000016365 - AxM 4.9 Agent for IIS does not serve read only copies of Microsoft Office Documents

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016365
Applies ToRSA Access Manager 4.9.1 Agent for IIS 7.x
SharePoint is not installed on the backend server, and Office documents are being opened in read only mode.
IssueAxM 4.9 Agent for IIS does not serve read only copies of Microsoft Office Documents
When attempting to open an Office document (for example, an MSWord doc), the user is presented with a second forms based logon page in the Word application.  If the user attempts to authenticate in this window, the logon loops.
CauseThere was a change made to the 4.9 Agent to support SharePoint integration with Office applications.  In current versions of Office, the Office application will initiate a dialog with the back end web server to determine what kind of read and write access to documents is in use.  This negotiation uses the OPTIONS verb to exchange details.  The 4.9 agent now detects this negotiation, and changes the logon process for Office documents.  This requirement satisfies SharePoint support, but is not needed if SharePoint is not installed on IIS (and only read only access to Office documents is required). 
ResolutionThe following work around may be used if the hotfix cannot be applied.  If support is not required for SharePoint, disable the support for the OPTIONS verb in IIS 7.x.  This can be done in several ways and is dependent on the version of IIS if you have applied the administration pack.  If the administration pack is enabled, you can disable the OPTIONS verb by creating a deny rule in the IIS management console under "Request Filtering" for the "HTTP Verb" called OPTIONS.   
The same thing can be accomplished by executing the following applications management command for the virtual host where the content is being served from:
C:\Windows\System32\inetsrv>appcmd.exe set config /section:requestfiltering /+verbs.verb='OPTIONS',allowed='false']
This disables the dialog between Microsoft Word, and IIS will negotiate for SharePoint access.

This issue is resolved in hotfix for the RSA Access Manager 4.9.1 Agent for IIS 7.x.  Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for you platform. This hotfix introduces a new webagent.conf file parameter that may be used to disable the sharepoint support.
Set the value to false:
  # A Boolean parameter to enable support for client based integration with
  # Microsoft office documents hosted on SharePoint Server. If enabled, agent
  # would prompt for authentication in a new office client window and provide
  # access to the document after successful authentication.
  # This parameter should be enabled only for sites where client based
  # integration with office documents needs to be supported.
  # Allowed Values:
  #       True
  #       False
  # Default Value:
  #       False
NotesFor more information on the OPTIONS verb in IIS, see the following article:
Legacy Article IDa57990