfix, you have to create a registry entry. To do this, follow these steps:

1. Click Start, type regedit in the Start Search box, and then press ENTER.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWebClientParameters
3. On the Edit menu, point to New, and then click Multi-String Value.
4. Type AuthForwardServerList, and then press ENTER.
5. On the Edit menu, click Modify.
6. In the Value data box, type the URL of the server that hosts the Web share, and then click OK.

   Note You can also type a list of URLs in the Value data box. For more information, see the “Sample URL list” section in this article.

7. Exit Registry Editor.

After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

Note You have to restart the WebClient service after you modify the registry.

Sample URL list

The following is a sample URL list:

https://*.Contoso.com
http://*.dns.live.com
*.microsoft.com
https://172.169.4.6

This URL list enables the WebClient service to send credentials through the following channels.

Note After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers, even if these servers are on the Internet.

• Any encrypted channel to a child domain of a domain whose name is Contoso.com.
• Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
• Any channel to a server whose name ends with “.microsoft.com.”
• Any encrypted channel to a host whose IP address is 172.169.4.6.

Things to avoid in the URL list

• Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.
  http://*.dns.live.*
• Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
  • http://*Contoso.com

    In this example, the service also sends user credentials to http://extra_charactersContoso.com

  • http://Contoso*.com

    In this example, the service also sends user credentials to http://Contosoextra_characters.com

• In the URL list, do not type the UNC name of a host. For example, do not use the following:
  *.contoso.com@SSL
• In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
  • http://*.dns.live.com/DavShare
  • http://*dns.live.com:80
• Do not use IPv6 in the URL list.

Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista, x86-based versions

Windows Vista, x64-based versions