Friday, November 18, 2011

SharePoint 2010 - Impersonation issue in Office and SP2010 when editing a document?


There's a strange behaviour in SharePoint 2010 with Office and impersonated (signed-in-as-different-user) accounts.

The scenario:

  • User A is logged into Windows.
  • User A opens the SharePoint 2010 site and then signs in as a different user (User B).
  • The user (now logged in as User B in SharePoint) edits a Word document that requires check-out.
  • User B checks out the document in SharePoint 2010.
  • But when Word opens, a message is displayed saying 'This document is checked out by User B'.

Or, alternatively:

  • User B opens the Word document; the Word client opens and asks to check it out.
  • The user checks out the document in Word.
  • But when the user tries to save, an error message is displayed, and in SharePoint the user sees that the document is checked out by User A.

The Word document should be editable, because the user context SharePoint passes to Word should be User B, not User A.
It seems that Word is still opening as User A, and because the document is actually checked out to User B it can't be edited.

The answer is that Office and SharePoint do not share the same session context in IE and therefore do not share the same credentials.
All Office applications open a new, internal instance of Internet Explorer and connect to the SharePoint site through it.
If the site is one to which IE will pass Windows/domain credentials automatically (i.e. it is listed in the Intranet zone), Office sends the default Windows credentials (User A) rather than the ones used to sign in to SharePoint (User B).

As to working around it, there are a few possibilities:

  • Remove the site from the local "Intranet Sites" or "Trusted Sites" zone, which will force authentication both for IE and for Office.
  • Give User A the proper permissions and simply use that ID instead.
  • Remove User A's permissions to the item, which will force an authentication request.
  • Log into the workstation as User B.
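The zone-based credential behaviour explained above, and the first workaround (moving the site out of the Intranet or Trusted Sites zone), can be checked on a workstation with the following PowerShell script. It is an added example and not part of the original post; the host name is a placeholder, and it reads only the standard IE ZoneMap and Zones registry keys, which it assumes are in their usual layout.

```powershell
# Added diagnostic, not from the original post: given a SharePoint host name, report the IE
# security zone it maps to and that zone's "Logon" policy (registry value 1A00). Together these
# decide whether the browser session Office opens internally will silently send the logged-on
# Windows user's credentials (User A) rather than prompting.
# Assumptions: standard IE zone registry layout; the host name is a placeholder; for names with
# more than two labels the ZoneMap key layout is simplified to <parent domain>\<first label>.
param([string]$HostName = 'sharepoint.contoso.local')   # placeholder host name

$ZoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LogonNames = @{ 0       = 'Automatic logon with current user name and password'
                 0x10000 = 'Prompt for user name and password'
                 0x20000 = 'Automatic logon only in Intranet zone'
                 0x30000 = 'Anonymous logon' }
$ZoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-SiteZone {
    param([string]$Name)
    # Explicit mappings are keys ZoneMap\Domains\<domain>[\<host>] holding one DWORD zone id per
    # scheme ('http', 'https' or '*'). HKCU is the user's own list; HKLM holds Group Policy entries.
    $labels = $Name.Split('.')
    if ($labels.Count -ge 2) {
        $parent = $labels[1..($labels.Count - 1)] -join '.'
        $candidates = @("$parent\$($labels[0])", $parent)   # most specific key first
    } else { $candidates = @($Name) }
    foreach ($root in 'HKCU', 'HKLM') {
        foreach ($c in $candidates) {
            $key = "${root}:\$ZoneMap\$c"
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($scheme in 'https', 'http', '*') {
                if ($null -ne $props.$scheme) {
                    return [pscustomobject]@{ Zone = [int]$props.$scheme; Source = "$key ($scheme)" }
                }
            }
        }
    }
    # No explicit entry: IE falls back to its intranet heuristics (dotless names, proxy bypass list).
    return $null
}

$site = Get-SiteZone -Name $HostName
if ($null -eq $site) { "No explicit zone mapping for $HostName; check Internet Options manually."; return }
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$($site.Zone)"
$logon = [int](Get-ItemProperty -Path $zoneKey).'1A00'
"$HostName -> zone $($site.Zone) ($($ZoneNames[$site.Zone])) via $($site.Source)"
"Logon policy 1A00 = $logon ($($LogonNames[$logon]))"
if ($logon -eq 0 -or ($logon -eq 0x20000 -and $site.Zone -eq 1)) {
    "Office will send the logged-on Windows credentials silently: move the site out of this zone or set 1A00 to prompt."
}
```

Run it as the affected user, since the HKCU mappings are per profile; a site the script reports as "Local intranet" with automatic logon is exactly the case where Word connects as User A regardless of who signed in to SharePoint.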

Regardless of the above, it is also not best practice for users to use multiple logins when interacting with a site, as it makes basic accountability almost impossible.
For example, if User B deletes a document but the credentials for User B are shared around the office, you have no idea who actually made the change.