I've got a mysterious edge case with some Word 2016 users on Windows using my Word add-in.
I realize much more info might be required...but I also feel this is an issue that might have some proven ways to diagnose - or someone may know of a root cause.
My simple Word add-in pulls data from a MySQL db on my web server (via php) and stores it in localstorage. Works great in Word 2016 on multiple computers. A handful of users can't, essentially, download data and my solution throws errors for them.
I've even had 2 users on the same machine - one who can use my add-in, one who cannot (so each logging into different Windows accounts at the same institution. The user who was able to happily use my app is in IT and maybe had different settings).
My nose tells me there is an Internet Explorer security setting getting in the way...we've verified that localstorage is allowed.
When a user with the problem opens Internet Explorer directly, they're able to download data and use the app (part of it works outside of Word). As I understand it, Word 2016 Add-ins use Internet Explorer 11 to render html/js/css - and a setting changed in a user's IE11 settings area will cascade to Word 2016 add-ins.
Some of the weird details I've picked up:
Opening a new browser window from inside Word (clicking on a link in my add-in that opens a full web browser) prompts a "A website wants to open web content using this program on your computer" and points to Internet Explorer's Protected Mode. I've experimented with turning this on myself and can't recreate the issue.
The user isn't signed into O365. That doesn't seem to make a difference either.
Debugging via F12Chooser shows an [object error] with an error code of "-2147024891" and a "stack" message of "Error: Access is denied..." at the point where data would be pulled...I can't get much more out of the console.
The add-in is able to hit Firebase (I'm using Google's Firebase for authentication) and I get a response from their server...but not my ajax call to my php file.
Any thought or direction appreciated.
I have a program running as a service in IIS in Windows Server 2008 R2. The program has no problem creating a report in Excel. The problem occurs when it tries to get access to the Excel file that it has just created. This gives the users an 80070005 error right at this line of code:
Excel.Application excelSS = null;
excelSS = new Excel.Application(); // <-- Error
Because at that point, the program has not tried to get access to the Excel file just yet, I believe the problem is not related to lack of access rights to the file. I believe the problem may have to do with locating the Excel program. This may have to do with the fact that the Excel is 32-bit and the Windows operating system is in 64-bit. I am not sure.
The strange thing is that I have no problem viewing the Excel report through IIS. Another IT guy also has no problem doing this. But normal users all have this problem trying to do the exact same thing. This all points to the high probability that this problem is related to "access rights". If it has to do with the setup of Excel, I would assume that everyone including me would have the same problem. This is very puzzling.
I have already tried all the tips that I can find on the Internet:
Confirm that the Application-Pools in IIS uses IIS APPPOOL\DefaultAppPool user account.
Add a "Desktop" folder in system32 and in SysWOW64 under config\systemprofile and make sure the IIS APPPOOL\DefaultAppPool user account has read/write access to those folders.
Run DCOM-Config, and assign local access/launch/activation rights to IIS APPPOOL\DefaultAppPool under COM-Security. And make sure both 32-bit and 64-bit DCOM-Config get these settings.
Because of the fact that the users use "Windows Authentication" to run the program in IIS, I also make sure that the users can use their own user account to get access to the folder in IIS server that stores the Excel file.
I even go as far as adding IIS APPPOOL\DefaultAppPool to local admin user group.
The only tip that I cannot try is the fact that I cannot find "Microsoft Excel Application" listed in DCOM-Config program (Component Services --> Computers --> My Computer --> DCom Config). I am supposed to add launch/activate access rights to IIS APPPOOL\DefaultAppPool to "Microsoft Excel Application" in that list. But somehow "Microsoft Excel Application" is not in the list. I have tried looking for it in DCOM-Config in both System32 and SysWOW64 folders. This "seems" like where the problem is. But I am not sure about this because of the fact that I have no problem viewing the Excel report using my user account. If there was something wrong with the settings in Excel, I would think that none of us could view the Excel report.
I didn't have this problem when I had that program in Windows Server 2003 R2 - 32bit, or in Windows XP 32-bit.
I understand the issue about Microsoft wanting people not to use Office Automation in Windows Server 2008. And Microsoft wants people to use XML or something like that. But I also understand that people have tried this and can work around this. Because I am not the developer of that program, I really don't want to start changing that program. Therefore, I would like to be able to get the existing program to work.
Please help. Thanks in advance.
Jay Chan
It turned out this problem has to do with access rights. It seems like ASP.NET was running under the user's authentication (not surprising because I have set the web service to use "Windows Authentication"). And the user doesn't have permission to run Excel directly at the server. The solution is to use a special domain user account: (1) Assign the special user account as the local admin, (2) Assign the special user account as the "Specific user" for "ASP.NET Impersonation" for the web service.
I have a feeling that the special user account was somehow embedded in that specific web service. Therefore, the fix that I mentioned above may or may not work for other people. Unfortunately I don't know if this is true or not because I was not the developer of that web service. And I cannot find anywhere in the web service mentioning anything related to that specific user account.
I am glad that this is fixed.
Jay Chan
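A diagnostic for the situation described in this thread, added here as an example and not taken from the poster's program: it reports which Windows identity the request thread runs as when Excel activation is attempted, and the HRESULT of a failure (0x80070005 is E_ACCESSDENIED, which as a signed integer is -2147024891). The class name `ExcelActivationProbe` is hypothetical, and late binding is used so no Office interop reference is assumed.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: call Run() from the same request path that creates
// Excel.Application and write the returned string to the application log.
public static class ExcelActivationProbe
{
    private const int E_ACCESSDENIED = unchecked((int)0x80070005);

    public static string Run()
    {
        // GetCurrent() returns the impersonated identity when the thread is
        // impersonating (Windows Authentication plus ASP.NET impersonation),
        // otherwise the identity of the worker process (the app pool account).
        string identity = WindowsIdentity.GetCurrent().Name;

        bool impersonating;
        using (WindowsIdentity threadIdentity = WindowsIdentity.GetCurrent(true))
        {
            impersonating = threadIdentity != null;
        }

        string prefix = string.Format(
            "identity={0}; impersonating={1}; process={2}; ",
            identity, impersonating, IntPtr.Size == 8 ? "64-bit" : "32-bit");

        Type excelType = Type.GetTypeFromProgID("Excel.Application");
        if (excelType == null)
        {
            return prefix + "ProgID Excel.Application was not found";
        }

        object excel = null;
        try
        {
            excel = Activator.CreateInstance(excelType);
            return prefix + "activation succeeded";
        }
        catch (Exception ex)
        {
            // Unwrap a reflection wrapper if present, then read the HRESULT.
            Exception cause = ex;
            if (ex is TargetInvocationException && ex.InnerException != null)
            {
                cause = ex.InnerException;
            }
            int hr = Marshal.GetHRForException(cause);
            string meaning = hr == E_ACCESSDENIED
                ? "E_ACCESSDENIED: this identity was refused"
                : cause.GetType().Name;
            return prefix + string.Format("activation failed 0x{0:X8} ({1})", hr, meaning);
        }
        finally
        {
            if (excel != null)
            {
                // Close the instance so the probe leaves no EXCEL.EXE behind.
                excelType.InvokeMember("Quit", BindingFlags.InvokeMethod, null, excel, null);
                Marshal.FinalReleaseComObject(excel);
            }
        }
    }
}
```

Comparing the logged identity for a user who succeeds with one who fails shows whether the failure follows the caller's account rather than the Excel installation.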
I have developed a server app that uses Excel 2007 COM automation to convert some xls files. It is started as a service on a Windows Datacenter instance, running under its own user, and I had to change DCOM security settings ("launch as interactive user") to make it work.
The problem is, when I log off (via RDP), it stops working. I log on, it works again.
Has anyone had the same problem?
Ok, so I couldn't get Excel to operate without an interactive user, no amount of DCOMCNFG trickery would do. So I simply configured autologin for the user the service is running under (see http://support.microsoft.com/kb/315231 for instructions).
This has the effect that on server bootup, that user will login as an interactive console session. Unlike RDP sessions, this is permanent and makes Excel happy.
Other hints for the poor souls who have to do something similar:
create the folder C:\Windows\System32[or SysWOW64]\config\systemprofile\Desktop
make sure a default printer is configured for the user the service runs under
change DCOMCNFG settings (mmc -32, add "component services") of Excel to run using the interactive account
change global DCOM defaults to allow local access, local launch and local activation for the user the service runs under
I've had this issue, and I found that the answer is actually in the DCOM Configuration.
I did the following to resolve the issue:
Open the Excel DCOM Properties
Go to the Identity tab
Select This User
Enter the credentials of someone who has access to Excel
You may need to go to the Security tab and ensure the user you've specified above has appropriate Permissions.
After doing this, I was able to Log Off the Server while still using the Excel COM Automation libraries.
Server side:
A) Switch "Interactive User" to "This User".
B) "This User" only works after creating these folders :
C:\Windows\SysWOW64\config\systemprofile\Desktop
C:\Windows\System32\config\systemprofile\Desktop
C) Wait for it... Step B) triggers Windows to auto create:
C:\Users\Default\Desktop
Note the definition of "Interactive User" is to piggyback on whatever is the active logged-in user on the server. Thus the failure to launch MS Office when no user is active on the server.
I.e., for me, the solution was a hybrid of the already proposed solutions. I used Office 2013 (x86) on Win 2012R2. My issue was instead with Word (to use WordToPDF).
Details for Step B:
Login to Server > Start > run DCOMCNFG.EXE (to launch Component Services) > Console Root > Component Services > Computers > My Computer > DCOM Config...
Scroll to “Microsoft Word 97 - 2003 Document” or "Microsoft Excel Application" (... i.e., whatever MS Office thing you need to launch)...
Right click it and select “properties” > Identity tab > Choose “This User” > enter credentials for some user with access to MS Office on the server. (I used a user with administrator permissions.)
Details for Step C:
The wait varies from 5 min to over-night. Optionally, create this folder manually (if the folder does not exist and you're in a rush to complete testing).
There's a thing called Excel Services which is supposed to make it possible to run Excel as a service using SharePoint, which would allow it to run unattended with nobody logged in.
If the account which is running EXCEL is administrator then this will work:
For 64-bit (x64), create this folder: C:\Windows\SysWOW64\config\systemprofile\Desktop
For 32-bit (x86), create this folder: C:\Windows\System32\config\systemprofile\Desktop
Otherwise, to resolve this issue follow these steps:
Login to your Server as an administrator
Go to "Start" -> "Run" and enter "MMC comexp.msc /32"
Go to the properties of Microsoft Excel Application, under Identity, change it to The Interactive User from The Launching User (which is set by default).
Go to the properties of Microsoft Office Excel 2007 Workbook, under Identity, change it to The Interactive User from The Launching User (which is set by default).
Go to Security tab for Microsoft Excel Application and select Customize for "Launch and Activation Permissions" and add ACCOUNT (under which EXCEL is running) to it and give it "Local launch" and "Local Activation" permission
Go to Security tab for Microsoft Office Excel 2007 Workbook and select Customize for "Access Permissions" and add ACCOUNT (under which EXCEL is running) to it and give it "Local Access" permission
I had two clients with a save issue in SharePoint.
When they try to save they would get a very generic error: "Document Could not be saved"
The only way they could get them into SharePoint was by:
Saving to local File System
Using the Upload option from the SharePoint menu
Configurations
Client 1: Vista and Office 2007
Client 2: XP and Office 2003
I was able to fix client 1 by having him Map a Network Drive to the SharePoint Site.
After mapping the network drive, somehow the OS magically knew about the SharePoint documents folder and he was able to save.
I'm not having the same luck with Client 2.
It won't even let me map the network drive. I get an error (one that I did not take a screenshot of and don't remember the exact wording...sorry), but it was an error trying to map the network drive to the SharePoint site.
So, after some Googling, I had him go to Windows Update and download all the latest patches for his OS.
He claims he did, but is still getting the problem.
Before I do another WebEx and start taking stabs in the dark to try and fix him, I was wondering if any veteran SharePoint users have run into this same issue and what they did to fix.
Or, is there some OS setting I should be looking at that needs to be toggled/modified.
I can access his SharePoint site just fine from several PCs and make modifications and save as necessary.
Did you try running the Microsoft Office Diagnostics?
Start --> Microsoft Office --> Microsoft Office Tools --> Microsoft Office Diagnostics
Let that scan and repair any issues it finds and see if that helps. That tool has fixed similar issues for me many times.
I have a MOSS 07 site that is configured for anonymous access. There is a document library within this site that also has anonymous access enabled. When an anonymous user clicks on a PDF file in this library, he or she can read or download it with no problem. When a user clicks on an Office document, he or she is prompted with a login box. The user can cancel out of this box without entering a log in, and will be taken to the document.
This happens in IE but not FireFox.
I see some references to this question on the web but no clear solutions:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.sharepoint.windowsservices.development&tid=5452e093-a0d7-45c5-8ed0-96551e854cec&cat=en_US_CC8402B4-DC5E-652D-7DB2-0119AFB7C906&lang=en&cr=US&sloc=&p=1
http://www.sharepointu.com/forums/t/5779.aspx
http://www.eggheadcafe.com/software/aspnet/30817418/anonymous-users-getting-p.aspx
To disable login prompt opening office documents from SharePoint 2010 do the following settings in web.config
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true">
      <!-- here's where the magic happens -->
      <verbs allowUnlisted="true">
        <add verb="OPTIONS" allowed="false" />
        <add verb="PROPFIND" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>
If SharePoint Shared Workspace is enabled in MS Word this may prompt users with a Windows login if users do not have permissions to access or create a Shared Workspace. Do the following to turn this off:
Open MS Word
Go to Tools/Options
Click General Tab
Click Service Options
Click Shared Workspace
Uncheck box that says “The document is part of a Workspace or SharePoint Site.”
Click OK
Click OK
Try to hit a MS Word document from the SharePoint site.
If this resolves the issue, repeat the steps with every MS Office program to eliminate the prompt. (Excel, PowerPoint, Visio, etc.)
http://office.microsoft.com/en-us/word/HP010414641033.aspx
Unfortunately the only workaround I've found breaks some functionality for logged in users (can't upload multiple files, connect to Outlook, etc.)
If that is acceptable, or you want to try it and see:
In central admin > application management > application security > authentication providers select your web app and select your provider (likely "default").
Select No for client integration and save the settings.
Open your web config, find the line <add verb="OPTIONS,PROPFIND,PUT,LOCK,UNLOCK..... and remove the verb OPTIONS.
You should no longer be asked in IE for credentials. To reverse this simply undo both changes.
If you can click cancel and it comes up the problem is...
AuthForwardServerList
http://support.microsoft.com/kb/943280
Office doesn't know the site is trusted/local so it doesn't fwd your credentials and prompts you with an opportunity to provide them. It's a feature....
If you list your site in the proper registry key it will forward your credentials which are not needed but you won't get prompted.
If you have a url rewriting module or urlscan, configure the software to send http 403 to http OPTIONS requests.
In SharePoint Server 2010, the solution method changes a little because the new generation of SharePoint cannot hold verbs in web.config. Therefore, you must change the method. First of all, open IIS 7.0 and choose your application site. You can see many items in the middle of the screen. Choose and double-click Request Filters. In the request filters, you can see "Verbs". You can add the OPTIONS and PROPFIND verbs in deny mode. Finally, test your site. Sometimes SharePoint needs Client Integration Mode to be closed for your site. If needed, you can close Client Integration Mode in Central Administration.
Possible cause and resolution:
http://support.microsoft.com/kb/943280
"You are prompted to enter your credentials when you access an FQDN site from a computer that is running Windows Vista or Windows 7 and has no proxy configured"
"For example, when you open a Microsoft Office file from a Microsoft Office SharePoint site by using 2007 Microsoft Office on a Windows Vista-based client computer that has no proxy configured, you are prompted for authentication."
My guess is that the Office client is loading the underlying document template from another location where anonymous access is enabled. This also explains why you can still open the document as the Office client can also work without loading the template the document was originally created from. To see the template URL in Word 2007, enable the Developer Ribbon from Word options and click the Document Template button on the ribbon.
That doesn't seem to be it. One of the documents in question is an Excel file, which would not use the .doc template. Also, in the Document Template dialog, it doesn't give me a url to the SharePoint template file if I create a new Word document based on it. It just says the template is "Normal." I also tried disabling the template at the document library level and it doesn't change the password situation.
When opening an Office document in IE, an ActiveX component is used to call the client application, and prompt it to open the document. In other browsers, the download is a standard hyperlink, handled by the browser.
Does this happen in search results and in standard linked columns in document libraries as well?
Using a tool like Fiddler (as referenced/suggested in your first link reference, see http://www.fiddlertool.com/fiddler/ for more info) is the only efficient way of determining the root cause of this type of issue I'm aware of. Whatever is causing this will be happening over HTTP. A debugging proxy like Fiddler will show you exactly which URL/resource is causing the request for authentication.
On a related note, are you running a recent build of the platform? It might be wise to check to make sure this issue hasn't already been addressed by MS e.g. in a hotfix. The best list of updates I'm aware of is here: http://www.harbar.net/articles/postsp1.aspx
Check this : Remove Login box when anonymous users download office document from SharePoint Site
http://www.theblackknightsings.com/RemoveLoginBoxWhenAnonymousUsersDownloadOfficeDocumentFromSharePointSite.aspx
When developing Extranet/Internet site in SharePoint you often want to allow anonymous access and this works fairly well.
But there is one area where the out of the box experience fails regarding anonymous access and that is when you allow the users to download Microsoft Office documents. In that case IE/Office pops up a couple of Login dialogs; if the user cancels out of these the document opens as expected, but you really don't want the user to have to cancel a couple of dialogs to open your documents.
The problem is that Office tries to be intelligent and issues a Microsoft Office Protocol Discovery request to see how much the user is allowed to do, but SharePoint responds with access denied until the user logs in.
The solution I've found is to implement a HttpModule which rejects the Microsoft Office Protocol Discovery request if the user isn't logged in and this gets rid of the Login boxes
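One way such a module could look, added here as an example and not the code from the linked post: it answers unauthenticated OPTIONS and PROPFIND requests (the verbs other answers on this page tie to the prompt) with 403, and lets authenticated requests through so client integration stays available to them. The class name `AnonymousDiscoveryFilterModule` and the choice of 403 are assumptions.

```csharp
using System;
using System.Web;

// Hypothetical module name. Register it in the site's web.config under
// <httpModules> (classic pipeline) or <system.webServer><modules> (integrated).
public sealed class AnonymousDiscoveryFilterModule : IHttpModule
{
    // Verbs the other answers on this page associate with the login prompt.
    private static readonly string[] DiscoveryVerbs = { "OPTIONS", "PROPFIND" };

    public void Init(HttpApplication application)
    {
        // Hook in after authentication so that Request.IsAuthenticated
        // reflects what the authentication modules decided.
        application.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpRequest request = application.Request;

        // Authenticated callers and ordinary verbs (GET, POST, ...) pass
        // through untouched.
        if (request.IsAuthenticated || !IsDiscoveryVerb(request.HttpMethod))
        {
            return;
        }

        // Refuse the probe outright instead of letting it reach a 401
        // challenge, which is what makes the client show a login dialog.
        HttpResponse response = application.Response;
        response.StatusCode = 403;
        response.SuppressContent = true;
        application.CompleteRequest();
    }

    private static bool IsDiscoveryVerb(string method)
    {
        foreach (string verb in DiscoveryVerbs)
        {
            if (string.Equals(verb, method, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    public void Dispose()
    {
        // No unmanaged resources to release.
    }
}
```

A client that has not yet presented credentials on the request is treated as anonymous and receives the 403 as well, so check client integration for signed-in users after deploying it.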
I'm guessing that you use Windows Vista. We had this problem on Vista but not on XP.
From Microsoft: In Windows Vista, Internet Explorer uses the Web Client service when you use Internet Explorer to access a WebDAV resource. The Web Client Service uses Windows HTTP Services (WinHTTP) to perform the network I/O to the remote host. WinHTTP sends user credentials only in response to requests that occur on a local intranet site. However, WinHTTP does not check the security zone settings in Internet Explorer to determine whether a Web site is in a zone that lets credentials be sent automatically.
If no proxy is configured, WinHTTP sends credentials only to local intranet sites.
Note If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site:
http://sharepoint/davshare
If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.
This is a known issue that has not quite been completely fixed yet. There is a MSDN blog about it here: http://blogs.msdn.com/sharepoint/archive/2007/10/19/known-issue-office-2007-on-windows-vista-prompts-for-user-credentials-when-opening-documents-in-a-sharepoint-2007-site.aspx
There is an interesting workaround posted here: http://grounding.co.za/blogs/neil/archive/2008/11/10/workaround-sharepoint-keeps-prompting-for-login-when-creating-office-2007-documents-on-vista.aspx
Ultimately there is a patch that has been included with Vista SP1 but it also requires a registry edit. We just recently got this to work using the following steps on a Windows Vista SP2 client:
Open regedit. Navigate to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
Create a new Multi-String value called AuthForwardServerList and give it a value of (for example):
https://*.Contoso.com
http://*.dns.live.com
*.microsoft.com
https://172.169.4.6
Then restart the WebClient service.
We were able to get this working by changing IE settings.
We have the site URL in Trusted Sites.
Under Custom Settings set User Authentication to: Automatic logon with current user name and password
I found a solution. First of all, open the web application config file under inetpub. Then find the add verbs section. In this section, many verbs were added at installation time. Delete the OPTIONS and PROPFIND verbs and save the config file. Finally, test for the problem. The problem is finished.
I've found the following workaround:
http://www.objectsharp.com/cs/blogs/max/archive/2008/04/21/sharepoint-public-facing-website-and-microsoft-office-documents.aspx
To keep it simple:
Disable client integration
Remove the OPTIONS verb from the registration line in the web.config file for the site