KB943280 vista authentication to FQDN intranet site

I posted this in a sharepoint group and didn't get much. I haven't seen
this come up here yet. As you may know vista has a problem
where users are prompted for credentials when opening office documents on a
sharepoint site that uses a FQDN. A hotfix has been released.
http://support.microsoft.com/?id=943280

The problem I see with this hotfix is the end user must install it AND edit
the registry to list the URLs of the servers they want to pass their
credentials to. I don't understand why the hotfix can't use the list of
URLs already provided by the user to decide which sites to consider
trustworthy. You know, the list of "Trusted Sites" or perhaps "Intranet
Sites".

Am I understanding the requirements of this hotfix correctly?
Any suggestions?

Dear Customer,

Thank you for your post.

In Windows Vista, Internet Explorer uses the Web Client service when you
use Internet Explorer to access a WebDAV resource.

The Web Client Service uses Windows HTTP Services (WinHTTP) instead of
Windows Internet (WinInet) API to perform the network I/O to the remote
host. WinHTTP sends user credentials only in response to requests that
occur on a local intranet site. Please note, WinHTTP does not check the
security zone settings in Internet Explorer to determine whether a Web site
is in a zone that lets credentials be sent automatically. This is different
from Windows Internet (WinInet) API which will check the security zone
settings in Internet Explorer.

Therefore, the Intranet Sites and Trusted Sites configured in Internet
Explorer security zone will take no effect on WinHTTP.

The solution is to install the hotfix 943280 and add URL of the server that
hosts the Web share in 'AuthForwardServerList' Registry Key. After that, if
any clients try to access a URL that matched any of the expressions found
in the "AuthForwardServerList" value, credentials will be sent to
authenticate the user even if he doesn't have a proxy configured.

I hope this helps.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.

This hotfix isn't practical enough to consider using.


"Jian-Ping Zhu [MSFT]" <v-> wrote in message
news:...
> Dear Customer,
>
> Thank you for your post.
>
> In Windows Vista, Internet Explorer uses the Web Client service when you
> use Internet Explorer to access a WebDAV resource.
>
> The Web Client Service uses Windows HTTP Services (WinHTTP) instead of
> Windows Internet (WinInet) API to perform the network I/O to the remote
> host. WinHTTP sends user credentials only in response to requests that
> occur on a local intranet site. Please note, WinHTTP does not check the
> security zone settings in Internet Explorer to determine whether a Web
> site
> is in a zone that lets credentials be sent automatically. This is
> different
> from Windows Internet (WinInet) API which will check the security zone
> settings in Internet Explorer.
>
> Therefore, the Intranet Sites and Trusted Sites configured in Internet
> Explorer security zone will take no effect on WinHTTP.
>
> The solution is to install the hotfix 943280 and add URL of the server
> that
> hosts the Web share in 'AuthForwardServerList' Registry Key. After that,
> if
> any clients try to access a URL that matched any of the expressions found
> in the "AuthForwardServerList" value, credentials will be sent to
> authenticate the user even if he doesn't have a proxy configured.
>
> I hope this helps.
>
> Sincerely,
> Neo Zhu,
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> ================================================== ===
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ================================================== ===
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

Hello Customer,

Thank you for your feedback.

The solution provided in KB943280 is based on WinHTTP's working mechanism.
As explained before, the main reason is that WinHTTP does not check the
security zone settings in Internet Explorer to determine whether a Web site
is in a zone that lets credentials be sent automatically.

If you don't think this hotfix is practical, you could submit your
suggestions here:
https://support.microsoft.com/common...14&showpage=1&
WS=Wish&url=http%3a%2f%2fwww.microsoft.com%2firela nd%2fcontact%2f

You are welcome to upload suggestions and feedbacks like the following via
the above website:

Enhancement or feature addition to existing Microsoft products
Reproducible problem or bug with current version that needs resolution
Cannot find documentation of feature within the help files
Difficulty using the product
All beta products
Product packaging complaints
Added accessibility feature for a Microsoft product

In fact, we are always striving to capture any feedback from our partners
and customers so as to ensure that we are continuously developing products
that meet our customer needs. Suggestions like yours are always appreciated
and taken seriously.

Thanks again for using our products.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.