[Bug]: WebDAV: Microsoft Office warns about unsecure sign-in method on save
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
After creating a WebDAV share on Windows, and saving a new file with Microsoft Powerpoint to that WebDAV share, Powerpoint shows a warning about an unsecure sign-in method.
Steps to reproduce
- Create a WebDAV mount on Windows (11).
- Open Office Powerpoint
- Create a new Powerpoint presentation
- Save the Powerpoint presentation to a new file on the WebDAV mount.
- The warning appears
Expected behavior
No warning appears
Installation method
Official All-in-One appliance
Nextcloud Server version
25
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
None
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [X] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
# sudo -u www-data php occ config:list system
{
"system": {
"one-click-instance": true,
"one-click-instance.user-limit": 100,
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"check_data_directory_permissions": false,
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"overwritehost": "dev.paulvansanten.nl",
"overwriteprotocol": "https",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"dev.paulvansanten.nl"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "pgsql",
"version": "27.1.2.1",
"overwrite.cli.url": "https:\/\/dev.paulvansanten.nl\/",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"maintenance": false,
"loglevel": "2",
"log_type": "file",
"logfile": "\/var\/www\/html\/data\/nextcloud.log",
"log_rotate_size": "10485760",
"log.condition": {
"apps": [
"admin_audit"
]
},
"preview_max_x": "2048",
"preview_max_y": "2048",
"jpeg_quality": "60",
"enabledPreviewProviders": {
"1": "OC\\Preview\\Image",
"2": "OC\\Preview\\MarkDown",
"3": "OC\\Preview\\MP3",
"4": "OC\\Preview\\TXT",
"5": "OC\\Preview\\OpenDocument",
"6": "OC\\Preview\\Movie",
"7": "OC\\Preview\\Krita",
"0": "OC\\Preview\\Imaginary"
},
"enable_previews": true,
"upgrade.disable-web": true,
"mail_smtpmode": "smtp",
"trashbin_retention_obligation": "auto, 30",
"versions_retention_obligation": "auto, 30",
"activity_expire_days": "30",
"simpleSignUpLink.shown": false,
"share_folder": "\/Shared",
"one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
"upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
"updatedirectory": "\/nc-updater",
"davstorage.request_timeout": 3600,
"htaccess.RewriteBase": "\/",
"dbpersistent": false,
"files_external_allow_create_new_local": false,
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"allow_local_remote_servers": true,
"preview_imaginary_url": "http:\/\/nextcloud-aio-imaginary:9000"
}
}
List of activated Apps
# sudo -u www-data php occ app:list
Enabled:
- activity: 2.19.0
- admin_audit: 1.17.0
- calendar: 4.5.2
- circles: 27.0.1
- cloud_federation_api: 1.10.0
- comments: 1.17.0
- contacts: 5.4.2
- contactsinteraction: 1.8.0
- dashboard: 7.7.0
- dav: 1.27.0
- deck: 1.11.0
- federatedfilesharing: 1.17.0
- federation: 1.17.0
- files: 1.22.0
- files_pdfviewer: 2.8.0
- files_reminders: 1.0.0
- files_rightclick: 1.6.0
- files_sharing: 1.19.0
- files_trashbin: 1.17.0
- files_versions: 1.20.0
- firstrunwizard: 2.16.0
- logreader: 2.12.0
- lookup_server_connector: 1.15.0
- nextcloud-aio: 0.4.0
- nextcloud_announcements: 1.16.0
- notes: 4.8.1
- notifications: 2.15.0
- notify_push: 0.6.3
- oauth2: 1.15.1
- password_policy: 1.17.0
- photos: 2.3.0
- privacy: 1.11.0
- provisioning_api: 1.17.0
- recommendations: 1.6.0
- related_resources: 1.2.0
- richdocuments: 8.2.1
- serverinfo: 1.17.0
- settings: 1.9.0
- sharebymail: 1.17.0
- support: 1.10.0
- survey_client: 1.15.0
- systemtags: 1.17.0
- tasks: 0.15.0
- text: 3.8.0
- theming: 2.2.0
- twofactor_backupcodes: 1.16.0
- twofactor_totp: 9.0.0
- user_status: 1.7.0
- viewer: 2.1.0
- weather_status: 1.7.0
- workflowengine: 2.9.0
Disabled:
- bruteforcesettings: 2.7.0
- encryption: 2.15.0
- files_external: 1.19.0
- suspicious_login: 5.0.0
- user_ldap: 1.17.0
Nextcloud Signing status
No errors have been found.
Nextcloud Logs
Empty it seems :(:
# cat /mnt/ncdata/nextcloud.log
#
Additional info
It seems that Office Powerpoint is doing a PROPFIND request without any authentication headers to the server, before showing the warning:
Thanks for letting us know :+1:
Some background information: https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked
@vansante can you share the "learn more about how to prepare" link with us?
Sure, it links here:
https://support.microsoft.com/en-us/topic/microsoft-office-will-block-this-file-because-it-uses-a-sign-in-method-that-may-be-unsecure-a7c31d0d-ef2c-4760-bf66-505e9667c6fe
I, too, ran into this issue today for the first time, when saving an Excel file to my Nextcloud server connected via WebDAV. Following this issue with interest.
https://help.nextcloud.com/t/end-of-microsoft-support-for-its-webclient-service-on-windows-10-and-11/174121 :fearful:
Got the same issue as well, following this issue here.
We are also facing the same issue!
I am facing the issue too.
Same issue here. After the latest MS security patches, MS Office (the whole suite) doesn't allow working with files in a WebDAV mount.
As a workaround https://learn.microsoft.com/en-us/answers/questions/1533479/how-to-enable-basic-authentication-for-multiple-do
In summary:
1. Download the MSoffice administrative templates from https://www.microsoft.com/en-us/download/details.aspx?id=49030 (en-us only available). This allows configuring the MSoffice package via the policy group editor (gpedit.msc) (it adds a new "Microsoft Office 2016" category under USER CONFIGURATIONS - ADMINISTRATIVE TEMPLATES). It works with any MSoffice version.
2. Execute the downloaded file. It asks for a place to extract the contents.
3. Enter the ADMX folder and copy the "office2016.admx" file to the C:/windows/PolicyDefinitions folder. Depending on your language setup, copy the lang-lang folder too (in my case ES-ES) into that folder.
4. Restart to apply the changes.
5. Open the policy group editor (run -> gpedit.msc).
6. Locate the new "Microsoft Office 2016" category under USER CONFIGURATIONS - ADMINISTRATIVE TEMPLATES.
7. Look for "Security Configuration" "Allow specific host to show basic auth..." and add your NC WebDAV hostname to it.
8. Restart and enjoy no more warnings.
This is only a workaround. The solution, for sure, is to implement a more advanced auth system in the NC webDAV engine.
CoYoNq
I tried it like this on two machines. One seemed to be working, so I can open files now from my WebDAV, but I can't save them x.x This is so bad for workflow; me and my team have to save everything to the local machine first and then copy it manually :/
Maybe you can try an alternative WebDAV client like CYBERDUCK (in my setup I am not using the NC client due to high CPU usage on terminals). I am not using it (my issue was solved with the workaround I explain here), but maybe you can temporarily solve your problem with this client (at least for a while, until the NC client is fixed).
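Added example, not part of the thread and not Nextcloud or Microsoft code: the report says Office sends an unauthenticated PROPFIND before warning, and the linked Microsoft page concerns Basic authentication prompts, so this sketch repeats that request and reports which schemes the server's `WWW-Authenticate` challenge offers. The sample headers and the `cloud.example.org` host are constructed placeholders; `/remote.php/dav/` is assumed as the WebDAV path.

```python
import http.client
import re
from urllib.parse import urlsplit

# Pieces between commas, ignoring commas inside quoted strings.
_PIECE = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
# An auth-scheme token, optionally followed by whitespace and the rest.
_SCHEME = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(.*))?$", re.S)

def offered_schemes(values):
    """Lower-cased auth schemes named in WWW-Authenticate header values."""
    schemes = []
    for value in values:
        for piece in _PIECE.findall(value):
            m = _SCHEME.match(piece.strip())
            # 'charset = "x"' is a parameter of the previous challenge.
            if m and not (m.group(2) or "").startswith("="):
                schemes.append(m.group(1).lower())
    return schemes

def classify(status, values):
    """Summarise what an unauthenticated client is offered."""
    schemes = set(offered_schemes(values)) if status == 401 else set()
    if not schemes:
        return "no-challenge"
    if schemes == {"basic"}:
        return "basic-only"
    return "basic-plus-other" if "basic" in schemes else "no-basic"

def probe(url, timeout=10):
    """Send an unauthenticated PROPFIND; return (status, challenge headers)."""
    parts = urlsplit(url)
    tls = parts.scheme == "https"
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("PROPFIND", parts.path or "/", headers={"Depth": "0"})
        resp = conn.getresponse()
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()

# Constructed sample responses (not captured from the reporter's server).
SAMPLES = {
    "basic only": (401, ['Basic realm="Example", charset="UTF-8"']),
    "basic and bearer": (401, ['Bearer realm="Example"', 'Basic realm="Example"']),
    "anonymous allowed": (207, []),
}

if __name__ == "__main__":
    for name, (status, values) in SAMPLES.items():
        print(f"{name}: {classify(status, values)}")
    # Real check: classify(*probe("https://cloud.example.org/remote.php/dav/"))
```

A `basic-only` result means the only sign-in the server offers to an unauthenticated client is Basic, which is the case the host allow-list workaround above addresses.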