I very often get cases with the question:
“Why do I have to log on each time when opening an Office document from a SharePoint library when I’m already authenticated via the browser?”
Well, first of all, the “Multiple logon prompt issue” can occur for a lot of reasons. It depends on the client operating system version, the Office version, and other circumstances such as using ISA Server and FBA, or coming from the extranet or intranet.
So, regardless of any special configuration or infrastructure, I’ll try to explain the native process and why we get another logon prompt when opening an Office document inside a SharePoint library.
- Trusted Client – A trusted client is a computer with a logged-on user, both of which are members of the domain in which SharePoint resides. Since we use “Windows integrated authentication”, the credentials of the trusted client are passed through. The browser session cookie authenticates against SharePoint, and Office documents are opened without any further authentication request.
- Untrusted Client – An untrusted client is any computer outside the local network that is not a member of the domain in which SharePoint resides. If you are attempting to gain access, your system is considered untrusted until you log in as an authenticated user of that domain. A browser session cookie with the domain credentials is then established, and you can now browse inside SharePoint.
When you access an Office document from a library as an untrusted client, IE does not pass its authentication/trust/token to the Office application when it opens, even though your login credentials are already authenticated by the browser session cookie, so the application does not gain the access that IE already has. The additional login prompts occur because documents opened with Office 2003/2007 try to re-establish trust per application: the client machine is not trusted when coming from the public web, so a new authentication is requested.
This is “by design”, and you’ll have at least two logon prompts in such a scenario:
- 1st, for the browser to access the SharePoint site;
- 2nd, for the Office application when you open a document from a library.
Once you have opened an Office document, if you close only the document and not the application itself, the Office application is still authenticated (after the 2nd logon) and you can open any other document without further prompts. But this is only a simple workaround and may not be applicable in all cases.
We have published very detailed KB Articles that you may read to get a complete description and some recommendations on how to deal with this as far as it will be applicable:
Office: Authentication prompts when opening Microsoft Office documents
How documents are opened from a Web site in Office 2003
Persistent cookies are not shared between Internet Explorer 7 and Office applications in Windows Vista
Some related posts from my archive will also give some more information:
From the ISA Blog:
Unable to “Check Out” a Document in MOSS 2007 Published Through ISA Server 2006
Understand duplicate authentication prompts ISA 2006 publishing MOSS using FBA