Respond to HTTP OPTIONS with basic auth


Is the draconian approach of just denying the OPTIONS verb in IIS globally a possibility? You could install URLScan and put OPTIONS in the [DenyVerbs] configuration.


crb
Author by

crb

Updated on September 17, 2022

Comments

  • crb
    crb almost 2 years

    We have a web site hosting Office documents behind IIS6 Basic authentication.

    IE has an authentication token for basic auth, which it presents to download the file. The user clicks "Open", and then Microsoft Office Protocol Discovery does an HTTP OPTIONS request on the directory the file was served from. However, Office does not have the auth token that IE does, so it prompts again for credentials. Hitting Cancel will then show you the file in Office.

    As we are not a Sharepoint-like application, and we don't have a way of responding to OPTIONS, I would like to reply to all requests with the OPTIONS method (that are sent with a user-agent of "Microsoft Office Protocol Discovery") with something like an empty 200, as RFC 2616 states:

    If no response body is included, the response MUST include a Content-Length field with a field-value of "0".

    I am leaning towards an ISAPI filter that responds with 200 - before the Basic authentication happens. Windows auth or anonymous access are not options. Are there any alternatives I am missing?

    • Madhu Cheluvaraju
      Madhu Cheluvaraju about 15 years
      I'm afraid that you might get the tumbleweed badge for this.
    • crb
      crb about 15 years
      Then it may get the Necromancer badge for whoever answers it :)
    • Arjan
      Arjan almost 15 years
      And I assume forcing "Save as" is not an option, right? If it is an option, then maybe changing the content type of Office documents to application/octet-stream may remove the "Open" button from the IE download dialog. (Feels more like a hack, and you already got a workaround by hitting Cancel.)
    • Arjan
      Arjan almost 15 years
      Another thing you may, or may not, need to take into account: would Office interpret any HTTP Expires or Last-Modified headers, if any of those are returned along with your empty response? Like: what would happen if someone selects a file from a Recent Files menu in Office: would it request the document from the server again, or would it use a cached version? (By the way: I would expect the OPTIONS request to include the full path. Apparently not, as your KB article claims that allowing anonymous browse permissions may solve it.)
  • crb
    crb about 15 years
    appcmd.exe is an IIS7 program; we're running IIS6. (We aren't running Sharepoint, but unfortunately I believe we need WebDAV for another part of the application.)
  • John Rennie
    John Rennie about 15 years
    You can disable WebDAV without appcmd, but obviously if you need WebDAV you're stuck. Even if you need WebDAV maybe you could still split the site into two separate sites, one with WebDAV enabled and one without. They could point to the same physical directory and you would use the WebDAV disabled site only when you don't want the HTTP OPTIONS verb to be processed. Other than that, your suggestion of an ISAPI filter is the only solution I can think of. Sorry :-(
  • John Rennie
    John Rennie about 15 years
    Do I get my Necromancer badge? :-)
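
The pre-authentication short-circuit described in the question, modelled as Python WSGI middleware. This is an added example, not code from the thread and not an ISAPI filter; the credentials, realm name and the helpers `options_short_circuit`, `documents` and `send` are constructed for illustration. Only the exact OPTIONS-plus-user-agent combination skips Basic authentication, and that response carries nothing but `Content-Length: 0`.

```python
import base64
import hmac

DISCOVERY_UA = "Microsoft Office Protocol Discovery"  # user-agent named in the question
DEMO_USER, DEMO_PASSWORD = b"alice", b"constructed-password"  # constructed credentials

def basic_auth_ok(header):
    """Validate a Basic Authorization header against the constructed credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token, validate=True).partition(b":")
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(user, DEMO_USER) & hmac.compare_digest(password, DEMO_PASSWORD)

def options_short_circuit(app):
    """Wrap app: empty 200 for the Office OPTIONS probe, Basic auth for all else."""
    def middleware(environ, start_response):
        is_probe = (environ.get("REQUEST_METHOD") == "OPTIONS"
                    and environ.get("HTTP_USER_AGENT") == DISCOVERY_UA)
        if is_probe:
            # No body, so Content-Length: 0. No Allow or DAV headers either: the
            # User-Agent is client-supplied, so this path must disclose nothing.
            start_response("200 OK", [("Content-Length", "0")])
            return [b""]
        if not basic_auth_ok(environ.get("HTTP_AUTHORIZATION", "")):
            start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="docs"'),
                                                ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return middleware

def documents(environ, start_response):
    """Stand-in for the protected document site (constructed)."""
    body = b"constructed document bytes"
    start_response("200 OK", [("Content-Length", str(len(body)))])
    return [body]

def send(method, agent, authorization=""):
    """Drive the wrapped app with a constructed request; return (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "HTTP_USER_AGENT": agent,
               "HTTP_AUTHORIZATION": authorization}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(options_short_circuit(documents)(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `send("OPTIONS", DISCOVERY_UA)` returns the empty 200, while the same user-agent with `GET`, or `OPTIONS` from any other client, still receives the 401 challenge.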