SharePoint Designer and Modern Authentication
Published Mar 22 2019 10:24 AM 91.2K Views
Microsoft

I’ve seen a few requests from customers encountering authentication issues with SharePoint Designer 2013 after disabling legacy authentication (IDCRL) in SharePoint Online. While SharePoint Designer wasn’t natively designed to work with Modern Authentication (ADAL), there are updates available that allow it to work.

 

Most Office 2013 applications will be able to successfully use modern authentication once the EnableADAL=1 registry key has been set as documented in this article:

 

Enable Modern Authentication for Office 2013 on Windows devices

https://support.office.com/en-us/article/Enable-Modern-Authentication-for-Office-2013-on-Windows-dev...

 

But SharePoint Designer has additional requirements that need to be met before it will attempt to use Modern Authentication. Without meeting all the requirements, the typical experience will be a repeated authentication challenge with a generic credential dialog like this:

 

SPD_Legacy_Challenge.png

 

When successfully authenticating with SharePoint Online, the "Sign in" dialog should look like this:

SPD_Modern_Challenge.png

 

 

 

 

Modern Authentication (ADAL) support

For SharePoint Designer to attempt modern authentication the following requirements must be met:

 

1. The EnableADAL registry key referenced earlier must be set to 1 and the Type must be REG_DWORD:

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\Identity\EnableADAL = 1

Regedit_EnableADAL.png

 

2. The following files must be at least these minimum versions:

ADAL.dll - 1.0.1933.710 or greater

MSO.dll - 15.0.4625.1000 or greater

CSI.dll - 15.0.4625.1000 or greater

 

By default, these DLL files will be in one of the following locations, depending on whether the 32-bit or 64-bit version of SharePoint Designer is installed:

32-bit folder: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\

64-bit folder: C:\Program Files\Common Files\Microsoft Shared\OFFICE15\

 

3. If these Office 2013 applications are installed, they should be at minimum:

GROOVE.EXE - 15.0.4625.1000 or greater

OUTLOOK.EXE - 15.0.4625.1000 or greater

 

By default, these EXE files will be in one of the following locations, depending on whether the 32-bit or 64-bit version of SharePoint Designer is installed:

32-bit folder: C:\Program Files (x86)\Microsoft Office\Office15

64-bit folder: C:\Program Files\Microsoft Office\Office15

 

Need to identify which DLLs are actually loading?  See the Advanced Information section below.
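
The three requirements above can be checked in one pass with PowerShell. This is an added example, not code from the original article; it searches only the default folders listed above, so files installed elsewhere are reported as not found.

```powershell
# Added example: audit the modern-auth prerequisites for SharePoint Designer 2013.
# Key path, file names, folders and minimum versions are the ones listed on this page.
$key   = Get-Item 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity' -ErrorAction SilentlyContinue
$value = if ($key) { $key.GetValue('EnableADAL', $null) } else { $null }
if ($null -eq $value) {
    'FAIL  EnableADAL is not set'
} else {
    # The type must be REG_DWORD, so a string "1" is reported as a failure.
    $kind = $key.GetValueKind('EnableADAL')
    if ($kind -eq 'DWord' -and $value -eq 1) {
        'OK    EnableADAL = 1 (REG_DWORD)'
    } else {
        "FAIL  EnableADAL = $value ($kind); expected 1 (DWord)"
    }
}

$dllDir = 'Common Files\Microsoft Shared\OFFICE15'
$exeDir = 'Microsoft Office\Office15'
$checks = @(
    @{ Name = 'ADAL.dll';    Dir = $dllDir; Min = '1.0.1933.710';   Optional = $false },
    @{ Name = 'MSO.dll';     Dir = $dllDir; Min = '15.0.4625.1000'; Optional = $false },
    @{ Name = 'CSI.dll';     Dir = $dllDir; Min = '15.0.4625.1000'; Optional = $false },
    @{ Name = 'GROOVE.EXE';  Dir = $exeDir; Min = '15.0.4625.1000'; Optional = $true },
    @{ Name = 'OUTLOOK.EXE'; Dir = $exeDir; Min = '15.0.4625.1000'; Optional = $true }
)
# Covers 32-bit and 64-bit installs from either a 32-bit or a 64-bit PowerShell host.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:ProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique

foreach ($c in $checks) {
    $hits = @($roots | ForEach-Object { Join-Path (Join-Path $_ $c.Dir) $c.Name } |
        Where-Object { Test-Path -LiteralPath $_ })
    if ($hits.Count -eq 0) {
        # GROOVE.EXE and OUTLOOK.EXE only matter if those applications are installed.
        if ($c.Optional) { "SKIP  $($c.Name) not installed" } else { "FAIL  $($c.Name) not found" }
        continue
    }
    foreach ($path in $hits) {
        $vi     = (Get-Item -LiteralPath $path).VersionInfo
        $actual = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $state  = if ($actual -ge [version]$c.Min) { 'OK  ' } else { 'FAIL' }
        "$state  $path  $actual (minimum $($c.Min))"
    }
}
```

Run it as the user who launches SharePoint Designer, because the EnableADAL value lives under HKEY_CURRENT_USER.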

 

Where to get the required patches

The first step is to run Windows Update on your computer and make sure all Office 2013 updates have been installed. If you can’t get the updates via Windows Update the following article provides links to the most recent updates for many of the Office 2013 components.

List of the most current .msp files for Office 2013 products

https://docs.microsoft.com/en-us/officeupdates/msp-files-office-2013  

 

You can search the article for “SPD”, “MSO” and “CSI” to find the latest patches for those components. As of December 2019, those entries are:

 

Filename | Product | Release date | KB number

spd-x-none | SharePoint Designer 2013 | August 2, 2016 | 3114721

mso-x-none | Office 2013 | September 10, 2019 | 4475607

csi-x-none | Office 2013 | July 11, 2017 | 3172545

 

ADAL.dll isn’t listed in that article, but the most recent update is available here:

 

ADAL.dll | Office 2013 | June 14, 2016 | KB3085565

 

 

 

Also note that SharePoint Designer, and other Office applications, cache credentials in Windows Credential Manager. If SharePoint Designer is still failing to authenticate after updating the files, close all Office 2013 applications, open Credential Manager (Control Panel -> User Accounts -> Manage Windows Credentials) and “Remove” all entries that begin with “MicrosoftOffice15”.

 

 

Advanced Information

 

How can I tell exactly which DLLs are being loaded by SharePoint Designer?

The “Process Explorer” tool is excellent for this:

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

 

Make sure SharePoint Designer and Process Explorer are both running.

In Process Explorer select “SPDESIGN.EXE” in the “Process” list.

Click on the “View” menu and choose “Lower Pane View” > “DLLs”

Click on the “View” menu and choose “Select Columns”, select the “DLL” tab, and then check the “Version” checkbox.

Now you can easily verify the version and location of the DLLs.

For example, here is what x86 SharePoint Designer SP1 looks like. I sorted by the “Path” column and can easily see that ADAL.DLL and MSO.DLL are below the minimum requirement needed for Modern Authentication:

SPD_SP1_Process_Explorer.png

 

After running Windows Update and making sure the patches are installed it looks like this:

SPD_Patched_Process_Explorer.png

 

 

How can I tell if SharePoint Designer is attempting to use Modern Authentication?

Fiddler.exe from https://www.telerik.com/fiddler is a great tool for seeing the HTTP/HTTPS network traffic involved. To see the details of the HTTPS traffic you’ll first need to go to Tools -> Options -> HTTPS -> “Decrypt HTTPS traffic”.

 

Modern vs legacy authentication is negotiated when the client application attempts to connect to SharePoint Online. This negotiation is handled by headers that are added to the request. The client application will include headers advertising the authentication methods that it supports and SPO will return an HTTP 401 Unauthorized response with matching WWW-Authenticate headers for each of those methods that it also supports.

 

The legacy authentication headers are:

X-IDCRL_ACCEPTED: t

X-FORMS_BASED_AUTH_ACCEPTED: T

 

The modern authentication header is:

Authorization: Bearer

 

If the server doesn’t support any of the authentication methods the client advertised, then no WWW-Authenticate header will be returned, and the client will display a generic credential prompt which isn’t going to work with SPO.

 

Here is an example of what that looks like in Fiddler. You can see that SharePoint Designer (which appears as spdesign:9956 in the Process column) advertised support for legacy authentication only, by including only the X-IDCRL_ACCEPTED: t header. Since legacy authentication is currently disabled in the SharePoint Online tenant, the 401 response doesn’t include the WWW-Authenticate header necessary for SharePoint Designer to move forward with authentication:

SPD Legacy Only.png

 

 

NOTE: The svchost process seen in this Fiddler trace is the WebClient Service making WebDAV calls attempting to populate the File Open dialog for SharePoint Designer. WebDAV can’t authenticate directly to SPO and instead needs to find an existing persistent cookie. I don’t have a persistent cookie and therefore all of those requests result in 401 Unauthorized responses as expected.

 

After running Windows Update and making sure my components are patched properly, Fiddler shows that SharePoint Designer advertised support for both Modern (Authorization: Bearer) and Legacy (X-IDCRL_ACCEPTED: t). Since my SharePoint Online tenant has blocked legacy authentication the 401 response includes only a WWW-Authenticate header for Modern / Bearer authentication which includes the information SharePoint Designer needs to proceed.

 

SPD_Patched_Fiddler_Modern.png
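
The negotiation check described above, applied to header text copied from a Fiddler session, as an added PowerShell example that is not part of the original article. The function name, the host name and the sample request and response are constructed for illustration; only the header names come from this page.

```powershell
# Added example: classify one request/401 pair the way the article reads it in Fiddler.
function Get-SpoAuthNegotiation {
    param([string]$RequestHeaders, [string]$ResponseHeaders)

    $req = @($RequestHeaders  -split "`r?`n" | ForEach-Object { $_.Trim() })
    $res = @($ResponseHeaders -split "`r?`n" | ForEach-Object { $_.Trim() })

    # What the client advertised
    $legacy = @($req | Where-Object { $_ -match '^(X-IDCRL_ACCEPTED|X-FORMS_BASED_AUTH_ACCEPTED)\s*:' })
    $modern = @($req | Where-Object { $_ -match '^Authorization\s*:\s*Bearer\b' })

    # What the server offered back
    $is401  = $res[0] -match '^HTTP/\S+\s+401\b'
    $offers = @($res | Where-Object { $_ -match '^WWW-Authenticate\s*:' })
    $bearer = @($offers | Where-Object { $_ -match '^WWW-Authenticate\s*:\s*Bearer\b' })

    if (-not $is401) {
        $verdict = 'Not a 401 challenge; no negotiation in this session'
    } elseif ($modern.Count -gt 0 -and $bearer.Count -gt 0) {
        $verdict = 'Modern authentication negotiated'
    } elseif ($offers.Count -eq 0 -and $modern.Count -eq 0) {
        $verdict = 'Client advertised legacy only and the server offered nothing: re-check EnableADAL and the file versions'
    } elseif ($offers.Count -eq 0) {
        $verdict = 'Server returned no WWW-Authenticate header for any advertised method'
    } else {
        $verdict = 'Challenge offered, but not a matching Bearer pair (legacy methods in play)'
    }

    New-Object psobject -Property @{
        ClientLegacy = ($legacy.Count -gt 0)
        ClientModern = ($modern.Count -gt 0)
        ServerOffers = $offers
        Verdict      = $verdict
    }
}

# Constructed sample: an unpatched client against a tenant with legacy auth disabled.
$request = @'
GET https://tenant.example/ HTTP/1.1
X-IDCRL_ACCEPTED: t
'@
$response = @'
HTTP/1.1 401 Unauthorized
Content-Length: 0
'@
(Get-SpoAuthNegotiation -RequestHeaders $request -ResponseHeaders $response).Verdict
```

Feed it the spdesign rows only; the svchost (WebClient) requests in the same trace are expected to return 401 for the reason given in the NOTE above.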

 

 

 

21 Comments
Brass Contributor

Hi Walter,

Basic/Legacy authentication has been turned off on our Microsoft 365 SharePoint site.  So I updated my registry key as required so I could use SharePoint Designer 2013.

ADAL_reg.png

 

However ....  I can not seem to get my SPD 2013 to authenticate to SharePoint using modern authentication.  The login window just keeps refreshing, with no error message, and it is the 'old' login form.

LogonForm.png

 

Following your wonderfully documented verification methods, I used Fiddler as you suggested to trace the headers, and I see that SharePoint Designer 2013 never ever sends the "Authorization: Bearer" header.  I only see the legacy headers (X-IDCRL_ACCEPTED and X-FORMS_BASED_AUTH_ACCEPTED)  which would explain why I can't authenticate.

 

But I do not understand why SharePoint Designer never advertises that it supports modern authentication.  Is there something else that I need to change besides the Identity registry key?

 

I actually even uninstalled then reinstalled SP 2013, running Windows Update to make sure it got all the required updates.

 

I verified that all the dll's you mentioned are current:

ADAL.dll = 1.0.2019.909

MSO.dll = 15.0.5127.1000

CSI.dll = 15.0.4941.1000

SPDESIGN.EXE = 15.0.5849.1000

 

As a note, when I looked at the list of DLLs in process explorer, ADAL.dll was not in the list.  MSO and CSI were.

 

I have cleared my Credentials through Credential Manager. 

 

I deleted files in the following folders:

\appdata\roaming\Microsoft\web server extensions\Cache

\appdata\local\Microsoft\websitecache

\appdata\local\sharepoint designer\proxyassemblycache

 

I also cleared the "Cache site data across SharePoint Designer sessions" application option checkbox in SPD 2013 (File > Options > General > Application Options)

 

Also tried logging into SharePoint first, getting into Classic mode, then trying the 'edit in SharePoint Designer' icon.  However, that simply took me to the Microsoft download page for sharepoint designer ??!!?

 

If I go ahead and re-enable basic authentication, all is well and I can get in.  But from everything I'm reading, including your article, it looks like I should be able to do this even with the modern authentication.

 

I am on a Windows 7, and we authenticate to Azure AD, using AD Connect to sync our on-premises Active Directory.  I currently have multi-factor authentication also turned on, but I don't think I am even getting that far.  I have global admin privileges.

 

Any ideas ?

 

Frustrated,

Betty Stolwyk

 

 

 

 

 

 

 

Copper Contributor

Same problem here

Copper Contributor

Why not simply bring another actual version of SharePoint Designer (at least for onPrem environments)? I mean, it is hard to explain to a customer, why they have to use a 2013(!) client "administrating" a 2016 or even 2019 environment. It's even harder to understand why Microsoft let the SPD die.

Brass Contributor

@airliner - Agreed!  

Brass Contributor

All the download links inside the KB articles you linked are now dead ! :facepalm:

Microsoft

@Betty Stolwyk and @Saul Silva - I recently worked with a customer experiencing authentication failures in SPD due to information cached by the WebClient service (the Windows service responsible for the WebDAV calls).  On their system they could use Modern auth with SPD the first attempt after a reboot, but if they closed SPD and relaunched it it would fail going forward.  We found that restarting the WebClient service before launching SPD worked consistently for them. I'm curious if you are experiencing the same issue.  You can restart the WebClient service in Services.msc or you can create a simple bat file that can be run as Administrator with the following contents:
---------------------------------
net stop webclient
net start webclient
pause
---------------------------------

 

Microsoft

@Grzegorz Wierzbicki  - Thanks - I'll follow-up internally.

 

Update - I've followed-up internally and this should be fixed soon.  In the meantime, if you need to download a file right now this is an issue with the word "downloads" vs. "download" in the URLs. If you get a 404 you can remove the "s" from downloads and it should work.

 

For example, from: Download update KB3114721 for 32-bit version of SharePoint Designer 2013

Change this:

https://www.microsoft.com/downloads/details.aspx?familyid=542abe1a-9727-475c-8d62-87b6f0077e24

To this:

https://www.microsoft.com/download/details.aspx?familyid=542abe1a-9727-475c-8d62-87b6f0077e24

Brass Contributor

@Walter Warren 

The links are fixed now :)

Many thanks for a fast response!

Brass Contributor

@Walter Warren 

KB4462201 links are still broken (or again?)

Copper Contributor

Following this document from top to bottom got my issue resolved. 

Brass Contributor
I already have the KB installed, and just change the registry and it's working.
Brass Contributor

@Walter Warren I have to apologize about not responding to your thoughtful suggestion.  I had gotten sidetracked and even more so now.  I believe I did a quick test of that and it made no difference.  Some configuration changes have happened since I reported this though, so I will really need to start from scratch again looking at this.  And that won't be happening for awhile!  But even though it would not appear so, I do appreciate your quick response and suggestion.  :)

 

Betty

Copper Contributor

This worked like charm. Thanks so much.

Just to summarize the steps for other users:

  1. Open IE and check the site first and keep login
  2. Check all the dlls are updated or not
  3. Check ADAL registry settings set to 1
  4. Update all patches https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/sharepoint-designer-and-modern-auth...
  5. Restart your system
  6. Connect IE again and keep login
  7. Open SPD and connect now. It will WORK

Regards,

Ravi Thapliyal

Copper Contributor

I have tried everything in this article and discussion but still get the "Your account is in a bad state" error.  I have cleared everything from credentials, confirmed all the versions etc.  I think the login box I am getting is the correct one (not legacy).  My machine has only ever had Click and Run O365 on it since new (around 2018).

jpottaway_0-1626239587881.png

 

Copper Contributor

Reporting Support on sharepoint for MAC

 

Trying to generate a report for my customized view in Mac. It defaults to iqy extension and does not have the data in that file.

How can I export to Excel?

Copper Contributor

Anyone found any workarounds? Followed all the steps and still no Modern Auth on opening the sites.

Brass Contributor

@Jarcque_Admin - we have just moved on to Power Automate (Flow).  I know that's a non-answer, but depending on the workflow, it's possible it won't be too hard to modify.  I got started with Todd Klindt's article about the SharePoint Modernization scanner.  This is a tool to help you find SPD workflows (among other things) and it gives a bit of info on its compatibility with Power Automate flows.  It will tell you which SPD commands do not have a match in Power Automate.  I started with what looked like it would be the easiest based on the results of that analysis, then went on from there.  

 

In case you decide to take the plunge, here are a few references that got me started:

 

Migrate from SPD to Power Automate Flows

https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=873

 

Guidance: Migrate from classic workflows to Power Automate flows in SharePoint

https://docs.microsoft.com/en-us/sharepoint/dev/business-apps/power-automate/guidance/migrate-from-c...

 

Business apps and business process automation
https://docs.microsoft.com/en-us/sharepoint/dev/business-apps/introduction-to-sharepoint-business-pr...

 

SharePoint Power Automate Documentation
https://docs.microsoft.com/en-us/sharepoint/dev/business-apps/power-automate/sharepoint-connector-ac...

 

Learn Power Automate
https://docs.microsoft.com/en-us/learn/browse/?products=power-automate&term=Power%20Automate&terms=P...

 

Power Automate Documentation
https://docs.microsoft.com/en-us/power-automate/?utm_source=flow-sidebar&utm_medium=web

 

Copper Contributor

After the ADAL reg key, it might not still work.  The workaround for me was to navigate to the site in IE, switch a list or library to 'classic' view, then 'Edit Library' via the ribbon.  It then prompted to launch SPD13, gave an allow dialogue, and connected up.

Copper Contributor

ADAL is retiring in 2022. This workaround is no longer valid.

Brass Contributor

We are facing this issue at my company.  Anyone get it to work consistently? 

Brass Contributor

@JohnForth I installed SharePoint Designer 2013 32-bit just now and got this to work.  One thing I found is that SharePoint Designer Service Pack 1 needs to be installed first before the updates below.  I clicked on "no" at the reboot prompt after Service Pack 1 was installed and was able to continue with the rest of the updates.

 

spd-x-none | SharePoint Designer 2013 | August 2, 2016 | 3114721

mso-x-none | Office 2013 | September 10, 2019 | 4475607

csi-x-none | Office 2013 | July 11, 2017 | 3172545

ADAL.dll | Office 2013 | June 14, 2016 | KB3085565

 

I confirmed that I can now sign in with multi-factor authentication in SharePoint Designer 2013.  Microsoft recently announced the end of life for Office 2013 on 4/11/2023.  The apps will still work, but Microsoft won't provide security updates or support for Office 2013.

Last update: Apr 30 2021 12:42 PM