Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer
Support for Windows Vista without any service packs installed ended on April 13, 2010. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows
- On a computer that is running Windows Vista or Windows 7, you do not configure a proxy in Windows Internet Explorer.
- You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.
For example, when you open a Microsoft Office file from a Microsoft Office SharePoint site by using 2007 Microsoft Office on a Windows Vista-based client computer that has no proxy configured, you are prompted for authentication.
You may also see the following error when working with moved folders via explorer view:
Your client does not support opening this list with Windows Explorer."
Note This problem does not occur on a Windows XP-based computer.
Important This hotfix is included in Windows Vista Service Pack 1 or a later service pack. However, you must still configure the AuthForwardServerList registry entry. For more information, see the Registry information section.
If no proxy is configured, WinHTTP sends credentials only to local intranet sites.
Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:
If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.
Note A server can be indicated for proxy bypass either through the bypass list or through the proxy configuration script.
In this case, you are prompted to enter your credentials when the Web site asks for credentials. Even in this case, the security zone settings are ignored.
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
If Basic authentication or Digest authentication is implemented in the network, hotfix 943280 cannot change this behavior. This behavior is by design in Basic authentication mode and in Digest authentication mode.
IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
PrerequisitesThere are no prerequisites for installing this hotfix.
Restart requirementYou have to restart the computer after you apply this .
Hotfix replacement informationThis hotfix does not replace a previously released hotfix.
Registry informationTo use this hotfix, you have to modify the registry.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
- Click Start, type regedit in the Start Search box, and then press ENTER.
- Locate and then click the following registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
- On the Edit menu, point to New, and then click Multi-String Value.
- Type AuthForwardServerList, and then press ENTER.
- On the Edit menu, click Modify.
- In the Value data box, type the URL of the server that hosts the Web share, and then click OK.
Note You can also type a list of URLs in the Value data box. For more information, see the "Sample URL list" section in this article.
- Exit Registry Editor.
Note You have to restart the WebClient service after you modify the registry.
Sample URL listThe following is a sample URL list:
https://*.Contoso.comhttp://*.dns.live.com*.microsoft.comhttps://18.104.22.168This URL list enables the WebClient service to send credentials through the following channels.
Note After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers, even if these servers are on the Internet.
- Any encrypted channel to a child domain of a domain whose name is Contoso.com.
- Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
- Any channel to a server whose name ends with ".microsoft.com."
- Any encrypted channel to a host whose IP address is 22.214.171.124.
Things to avoid in the URL list
- Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result. http://*.dns.live.*
- Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples:
In this example, the service also sends user credentials to http://extra_charactersContoso.com
In this example, the service also sends user credentials to http://Contosoextra_characters.com
- In the URL list, do not type the UNC name of a host. For example, do not use the following:*.contoso.com@SSL
- In the URL list, do not include the share name or the port number to be used. For example, do not use the following:
- Do not use IPv6 in the URL list.
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista, x86-based versions
|File name||File version||File size||Date||Time||Platform|
Windows Vista, x64-based versions
|File name||File version||File size||Date||Time||Platform|
Article ID: 943280 - Last Review: 11/11/2011 18:33:00 - Revision: 4.0
- kbautohotfix kbfix kbexpertiseadvanced kbqfe kbhotfixserver KB943280