[Bug]: WebDAV: Microsoft Office warns about unsecure sign-in method on save #41192

vansante opened this issue Oct 30, 2023 · 10 comments
@vansante

⚠️ This issue respects the following points: ⚠️

Bug description

After creating a WebDAV share on Windows, and saving a new file with Microsoft PowerPoint to that WebDAV share, PowerPoint shows a warning about unsecure sign-in method.

image

Steps to reproduce

  1. Create a WebDAV mount on Windows (11).
  2. Open Office PowerPoint
  3. Create a new PowerPoint presentation
  4. Save the Powerpoint presentation to a new file on the WebDAV mount.
  5. The warning appears

Expected behavior

No warning appears

Installation method

Official All-in-One appliance

Nextcloud Server version

25

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

None

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

# sudo -u www-data php occ config:list system
{
    "system": {
        "one-click-instance": true,
        "one-click-instance.user-limit": 100,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "check_data_directory_permissions": false,
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "overwritehost": "dev.paulvansanten.nl",
        "overwriteprotocol": "https",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "dev.paulvansanten.nl"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "27.1.2.1",
        "overwrite.cli.url": "https:\/\/dev.paulvansanten.nl\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "loglevel": "2",
        "log_type": "file",
        "logfile": "\/var\/www\/html\/data\/nextcloud.log",
        "log_rotate_size": "10485760",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "preview_max_x": "2048",
        "preview_max_y": "2048",
        "jpeg_quality": "60",
        "enabledPreviewProviders": {
            "1": "OC\\Preview\\Image",
            "2": "OC\\Preview\\MarkDown",
            "3": "OC\\Preview\\MP3",
            "4": "OC\\Preview\\TXT",
            "5": "OC\\Preview\\OpenDocument",
            "6": "OC\\Preview\\Movie",
            "7": "OC\\Preview\\Krita",
            "0": "OC\\Preview\\Imaginary"
        },
        "enable_previews": true,
        "upgrade.disable-web": true,
        "mail_smtpmode": "smtp",
        "trashbin_retention_obligation": "auto, 30",
        "versions_retention_obligation": "auto, 30",
        "activity_expire_days": "30",
        "simpleSignUpLink.shown": false,
        "share_folder": "\/Shared",
        "one-click-instance.link": "https:\/\/nextcloud.com\/all-in-one\/",
        "upgrade.cli-upgrade-link": "https:\/\/github.com\/nextcloud\/all-in-one\/discussions\/2726",
        "updatedirectory": "\/nc-updater",
        "davstorage.request_timeout": 3600,
        "htaccess.RewriteBase": "\/",
        "dbpersistent": false,
        "files_external_allow_create_new_local": false,
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "allow_local_remote_servers": true,
        "preview_imaginary_url": "http:\/\/nextcloud-aio-imaginary:9000"
    }
}

List of activated Apps

# sudo -u www-data php occ app:list
Enabled:
  - activity: 2.19.0
  - admin_audit: 1.17.0
  - calendar: 4.5.2
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - deck: 1.11.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - nextcloud-aio: 0.4.0
  - nextcloud_announcements: 1.16.0
  - notes: 4.8.1
  - notifications: 2.15.0
  - notify_push: 0.6.3
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocuments: 8.2.1
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - survey_client: 1.15.0
  - systemtags: 1.17.0
  - tasks: 0.15.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - bruteforcesettings: 2.7.0
  - encryption: 2.15.0
  - files_external: 1.19.0
  - suspicious_login: 5.0.0
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

Empty it seems :(:

# cat /mnt/ncdata/nextcloud.log
#

Additional info

It seems that Office PowerPoint is doing a PROPFIND request without any authentication headers to the server, before showing the warning:

image
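
A way to check what the server offers in reply to that unauthenticated PROPFIND, as an added example that is not part of the original report or of Nextcloud's code: it sends the same kind of request and lists the schemes in the `WWW-Authenticate` challenge. The function names and verdict labels are hypothetical, the URL is supplied by the caller, and reading a Basic-only challenge as the case behind the warning is an assumption based on the Microsoft article linked in this thread.

```python
import http.client
import re
import sys
from urllib.parse import urlsplit


def auth_schemes(header_values):
    """Return the lowercase scheme of every challenge in WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        # Blank out quoted strings so a comma inside realm="a, b" does not split.
        flat = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)
        for piece in flat.split(","):
            piece = piece.strip()
            # "name=value" continues the previous challenge; anything else starts one.
            if piece and not re.match(r"[^\s=]+\s*=", piece):
                schemes.append(piece.split()[0].lower())
    return schemes


def challenge_verdict(status, header_values):
    """Classify the reply to an unauthenticated request (labels are hypothetical)."""
    if status != 401:
        return "no-challenge"
    schemes = auth_schemes(header_values)
    if schemes and all(s == "basic" for s in schemes):
        return "basic-only"        # assumed case behind the Office warning
    if "basic" in schemes:
        return "basic-plus-other"  # another scheme is offered next to Basic
    return "no-basic"


def probe(url, timeout=10):
    """Send a PROPFIND without credentials; return (status, WWW-Authenticate values)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("PROPFIND", parts.path or "/", headers={"Depth": "0"})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python probe.py <WebDAV URL of your own server>
    status, values = probe(sys.argv[1])
    print(status, auth_schemes(values), challenge_verdict(status, values))
```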

@kesselb
Contributor

kesselb commented Oct 30, 2023

Thanks for letting us know 👍

Some background information: https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked

@vansante can you share the "learn more about how to prepare" link with us?

@aodtcr

aodtcr commented Nov 8, 2023

I, too, ran into this issue today for the first time, when saving an Excel file to my Nextcloud server connected via WebDAV. Following this issue with interest.

@kesselb
Contributor

kesselb commented Nov 13, 2023

@ozgurkazancci

Got the same issue as well, following this issue here.

@amjadraza

We are also facing the same issue!

@tanfwc

tanfwc commented Feb 5, 2024

Am facing issue too.

@CoYoNq

CoYoNq commented Mar 13, 2024

Same issue here.
After the latest MS security patches, MS Office (the whole suite) doesn't allow working with files in a WebDAV mount.

As a workaround
https://learn.microsoft.com/en-us/answers/questions/1533479/how-to-enable-basic-authentication-for-multiple-do

In summary:
1 - Download from https://www.microsoft.com/en-us/download/details.aspx?id=49030 the MSoffice administrative templates (only en-us available).
This allows configuring, via the policy group editor (gpedit.msc), the MSoffice package (it adds a new "Microsoft Office 2016" category under USER CONFIGURATIONS - ADMINISTRATIVE TEMPLATES). It works with any MSoffice version.
2 - Execute the downloaded file. It asks for a place to extract the contents.
3 - Enter the ADMX folder, and copy the "office2016.admx" file to the C:/windows/PolicyDefinitions folder. Copy (depending on your language setup) the lang-lang folder too (in my case ES-ES) inside the folder.
4 - Restart to apply changes
5 - Open the policy group editor (run -> gpedit.msc)
6 - Locate the new "Microsoft Office 2016" category under USER CONFIGURATIONS - ADMINISTRATIVE TEMPLATES.
7 - Look for "Security Configuration" "Allow specific host to show basic auth..." and add your NC WebDAV hostname to it
8 - Restart and enjoy no more warnings.

This is only a workaround. The solution, for sure, is to implement a more advanced auth system in the NC webDAV engine.

@crackscout123

CoYoNq

I tried it like this on two machines, one seemed to be working, so I can open files now from my WebDAV but I can't save them x.x
This is so bad for workflow, me and my team have to save everything to the local machine first and then copy it manually :/

@CoYoNq

CoYoNq commented Apr 17, 2024

Maybe you can try an alternative WebDAV client (in my setup I am not using the NC client due to high CPU usage on terminals) like CYBERDUCK.
I am not using it (my issue was solved with the workaround I explain here), but maybe you can temporarily solve your problem with this client (at least for a while, until the NC client is fixed)
