We have a web site hosting Office documents behind IIS6 Basic authentication.
IE has an authentication token for basic auth, which it presents to download the file. The user clicks "Open", and then Microsoft Office Protocol Discovery does a HTTP OPTIONS request on the directory the file was served from. However, Office does not have the auth token that IE does, so it prompts again for credentials. Hitting Cancel will then show you the file in Office.
As we are not a Sharepoint-like application, and we don't have a way of responding to OPTIONS, I would like to reply to all requests with the OPTIONS method (that are sent with a user-agent of "Microsoft Office Protocol Discovery") with something like an empty 200, as
RFC 2616 states:
If no response body is included, the response MUST include a Content-Length field with a field-value of "0".
I am leaning towards an ISAPI filter that responds with 200 – before the Basic authentication happens. Windows auth or anonymous access are not options. Are there any alternatives I am missing?
Best Answer
Is the draconian approach of just denying the OPTIONS verb in IIS globally a possibility? You could install URLScan and put OPTIONS in the [DenyVerbs] configuration.