Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer

Article ID: 943280 - View products that this article applies to.

Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows
(http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs)



Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario.
  • On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.
  • You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.
In this scenario, you are prompted to enter your credentials, even though the user account that you are using has sufficient permission to access this site.

For example, when you open a Microsoft Office file from a Microsoft Office SharePoint site by using 2007 Microsoft Office on a Windows Vista-based client computer that has no proxy configured, you are prompted for authentication.

You may also see the following error when working with moved folders via explorer view:

Your client does not support opening this list with Windows Explorer."

Note This problem does not occur on a Windows XP-based computer.

Important This hotfix is included in Windows Vista Service Pack 1 or a later service pack. However, you must still configure the AuthForwardServerList registry entry. For more information, see the Registry information section.
Back to the top | Give Feedback

CAUSE

In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:
http://sharepoint/davshare


If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

Note A server can be indicated for proxy bypass either through the bypass list or through the proxy configuration script.

In this case, you are prompted to enter your credentials when the Web site asks for credentials. Even in this case, the security zone settings are ignored.
Back to the top | Give Feedback

RESOLUTION

The fix is included in Windows 7. To fix the issue, you only need to create the registry item below.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

If Basic authentication or Digest authentication is implemented in the network, hotfix 943280 cannot change this behavior. This behavior is by design in Basic authentication mode and in Digest authentication mode.

IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios.



Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You have to restart the computer after you apply this .

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Registry information

To use this hotfix, you have to modify the registry.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
After you apply this hotfix, you have to create a registry entry. To do this, follow these steps:
  1. Click Start, type regedit in the Start Search box, and then press ENTER.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
  3. On the Edit menu, point to New, and then click Multi-String Value.
  4. Type AuthForwardServerList, and then press ENTER.
  5. On the Edit menu, click Modify.
  6. In the Value data box, type the URL of the server that hosts the Web share, and then click OK.

    Note You can also type a list of URLs in the Value data box. For more information, see the "Sample URL list" section in this article.
  7. Exit Registry Editor.
After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

Note You have to restart the WebClient service after you modify the registry.

Sample URL list

The following is a sample URL list:
https://*.Contoso.com
http://*.dns.live.com
*.microsoft.com
https://172.169.4.6
This URL list enables the WebClient service to send credentials through the following channels.

Note After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers, even if these servers are on the Internet.
  • Any encrypted channel to a child domain of a domain whose name is Contoso.com.
  • Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
  • Any channel to a server whose name ends with ".microsoft.com."
  • Any encrypted channel to a host whose IP address is 172.169.4.6.

Things to avoid in the URL list

  • Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.
    http://*.dns.live.*
  • Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
    • http://*Contoso.com

      In this example, the service also sends user credentials to http://extra_charactersContoso.com
    • http://Contoso*.com

      In this example, the service also sends user credentials to http://Contosoextra_characters.com
  • In the URL list, do not type the UNC name of a host. For example, do not use the following:
    *.contoso.com@SSL
  • In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
    • http://*.dns.live.com/DavShare
    • http://*dns.live.com:80
  • Do not use IPv6 in the URL list.
Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista, x86-based versions
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Davclnt.dll6.0.6000.2072948,64029-Nov-200704:07x86
Mrxdav.sys6.0.6000.20729112,64029-Nov-200702:02x86
Webclnt.dll6.0.6000.20729196,09629-Nov-200704:09Not Applicable
Windows Vista, x64-based versions
Collapse this tableExpand this table
File nameFile versionFile sizeDateTimePlatform
Davclnt.dll6.0.6000.2072966,56029-Nov-200705:03x64
Mrxdav.sys6.0.6000.20729136,70429-Nov-200702:12x64
Webclnt.dll6.0.6000.20729212,99229-Nov-200705:05x64
Davclnt.dll6.0.6000.2072948,64029-Nov-200704:07x86
Webclnt.dll6.0.6000.20729196,09629-Nov-200704:09Not Applicable
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top | Give Feedback

MORE INFORMATION

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684
(http://support.microsoft.com/kb/824684/LN/ )
Description of the standard terminology that is used to describe Microsoft software updates
Back to the top | Give Feedback
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use
(http://go.microsoft.com/fwlink/?LinkId=151500)
for other considerations.
Back to the top | Give Feedback

Properties

Article ID: 943280 - Last Review: November 11, 2011 - Revision: 4.0
APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
Keywords: 
kbautohotfix kbfix kbexpertiseadvanced kbqfe kbhotfixserver KB943280
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top