Environment

Windows Server 2008 R2 Enterprise (Build 7601: Service Pack 1)

IIS 7.5.7600.16385

Windows Authentication

• Extended Protection: Off
• Enable Kernel-mode authentication: checked
• Providers: NTLM, Negotiate

Impersonate=true

Application Pool

• Name: ASP.NET v4.0
• .NET Framework Version: v4.0
• Managed Pipeline Mode: Integrated
• Identity: ApplicationPoolIdentity

useAppPoolCredentials is not specified

Internet Options

Site is in Local intranet zone

• Automatic logon only in Intranet zone is checked
• Enable Integrated Windows Authentication is checked
• IE 9 and above

The site started prompting users for credentials last weekend. We found this discussion -- https://social.technet.microsoft.com/Forums/windowsserver/ja-JP/c9239a89-fbee-4adc-b72f-7a6a9648331f/401-unauthorized-access-is-denied-due-to-invalid-credentials?forum=winserversecurity -- and moved NTLM above Negotiate in Providers list.

Changing the order of providers allowed the users to access the site. However, they are now unable to open spreadsheets directly without going through the following:

1. User clicks link for document
2. Gets prompted 3 times for credentials
3. Receives “Could not open…” message box
4. Clicks OK and then receives “Microsoft Excel cannot access the file…” message box:
5. Clicks OK and Excel opens the document!

They can Save the document locally without getting prompted for credentials and then open it. But they go through this if they try to Open it without saving it locally first.

This looks to be the last entry in the IIS log for each of these transactions:

s-port: 80
cs-method: HEAD
cs-uri-stem: /site/excel/spreadsheet.xlsx
sc-status: 401
sc-substatus: 1
sc-win32-status: 2148074254
cs(User-Agent): Microsoft+Office+Existence+Discovery

Any suggestions?

Ray