Symptoms
- You use a computer that is running Windows Vista or a later version of Windows.
- You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.
Cause
Note If the URL contains no period in the server name, such as in the following example, the server is assumed to be on a local intranet site:
http://sharepoint/davshare
If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.Note A server can be indicated for proxy bypass through either the bypass list or the proxy configuration script.
In this situation, you are either denied access or prompted to enter your credentials when the website asks for credentials. Even when this occurs, the security zone settings are ignored.
Resolution
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Registry information
To resolve this problem, create a registry entry. To do this, follow these steps:
- Click Start, type regedit, and then press Enter.
- Locate and then select the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
- On the Edit menu, point to New, and then click Multi-String Value.
- Type AuthForwardServerList, and then press Enter.
- On the Edit menu, click Modify.
- In the Value data box, type the URL of the server that hosts the web share, and then click OK.
Note You can also type a list of URLs in the Value data box. For more information, see the "Sample URL list" section in this article. - Exit Registry Editor.
- If you have added the AuthForwardServerList registry entry, be aware that if Basic authentication or Digest authentication is implemented in the network, using the registry entry cannot prevent the prompt for credentials. This behavior is by design for Basic authentication and Digest authentication.
- You must restart the WebClient service after you modify the registry.
Sample URL list
In the Value data box for the new entry, you can enter a list of URLs, such as the following example:
https://*.Contoso.comhttp://*.dns.live.com*.microsoft.com
- Any encrypted channel to a child domain of a domain whose name is Contoso.com.
- Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
- Any channel to a server whose name ends in ".microsoft.com."
Things to avoid in the URL list
- Do not add an asterisk (*) character at the end of a URL. This can create a security risk. For example, do not use the following URL:
- http://*.dns.live.*
- http://*.dns.live.*
- Do not add an asterisk (*) before or after a string. This can cause the WebClient service to send user credentials to additional servers. For example, do not use the following URLs:
- http://*Contoso.com
In this example, the service also sends user credentials to http://extra_charactersContoso.com.
- http://Contoso*.com
In this example, the service also sends user credentials to http://Contosoextra_characters.com.
- http://*Contoso.com
- In the URL list, do not type the UNC name of a host. For example, do not use the following URL:
- http://*.contoso.com@SSL
- http://*.contoso.com@SSL
- In the URL list, list, do not end the URL in a backslash, and do not include the share name or the port number to be used. For example, do not use the following URLs:
- http://*.dns.live.com/
- http://*.dns.live.com/DavShare
- http://*dns.live.com:80
- Do not use IPv6 in the URL list.
Important
This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.