Consider a scenario where users log in to an external SharePoint site which has been published through Threat Management Gateway (TMG). The site requires logging in via Forms-Based Authentication (FBA) which has been implemented at TMG. However, users are prompted for credentials via a Windows Security prompt for username and password when they try and open Office documents.
This article provides more information about this behavior and solution to eliminate the authentication prompt as the user has already logged in to the SharePoint site via TMG.
The prompt occurs because Internet Explorer is authenticated, but when the process switches to Office as the file is opened, Office is not. The Office application first issues a WebDAV OPTIONS request against the folder that contains the document. Since no credentials or cookies are available to pass with that request, the OPTIONS call fails with a 401 status and the user is prompted for credentials. Entering the credentials allows the document to open and to be edited.
To open documents without prompting, Office needs a persistent authentication cookie that it can pass with the OPTIONS call and the other WebDAV calls. Office can use a persistent cookie, but it cannot use IE's session cookie. The persistent authentication cookie should be implemented at TMG, since FBA is implemented there.
Single sign-on between different applications requires persistent cookies, which are disabled by default. For example, persistent cookies allow users to navigate to Word documents from links provided by a SharePoint site without being prompted for credentials. As a security best practice, Microsoft recommends that you use persistent cookies only on private computers (which is the default setting).
Follow the steps to configure single sign-on and persistent cookies in TMG:
In the Forefront TMG Management console, in the tree, click the Firewall Policy node.
In the Tasks pane, click the applicable Web publishing rule.
On the Tasks tab, click Edit Selected Rule (or double-click the rule).
On the Listener tab, click Properties.
On the Authentication tab, verify that the Method clients use to authenticate to Forefront TMG is set to HTML Form Authentication.
On the SSO tab, select Enable Single Sign On.
Under Specify the Single Sign On domains for this Web listener, perform the following steps for the sites for which you want to allow single sign-on (SSO).
Type the SSO domain for two or more Web sites.
On the Forms tab for the Web listener, click Advanced, and then under the Use persistent cookies drop-down select either On all computers or Only on private computers.
If persistent cookies are enabled only for private computers and not for public computers, then when the user logs in to TMG and selects This is a private computer at the FBA / TMG login screen, the user is not prompted for credentials when opening Office documents from SharePoint, because Office is now able to use the persistent cookie. However, the site must be in the Trusted Sites zone per 932118, and Internet Explorer version 8.0 or higher must be used per 2538896. Also, Office 2007 must be at SP2 + April 09 CU, and MOSS 2007 must be at SP2 + April 09 CU.
If the user selects This is a public computer at the FBA / TMG login screen, the user will be prompted for username and password when opening Office documents.
In the details pane, click Apply, and then click OK.
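The whole behavior above turns on one property of the cookie TMG issues after forms-based login: a session cookie lives only in the browser process, while a cookie carrying Expires or Max-Age is written to the persistent cookie store that a separate process such as an Office application can read. The following added example (not code from the KB article or from TMG itself) is a small diagnostic that classifies Set-Cookie headers captured from the listener, so an administrator can verify after changing the Use persistent cookies setting that the authentication cookie actually became persistent. The cookie names, the domain-free paths and the expiry dates are constructed sample values; the Max-Age-over-Expires precedence follows RFC 6265.

```python
"""
Added diagnostic (not part of the KB article): classify Set-Cookie headers
returned by a forms-based-authentication front end as session or persistent.
A persistent cookie is the property that decides whether a second process
(for example an Office application issuing WebDAV OPTIONS requests) can reuse
the browser's login instead of answering a 401 with a credential prompt.
Cookie names and dates below are constructed sample values, not TMG's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set


@dataclass
class CookieReport:
    name: str
    persistent: bool
    secure: bool
    http_only: bool
    reason: str


def classify_set_cookie(header_value: str, now: Optional[datetime] = None) -> CookieReport:
    """Parse one Set-Cookie header value and decide whether the cookie is persistent."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    flags: Set[str] = set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            flags.add(part.lower())

    now = now or datetime.now(timezone.utc)
    persistent = False
    reason = "no Expires/Max-Age: session cookie, held only by the browser process"

    # RFC 6265: Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            max_age = 0
        if max_age > 0:
            persistent, reason = True, "Max-Age=%ds: stored on disk, reusable by other processes" % max_age
        else:
            reason = "Max-Age<=0: cookie is being expired"
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires > now:
                persistent, reason = True, "Expires in the future: stored on disk, reusable by other processes"
            else:
                reason = "Expires in the past: cookie is being expired"
        except (TypeError, ValueError):
            reason = "unparseable Expires: treated as session cookie"

    return CookieReport(name, persistent, "secure" in flags, "httponly" in flags, reason)


def reusable_by_other_process(headers: List[str], now: Optional[datetime] = None) -> List[str]:
    """Names of cookies a separate client process (such as Office) could reuse."""
    return [r.name for r in (classify_set_cookie(h, now) for h in headers) if r.persistent]


# Constructed sample headers: the first resembles the default (session-only)
# listener behavior, the second the behavior after persistent cookies are enabled.
SAMPLE_HEADERS = [
    "FbaSessionCookie=abc123; Path=/; Secure; HttpOnly",
    "FbaPersistentCookie=abc123; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Secure; HttpOnly",
    "StaleCookie=x; Path=/; Max-Age=0",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = classify_set_cookie(header)
        print("%-20s persistent=%-5s secure=%-5s httponly=%-5s %s"
              % (report.name, report.persistent, report.secure, report.http_only, report.reason))
    print("reusable by a second process:", reusable_by_other_process(SAMPLE_HEADERS))
```

Run it against the Set-Cookie values recorded by a browser developer tool or a proxy trace of the FBA login: if the authentication cookie still reports as a session cookie after the change, the listener setting did not take effect for that client type (for example, the user chose This is a public computer). The Secure and HttpOnly columns are a useful side check, since a cookie that now persists on disk should at least be restricted to HTTPS.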
For more information about the security risk of persistent cookies and mitigation, visit the following articles in TechNet:
With SSO, users can click a link on a Web page supplied by one Web site and move safely to another Web site without having to supply their credentials again. Single sign-on is available for Web sites that are published by rules that use the same Web listener. The Web listener must be configured to use HTML forms-based authentication, and SSO must be enabled for it.