This article describes this behavior and the configuration that eliminates the authentication prompt, since the user has already logged in to the SharePoint site through TMG.
Office needs a persistent authentication cookie to send with the OPTIONS call and the other WebDAV calls in order to open documents without prompting. Office can use a persistent cookie, but it cannot use Internet Explorer's session cookie. The persistent authentication cookie should be issued by TMG, because forms-based authentication (FBA) is implemented there.
Follow these steps to configure single sign-on and persistent cookies in TMG:
- In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
- In the Tasks pane, click the applicable Web publishing rule.
- On the Tasks tab, click Edit Selected Rule (or double-click the rule).
- On the Listener tab, click Properties.
- On the Authentication tab, verify that the Method clients use to authenticate to Forefront TMG is set to HTML Form Authentication.
- On the SSO tab, select Enable Single Sign On.
- Under Specify the Single Sign On domains for this Web listener, perform the following steps for the sites for which you want to allow single sign-on (SSO):
- Click Add.
- Type the SSO domain for two or more Web sites.
- On the Forms tab for the Web listener, click Advanced, and then under Use persistent cookies, select either On all computers or Only on private computers.
If persistent cookies are enabled only for private computers and not for public computers, a user who selects This is a private computer at the FBA / TMG login screen is not prompted for credentials when opening Office documents from SharePoint, because Office can now use the persistent cookie. However, the site must be in the Trusted Sites zone (see article 932118), and Internet Explorer 8.0 or later must be used (see article 2538896). Also, Office 2007 must be at SP2 + April 09 CU, and MOSS 2007 must be at SP2 + April 09 CU.
If the user selects This is a public computer at the FBA / TMG login screen, the user is prompted for a user name and password when opening Office documents.
- In the details pane, click Apply, and then click OK.
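The fix above depends on one observable fact: the authentication cookie that comes back from the forms login must carry a lifetime (Max-Age or a future Expires) rather than being a session cookie. The following script is an added example, not part of this article or any Microsoft tool; it parses Set-Cookie headers captured from the login response (for instance from the browser's developer tools) and reports whether each cookie is persistent, session-only, or already expired, and whether a persistent one is missing the Secure or HttpOnly attributes that limit the exposure of a long-lived credential. The cookie names and header values in SAMPLE_HEADERS are constructed sample data, not real TMG output.

```python
"""Classify Set-Cookie headers as persistent, session-only, or expired.

Added example (not from the KB article or from Microsoft). The cookie
names and values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple


@dataclass
class CookieInfo:
    name: str
    verdict: str                 # "persistent", "session" or "expired"
    secure: bool
    httponly: bool
    max_age: Optional[int]
    expires: Optional[datetime]


def parse_set_cookie(header: str, now: Optional[datetime] = None) -> CookieInfo:
    """Parse one Set-Cookie header value and classify its lifetime."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    max_age = expires = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
                if expires.tzinfo is None:   # treat a bare date as UTC
                    expires = expires.replace(tzinfo=timezone.utc)
            except (TypeError, ValueError):
                pass
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    # RFC 6265: Max-Age takes precedence over Expires; with neither
    # attribute the browser discards the cookie when the session ends,
    # which is exactly the cookie Office cannot reuse.
    if max_age is not None:
        verdict = "persistent" if max_age > 0 else "expired"
    elif expires is not None:
        verdict = "persistent" if expires > now else "expired"
    else:
        verdict = "session"
    return CookieInfo(name.strip(), verdict, secure, httponly, max_age, expires)


def audit_cookies(headers: List[str], now: Optional[datetime] = None
                  ) -> List[Tuple[str, str, List[str]]]:
    """Return (name, verdict, findings) for each Set-Cookie header.

    A session cookie is flagged because Office will not present it on its
    WebDAV requests; a persistent cookie without Secure or HttpOnly is
    flagged because it is the longer-lived credential worth protecting.
    """
    results = []
    for h in headers:
        info = parse_set_cookie(h, now)
        notes = []
        if info.verdict == "session":
            notes.append("session cookie: Office cannot reuse it, expect a prompt")
        elif info.verdict == "expired":
            notes.append("cookie is already expired")
        else:
            if not info.secure:
                notes.append("persistent cookie without Secure attribute")
            if not info.httponly:
                notes.append("persistent cookie without HttpOnly attribute")
        results.append((info.name, info.verdict, notes))
    return results


# Fixed "current time" so the classification is reproducible.
SAMPLE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Constructed sample headers: a session-only auth cookie (what a login
# without persistent cookies returns), the same cookie with a lifetime,
# and an unrelated cookie missing the protective attributes.
SAMPLE_HEADERS = [
    "authcookie=abc123; Path=/; Secure; HttpOnly",
    "authcookie=abc123; Path=/; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Secure; HttpOnly",
    "tracking=xyz; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    for name, verdict, notes in audit_cookies(SAMPLE_HEADERS, SAMPLE_NOW):
        print(f"{name}: {verdict} {notes or ['ok']}")
```

Run it against the real Set-Cookie lines from the TMG login response: if the authentication cookie is reported as "session" after the change, the persistent-cookie setting has not taken effect for that listener or that computer type.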
For more information about the security risk of persistent cookies and how to mitigate it, see the following TechNet articles:
With SSO, users can click a link on a Web page supplied by one Web site and move safely to another Web site without having to supply their credentials again. Single sign-on is available for Web sites that are published by rules that use the same Web listener. The Web listener must be configured to use HTML forms-based authentication, and SSO must be enabled for it.
Article ID: 2756625 - Last Review: Mar 14, 2013 - Revision: 1