WebDAV permission

I've enabled WebDAV on IIS6. I don't want anonymous viewers to have write access so I explicitly turn on "Deny Write" NTFS for the IUSR_servername account.

However, during my testing, the system still pops up the dialog box to ask the anonymous viewer for credentials. When the "Cancel" button is clicked on the dialog box, the document will then be opened in Read Only mode.

So why does the web server still ask for credentials when IUSR already has Read access? Did I set something wrong?

Any pointer greatly appreciated.

On Oct 24, 9:33 am, "E. Kwong" <ekwong999AThotmail.com> wrote:
> I've enabled WebDAV on IIS6. I don't want anonymous viewers to have write
> access so I explicitly turn on "Deny Write" NTFS for the IUSR_servername
> account.
>
> However, during my testing, the system still pops up the dialog box to ask
> the anonymous viewer for credentials. When the "Cancel" button is clicked
> on the dialog box, the document will then be opened in Read Only mode.
>
> So why does the web server still ask for credentials when IUSR already has
> Read access? Did I set something wrong?
>
> Any pointer greatly appreciated.

Things are working exactly as you configured.

It seems that you want one behavior for authenticated users, and another, degraded behavior for anonymous users. The problem with the expectation is that it's really hard for Web DAV clients (or any client) to figure out which behavior to perform. Server configuration has little to do with this.

On the one hand, you want to "fall back" to degraded (read-only) behavior for anonymous users. On the other hand, you probably want "enhanced" (i.e. get authentication for proper user) for authenticated users.

The two behaviors are incompatible because for the same failure event from the client, you want to either show or not show an authentication dialog. Which should the Web DAV client choose by default?

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On 10/24/08 12:33 PM, in article uhGMzYfNJHA.1***@TK2MSFTNGP03.phx.gbl, "E. Kwong" <ekwong999AThotmail.com> wrote:
> I've enabled WebDAV on IIS6. I don't want anonymous viewers to have write
> access so I explicitly turn on "Deny Write" NTFS for the IUSR_servername
> account.
>
> However, during my testing, the system still pops up the dialog box to ask
> the anonymous viewer for credentials. When the "Cancel" button is clicked
> on the dialog box, the document will then be opened in Read Only mode.
>
> So why does the web server still ask for credentials when IUSR already has
> Read access? Did I set something wrong?
>
> Any pointer greatly appreciated.

If you're looking to WebDav to provide authenticated users with the ability to modify the website contents, but wish to have anonymous users browse only, you could proceed as follows.

Allow the IUSR Read access to the entire website (and configure IIS for read only), and then create a virtual directory called for example "/WebDav", pointing its home directory to the same physical directory as the root's site. On this virtual directory, remove anonymous access, and allow authenticated users RWD permissions in NTFS, and configure IIS (for this virtual dir) to allow write access.

Then tell your authenticated users to publish to "mywebsite.com/WebDav". All their content will be physically placed in the actual root of the website, and only your authenticated users will be prompted to log in (if you enable integrated authentication and the conditions are right they won't even be prompted...) while regular visitors will be browsing normally.

On Oct 24, 9:33 am, "E. Kwong" <ekwong999AThotmail.com> wrote:
> I've enabled WebDAV on IIS6. I don't want anonymous viewers to have write
> access so I explicitly turn on "Deny Write" NTFS for the IUSR_servername
> account.
>
> However, during my testing, the system still pops up the dialog box to ask
> the anonymous viewer for credentials. When the "Cancel" button is clicked
> on the dialog box, the document will then be opened in Read Only mode.
>
> So why does the web server still ask for credentials when IUSR already has
> Read access? Did I set something wrong?
>
> Any pointer greatly appreciated.

The behavior is by-design and depends on the client.

What happened is this -- since the client has NO idea whether it is allowed read or read/write access, it tested for write. Since you set the Deny Write NTFS ACL, that came back as a 401.3, which was interpreted by the Web DAV client as "ask for user credential" which could write. When you hit Cancel, that entire test was abandoned, and you got read-only access.

The question is whether a Web DAV client should automatically fall back to degraded (read-only) behavior or attempt to acquire enhanced (read-write) behavior. The problem here is that you want both to happen depending on authenticated user -- if authenticated, then attempt to acquire enhanced, and if anonymous, automatically fall back -- but that's not how the client works.

There is nothing you can do in server configuration.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Thanks everyone for contributing to my knowledge of WebDAV.

"E. Kwong" <ekwong999AThotmail.com> wrote in message news:uhGMzYfNJHA.1508@TK2MSFTNGP03.phx.gbl...
> I've enabled WebDAV on IIS6. I don't want anonymous viewers to have write
> access so I explicitly turn on "Deny Write" NTFS for the IUSR_servername
> account.
>
> However, during my testing, the system still pops up the dialog box to ask
> the anonymous viewer for credentials. When the "Cancel" button is
> clicked on the dialog box, the document will then be opened in Read Only
> mode.
>
> So why does the web server still ask for credentials when IUSR already has
> Read access? Did I set something wrong?
>
> Any pointer greatly appreciated.
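
The 401.3 that the replies above attribute to the "Deny Write" ACL can be confirmed from the server's own logs. The following is an added example, not code from any poster in the thread: it scans an IIS W3C extended log for anonymous requests refused with 401.3 and reports whether the same client then authenticated. The sample log lines, addresses, paths, the user name and the use of LOCK as the client's write test are constructed assumptions.

```python
from collections import Counter

# Constructed sample in IIS 6 W3C extended log format; hosts, paths, user and
# the LOCK method used as the write test are assumptions, not from the thread.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2008-10-24 16:33:01 OPTIONS /docs/ - 192.0.2.10 200 0 0
2008-10-24 16:33:02 LOCK /docs/report.doc - 192.0.2.10 401 3 5
2008-10-24 16:33:09 GET /docs/report.doc - 192.0.2.10 200 0 0
2008-10-24 16:40:11 LOCK /docs/plan.doc - 192.0.2.22 401 3 5
2008-10-24 16:40:15 LOCK /docs/plan.doc EXAMPLE\\alice 192.0.2.22 200 0 0
2008-10-24 16:41:00 GET /private/x.doc - 192.0.2.30 401 2 2148074254
"""

def parse_w3c(text):
    """Return one dict per request, keyed by the most recent #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                rows.append(dict(zip(fields, values)))
    return rows

def is_acl_denial(row):
    """Anonymous request refused with 401.3 (access denied by the resource ACL)."""
    return (row["cs-username"] == "-" and row["sc-status"] == "401"
            and row["sc-substatus"] == "3")

def acl_denials(rows):
    """Count anonymous 401.3 responses per (method, URI)."""
    return Counter((r["cs-method"], r["cs-uri-stem"]) for r in rows if is_acl_denial(r))

def prompt_outcomes(rows):
    """For each 401.3, did the same client later succeed on that URI with credentials?"""
    outcomes = {}
    for i, r in enumerate(rows):
        if not is_acl_denial(r):
            continue
        authed = any(x["c-ip"] == r["c-ip"] and x["cs-uri-stem"] == r["cs-uri-stem"]
                     and x["cs-username"] != "-" and x["sc-status"].startswith("2")
                     for x in rows[i + 1:])
        outcomes[(r["c-ip"], r["cs-uri-stem"])] = (
            "authenticated" if authed else "no credentials followed")
    return outcomes

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print(acl_denials(rows))
    print(prompt_outcomes(rows))
```

Run over logs taken after moving authoring to a separate virtual directory, as the second reply suggests, the per-URI 401.3 counts show whether anonymous visitors are still hitting the ACL denial that triggers the prompt.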