{"id":1509,"date":"2012-01-12T00:13:59","date_gmt":"2012-01-12T00:13:59","guid":{"rendered":"http:\/\/www.obieta.com\/?p=1509"},"modified":"2012-01-12T00:13:59","modified_gmt":"2012-01-12T00:13:59","slug":"prompt-for-credentials-when-accessing-fqdn-sites-from-a-windows-vista-or-windows-7-computer","status":"publish","type":"post","link":"https:\/\/obieta.com\/?p=1509","title":{"rendered":"Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer"},"content":{"rendered":"<div>Consider the following scenario.<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.<\/li>\n<li>You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.<\/li>\n<\/ul>\n<p>In  this scenario, you are prompted to enter your credentials, even though  the user account that you are using has sufficient permission to access  this site.<\/p>\n<p>For example, when you open a Microsoft Office file  from a Microsoft Office SharePoint site by using 2007 Microsoft Office  on a Windows Vista-based client computer that has no proxy configured,  you are prompted for authentication.<\/p>\n<p>You may also see the following error when working with moved folders via explorer view:<\/p>\n<p>Your client does not support opening this list with Windows Explorer.&#8221;<\/p>\n<p><strong>Note<\/strong> This problem does not occur on a Windows XP-based computer.<\/p>\n<p><strong>Important<\/strong> This hotfix is included in Windows Vista Service Pack 1 or a later  service pack. However, you must still configure the  AuthForwardServerList registry entry. For more information, see the  Registry information section.<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/943280\/en-us#top\"><img src=\"http:\/\/support.microsoft.com\/library\/images\/support\/kbgraphics\/public\/en-us\/uparrow.gif\" alt=\"\" \/>Back to the top<\/a><\/div>\n<\/div>\n<h2 id=\"tocHeadRef\"><a>CAUSE<\/a><\/h2>\n<div>In  Windows Vista, Internet Explorer uses the Web Client service when you  use Internet Explorer to access a WebDAV resource. The Web Client  Service uses Windows HTTP Services (WinHTTP) to perform the network I\/O  to the remote host.  WinHTTP sends user credentials only in response to  requests that occur on a local intranet site.  However, WinHTTP does not  check the security zone settings in Internet Explorer to determine  whether a Web site is in a zone that lets credentials be sent  automatically.<\/p>\n<p>&nbsp;<\/p>\n<p>If  no proxy is configured, WinHTTP sends credentials only to local intranet sites.<\/p>\n<p><strong>Note<\/strong> If the URL contains no period in the server\u2019s name, such as in the  following example, the server is assumed to be on a local intranet site:<\/p>\n<div><strong>http:\/\/sharepoint\/davshare<\/strong><\/div>\n<p>If  the URL contains periods, the server is assumed to be on the Internet.  The periods indicate that you use an FQDN address. Therefore, no  credentials are automatically sent to this server unless a proxy is  configured and unless this server is indicated for proxy bypass.<\/p>\n<p><strong>Note<\/strong> A server can be indicated for proxy bypass either through the bypass list or through the proxy configuration script.<\/p>\n<p>In  this case, you are prompted to enter your credentials when the Web site  asks for credentials. Even in this case, the security zone settings are  ignored.<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/943280\/en-us#top\"><img src=\"http:\/\/support.microsoft.com\/library\/images\/support\/kbgraphics\/public\/en-us\/uparrow.gif\" alt=\"\" \/>Back to the top<\/a><\/div>\n<\/div>\n<h2 id=\"tocHeadRef\"><a>RESOLUTION<\/a><\/h2>\n<p>The fix is included in Windows 7. To fix the issue, you only need to create the registry item below.<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/943280\/en-us#top\"><img src=\"http:\/\/support.microsoft.com\/library\/images\/support\/kbgraphics\/public\/en-us\/uparrow.gif\" alt=\"\" \/>Back to the top<\/a><\/div>\n<h3 id=\"tocHeadRef\">Hotfix information<\/h3>\n<p>A supported hotfix is available from Microsoft. However, this hotfix is  intended to correct only the problem that is described in this article.  Apply this hotfix only to systems that are experiencing this specific  problem. This hotfix might receive additional testing. Therefore, if you  are not severely affected by this problem, we recommend that you wait  for the next software update that contains this hotfix.<\/p>\n<p>If the  hotfix is available for download, there is a &#8220;Hotfix download available&#8221;  section at the top of this Knowledge Base article. If this section does  not appear, contact Microsoft Customer Service and Support to obtain  the hotfix.<\/p>\n<p><strong>If Basic authentication or Digest authentication  is implemented in the network, hotfix 943280 cannot change this  behavior. This behavior is by design in Basic authentication mode and in  Digest authentication mode.<\/strong><strong><br \/><\/strong><strong><br \/><\/strong><strong>IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios.<\/strong><strong><br \/><\/strong><\/p>\n<p><strong>Note<\/strong> If additional issues occur or if any troubleshooting is required, you  might have to create a separate service request. The usual support costs  will apply to additional support questions and issues that do not  qualify for this specific hotfix. For a complete list of Microsoft  Customer Service and Support telephone numbers or to  create a separate  service request, visit the following Microsoft Web site:<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/contactus\/?ws=support\">http:\/\/support.microsoft.com\/contactus\/?ws=support<\/a><\/div>\n<p><strong>Note<\/strong> The &#8220;Hotfix download available&#8221; form displays the languages for which  the hotfix is available. If you do not see your language, it is because a  hotfix is not available for that language.<\/p>\n<h4 id=\"tocHeadRef\">Prerequisites<\/h4>\n<p>There are no prerequisites for installing this hotfix.<\/p>\n<h4 id=\"tocHeadRef\">Restart requirement<\/h4>\n<p>You have to restart the computer after you apply this .<\/p>\n<h4 id=\"tocHeadRef\">Hotfix replacement information<\/h4>\n<p>This hotfix does not replace a previously released hotfix.<\/p>\n<h4 id=\"tocHeadRef\">Registry information<\/h4>\n<p>To use this hotfix, you have to modify the registry. <br \/><strong>Important<\/strong> This section, method, or task contains steps that tell you how to  modify the registry. However, serious problems might occur if you modify  the registry incorrectly. Therefore, make sure that you follow these  steps carefully. For added protection, back up the registry before you  modify it. Then, you can restore the registry if a problem occurs. For  more information about how to back up and restore the registry, click  the following article number to view the article in the Microsoft  Knowledge Base:<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/322756\">322756<\/a> How to back up and restore the registry in Windows<\/div>\n<p>After you apply this hotfix, you have to create a registry entry. To do this, follow these steps:<\/p>\n<ol>\n<li>Click <strong>Start<\/strong>, type regedit in the <strong>Start Search<\/strong> box, and then press ENTER.<\/li>\n<li>Locate and then click the following registry subkey:\n<div>\n<div>HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWebClientParameters<\/div>\n<\/div>\n<\/li>\n<li>On the <strong>Edit<\/strong> menu, point to <strong>New<\/strong>, and then click <strong>Multi-String Value<\/strong>.<\/li>\n<li>Type AuthForwardServerList, and then press ENTER.<\/li>\n<li>On the <strong>Edit<\/strong> menu, click <strong>Modify<\/strong>.<\/li>\n<li>In the <strong>Value data<\/strong> box, type the URL of the server that hosts the Web share, and then click <strong>OK<\/strong>.\n<p><strong>Note<\/strong> You can also type a list of URLs in the <strong>Value data<\/strong> box. For more information, see the &#8220;Sample URL list&#8221; section in this article.<\/p>\n<\/li>\n<li>Exit Registry Editor.<\/li>\n<\/ol>\n<p>After  this registry entry is created, the WebClient service will read the  entry value. If the client computer tries to access a URL that matches  any of the expressions in the list,   the user credential will be sent  successfully to authenticate the user, even if no proxy is configured.<\/p>\n<p><strong>Note<\/strong> You have to  restart the WebClient service after you modify the registry.<\/p>\n<h4 id=\"tocHeadRef\">Sample URL list<\/h4>\n<p>The following is a sample URL list:<\/p>\n<div>\n<div>\n<pre>https:\/\/*.Contoso.com\nhttp:\/\/*.dns.live.com\n*.microsoft.com\nhttps:\/\/172.169.4.6\n<\/pre>\n<\/div>\n<\/div>\n<p>This URL list enables the WebClient service to send credentials through the following channels.<\/p>\n<p><strong>Note<\/strong> After you configure  this URL list,  the credentials will automatically  authenticate to the WebDAV servers, even if these servers  are  on the  Internet.<\/p>\n<ul>\n<li>Any encrypted channel to a child domain of a domain whose name is Contoso.com.<\/li>\n<li>Any nonsecure channel to a child domain of a domain whose name is dns.live.com.<\/li>\n<li>Any channel to a server whose name ends with &#8220;.microsoft.com.&#8221;<\/li>\n<li>Any encrypted channel to a host whose IP address is 172.169.4.6.<\/li>\n<\/ul>\n<h4 id=\"tocHeadRef\">Things to avoid in the URL list<\/h4>\n<ul>\n<li>Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.\n<div>http:\/\/*.dns.live.*<\/div>\n<\/li>\n<li>Do  not add an asterisk (*) before or after a string. When you do this, the  WebClient service can send user credentials to more servers. See the  following examples:\n<ul>\n<li>http:\/\/*Contoso.com\n<p>In this example, the service also sends user credentials to http:\/\/<var>extra_characters<\/var>Contoso.com<\/p>\n<\/li>\n<li>http:\/\/Contoso*.com\n<p>In this example, the service also sends user credentials to http:\/\/Contoso<var>extra_characters<\/var>.com<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li> In the URL list, do not type the UNC name of a host. For example, do not use the following:\n<div>*.contoso.com@SSL<\/div>\n<\/li>\n<li>In the URL list, do not include the share name or the port number to be used. For example, do not use the following:\n<ul>\n<li> http:\/\/*.dns.live.com\/DavShare<\/li>\n<li>http:\/\/*dns.live.com:80<\/li>\n<\/ul>\n<\/li>\n<li>Do not use IPv6 in the URL list.<\/li>\n<\/ul>\n<p><strong>Important<\/strong> This URL list does not affect  the security zone settings. This URL  list is used only for the specific purpose of forwarding the credentials  to WebDAV servers. The list should be created as restrictively as  possible to avoid any security issues. Also, because there is no  specific deny list, the credentials are forwarded to all the servers  that match this list.<\/p>\n<h4 id=\"tocHeadRef\">File information<\/h4>\n<p>The English version of this hotfix has the file attributes (or later  file attributes) that are listed in the following table. The dates and  times for these files are listed in Coordinated Universal Time (UTC).  When you view the file information, it is converted to local time. To  find the difference between UTC and local time, use the <strong>Time Zone<\/strong> tab in the <strong>Date and Time<\/strong> item in Control Panel.<\/p>\n<h5 id=\"tocHeadRef\">Windows Vista, x86-based versions<\/h5>\n<div>\n<table cellspacing=\"1\">\n<tbody>\n<tr>\n<th>File name<\/th>\n<th>File version<\/th>\n<th>File size<\/th>\n<th>Date<\/th>\n<th>Time<\/th>\n<th>Platform<\/th>\n<\/tr>\n<tr>\n<td>Davclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>48,640<\/td>\n<td>29-Nov-2007<\/td>\n<td>04:07<\/td>\n<td>x86<\/td>\n<\/tr>\n<tr>\n<td>Mrxdav.sys<\/td>\n<td>6.0.6000.20729<\/td>\n<td>112,640<\/td>\n<td>29-Nov-2007<\/td>\n<td>02:02<\/td>\n<td>x86<\/td>\n<\/tr>\n<tr>\n<td>Webclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>196,096<\/td>\n<td>29-Nov-2007<\/td>\n<td>04:09<\/td>\n<td>Not Applicable<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h5 id=\"tocHeadRef\">Windows Vista, x64-based versions<\/h5>\n<table cellspacing=\"1\">\n<tbody>\n<tr>\n<th>File name<\/th>\n<th>File version<\/th>\n<th>File size<\/th>\n<th>Date<\/th>\n<th>Time<\/th>\n<th>Platform<\/th>\n<\/tr>\n<tr>\n<td>Davclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>66,560<\/td>\n<td>29-Nov-2007<\/td>\n<td>05:03<\/td>\n<td>x64<\/td>\n<\/tr>\n<tr>\n<td>Mrxdav.sys<\/td>\n<td>6.0.6000.20729<\/td>\n<td>136,704<\/td>\n<td>29-Nov-2007<\/td>\n<td>02:12<\/td>\n<td>x64<\/td>\n<\/tr>\n<tr>\n<td>Webclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>212,992<\/td>\n<td>29-Nov-2007<\/td>\n<td>05:05<\/td>\n<td>x64<\/td>\n<\/tr>\n<tr>\n<td>Davclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>48,640<\/td>\n<td>29-Nov-2007<\/td>\n<td>04:07<\/td>\n<td>x86<\/td>\n<\/tr>\n<tr>\n<td>Webclnt.dll<\/td>\n<td>6.0.6000.20729<\/td>\n<td>196,096<\/td>\n<td>29-Nov-2007<\/td>\n<td>04:09<\/td>\n<td>Not Applicable<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Consider the following scenario. &nbsp; On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer. You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site. In this scenario, you are prompted to enter your credentials, even though [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,1],"tags":[],"_links":{"self":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts\/1509"}],"collection":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1509"}],"version-history":[{"count":0,"href":"https:\/\/obieta.com\/index.php?rest_route=\/wp\/v2\/posts\/1509\/revisions"}],"wp:attachment":[{"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/obieta.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}