Scott alluded to the issue here (http://www.imason.com/blogs/scott_howlett/archive/2009/04/03/ie8-and-crm-3-0-unsupported-browser-or-is-it.aspx), but I’m going to take a deeper dive for all of the SharePoint users experiencing the following problem.

Set-up: SharePoint 2007 using Forms Based Authentication (FBA)

Problem: When trying to access the root site URL to log in, some users experience a blank screen or a 403 Forbidden error instead of the forms login page.

Reason...and it might shock you: Because of a conflict between the new Office Live Components and a by-design condition in WSS 3.0’s implementation of WebDAV, SharePoint gets confused, thinks that the web request is for WebDAV and returns a 403 error code.

Let’s look a little deeper...

If a user has installed the new Office Live Components (http://www.microsoft.com/downloads/details.aspx?FamilyID=91fe0002-eb00-434b-8726-27911326d2b2&DisplayLang=en), two new entries are added to Internet Explorer’s user agent on each GET request: OfficeLiveConnector.1.3 and OfficeLivePatch.0.0.

GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/x-silverlight, application/x-silverlight-2-b2, */*
Accept-Language: en-ca
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; MS-RTC LM 8; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)
Accept-Encoding: gzip, deflate
Host: mysharepointsite.com
Connection: Keep-Alive

But the WebDAV implementation in SharePoint looks specifically for the substring “Office” in the user agent to make some assumptions about the request:

From: http://msdn.microsoft.com/en-us/library/cc250199(PROT.10).aspx

<4> Section 2.2.8: The WebDAV server in Windows SharePoint Services 3.0 technology checks the product tokens in the User-Agent request-header field sent with a request for the presence of "Mozilla" and the absence of either "Office", "FrontPage", or "non-browser" to determine whether to send an HTTP 302 redirect message to a login page when using ASP.NET Forms Authentication for unauthenticated clients. Otherwise, the server assumes that the client user agent is not a browser and will return either an HTTP 401 "Unauthorized" error to prompt authentication when using Windows Integrated authentication, or an HTTP 403 "Forbidden" error when using ASP.NET Forms Authentication along with an X-MSDAVEXT_ERROR message [MS-WDV] section 2.2.3 with an Extended-error value of 917656. This specific error combination is used by the Windows client WebDAV Redirector as a signal to send a Cookies request-header along with the request. If the Windows client does not have a Forms Authentication cookie, the server will resend the HTTP 403 error with the X-MSDAVEXT_ERROR message with an Extended-error value of 917656, as a signal to the Windows client that it needs to prompt the user to authenticate.

So there you have it: the new Office Live Components add new entries to the IE user agent, and because those entries contain the substring “Office”, SharePoint’s WebDAV implementation treats the request as coming from a WebDAV-compatible client (not a browser) and returns an error.
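
The rule quoted above can be turned into a quick triage check for finding affected users in IIS logs. This is an added example, not code from the original post or from SharePoint; it assumes case-sensitive substring matching and W3C logs that include the cs-uri-stem, cs(User-Agent) and sc-status fields, and the sample log lines are constructed.

```python
# Added example: models the User-Agent rule quoted from MS-WDV section 2.2.8 and
# uses it to find browser users wrongly sent 403 under Forms Based Authentication.
NON_BROWSER_TOKENS = ("Office", "FrontPage", "non-browser")


def blocking_tokens(user_agent):
    """Return the tokens that make WSS 3.0 treat this agent as a non-browser."""
    # Assumption: plain case-sensitive substring matching.
    return [t for t in NON_BROWSER_TOKENS if t in user_agent]


def fba_status(user_agent):
    """Status an unauthenticated request gets under FBA, per the quoted rule."""
    if "Mozilla" in user_agent and not blocking_tokens(user_agent):
        return 302  # redirect to the forms login page
    return 403      # treated as a WebDAV client (X-MSDAVEXT_ERROR 917656)


def misclassified_browsers(log_lines):
    """Yield (uri, tokens) for 403s whose agent is a browser with a blocking token."""
    fields = []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        # IIS W3C logs write spaces inside the User-Agent as '+'.
        agent = row.get("cs(User-Agent)", "").replace("+", " ")
        tokens = blocking_tokens(agent)
        if row.get("sc-status") == "403" and "Mozilla" in agent and tokens:
            yield row.get("cs-uri-stem"), tokens


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs(User-Agent) sc-status",
    "2009-05-01 10:00:01 GET / Mozilla/4.0+(compatible;+MSIE+8.0;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0) 403",
    "2009-05-01 10:00:05 GET / Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 302",
    "2009-05-01 10:00:09 PROPFIND /docs Microsoft-WebDAV-MiniRedir/6.0.6001 403",
]

if __name__ == "__main__":
    for uri, tokens in misclassified_browsers(SAMPLE_LOG):
        print(uri, tokens)
```

Genuine WebDAV clients also receive 403 by design, so only the entries that contain "Mozilla" together with one of the listed tokens point to the browser problem described here.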

I’ve come across two other people with the same issue, so you can check out the following links for more details:

I was really hoping that WSS 3.0 SP2 would have patched up this issue, but when I installed it recently, sadly no fix.

Workarounds: Unfortunately, I still haven’t come across a silver bullet solution for this but there are a couple things that you can do (I’m open to other ideas too if you want to suggest them in the comments):

1) Get your users to hit the FBA login page directly; for instance, instead of going to http://mysharepointsite, get them to go to http://mysharepointsite/_layouts/<FBALoginPage>.aspx?ReturnUrl= (notice the ReturnUrl query string parameter -> it’s mandatory).

2) Get your users to change their user agent by uninstalling the Office Live Components or using a tool like the User Agent Picker: http://www.enhanceie.com/ietoys/uapick.asp. This isn’t an ideal approach, but it does work.

Hope this helps someone else!