Tuesday, March 23, 2010

Get rid of modal login window when user opens Office 2007 document in SharePoint under FBA

As described here, when a user clicks an Office 2007 document located in a SharePoint document library and FBA is used, the user may see a modal login window:

“The Forms Authentication Integration Update for Office 2007

When Office SharePoint Server 2007 and Microsoft Office 2007 were first released, the Office client applications such as Microsoft Office Word and Microsoft Office Excel could not directly open a document from a site that was secured with forms authentication. This is because, as explained earlier, a 302 HTTP response code is sent back to the client when it tries to open an item in a site using forms authentication. The Office clients were not able to respond to a 302 response code, and as a result would display the actual forms logon page in the application, instead of the requested document.

An update is available for Office 2007 client applications that allow the applications to process a 302 HTTP response code. The applications that are affected by this update are Microsoft Office Word 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007 and Microsoft Office SharePoint Designer 2007. Because of this update, an Office application can display the forms logon page that is being used for the site in a pop-up dialog box. To do this, the application issues a request to the SharePoint site. The server sends a response that indicates its authentication method is forms authentication, including the location of the logon page that the client should use to authenticate. The Office application then renders the HTML from that logon page and enables the user to enter credentials. The credentials are sent via an HTTP POST back to the server. If the server returns a redirect response for the document that was originally requested, the Office application assumes that the identity is successfully established. It then uses the authorization cookie that the HTTP POST gave it to retrieve the document and any associated metadata, and open the item.”

We have a requirement to remove this login page when a user opens an Office document from a SharePoint doclib. Trying to enable client integration in the Internet zone and changing the “HKEY_CURRENT_USER\Software\Microsoft\Office\12.\Common\Internet\FormsBasedAuthSettings” registry key didn’t help – the login window didn’t disappear.

I would separate this problem into two issues:

  1. The login window is shown to authenticated users when they open documents. If the user just closes this login window without entering valid credentials, an empty Office document is opened.
  2. The login window is also shown to anonymous users. But unlike for an authenticated user, if an anonymous user closes the login window, the document opens successfully (provided, of course, that you configured anonymous access to the doclib from which the document is loaded, but that is out of scope of the current post).

After investigation I found the following solutions for both mentioned problems:

  1. For authenticated users – persistent cookies should be used. See the comments to the following post: http://www.sharepointkings.com/2008/06/in-fba-when-i-open-document-from.html. We use a custom login page with the standard ASP.NET Login control on it, so I set the RememberMeSet property to true. It in turn passes true as the second parameter of the FormsAuthentication.SetAuthCookie(…) method. See the AttemptLogin() method of the Login control:

         private void AttemptLogin()
         {
             // ...
             // The second argument is createPersistentCookie: when RememberMeSet
             // is true, the auth cookie is persisted across browser sessions.
             FormsAuthentication.SetAuthCookie(this.UserNameInternal, this.RememberMeSet);
             this.OnLoggedIn(EventArgs.Empty);
             this.Page.Response.Redirect(this.GetRedirectUrl(), false);
             // ...
         }

  2. In order to remove the login window for anonymous users – a special HTTP module is required. See http://www.theblackknightsings.com/RemoveLoginBoxWhenAnonymousUsersDownloadOfficeDocumentFromSharePointSite.aspx:

“But there is one area where the out of the box experience fails regarding anonymous access and that is when you allow the users to download Microsoft Office documents. In that case IE/Office pops up a couple of Login dialogs, if the user cancels out of these the document opens as expected, but you really don't want the user to have to cancel a couple of dialogs to open your documents

The problem is that office tries to be intelligent and issues a Microsoft Office Protocol Discovery request to see how much the user is allowed to do, but SharePoint responds with access denied until the user logs in.

The solution I've found is to implement a HttpModule which rejects the Microsoft Office Protocol Discovery request if the user isn't logged in and this gets rid of the Login boxes”

After I applied this module – the login window disappeared for anonymous users.
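
The module described in the quote could look like the following. This is an added example, not the linked author's code; the class name `OfficeDiscoveryRejectModule`, matching the request by its User-Agent string, and the 403 status code are assumptions.

```csharp
using System;
using System.Web;

// Added example, not the linked author's code. The class name and the 403
// status are assumptions; the page only says the discovery request is rejected.
public class OfficeDiscoveryRejectModule : IHttpModule
{
    // User-Agent Office sends when it probes the server before opening a document.
    private const string DiscoveryAgent = "Microsoft Office Protocol Discovery";

    public void Init(HttpApplication app)
    {
        // Run after authentication so the FBA ticket (if any) has been evaluated.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (!IsAnonymousDiscovery(app.Context))
            return;

        // Answer the probe here so SharePoint never produces the
        // access-denied response that makes Office show the login dialog.
        app.Response.Clear();
        // Assumed status. Not 401: forms authentication turns a 401 into a
        // redirect to the login page, which is what we are trying to avoid.
        app.Response.StatusCode = 403;
        app.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    // The User-Agent is client-controlled, so it is used only to refuse a
    // request early; it must never be a condition for granting access.
    private static bool IsAnonymousDiscovery(HttpContext ctx)
    {
        string agent = ctx.Request.UserAgent ?? string.Empty;
        bool isDiscovery =
            agent.IndexOf(DiscoveryAgent, StringComparison.OrdinalIgnoreCase) >= 0;
        return isDiscovery && !ctx.Request.IsAuthenticated;
    }

    public void Dispose() { }
}
```

Register the module under `<httpModules>` in the web application's web.config. Authenticated users are not affected, because the module only short-circuits requests that carry no valid forms ticket.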

These 2 solutions helped me to avoid the problem with the modal login window both for authenticated and anonymous users.
