Consider the following scenario on a Windows Vista-based computer:
- You map a network drive to a Web share that requires user credentials.
- You configure the drive to use the "Reconnect at logon" option.
- You enter the user credentials, and then you click to select the Remember my password check box when you access the drive.
- You restart the computer or you log off from Windows Vista.
In this scenario, when you log on to the Windows Vista-based computer again, you receive an error message that resembles the following when you try to access the mapped drive:
An error occurred while connecting to address
The operation being requested was not performed because the user has not been authenticated
The connection has not been restored
The mapped drive appears as disconnected after you log on to the computer again.
In Windows Vista, the Web Distributed Authoring and Versioning (WebDAV) redirector uses Windows HTTP Services (WinHTTP) instead of the Windows Internet (WinInet) API. In a non-proxy network configuration, WinHTTP sends user credentials only in response to requests that occur on a local intranet site. Therefore, if no proxy is configured, you may be unable to access a share that requires user credentials.
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
To resolve this problem, apply hotfix 943280.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
You are prompted to enter your credentials when you access an FQDN site by using a Windows Vista-based client computer that has no proxy configured
After you apply this hotfix, you have to create a registry entry. To do this, follow these steps:
- Click Start, type regedit in the Start Search box, and then press ENTER.
- Locate and then click the following registry subkey:
- On the Edit menu, point to New, and then click Multi-String Value.
- Type AuthForwardServerList , and then press ENTER.
- On the Edit menu, click Modify.
- In the Value date box, type the URL of the server that hosts the Web share, and then click OK.
Note You can also type a list of URLs in the Value date box. For more information, see the "Sample URL list" section.
- Exit Registry Editor.
After this registry entry is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be successfully sent to authenticate the user even if no proxy is configured.Note
You have to restart the WebClient service after you modify the registry.
Sample URL list
The following is a sample URL list:
This URL list enables the WebClient service to send credentials through the following channels.Note
After you configure this URL list, the credentials will automatically authenticate to the WebDAV servers even if these servers are on the Internet.
- Any encrypted channel to a child domain of a domain whose name is Contoso.com.
- Any nonsecure channel to a child domain of a domain whose name is dns.live.com.
- Any channel to a server whose name ends with ".microsoft.com."
- Any encrypted channel to a host whose IP address is 188.8.131.52.
Things to avoid in the URL list
- Do not add an asterisk (*) at the end of a URL. When you do this, a security risk may result. For example, do not use the following:
- Do not add an asterisk (*) before or after a string. When you do this, the WebClient service can send user credentials to more servers. For example, do not use the following:
In this example, the service also sends user credentials to http://extra_charactersContoso.com.
In this example, the service also sends user credentials to http://Contosoextra_characters.com.
- Do not type the UNC name of a host in the URL list. For example, do not use the following:
- Do not include the share name or the port number to be used in the URL list. For example, do not use the following:
- Do not use IPv6 in the URL list.
This URL list has no effect on the security zone settings, and this URL list is used only for the specific purpose of forwarding the credentials to WebDAV servers. Create the list as restrictively as possible to avoid any security issues. Also, notice that there is no specific deny list. Therefore, the credentials are forwarded to all the servers that match this list.
If Basic authentication or Digest authentication is implemented in the network, hotfix 943280 cannot change this behavior. This behavior is by design in Basic authentication mode and in Digest authentication mode.
IIS does not support Windows authentication over the Internet. Therefore, this hotfix applies only to the Intranet scenarios.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.