Forum OpenACS Q&A: webDAV Authentication Difficulties

Posted by Richard Hamilton on 05/15/11 03:53 PM

I am experimenting with webDAV access to the OpenACS File Storage application but having no success.

In Windows 7 it is possible to map a network drive in the o/s file manager (called Windows Explorer) to a drive letter or network location, just as you can on OSX.

When I enter the dav url:

https://63.246.8.12:8440/dav/dropbox

...I see a security window that asks for username and password, just as I would expect. However, when I enter the email address and password that I normally use to login to the OpenACS (the sitewide admin ID), the authentication fails and the error given is that the network location seems to be invalid.

What am I doing wrong?

Regards
Richard

2: Re: webDAV Authentication Difficulties (response to 1)

Posted by Richard Hamilton on 05/15/11 04:24 PM

The above webDAV folder works with an iPhone webDAV client which clearly indicates that the problem is specific to Windows 7.

This document that strongly suggests that the problem is that Windows 7 cannot cope with basic authentication for webDAV and needs to use digest authentication:

http://shon.org/blog/2010/03/04/howto-fix-windows-7-64bit-webdav/

Does anyone have any experience of configuring Aolserver tDAV to use digest configuration? This may well make OpenACS webDAV Windows 7 friendly as well.

Regards
Richard

3: Re: webDAV Authentication Difficulties (response to 1)

Posted by Brian Fenton on 05/16/11 01:36 PM

Richard

I can confirm that I got OpenACS Webdav working fine a couple of years back with a Windows XP PC, so I guess it's probably a Windows 7 issue.

Brian

4: Re: webDAV Authentication Difficulties (response to 3)

Posted by Richard Hamilton on 05/16/11 02:14 PM

Brian,

Thanks for the reply. I found this TechNet article that seems to confirm that Windows 7 and Windows Vista both ship with 'Basic Authentication' switched off. This article details how to switch it back on again:

*here*

However!

Switching it back on is a little involved and has unknown consequences for security beyond webDAV, so I would like to establish whether openACS webDAV support can be configured to use digest authentication. If not, as it is written in tcl it is not beyond the realms of possibility that I could add it, but I'd probably need some guidance for sources of information.

Regards
Richard

5: Re: webDAV Authentication Difficulties (response to 4)

Posted by Dave Bauer on 05/16/11 02:59 PM

Richard,

Digest Authentication is inherently insecure so, while it will be easier to work with Windows 7 clients, you will still need to use SSL to secure the system. That's the main reason we did no bother with digest authentication when the WebDAV support was built.

6: Re: webDAV Authentication Difficulties (response to 1)

Posted by Dave Bauer on 05/16/11 03:03 PM

Ah, another issue is that historically Microsoft WebDAV client have been broken in an astonishing number of ways. Depend on what version of IE and Microsoft office you might have installed, you could have a half a dozen instances of WebDAV running on Windows XP. Maybe in Windows 7 they have consolidated to only 1 picky version of WebDAV client.

Another option is to use a third-party client, and that is what all my users have traditionally done. There is one called WebDrive that is very popular ( I have no connection to this company, but I do have experience with the product working with OpenACS WebDAV.)

7: Re: webDAV Authentication Difficulties (response to 6)

Posted by Richard Hamilton on 05/16/11 09:59 PM

Dave,

Thanks for the reply. I 've been googling around this today and it is obvious that respect for Microsoft has not been enhanced by their various webDAV implementations!!

First I thought the problem was specific to the default authentication behaviour of Windows 7, but having checked the appropriate registry key it turned out that basic authentication was switched on by default after all. I have now tried in a Windows XP VM and can confirm that this doesn't work either.

I suspect that the reason I have never been able to get this to work with any version of Windows over the years is that the particular combination of OpenACS settings I choose is incomprehensible to Microsoft. Because I always like authentication to be encrypted, I set OpenACS to redirect to https for login. However, because I am a cheapskate, most of my domains have self-signed certificates.

I suspect that even though I have entered the webDAV url as an https url complete with the port number, Windows chokes when it gets redirected for authentication on a domain with a certficate signed by an unknown CA. I have tried importing the CA but this doesn't help.

I might try spending some money on a certificate to see if that works, but given the multiplicity of potential glitches in various mod states of Windows, I think your idea of using a standalone client is probably the best one.

It really is very strange that they can't sort this out.

Regards
Richard

8: Re: webDAV Authentication Difficulties (response to 1)

Posted by Richard Hamilton on 05/16/11 11:38 PM

Ah, here is an excellent summary of the problem! 😊

http://barracudaserver.com/products/BarracudaDrive/tutorials/mapping_windows_drive.lsp#

Specifically:

"WebDAV Mini Redirector limitations:
•No support for HTTPS, i.e. no support for secure connections.
•Your WebDAV server must be using port 80, the default port.
•Typically fails when transfering larger files.
•Gets confused if the user does not have access to read and/or write to a file or directory."

So that kills it stone dead then. Even if digest authentication were to be implemented, you'd still want to use https, and you're very unlikely to want to do that on port 80.

How astonishingly mediocre!!

Regards
Richard

9: Re: webDAV Authentication Difficulties (response to 1)

Posted by Richard Hamilton on 05/17/11 12:22 AM

Netdrive works well with Windows 7 64-bit.

http://www.netdrive.net/

What a shame Microsoft can't make this work out of the box.

Richard