Groups | Blog | Home
all groups > iis security > august 2006 >

iis security : User gets challenged for authentication when opening a document


John Beschler
8/8/2006 3:27:02 PM
WE have a WEB-Based application that (among other things) generates an excel
spreadsheet that is returned to the user. The entire site is SSL secured and
uses NTFS permissions for all pages.

All users must have a domain account to access the site. When initially
entering the site, they are challenged for their domain username/password.
Thereafter, no matter where they go within the site, they are not challenged
again excpet for this one instance. Whenever they request this aprticular
report (in excel) once the report generates, the user is prompted as to
whether they wish to open the file or save it. Then, they are challenged
again for their domain username/password.

Can anyone explain to me why this is happeneing and how to elimnate the
second challenge. Permissions "should" be the same for the document as for
the rest of the site.
Thanks,
John
David Wang [Msft]
8/8/2006 7:31:21 PM
I believe that second challenge comes from the Office application (Excel in
this case) because it uses a different HTTP client internally (not your web
browser) with a new HTTP/HTTPS connection and hence subject to that
challenge for username/password from your site. If you can get the Office
app to not request for anything from your site to view the report, you
should not see the challenge.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

[quoted text, click to view]

John Beschler
8/9/2006 4:47:12 AM
David,

Thank you for responding. I appreciate your help as I was not aware that
office would open a new client to view the spreadsheet.

However, I am not sure exactly what you mean by getting the office app to
not request anything from the site. The Excel Spreadsheet (report) is
generated on-the-fly by the server. Doesn't that, of necessity, mean that
Office must request the document from the server.

Basically, the process is that there is a dll on the server that opens and
excel template, populates it with some data and then returns the "new"
spreadsheet to the client in a new browser window. Would it make any
difference if we returned the ss in the same browser window from which it is
requested?

Perhaps if we wrote the excel file to some place on the server that has only
HTTP enabled, and then pass the ss from there?

Thanks again for the help you have already provided and, in advance, for any
additional wisdom you can supply.
John Beschler

[quoted text, click to view]
jigs4u4ever
8/9/2006 7:57:03 AM
Hi,

Try to add the MIME type for excel. this will not ask to save docs to the
system and open the same on availabel IE browse, and if it is some session
related problems, you will not get challenge for username and password again.

Note: NTLM authentication does not allow connection through proxy.
Thanks & Regards
jigs
[quoted text, click to view]
Funkadyleik Spynwhanker
8/9/2006 2:28:33 PM

[quoted text, click to view]

Not entirely accurate. It does open a HTTP session. But it does in an
attempt to do it in read/WRITE mode.

Office by default, assumes that documents on a web site are in a
"Sharepoint" or "Office Extended" site where the user is an active
particpant in the process and is supposed to be making changes in the
document.

Whether or not it is a dynamic document or not is irrelevant, the prompt is
generated by Office trying to get _WRITE_ mode.

The only fix for this I know of is to upgrade the office install to the
latest service pack. As a work around, instruct the users to right click
and download the document. Or better yet, present it in a read-only way via
HTML or PDF or something.

So the answer is "Get the SPs for Office and it will go away".

Got something to say? Click here to post a reply to this thread.
Don't see what you're looking for? Try a search.
View other messages about iis security
AddThis Social Bookmark Button
View Other Months
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
home · blog · groups Questions? Comments? Contact the dn