Article ID: 2756625
Consider a scenario where users log in to an external SharePoint site that has been published through Threat Management Gateway (TMG). The site requires logging in via Forms-Based Authentication (FBA), which has been implemented at TMG. However, users are prompted for credentials by a Windows Security prompt for username and password when they try to open Office documents.
This article provides more information about this behavior and the solution for eliminating the authentication prompt, since the user has already logged in to the SharePoint site via TMG.
The prompt occurs because Internet Explorer (IE) is authenticated, but when the file is opened the process switches to the Office application, which is not authenticated when it makes an OPTIONS call on the folder that contains the document. Because no credentials or cookies are available to send with the OPTIONS request, the OPTIONS call fails with a 401 status and the user is prompted for credentials. Entering the credentials allows the document to be opened and edited.
Office needs a persistent authentication cookie to send with the OPTIONS call and the other WebDAV calls in order to open documents without prompting. Office can use a persistent cookie, but it cannot use IE's session cookie. The persistent authentication cookie should be implemented at TMG because FBA is implemented there.
Single sign-on between different applications requires persistent cookies, which are disabled by default. For example, persistent cookies allow users to navigate to Word documents from links provided by a SharePoint site without being prompted for credentials. As a security best practice, Microsoft recommends that you use persistent cookies only on private computers (which is the default setting).
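The following Python model, added here as an illustration and not part of the original article or of TMG, shows why the two cookie types behave differently: the browser stores the forms-auth cookie, a second process (Office) can only see what was persisted to disk, and the OPTIONS call is answered 401 unless the auth cookie arrives with it. The site name, cookie name and token value are constructed placeholders, not TMG's real values.

```python
import email.message
import http.cookiejar
import os
import tempfile
import urllib.request

SITE = "https://sharepoint.example.com"  # hypothetical published site (constructed)
AUTH_COOKIE = "FbaAuthCookie"             # placeholder; not TMG's real cookie name


def fba_set_cookie(persistent):
    """Set-Cookie value a forms-auth listener might return (constructed)."""
    hdr = f"{AUTH_COOKIE}=opaque-token; Path=/; Secure; HttpOnly"
    return hdr + "; Expires=Wed, 01 Jan 2031 00:00:00 GMT" if persistent else hdr


def browser_login(persistent, jar_file):
    """IE side: accept the FBA cookie, then write the cookie store to disk.
    A session cookie (no Expires) is never written, which is why a second
    process cannot reuse it."""
    jar = http.cookiejar.MozillaCookieJar(jar_file)
    headers = email.message.Message()
    headers["Set-Cookie"] = fba_set_cookie(persistent)
    response = type("Resp", (), {"info": lambda self: headers})()
    jar.extract_cookies(response, urllib.request.Request(SITE + "/login"))
    jar.save(ignore_discard=False)  # persists only non-session cookies


def office_options_status(jar_file, folder="/sites/docs/"):
    """Office side: a new process with its own cookie jar loads whatever was
    persisted and sends OPTIONS to the document's folder. The listener answers
    401 unless the auth cookie is present. Returns the HTTP status code."""
    jar = http.cookiejar.MozillaCookieJar(jar_file)
    jar.load(ignore_discard=False)
    req = urllib.request.Request(SITE + folder, method="OPTIONS")
    jar.add_cookie_header(req)
    cookie_hdr = req.get_header("Cookie", "")
    return 200 if AUTH_COOKIE + "=" in cookie_hdr else 401


def simulate(persistent):
    """Run the login-then-open sequence with a fresh on-disk cookie store."""
    with tempfile.TemporaryDirectory() as tmp:
        jar_file = os.path.join(tmp, "cookies.txt")
        browser_login(persistent, jar_file)
        return office_options_status(jar_file)


if __name__ == "__main__":
    print("session cookie    -> OPTIONS", simulate(False))  # 401: credential prompt
    print("persistent cookie -> OPTIONS", simulate(True))   # 200: opens silently
```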
Follow the steps to configure single sign-on and persistent cookies in TMG:
For more information about the security risk of persistent cookies and mitigation, visit the following articles in TechNet:
Note (From TMG Help):
With SSO, users can click a link on a Web page supplied by one Web site and move safely to another Web site without having to supply their credentials again. Single sign-on is available for Web sites that are published by rules that use the same Web listener. The Web listener must be configured to use HTML forms-based authentication, and SSO must be enabled for it.
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.