Inicio > Artículos, Sharepoint > SharePoint login prompt when accessing files in a Document Library Solution

SharePoint login prompt when accessing files in a Document Library Solution

28 septiembre, 2010


Español | English

UPDATED 29-SEP-2011: Fixed for anonymous sites and IE. Really Works!

Since long ago we faced a problem here at the University Of Veracruz, with some of the out-of-the-box funcionality in WSS, MOSS 2007 and SharePoint Server 2010.

As we all know, in order to login in a non anonymous SharePoint Web Site, we have to provide our domain/username credentials. That is ok if our site has not the “allow anonymous” option enabled. But what happens when we click on an Office document (such as Word or Excel file) using Internet Explorer?

Any time we try to open a file, we are again, prompted for the credentials. This happens even if the user was the creator of the file or the “allow anonymous” option is enabled.

What does Microsoft has to say about it?

This is by design.

Some references of this problem from Microsoft’s Web sites:

Multiple Logon while open office Document from SharePoint

Office: Authentication prompts when opening Microsoft Office documents

How documents are opened from a Web site in Office 2003

Are you crazy?

What is happening is that Office is trying to be so smart that needs to know who you are in order to provide some functionality for working with online documents inside the Office suite.

– Me: That’s fine, but at least give me the option to disable this behavior from SharePoint Administration.

– Office-SharePoint: No. You cannot.

Explanation of this behavior

Well, if you try to open an Office file directly from a remote place, Office wants to know who the hell you are. If the server responses with the

  • Microsoft Office Protocol Discovery or a
  • FrontPage Protocol or a
  • WebDav Protocol

then it ask you for credentials. Not only Office does this. If you try to open a library as a HTTP SharePoint Folder View, Windows (something to do with how IE handles downloads) does the same. The request comes from one of these protocols so the Microsoft client app have to ask for credentials. It is by design. You can see this yourself if you catch the Request.UserAgent string at the moment you open a file from SharePoint.

You can create an HttpModule that searches for the Request.UserAgent string, so if you find one of these protocols, then send a 200 status code in the response. The problem here is that you are disabling not only logins prompts for documents, but for the entire client integration feature (opening files from Word, Excel or folder views in libraries). This is not what we want.

We want to be able to use client integration, it’s a nice feature, but we do not want to be prompted inside our document libraries.

Solution WSS 3.0 and MOSS2007

As I said before, there is not a solution for this problem since this behavior is by design, but that is not going to stop us, is it? Here you have a workaround.

After searching all over the Web with no results, I decided to face the problem myself. If you notice, there is an option inside the file dropdown menu called “Sent To->Download a Copy”. This options does exactly what we are trying to accomplish. It calls a file inside layouts folder called download.aspx. This file serves a file from SP content database using this code:

// This inside download.cs file
Response.AddHeader("Content-Disposition", "attachment;filename=" + filename);

That’s why this option does not open the file directly on the server (the attachment string does it all).

The problem here is that this download.aspx file needs you to be authenticated. So if your site is anonymous, the option “Sent To->Download a Copy” will ask you for credentials. It’s stupid I know, but it does. They fix this on SPS2010 though.


Don’t worry. We are going to handle the anonymous stuff later on (See below on Anonymous section)

So, where is the code for that «Download a copy» option?

Exactly, as you are guessing, in a JavaScript file called “CORE.JS” located in C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\layouts\[some numbers] folder.

1. Make a backup of your CORE.JS file.

2. Find this line in the CORE.JS file:

Find this function
function DispDocItemEx(ele, fTransformServiceOn, fShouldTransformExtension, fTransformHandleUrl, strProgId)

3.Add this just below it UPDATED (29 SEP 2011):


/ Agregado por Memo Vera para evitar que abra las App de Office.
/ 28 SEP 2010
/ Modificado el 29 SEP 2011
var office_extensions = /(.docx?|.pptx?|xlsx?|md[ab]|mp[pt])$/i;
if (office_extensions.test(ele)) {
STSNavigate(ctx.HttpRoot + "/_layouts/download.aspx?" + "SourceUrl=" + escapeProperly(ele.href));
return false;
if (
event.cancelBubble = false;
return true;
/ FIN modificacion


Leave the rest of the function just as it is. No need to change anything else.

Don’t worry, no need to restart your SharePoint Server or any service. No need to add your SharePoint Server URL to your Trusted Sites (although I recommend it).

There you go. Refresh your Web Page and make sure you clean your local Web Browser cache so you get the new version of the CORE.JS file.


I have this working on my environment with WSS 3.0 with no problem. Everyone is happy, can use SharePoint Client Integration and those login prompts for online editing are gone. If I want to edit a document online, I select the option “Edit in Microsoft Word” or open the file from Word App.


Anonymous sites browsing with IE on MOSS 2007 and WSS 3.0

Like I wrote before, we are using the C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\layouts\download.aspx file witch is the one that serves files from SP content database. The problem with anonymous sites and this file, is that it needs you to be authenticated. As crazy as it might sound, it is true. Try it yourself on a clean SP box:

Create an anonymous site, upload some Office documents and log off. Open IE and visit your site as anonymous and click on “Sent To->Download a Copy”. The box will ask for your credentials. Just crazy.


Microsoft fix this on SPS2010 though, so you do not need to do this on 2010 boxes.

We have to add just a simple line of code inside this file that tells SP that we dont need to be authenticated.

1. Open your C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\template\layouts\download.aspx file. I dont have to tell you to make a backup first.

2. Make some modifications, so your file will end like this:


<script runat="server" type="text/C#">
/ Cambio por Memo Vera y no pedira autenticacion
/ 29 SEP 2011
protected override bool AllowAnonymousAccess
return true;


3. Nice! Save your file.

4. Try it! Visit your site anonymously and click on a file or use the option Sent To->Download a Copy”.


Beautiful, isn’t it?


Solution SharePoint Server 2010

In SPS 2010 is slightly different.

The JavaScript file called “init.js” located in \Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\1033 folder.

The functions inside this file reffer to the core.js file. This init.js es minified (from init.debug.js) so it won’t be easy to edit. You have to be carefull.

1. Make a backup of your init.js file.

2. Find this line in the init.js file:


function DispEx(o,n,e,a,d,i,g,m,k,b,h,j,f,c,l){


3. Add this just right to it (remove the line breaks if necessary):


/*Agregado por Memo Vera para evitar que abra las App de Office. 18 NOV 2010.*/STSNavigate(ctx.HttpRoot + "/_layouts/download.aspx?SourceUrl=" + o);return false;


Update: Excel files have a problem with SPS2010. They wont download until you log in. They do not even have the context menu «Download a copy» enabled. I also have a problem with Office Web Apps. Give me sometime to figure it out this part. In the mean time, i suggest you to upload those files within a zip file.

This will only work for logged on users.

1. Find this line in the init.js file:




2. Add this just right to it (remove the line breaks if necessary):


/*Agregado por Memo Vera para evitar que abra las App de Office. 29 AUG 2011.*/return false;


Leave the rest of the function just as it is. No need to change anything else.

This applies for all Office files and it’s working also on others browsers like Firefox.

Hope it helps you.


Well, the only one I can think of is when some SharePoint update or patch replaces the CORE.JS file. No problem because we added just a couple of lines of code. We can certainly add them back.

Try it yourself and let me know if this has worked for you.

  1. Mike
    6 octubre, 2010 a las 11:43 | #1

    Thanks for this easy work around. I tried it and it worked. The only thing I noticed, is not the site does not give uses the option to open the file for read only or edit. So I’m assuming they can not make changes and save them back to the sharepoint site without uploading the changed document and replacing the old. Is that correct?

  2. Kaleu
    26 octubre, 2010 a las 7:45 | #4

    How do I do that in Sharepoint 2010? There is no DispDocItemEx function.
    Another question: is it work for all Office files?


  3. 28 octubre, 2010 a las 13:30 | #6

    I finally had my hands on a SPS2010 box. I updated the post with the solution for SPS2010.

    Hope it helps you 😀

  4. Claudia Corrales
    11 noviembre, 2010 a las 17:02 | #7

    Hola Guillermo,

    Seguí tus recomendaciones pero sigo teniendo el problema de solicitud de credenciales cuando abro documentos Office alojados en un servidor Sharepoint, desde cualquier máquina que tenga Windows 7.

    Específicamente sobre esta tecnología: Windows 7 + Office 2007 + Sharepoint 2007 + IE.

    El sitio sharepoint donde se acceden los documentos es un sitio anónimo creado sobre la zona de internet que se extendió de uno autenticado.

    Cualquier ayuda sería bien recibida.


    • 18 noviembre, 2010 a las 13:26 | #8

      Hola Claudia. Yo estoy usando Windows 7 como cliente también. Office 20007 y Office 2007 instalado. FireFox 3.6 e IE 7 y 8 como navegadores.

      Para tu caso con anónimo, coloca el HttpModule de la entrada y listo. he actualizado el post. No hay necesidad de modulo. Funciona lindo ahora.

      También por si acaso, borra tu historial de navegación de tu cliente IE para que pueda obtener otra vez el core.js.


    • 29 septiembre, 2011 a las 13:46 | #9

      Ya lo arregle para anonimos. Espero te sirva.

  5. isaac g
    23 noviembre, 2010 a las 17:48 | #10

    hi , i tried this and it seems to have still prompt me to login(even though the dialogue box is now different in that it doesn’t ask me if its read only or edit that i’m going to open. i edited c:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\1033\CORE.JS as instructed.

    refreshing my browser and clearing my cache seems to have no effect either. Darn i thought i had found a nice fix for this.

    • 24 noviembre, 2010 a las 12:15 | #11

      This works nicely when you clic on a document in the sharepoint document views. If you are openning the file outside sharepoint site, the core.js file has no effect. In this case you have to make sure anonymous access is enabled and a Save/Prompt will be shown.

      Check it again. Should work for you, I haven’t found any problem with this in several sharepoint wss 3.0 installations so far (but with SP you never know for sure).

      Try adding an alert box just before the code in order to check if your function is being executed and your getting your new core.js.

      I have updated for anonymous. Check it out.

    • 29 septiembre, 2011 a las 13:45 | #12

      Fixed for anonymous and WSS 3.0. Hope it helps.

  6. Scottie
    2 diciembre, 2010 a las 14:19 | #13

    It appears to disable the dropdowns when I put it in. any ideas?

  7. 21 diciembre, 2010 a las 11:37 | #15

    You are Aswesome Dude! Thanks a Lot You have won a Client for Us

  8. anonymous
    21 diciembre, 2010 a las 12:54 | #16

    the edit option seems to be not working in form based authentication. any clues?

    • Administrador del sitio
      17 enero, 2011 a las 11:42 | #17

      I actually tryied this with forms auth and didnt find this problem so far. One problem you might face if your are using the module is related to special chars (latin chars like ñ, ó). I havent resolve that issue yet. No need for module anymore.

  9. Harry Poulter
    22 diciembre, 2010 a las 8:57 | #18

    Sorry ot be dense, but I don’t understand the 2010 solution. You made the script change in init.js instaead of core.js, but are you still using the same httphandler code? Didn’t you have to change it at all?

  10. pacer
    12 enero, 2011 a las 10:21 | #21

    hi i like your solution but how can i add this in content editor webpart..i dont want to modify core.js…can i orverride this function.and how? plz help

    • Administrador del sitio
      17 enero, 2011 a las 11:53 | #22

      You would have to override the client function from your webpart. It seems difficult from server code. You can try to add your own js file from your webpart with the same function just after core.js declaration. I’m not sure about this. You might have different results depending on the client’s browser. Cheers!

  11. Sylvain Girard
    13 enero, 2011 a las 1:40 | #23


    I tried it and it didn’t work. Well, there is no more login prompt when you open the document in the application, but you cannot save it back to the server.

    Looking closer into your solution, this makes perfect sense. Files open in client applications use a network protocol to open them. The way your solution works around the authentication required on such protocols is by just downloading it over http. When a file is downloaded, it is basically saved on your local computer and cannot be saved back to the server like that…

    I’d really like to see one of your wss installations where it does work, cause that wouldn’t make any sense to me…

    Anyway, nice try.

    • Administrador del sitio
      17 enero, 2011 a las 11:59 | #24

      The goal of this workaround is get rid of login prompt. Most of the users (an of course, the anonymous ones) only want to get a copy of the file.
      But you can program a module, catch the authentication ticket from SP on the request method and make the authentication bridge between IE & Office Apps. You will have the best of both worlds: No login prompts & Office integration in one single click. But you have to program that.

      It’s just not possible what you want out of the box. Blame Microsoft 😀 Cheers!

  12. 17 enero, 2011 a las 12:04 | #25

    Glad it worked for you.

  13. Carlos C
    10 febrero, 2011 a las 18:40 | #26

    Muchas gracias por el aporte, es justo lo que estaba buscando y funciona perfecto sobre MOSS2010

  14. feb 16, 2011
    16 febrero, 2011 a las 10:01 | #27

    For 2010 version, is it possilble to add back the Open button and not only have the Save when clicking on the doc?

  15. Dave
    18 febrero, 2011 a las 17:57 | #29

    This is excellent information and very helpful, however, I am having this same issue with a basic HTML page with links to Word documents that sit in a sub-folder within the same site. The site is in the «intranet» zone. If I open the site with IE7, 8 or 9, I get prompted to open each link (enter credentials). If I open it with Safari, Chrome or Firefox, after the initial authentication login, I never get prompted to provide credentials for opening the same links. Is this in IIS or IE?

    • 29 septiembre, 2011 a las 13:42 | #30

      For WSS or MOSS 2007; you have to write your links pointing the download.aspx file:

      /_layouts/download.aspx?» + «SourceUrl=» + URLOFYOURFILE

      Hope it helps

  16. GW
    3 marzo, 2011 a las 16:00 | #31

    I tried to implement your modified CORE.JS solution to get rid of credential prompts for opening office documents. After inserting the code where you indicate, I cleared cache and reloaded the sharepoint folder page in the browser on client PC and was able to open a document without getting prompted for credentials (success!). Though, I was no longer able to actually navigate the sharepoint site anymore. IE status bar either says «waiting to load scripts…» or «Error» when I try to navigate through different folders. I had to revert to the unmodified CORE.JS just to restore normal functionality, but for a brief moment it worked. What did I do wrong? I inserted your code directly after the line you indicated, and just before the first «{» in the original function. Is this not correct?

    • 24 marzo, 2011 a las 12:57 | #32

      Mmm, it seems like a javascript syntax error. I’d remove the code and would test it to make sure the problem is the code I just added.
      Then I’d double check it the code you are trying to insert. It really works (still missing some scenarios, work left to do). Use firebug to debug you js code in case of problems.

    • 29 septiembre, 2011 a las 13:43 | #33

      This happens when you have a JS error. 😀

  17. Nenad Banovic
    9 marzo, 2011 a las 3:15 | #34

    I just want to share some information with you. After applying December Cumulative Update(office2010-kb2459257-fullfile-x64-glb) for SharePoint 2010 this stop working, the problem is with ctx.HttpRoot. Just remove this so the function should lock like this: STSNavigate(/_layouts/download.aspx?SourceUrl=» + o);return false;
    and it should work fine.

  18. Olov
    24 marzo, 2011 a las 8:29 | #35

    Works fine in document libraries. Too bad it doesn’t work on documents attached to a list item.
    (tried it on SharePoint Foundation)

  19. mika
    30 agosto, 2011 a las 8:29 | #36

    Seems that it doesnt work any more since SP1?!

    • Guillermo Humberto Vera Amaro
      30 agosto, 2011 a las 9:03 | #37

      I have it working on mine after SP1. Doesnt affect it =)

  20. mika
    31 agosto, 2011 a las 2:18 | #38

    And it should deactivate the password prompt completly when opening files? or just disable it, after i entered it the first time?

    I added it after the function like this:

    function DispEx(o,n,e,a,d,i,g,m,k,b,h,j,f,c,l)){ULSA13:;/*Agregado por Memo Vera para evitar que abra las App de Office. 18 NOV 2010.*/STSNavigate(ctx.HttpRoot + «/_layouts/download.aspx?SourceUrl=» + o);return false;

    But it doesnt really work, with word only after the first login and excel dont work at all.

    • 31 agosto, 2011 a las 9:01 | #39

      I just tried it works for me like a charm. For 2010, be sure you are editing init.js and inside this function:
      function DispEx(o,n,e,a,d,i,g,m,k,b,h,j,f,c,l){
      Remeber this is for the anonymous download problem but it also works after you log in.
      Review the update for excel files.
      Good luck.

  21. mika
    1 septiembre, 2011 a las 6:48 | #40

    Very good, the only thing is, that its not directly the online editing after opening a file.
    but i think this is by design 😉

    Thank you very much!

  22. Norman
    13 septiembre, 2011 a las 5:48 | #42


    your Solution works great for me in Sharepoint 2010 Foundation.

    But you cant open aspx Files in a Wiki libary directly via click. U only get download prompt.

    So u cant use the List view for wiki-libary.


  23. Norman
    21 septiembre, 2011 a las 5:19 | #43


    thx to marzo:

    >I just want to share some information with you. After applying December Cumulative Update(office2010-
    >kb2459257-fullfile-x64-glb) for SharePoint 2010 this stop working, the problem is with ctx.HttpRoot. Just
    >remove this so the function should lock like this: STSNavigate(/_layouts/download.aspx?SourceUrl=” +
    >o);return false;and it should work fine.

    This Solution works for special Characters (like ö ü ä)! Downloading files is working like expected.


  24. Ryan
    6 octubre, 2011 a las 9:28 | #45

    Is there a way to force download from a Content Query Web Part. In our environment we have multiple content query web parts that query a document library elsewhere. Is there a way to insert this code to force similar behavior as the document libraries?

    • Administrador del sitio
      7 octubre, 2011 a las 18:05 | #46

      Yes. For anonymous sites you should not have a problem. We have to use our download.aspx file.

      URLSPSITE + «/_layouts/download.aspx?SourceUrl=» + URLOFYOURFILE

      Check out this example. You can access this Word file from any external app (from WordPress in this case) and wont prompt you for password: 😀


  25. Miguel Angel Cruz
    6 octubre, 2011 a las 17:04 | #47

    Cordial Saludo:

    He hecho el paso a paso y no me funciona. Tengo una granja con 9 servidores SP 2010. tengo páginas en las cuales he subido archivos en word 97 y 2010. no los estoy mostando directamente sobre la biblioteca sino como links, pero me sigue pidiendo autenticación.

    Le agradezco su colaboración

    Miguel Cruz

    • Guillermo Humberto Vera Amaro
      7 octubre, 2011 a las 18:09 | #48

      Para librerias anonimos lo que tenemos que hacer es usar nuestro download.aspx

      URLDETUSITIOSP + «/_layouts/download.aspx?SourceUrl=» + URLOFYOURFILE

      Mira, checa como tengo aqui un Word publicado, incluso con caracteres latinos. Le puedes caer desde cualquier app (en este caso desde aqui WordPress) y no pide password:


      • 7 octubre, 2011 a las 18:37 | #49

        Casi lo olvido. Como yo que uso español, si se ponen caracteres especiales en el nombre del archivo o el URL de la librería, incluye del core.js la function escapeProperlyCoreCore y escapeProperly más sus constantes (están al principio) para «escapear» la cadena.


      • Miguel Angel Cruz
        24 octubre, 2011 a las 14:10 | #50

        Cordial Saludo

        La ruta que me indicas en el ejemplo la debo colocar en cada uno de los links de los documentos o en el archivo init.js


        Miguel Cruz

  26. 28 octubre, 2011 a las 9:26 | #52

    Cordial Saludo

    Gracias por la respuesta pero tengo una duda

    La ruta que me indicas en el ejemplo la debo colocar en cada uno de los links de los documentos o en el archivo init.js adicionalmente debo hacer colocar esto STSNavigate(ctx.HttpRoot + «/_layouts/download.aspx?SourceUrl=» + o);return false; tambien o simplemente con el link a download.aspx

    • 28 octubre, 2011 a las 17:27 | #53

      Links externos a documentos, sólo necesitas usar la ruta:

      URLDETUSITIOSP + “/_layouts/download.aspx?SourceUrl=” + URLOFYOURFILE

      Sin la función STSNavigate y no hay necesidad de modificar el init.js.

      Observa el ejemplo a un file de Word que te puse en otro de tus comentarios.

      • Miguel Angel Cruz
        4 noviembre, 2011 a las 7:42 | #54

        Cordial Saludo:

        Me funcionó muchas gracias, por su colaboración. En cuanto la utilización de tildes no lo tengo muy claro. las funciones function escapeProperlyCoreCore y escapeProperly debo de crearlas en el archivo init.js??

        como siempre le agradezco su colaboración

        Miguel Angel Cruz Torres

        • 8 noviembre, 2011 a las 18:19 | #55

          Para los acentos, solo copiate esas dos funciones del archivo init.js que mencionas y ponlo en un archivo js propio. Así las podrás usar fuera de sharepoint y te arreglara los acentos.

  27. msdarlenet
    17 noviembre, 2011 a las 17:04 | #56

    This solution breaks Office Web Apps. If Office Web Apps is activated on your site collection, and «Open in Client Applications by Default» is deactivated on the site collection, and the user clicks on the filename in the SP 2010 Document Library, this error message will occur:

    Cannot open file «_layouts/WordViewer.aspx?id-/DocLibName/Filename.docx

    The trace will show:
    GET http://SPServer/Site/_layouts/download.aspx?SourceUrl=http://SPServer/Site/_layouts/WordViewer.aspx?id=/Site/DocLibName/Filename.docx&Source=http://yakyak.aspx&DefaultItemOpen=1&DefaultItemOpen=1&FldUrl= HTTP/1.1

    • 25 noviembre, 2011 a las 11:57 | #57

      Thanks for your comment Darlene. Don’t use this approach if you are using Office Web Apps. You probably wont need it because you can open your files on the cloud with Office Web Apps instead of downloading them.

  28. Gags
    25 enero, 2012 a las 7:32 | #58


    I have tried your solution for SPS2010. But, the solution you said is not working for me. Every time i open «MS Excel» it gives a window popup.

    Kindly suggest am i doing something wrong.


    • 31 enero, 2012 a las 17:25 | #59

      Check it for Word files. If it is working for Word, it should work for Excel as well. In SP2010 is a totally different situation about Excel because of Excel Viewer. I did not have the time to handle that yet. Regards 😀

  29. Chet
    21 febrero, 2012 a las 18:37 | #60

    Hi Guillermo, I have a user who is constantly getting a login prompt anytime she clicks on an email alert sent from Sharepoint (WSS 3) to Outlook 2010. Do you think your solutions above would fix her problem? Any ideas?

    Thanks man!

    • 23 febrero, 2012 a las 10:27 | #61

      Sorry Chet, this solution only works for the WSS front-end Web interface. If you are clicking the URL of the file directly from outside (outlook client for example) wont work. One thing you can do is to disable the client integration on the SharePoint Central Administration. I know, it sucks 🙁
      The other thing is to write an .NET module that intercepts the auth method when user request a Office file. I already did that but had a problem with latin codification. Maybe you will have better luck 😀

  30. Aj
    22 febrero, 2012 a las 11:26 | #62

    Hi, Hope you can help

    I tried the above for sharepoint 2007 authenticated users is our setup and was working fine. I had found another work around and replaced the core.js file back from a back up and ever since this users cannot access the site. Multiple logon prompts and eventually they login but action menus are static i.e. site actions etc.

    Could it be I had opened both core.js files in notepad, even the original.

    • 23 febrero, 2012 a las 10:25 | #63

      Use any of the developers tool out there (firebug for example) and find out the javascript error in your file. Then you can fix it accordingly. What you suppose may be what did happen, your file might be corrupted. I can send you the original core.js for WSS 3.0 if you needed. good luck. 😀

  31. Will
    7 marzo, 2012 a las 5:23 | #64

    On the download.aspx file, the changes weren’t working to allow anonymous access to download.aspx.

    I was initially quite distraught…..

    However, I figured it was worth a try and added the runat=»server» to the script tag, and it started working anonymously!


  32. Gerson
    23 marzo, 2012 a las 13:23 | #65

    Hi, i have a problema like that, i want permit the anonymous users to attachment a file into a list. But every time when the user send the attachment the server request login.aspx and the credential of user.
    How i can send attachments without the login.aspx or the credentials?



Mtro. Guillermo Humberto Vera Amaro