Authentication prompts when opening Microsoft Office documents on Anonymous SharePoint Sites

  • Article

If you are using SharePoint for internet site with anonymous access, your users might be prompted for authentication.

 

Microsoft released https://support.microsoft.com/kb/2019105 article for this issue.

 

If users use different browser than Internet Explorer, they are not prompted. It is because other browsers download the file first and open with Microsoft Office Application as it is explained in KB article

 

“When Internet Explorer opens an Office document, it launches the appropriate Office application with the path to the document. The Office application will then attempt to access the document directly from the server. This is different from other browsers and other file types – most browsers download the file and call the application to open it from the local cache. However, when this is done, if the opened file is changed and saved, the changes are only made to the local copy and not to the server copy.”

I was using Internet Information Service 7.0 on one of my project and faced the same issue. If you read the article fully. It says at the end

 

“Disable support of the OPTIONS and PROPFIND verbs – If the Web application is not intended to be used for WebDAV, then on a default IIS server the Web Service Extension providing the WebDAV functionality can be set to Prohibited (this could be WebDAV or FrontPage Server Extensions). If the site is providing WebDAV functionality through another extension, then the provider of that extension should be involved. For instance, to accomplish this with Windows SharePoint Services (WSS) the site should be configured to disable Client Integration and/or the OPTIONS and PROPFIND verb should be inhibited (on IIS6, remove the verbs from the <httpHandlers> registration line in the web.config file; on IIS7, use the HTTP Verbs tab of the Request Filtering feature to deny the verbs). Note that this approach will open the content in Read only mode as this disables direct-edit functionality.”

First, disable client Integration on SharePoint Central Administration > Application Management > Authentication Providers > Edit Authentication for your web application

Second, prevent OPTIONS and PROFIND in <httphandlers> section in IIS 6.0 or <requestFiltering> section in IIS 7.0. I used below to prevent it in my case.

<security>

   <requestFiltering>

                <verbs applyToWebDAV="false">

                      <add verb="OPTIONS" allowed="false" />

                   </verbs>

   </requestFiltering>

</security>