
SharePoint 2007 Anonymous MS Office Document Download Login Prompts

1. Editing the web.config to remove the “OPTION,PROPFIND” values from the for SharePoint.

Ref: http://support.microsoft.com/kb/2019105

If the web application is not intended to be used for WebDAV, the Web Service Extension that provides the WebDAV functionality can be set to Prohibited on a default server that is running IIS. (This might be WebDAV or FrontPage Server Extensions.) If the site provides WebDAV functionality through another extension, the provider of that extension should be involved. For example, to do this with Windows SharePoint Services (WSS), the site should be configured to disable Client Integration, or the OPTIONS and PROPFIND verb should be inhibited. (On IIS 6, remove the verbs from the registration line in the web.config file. On IIS 7.0, use the HTTP Verbs tab of the Request Filtering feature to deny the verbs.) Be aware that this approach will open the content in read-only mode because this approach disables direct-edit functionality.

Risks:
Will disable client integration so if authenticated authors/users are expecting to open Office docs with integration
Potentially disables site admin options in SharePoint Designer.
Causes application recompile as we are committing change to web.config.

Rewards: Eliminates 1 out of the 2 login prompt windows that pop up.

If you are using IIS7 there is the potential that denying PROPFIND and OPTION in IIS > Site > Request Filtering would also be required. I don’t know of a deny method for IIS6 except using 3rd party tools such as LinkDeny.
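A way to check the effect of Method 1 from the anonymous side, as an added example that is not part of the original post: it sends OPTIONS, PROPFIND and GET without credentials and reports which verbs still come back as 401. The stub server, its status codes and the document path are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Verbs named in Method 1, plus the plain anonymous download itself.
PROBE_VERBS = ("OPTIONS", "PROPFIND", "GET")

def probe(url, verbs=PROBE_VERBS, timeout=10):
    """Send each verb with no credentials and return {verb: HTTP status}."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    statuses = {}
    for verb in verbs:
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request(verb, target, headers={"Depth": "0", "Content-Length": "0"})
            statuses[verb] = conn.getresponse().status
        finally:
            conn.close()
    return statuses

def prompting_verbs(statuses):
    """Verbs answered with 401: each one is a credential challenge to the client."""
    return sorted(verb for verb, status in statuses.items() if status == 401)

def anonymous_download_ok(statuses):
    """True when GET returns 200 and no probed verb is challenged with 401."""
    return statuses.get("GET") == 200 and not prompting_verbs(statuses)

class StubSite(BaseHTTPRequestHandler):
    """Constructed stand-in: PROPFIND denied, OPTIONS still challenged."""
    codes = {"OPTIONS": 401, "PROPFIND": 404, "GET": 200}  # constructed values
    def _reply(self):
        self.send_response(self.codes[self.command])
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_OPTIONS = do_PROPFIND = do_GET = _reply
    def log_message(self, *args): pass  # silence per-request logging

def demo():
    """Probe the stub on a loopback port picked by the OS (hypothetical path)."""
    server = HTTPServer(("127.0.0.1", 0), StubSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d/Docs/sample.dotx" % server.server_port)
    finally:
        server.shutdown()
```

Against a real site, call probe() with the URL of an anonymously readable document, before and after each change, and compare the output of prompting_verbs().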

2. Editing Core DOCICON.XML

Basically, hacking the code for the open/edit documents links that appear in list views, in the hive.

Open the file:

Change the default settings for Office Document format files from:

to:

Note: some of the "less advanced" formats such as Rich Text Format come out-of-the-box without the extra EditText="Microsoft Office Word" OpenControl="SharePoint.OpenDocuments" tags:

Risks: Disables Open in Office functionality for authenticated author/users

Rewards: Will disable the open with Office Client Integration on Office documents - users will just get a Save prompt.

3. Edit Publication Detail page by modifying Download Hyperlink to use JavaScript download link

You can either modify existing custom page layouts (or create a new one) to include a user control which provides the actual download link for documents in a list grid or on a detail page. In my case I edited an existing user control embedded in the downloads masterpage:

Old link:

New Link:

Risks: Disables Open/Edit in Office functionality for authenticated author/users

Rewards: Removes one of the two login prompts. Tried in combination with the technique of removing OPTIONS,PROPFIND from web.config

4. Custom Download Handler to Intercept Office documents being downloaded with specific format

Created an .ASPX page as per (the idea in the comments) http://www.theblackknightsings.com/CommentView,guid,1c85a4a8-879e-4974-b7c8-e48e6811eedd.aspx that forces the download to go through in binary for specific document formats, in this case .DOT/.DOTX. The same method as trick #3 is used (modifying the download link in the control that actually provides the download link). This time, instead of using the JS method, it points to the custom .ASPX page.

Here is an example of such a custom user control, which is specifically wired to intercept the .DOT and .DOTX mime types:

Risks: Uses SPRunWithElevatedPrivileges to access the doc which could circumvent security if there was ever a need to have secure .DOT/.DOTX/ in the same site (unlikely)

Rewards: None, gives a straight 401 unauthorized.

5. Modifying Core.js in SharePoint hive to hotwire document opening behaviours

As per the post at , the following .JS modification will selectively (based on what file extensions you leave in there) override the core opening behaviour.

Find this line in the core.js file at:

Add the following directly after that opening {:

Risks:
You are modifying core SharePoint hive file which can be a maintenance/upgrade issue.
Core.JS file will not be updated on end users browser until they refresh their caches or the JS expires naturally - they won't see the new behaviour until that JS is refreshed.

Rewards:
Overrides the open behaviour without requiring Office Integration in general to be turned off.
Allows selected file extensions to be downloaded without the Office client producing the dummy login prompts.

6. Re-applying Anonymous permissions to Web App, Document Library

Risks: none

Rewards: There have been reports that this would correct any issues with document prompts, however I didn't see this result in my test cases.

The Winning Combination

The following is what worked consistently best and with minimal interference with standard Office Client Integration functionality for logged in users. Note that I only illustrate how to insert a download link in a detail page; if you want to wire this up to a document list view it will require adapting it yourself. :)

1. Create/modify a document detail page in SharePoint Designer. Add a User Control which references your desired document fields (title, description, image etc.) and add the following as the download link:

Note: the following assumes you have a working knowledge of how to use the SharePoint API to grab your server variables. The bolded text in the following link is the part you will have to sort out depending on where you will be applying this download link:

2. Open the file:

I don't have to tell you to make a backup first.

3. Make some modifications, so your file will end like this (note that I have added the vital runat="server" which is required):

4. That's it! Needless to say, if you have the Publishing Cache feature turned on you may need to refresh your cache in order for the changes to kick in on the download detail page you've made. Otherwise, no messy sticky client-side JavaScript and a very light core modification.

It's up to you if you want to beef up the restrictions in the AllowAnonymousAccess override - you could potentially combine some of the file extension restriction methods referenced in Method 4 to lock it down.

(Credit to http://www.uv.mx/personal/gvera/sharepoint-login-prompt-when-accessing-files-in-a-document-library/ for the final clue needed to put this together)
