Convert Microsoft Office files

The Conversion Service uses Microsoft Office applications to process jobs containing Word, Excel, and PowerPoint documents. One of two options can be selected when setting up the service with the Conversion Service Configurator:

• Conversion with a local Microsoft Office installation on the same server
• Conversion via the Office for the web service in the Microsoft Azure Cloud

The conversion options differ with regard to parameters, quality and performance.

In all cases, embedded documents from Office documents in Open XML format (e.g. DOCX, XLSX, PPTX) are extracted in a destructuring step prior to conversion. Macro instructions are disabled in all options.

Choosing the Office conversion option for your installation

Conversion quality with respect to the layout and high visual resemblance is the reason why two options from Microsoft are offered for this processing step. The conversion quality is equally high with both options and no relevant differences were identified in a detailed comparison.

It is recommended that you use the local Microsoft Office installation on the same server in these cases:

• If performance is a key concern. Cloud-based conversions may have significant overhead for uploading and downloading file contents. Conversions may also be throttled.
• Large documents (> 100 MB) need to be converted.
• Numerous large Excel documents need to be converted.
  • The local Microsoft Office Installation supports fit to page options for Excel.
  • Excel files that contain multiple sheets and hundreds of pages cannot be converted with the Office for the web service.
• The data set contains Word documents that can be repaired with a local Microsoft Office installation.
• Password-protected documents need to be converted.
• Macro-enabled spreadsheet templates (XLTM), macro-enabled presentation files (PPTM) or WordProcessingML files (WordML) need to be converted.
• Special fonts or custom fonts are used in the documents.
  • The fonts can be installed on the server and used with a local Microsoft Office installation, but cannot be provided for the Office for the web service.
  • In any case, the Office for the web service has generally more fonts available than are typically installed on a Windows server installation.
• Data needs to be stored in the local environment due to security concerns or the server cannot be connected to the Internet.
  • For the conversion with the Office for the web service, the documents are uploaded and temporarily stored in the Azure cloud. The geographical location where the data is temporarily stored depends on the subscription.

It is recommended that you use the Office for the web service in these cases:

• Smaller files (smaller than 100 MB), and mainly Word documents need to be converted.
• Documents were originally created with the Office for the web service.
• It is planned to use the Docker version of the product in production.
• Lower installation, maintenance, and configuration effort is required.

---

Convert using a local Microsoft Office installation

caution

For Microsoft licensing compliance, every client that sends jobs with Word, Excel or PowerPoint documents to the Conversion Service must be licensed for Microsoft Office.
For more information, see Licensing Microsoft Office software in Commercial Licensing on the Microsoft site.

If you want to convert using a local Microsoft Office installation, you must have a compatible version of Microsoft Office installed on the Conversion Service server:

Office version
Office 2016 (64-bit)
Office 2019 (64-bit)
Office 2021 (64-bit)
Office 365 (64-bit)

The recommended and supported language package is English (United States).

Microsoft Office version compatibility

For optimal conversion results, it is recommended you use the same Microsoft Office version as that used to create the documents. In any case, the Conversion Service only supports Microsoft Office 2016 and later.

Installing & configuring the local Microsoft Office installation

• For Microsoft Office 2016, take care when installing the 64-bit version. The default option in the installation wizard is 32-bits for Office versions up to Office 2016.
• In general, it is recommended that you use a static license key (device license) regardless the Office version. For Microsoft Office 365, use a static license key rather than a user login, particularly in production environments. If you use a user login, pop-up dialog windows may be triggered from time to time, which can block conversion or cause other problems.
• After installing your Office version, you need to activate the license for the Office applications.
• Check the Office installation by opening a sample document in Word, Excel, and PowerPoint and ensure that there are no pop-up dialog windows that must be closed manually.
• When language-dependent features such as hyphenation are used in the documents, check that you have installed the corresponding language pack.

Windows Defender real-time protection

If you use Windows Defender real-time protection in your installation, make sure to check that the Windows Defender rules have been enabled in the Conversion Service Configurator. Otherwise, the conversion process may be affected.

To do this in the Configurator, go to the Conversion Service tab and check that the Windows Defender Rules toggle switch is turned on.

If you use group policies, check that they allow for exceptions.

Third-party anti-virus software

Third-party anti-virus software such as Bitdefender may block some Conversion Service operations, preventing it from starting or accessing Office applications. To guarantee successful conversion, you must add any application exceptions to your third-party anti-virus software.

Set up in Windows

A dedicated user account is required for the local Office installation. You can either set up the local installation with:

• an automatically generated local user account
• an existing user account

Use an automatically generated user account

This is the recommended option for most servers unless certain restrictions for the Log on as a batch job or Allow log on locally security policies apply or the server is managed by a domain controller.

With this option, the Conversion Service creates and automatically configures a local user account ConvsrvOfficeUser with a secure random password.

These properties and settings are set automatically:

• The account is automatically added to the Users group.
• The password is encrypted using the Windows Data Protection API before it is stored to a configuration file.
• The Allow log on locally and the Log on as a batch job security policies are granted to this user.
• The registry and DCOM permissions for Word, Excel, and PowerPoint are adjusted.

To set up an automatically generated user account in the Configurator:

1. Go to the Conversion Service tab.
2. For Office Conversion, click the Configure button.
3. Select Local Office Installation and Automatically Create a User Account and click Next.
4. ConvsrvOfficeUser appears in the username field with a random password. Click Apply.

Use an existing user account

This option is intended for servers that have certain security restrictions or servers that are managed by a domain controller and prohibit local user accounts. In these cases, you need to provide an existing (local or domain) user account. The account has to be created manually and is not modified by the Configurator.

In addition, you need to grant the Allow log on locally and the Log on as a batch job security policies to this existing user or add the user to a group with these permissions.

It is recommended that you set up the user account with minimum user rights. You should not assign the user account to the Administrators group. You need to update the configuration if the password of the user is changed or expires.

These properties and settings are set automatically:

• The password is encrypted using the Windows Data Protection API before it is stored to a configuration file.
• The registry and DCOM permissions for Word, Excel, and PowerPoint are adjusted.

caution

If you are using a domain user account, you need to disable any group policies that force a password change at a regular interval for that user. Otherwise, you need to reset the password for the Office configuration setup every time the domain user password changes.

To set up an existing user account in the Configurator:

1. Go to the Conversion Service tab.
2. For Office Conversion, click the Configure button.
3. Select Local Office Installation with an Existing User Account and click Next.
4. Enter the username and password for the user account.
   The Conversion Service accepts all standard formats for Windows users (both Username@domain and domain\Username formats). Username is automatically resolved to ServerName\Username.
5. Click Apply.

Set up in Docker container

Office documents can be converted by sending them to another instance of the Conversion Service running on Windows. Office document conversion can be activated as follows:

1. Set up and run the service on Windows.
2. Enable Office Conversion in the Processing Steps section of your profile. Note that this is active by default.
3. When starting the Docker container, set the WINDOWS_SERVICE_ENDPOINT environment variable:

docker run -dp 13033:13033 ... \
  -e WINDOWS_SERVICE_ENDPOINT=http://server:13033/conversion/v1.0/rest \
  pdftoolsag/conversion-service

Note that if the Windows service uses HTTPS, its host certificate must be trusted by the Docker container. Otherwise no connection can be established. By default, no trusted certificates are installed.

4. Copy trusted certificates to /usr/local/share/ca-certificates/.
5. Run the command update-ca-certificates.

Convert using the Microsoft Office for the web service

The Office for the web service option converts the documents using a Microsoft Azure Cloud service. Technologies used with this option include the Microsoft Authentication Library (MSAL), the Microsoft Graph API, and the Microsoft Sharepoint API.

The Office file conversion involves these steps:

1. A file is uploaded to the configured user's OneDrive.
2. The file is converted to PDF and downloaded.
3. Finally, the uploaded file is deleted from the user's OneDrive

Connection to the cloud is via HTTPS. Bear in mind that the files (although encrypted) are transmitted via the Internet.

caution

You need a valid license to allow the Conversion Service to convert Word, Excel, and PowerPoint documents. This means you must have:

1. Microsoft 365 for business subscription (Azure Cloud tenant) with a dedicated user account
2. An Office 365 license for this dedicated user

You should create a dedicated user account, as full control over this user’s OneDrive is requested.

Set up in Windows

You use the Configurator to set up the Microsoft Office for the web service.

To set up the Microsoft Office for the Web Service in the Configurator:

1. Go to the Conversion Service tab.
2. For Office Conversion, click the Configure button.
3. Select Microsoft Office for the Web Service and click Next.
4. Enter the user account login (usually, an email address) for the Microsoft Office for the Web Service in the Username field.
5. Click Apply.
6. In the Conversion Service tab, a message appears that indicates that changes have been made. Click Save.
7. Sign into the Microsoft 365 user account in the pop-up window that appears. Enter the password for the user account. If your company has set up 2-factor authentication, enter the authenticator code and click Verify.

Set up in Docker

1. Enable Office Conversion in the Processing Steps section of your profile. Note that this option is active by default.
2. You can use the csconfig command from the Docker image to consent to the required application permissions and to initialize the token cache.
   You should create a volume (e.g. convsrv-etc ) to store this file-based cache. The convsrv-etc volume is mounted to /etc/convsrv to provide the tokens to the Conversion Service Docker. The token cache is stored in /etc/convsrv/TokenCaches. The convsrv user requires read and write permissions to this folder.
   Please be aware that the tokens and the binary file containing the tokens are not encrypted. The username myuser@myorganization.onmicrosoft.com and Office type are provided as environment variables SERVICE\__OFFICE\__TYPE and SERVICE\__OFFICE\__USERNAME.

docker volume create --name convsrv-etc 
   docker run --rm --mount "type=volume,src=convsrv-etc,dst=/etc/convsrv" \
   --user root pdftoolsag/conversion-service \
   bash -c "mkdir /etc/convsrv/TokenCaches && chown convsrv:convsrv /etc/convsrv/TokenCaches"
   docker run --mount "type=volume,src=convsrv-etc,dst=/etc/convsrv" \
   -e SERVICE__OFFICE__TYPE=OfficeWebService \
   -e SERVICE__OFFICE__USERNAME=myuser@myorganization.onmicrosoft.com \
   pdftoolsag/conversion-service \
   bash -c "bin/csconfig office webinit"

3. When starting the Docker container, mount the volume convsrv-etc inside the container at /etc/convsrv to provide access to the token cache.
   Set environment variables SERVICE__OFFICE__TYPE and SERVICE__OFFICE__USERNAME according to the configured user and office type.

docker run -dp 13033:13033 ... \
   --mount "type=volume,src=convsrv-etc,dst=/etc/convsrv" \ 
   -e SERVICE__OFFICE__TYPE=OfficeWebService \
   -e SERVICE__OFFICE__USERNAME=myuser@myorganization.onmicrosoft.com \
   pdftoolsag/conversion-service

Troubleshooting

You may encounter problems when setting up and using Office conversion. These are the most common issues found:

Configuration errors
Some of the warnings and errors that can be encountered inside the Configurator during configuration and possible solutions.

Microsoft Office is not installed

Solution:

The conversion of Word, Excel, and PowerPoint documents to PDF requires an installation of Microsoft Office on the same server where the Conversion Service is installed. Install a compatible Microsoft Office version (see compatible Microsoft Office versions).

3-Heights Document Converter installation detected

Solution:

A parallel operation of the Conversion Service and the 3-Heights Document Converter on the same server is not recommended because the Office configurations of the two services interfere and break each other.

User validation failed

Solution:

This error usually occurs when the domain of the domain user is not recognized. Check the spelling and specify the domain by writing the username in SAM or UPN format, e.g. YourDomain\YourDomainUser or YourDomainUser@YourDomain.com, respectively.

Trust relationship failed

Solution:

This error usually signals a connection problem between the server and the domain controller. Check that the server where the Conversion Service is installed is a member of the domain you are trying to access.

Office configuration problem in Configurator

Solution:

This message can occur when a setting related to the Office Configuration was changed after the Office User was configured. Try to configure the Office user again. If the problem persists or another error occurs, contact Support.

The user name or password is incorrect when using a domain user account

The Office conversion suddenly stops working when using a domain user account. In this case, the error is usually caused by a password group policy that forces password change at a regular interval. You need to disable the group policy for that domain user.

Specific errors related to Word, Excel, and PowerPoint documents
These errors are associated with the Microsoft Office application being used.

The document is corrupt or a pop-up dialog window blocks the conversion process.

This error can occur if the document is corrupt or a pop-up blocks the conversion process. It occurs when no progress in the conversion of the Office document was observed for a certain amount of time. If the error was triggered by a pop-up dialog box that is blocking the conversion process, the problem can sometimes be resolved by opening and editing the document manually.

The application WINWORD exceeded the memory limit of 2048 MB.

This error indicates that, during the conversion of a Microsoft Word document (e.g. DOCX), the application process (Microsoft Word) required more than 2048 MB of memory during conversion. This limit is a precaution set by the Conversion Service to support the overall stability of the conversion process.

For further assistance, contact Support, including the input file.

Conversion of test.docx to PDF failed COM Exception: (0x80004005)

If you use Microsoft Windows Defender or another third-party anti-virus software, the conversion process for Office may fail, particulary when using Microsoft Excel.

If this is the case, check:

• Windows Defender Rules are enabled in the Configurator.
• Any exceptions in the Windows Defender Rules are not forbidden by group policy
• Any exceptions are added to any third-party anti-virus software (e.g. Bitdefender)

COM Exception: (0x800a18a0): You are attempting to open a file type xxx that has been blocked by your File Block settings in the Trust Center.

This error occurs when the Trust Center settings block the file. The settings can be adjusted by opening Word (or Excel) as the configured Office User and changing the File Block settings in Office. You need to restart the service after performing this change.

Excel conversion fails with a “Generic” error (COM exception 0x800a03ec)

This error may be caused by:

• the printer spooler or Microsoft Printer.

The printer spooler is required for Office conversion.

If you encounter this error, check:

• The Printer Spooler service is not disabled.
• Install or reinstall the Microsoft Printer (Print to PDF).