Client Integration Support for Different Authentication Providers

A common question these days is: "Can I access Office documents if I use forms-based authentication (FBA) or single sign-on (SSO) authentication?"

You can select Windows, FBA or SSO as your authentication type for a web application zone and can disable client integration, which removes features that start client applications. This is the optimal configuration for some scenarios, such as publishing read-only content to the Web for anonymous access. Additionally, if you select ASP.NET forms authentication or Web Single Sign-On (SSO) authentication, client integration is set to No by default.

To get to the Client Integration section, open the SharePoint Central Administration Web site. On the Application Management page, in the Application Security section, click Authentication providers. Click the zone that you want to modify authentication settings for. The Edit Authentication page opens.

Expected behaviors when client integration is disabled

When client integration is disabled, sites behave in the following ways:

 

  • Links that start client applications are not visible.
  • Documents are opened in the browser. Documents cannot be opened by client applications.
  • Users cannot edit documents on the site directly from the client applications. However, users can download the document, edit the document locally, and then upload the document.

Behaviors of specific authentication methods

In addition to the deployment scenario (such as publishing read-only content), the choice of authentication method might determine how to configure client integration. Some authentication methods behave differently with client applications. In some cases, the behavior depends on whether client browsers are configured to use persistent cookies or session cookies.

Basic

Users are prompted to enter their credentials each time they access a document. Other features might also require that they enter their credentials again.

ASP.NET forms and Web SSO

If the following conditions are true, a persistent cookie is created:

  • The authentication provider supports persistent cookies.
  • The user clicks Sign me in automatically when they log in.

The persistent cookie is shared by all applications that use the same cookie store, so the user can open documents in the client applications. The persistent cookie is created with a default time-out value of 30 minutes. This value can be changed by adding or updating the timeout attribute on the forms node in the Web.config file. For example:

<forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />

When the cookie expires, client integration stops working. If users are in a browser, they will be prompted to re-enter credentials.

If the authentication provider does not support persistent cookies or the user did not click Sign me in automatically when they logged in, a session cookie is used. A session cookie is accessible only by the browser, so the user will not be able to open documents directly in the client applications.

If the authentication provider does not provide support for persistent cookies or if persistent cookies are not allowed in your environment, turn off client integration. For example, Active Directory Federation Services (AD FS) does not provide support for persistent cookies.
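
An added example, not part of the original article: a small Python check that reads the forms node from a Web.config and reports the effective cookie time-out (falling back to the 30-minute default described above) and whether the cookie is restricted to HTTPS. The 60-minute ceiling, the sample configuration and the function name audit_forms_auth are assumptions made for illustration; requireSSL is a standard attribute of the ASP.NET forms element that the article does not discuss.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MIN = 30  # default forms cookie time-out stated in the article
MAX_TIMEOUT_MIN = 60      # assumed policy ceiling for this example, not from the article

# Constructed sample Web.config wrapped around the article's forms node.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name=".ASPXFORMSAUTH" timeout="100" />
    </authentication>
  </system.web>
</configuration>"""


def audit_forms_auth(web_config_xml, max_timeout_min=MAX_TIMEOUT_MIN):
    """Return (settings, findings) for the forms node in a Web.config string.

    settings is None when the configuration does not use forms authentication.
    """
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authentication")
    if auth is None or auth.get("mode") != "Forms":
        return None, []
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}

    findings = []
    raw_timeout = attrs.get("timeout")
    try:
        timeout = DEFAULT_TIMEOUT_MIN if raw_timeout is None else int(raw_timeout)
    except ValueError:
        timeout = DEFAULT_TIMEOUT_MIN  # reported value only; the entry itself is invalid
        findings.append(f"timeout={raw_timeout!r} is not a whole number of minutes")
    if timeout > max_timeout_min:
        findings.append(f"cookie valid for {timeout} min, above the {max_timeout_min} min ceiling")

    # requireSSL defaults to false; the cookie then lacks the Secure flag.
    require_ssl = attrs.get("requireSSL", "false").lower() == "true"
    if not require_ssl:
        findings.append("requireSSL is not true: cookie can travel over plain HTTP")

    settings = {"timeout_min": timeout, "require_ssl": require_ssl}
    return settings, findings


if __name__ == "__main__":
    settings, findings = audit_forms_auth(SAMPLE_WEB_CONFIG)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```
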

Anonymous

When opening a document, users are repeatedly prompted for their credentials. If they click Cancel in the authentication dialog box 10 times, the site might open the document by using the client application. Because of this poor experience, it is recommended that client integration be turned off for anonymous access scenarios.

The article "Plan authentication settings for Web applications" contains more information.