Microsoft KB Archive/943280

= You are prompted to enter your credentials when you access an FQDN site by using a Windows Vista-based client computer that has no proxy configured =

Article ID: 943280

Article Last Modified on 1/4/2008

-

APPLIES TO


 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Business
 * Windows Vista Business 64-bit Edition
 * Windows Vista Enterprise
 * Windows Vista Ultimate

-



SYMPTOMS
Consider the following scenario.
 * On a Windows Vista-based computer, you do not configure a proxy in Windows Internet Explorer.
 * You use Web Distributed Authoring and Versioning (WebDav) to access a fully qualified domain names (FQDN) site.

In this scenario, you are prompted to enter your credentials, even though the user account that you are using has sufficient permission to access this site.

For example, when you open a Microsoft Office file from a Microsoft Office SharePoint site by using 2007 Microsoft Office on a Windows Vista-based client computer that has no proxy configured, you are prompted for authentication.

Note This problem does not occur on a Windows XP-based computer.



CAUSE
In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.

If no proxy is configured, WinHTTP sends credentials only to local intranet sites.

Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:

http://sharepoint/davshare

If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.

Note A server can be indicated for proxy bypass either through the bypass list or through the proxy configuration script.

In this case, you are prompted to enter your credentials when the Web site asks for credentials. Even in this case, the security zone settings are ignored.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Vista service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
There are no prerequisites for installing this hotfix.

Restart requirement
You have to restart the computer after you apply this.

Hotfix replacement information
This hotfix does not replace a previously released hotfix.

Registry information
To use this hotfix, you have to modify the registry.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista

After you apply this hotfix, you have to create a registry entry. To do this, follow these steps:  Click Start, type regedit in the Start Search box, and then press ENTER . Locate and then click the following registry subkey:

 On the Edit menu, point to New, and then click Multi-String Value. Type AuthForwardServerList, and then press ENTER . On the Edit menu, click Modify. In the Value date box, type the URL of the server that hosts the Web share, and then click OK.

Note You can also type a list of URLs in the Value date box. For more information, see the &quot;Sample URL list&quot; section in this article. Exit Registry Editor.</li></ol>

After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

Note You have to restart the WebClient service after you modify the registry.

Sample URL list
The following is a sample URL list: <pre class="fixed_text">https://*.Contoso.com http://*.dns.live.com https://172.169.4.6 This URL list enables the WebClient service to send credentials through the following channels.
 * .microsoft.com

Note After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers, even if these servers are on the Internet.
 * Any encrypted channel to a child domain of a domain whose name is Contoso.com.
 * Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
 * Any channel to a server whose name ends with &quot;.microsoft.com.&quot;
 * Any encrypted channel to a host whose IP address is 172.169.4.6.

Things to avoid in the URL list
<ul> Do not add an asterisk (*) character at the end of a URL. When you do this, a security risk may result.

http://*.dns.live.*

</li> Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. See the following examples: <ul> http://*Contoso.com

In this example, the service also sends user credentials to http:// Contoso.com</li> http://Contoso*.com

In this example, the service also sends user credentials to http://Contoso .com</li></ul> </li> In the URL list, do not type the UNC name of a host. For example, do not use the following:

*.contoso.com@SSL

</li> In the URL list, do not include the share name or the port number to be used. For example, do not use the following: <ul> http://*.dns.live.com/DavShare</li> http://*dns.live.com:80</li></ul> </li> Do not use IPv6 in the URL list.</li></ul>

Important This URL list does not affect the security zone settings. This URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. The list should be created as restrictively as possible to avoid any security issues. Also, because there is no specific deny list, the credentials are forwarded to all the servers that match this list.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista, x64-based versions
<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbfix kbexpertiseadvanced kbqfe kbhotfixserver KB943280

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.