Digest access to UNC share

I am trying to set up WebDAV folders using digest authentication. The event log shows the account authenticating correctly and everything works when trying to access a folder that is on the web server, but when trying to access a folder on another machine through a UNC name, after 3 attempts, IIS returns: "You are not authorized to view this page - You do not have permission to view this directory or page due to the access control list (ACL) that is configured for this resource on the Web server." This occurs even if the authenticating account is a domain administrator. It is also clearly not a straightforward permissions problem, because the account has access when using basic authentication. It is almost as if IIS does not have enough or the correct information to complete the network request when using digest authentication, but somehow does have what it needs for local access. Any help would be appreciated.

regards,
Alan.

Alan van der Vyver wrote:
In fact, the event log shows the web server attempting an anonymous logon to the machine with the UNC share using a blank user name and domain.

David Wang [Msft] wrote:

> This occurs even if the authenticating account is a
> domain administrator. It is also clearly not a
> straightforward permissions problem, because
> the account has access when using basic authentication.

Actually, this is a very straightforward problem. The concept you are missing is "delegation".

> It is almost as if IIS does not have enough or the
> correct information to complete the network
> request when using digest authentication, but
> somehow does have what it needs for local access.

Here is the basic problem. Assume that the remote user authenticates to the front-end web server using some user identity. Why should the front-end web server be able to re-use that user identity to access resources on another server unknown to the remote user? Before you scoff at the question by saying "why, that's what most websites do", consider a more pointed example. Suppose a user authenticates to the web server; why should the web server be able to use your identity to withdraw all the money from your bank? Both examples are exactly the same thing to the web server, yet clearly you want one to happen and the other NOT to happen. How you control this is through delegation and using an authentication protocol that supports delegation. Basic authentication is implicit delegation. It passes the username/password to the server, who can use it at will. The user only hopes that the server doesn't do something bad with the implicit trust. Kerberos supports delegation. NTLM/Digest do not support delegation. This should explain what you are seeing.
Here is a URL that explains a bit more:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

Thus, if you want the client to use digest and also want delegated access to backend UNCs, an easy solution is to use Windows Server 2003 and protocol transition to do this securely. Of course, you can always re-invent the wheel by implementing your own custom authentication protocol instead of using the openly designed Kerberos protocol, but then you are in charge of all the security details.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Alan van der Vyver" <al***@worldnet.att.net> wrote in message news:uUsvB2PTFHA.2676@TK2MSFTNGP10.phx.gbl...
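The delegation setup David describes (Kerberos constrained delegation with protocol transition, so the front end can obtain a ticket on behalf of a user who authenticated with Digest and present it only to the file server's SMB service) can be inspected and applied from PowerShell. The following is an added example, not code from the thread or from Microsoft; it uses the RSAT ActiveDirectory module, and the machine names WEBFE01, FILESRV01 and the domain corp.example are assumptions. Protocol transition (S4U2Self) gives the web server a logon for the user without the user's password; the list in msDS-AllowedToDelegateTo (S4U2Proxy) is what stops that logon from being usable against anything but the named share, which is the "bank account" distinction in the post above. The example deliberately refuses to proceed if the account is already marked for unconstrained delegation, since that setting lets the front end impersonate users to every service in the forest.

```powershell
# Added example, not code from the thread: inspect and configure Kerberos
# constrained delegation with protocol transition for an IIS front end that
# must reach a UNC share as the authenticated user. Requires the RSAT
# ActiveDirectory module and rights to edit the front-end account in AD.
# All names (WEBFE01, FILESRV01, corp.example) are assumptions.
Import-Module ActiveDirectory

$frontEnd   = 'WEBFE01'     # account IIS uses on the network: the computer account
                            # when the app pool runs as Network Service, otherwise
                            # the service account (use Get-ADUser/Set-ADUser then)
$fileServer = 'FILESRV01'   # host of the UNC share
$domainFqdn = 'corp.example'
# Only the SMB service on the file server: the front end gets no ticket for anything else.
$targetSpns = @("cifs/$fileServer", "cifs/$fileServer.$domainFqdn")

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$AccountName)
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $acct  = Get-ADComputer -Identity $AccountName -Properties $props
    [pscustomobject]@{
        Account             = $acct.Name
        Unconstrained       = [bool]$acct.TrustedForDelegation        # "any service": avoid
        ProtocolTransition  = [bool]$acct.TrustedToAuthForDelegation  # S4U2Self permitted
        AllowedToDelegateTo = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })  # S4U2Proxy targets
    }
}

function Test-TargetSpn {
    # cifs/ is covered by the HOST/ SPN class, so the share host needs at least HOST/<name>
    param([Parameter(Mandatory)][string]$ServerName)
    $spns = (Get-ADComputer -Identity $ServerName -Properties ServicePrincipalNames).ServicePrincipalNames
    [bool]($spns | Where-Object { $_ -like "HOST/$ServerName*" -or $_ -like "cifs/$ServerName*" })
}

function Enable-ConstrainedDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$AccountName, [Parameter(Mandatory)][string[]]$Spns)

    $state = Get-DelegationState -AccountName $AccountName
    if ($state.Unconstrained) {
        throw "$AccountName is trusted for unconstrained delegation; clear that first (it can impersonate users to any service)."
    }
    $missing = $Spns | Where-Object { $state.AllowedToDelegateTo -notcontains $_ }
    if ($missing -and $PSCmdlet.ShouldProcess($AccountName, "add $($missing -join ', ') to msDS-AllowedToDelegateTo")) {
        Set-ADComputer -Identity $AccountName -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }
    if (-not $state.ProtocolTransition -and $PSCmdlet.ShouldProcess($AccountName, 'enable protocol transition (TrustedToAuthForDelegation)')) {
        # Needed because a Digest-authenticated user hands the front end no Kerberos ticket of their own.
        Get-ADComputer -Identity $AccountName | Set-ADAccountControl -TrustedToAuthForDelegation $true
    }
    Get-DelegationState -AccountName $AccountName
}

# Usage: confirm the target SPN exists, dry-run the change, then apply it.
if (-not (Test-TargetSpn -ServerName $fileServer)) { throw "$fileServer has no HOST/cifs SPN; Kerberos to the share cannot work." }
Enable-ConstrainedDelegation -AccountName $frontEnd -Spns $targetSpns -WhatIf
Enable-ConstrainedDelegation -AccountName $frontEnd -Spns $targetSpns
```

Two caveats a practitioner will hit: the new settings apply to the front end's next Kerberos logon, so restart the web service (or the server) after running this; and on Windows Server 2003 the worker process that performs the S4U2Self logon must hold the "Act as part of the operating system" privilege (SeTcbPrivilege) to receive an impersonation-level token, otherwise it gets an identification-level token that cannot be used for the network hop to the share.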
Hi!

Thanks very much for the information. The article is interesting and I might even try to work through the configuration one day, but I decided to go back to the basics and found I could not even make WebDAV work satisfactorily that way, so I have decided to abandon it. It looks like a promising technology that does not really work. Even with open anonymous access, although I can create a web folder across the Internet from Windows 2000, I can't from Windows XP. Windows XP still requires a user name and password of some sort and no user name and password combination works. Since most of our remote staff use Windows XP, that renders it useless.

regards,
Alan.

David Wang [Msft] wrote:

You mean you cannot get WebDAV of a UNC share working when you use Pass-thru Basic authentication? This should work on IIS6 by default, and it takes a bit more tweaking on IIS5.

URL (talks about IIS6, but same concepts apply to IIS5 and has a bunch of related URLs):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/remstorg.mspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Alan van der Vyver" <al***@worldnet.att.net> wrote in message news:%23XS%23iSnTFHA.3012@TK2MSFTNGP14.phx.gbl...

Alan van der Vyver wrote:

David,

Once again you have found an interesting article. Thank you. I found I was not able to connect to a WebDAV folder across the Internet from Windows XP at all - even if the folder was configured for pass-thru basic authentication or even no authentication (anonymous). Windows 2000 was working fine in both cases. Windows XP was asking for a user name and password, even with anonymous access, and was rejecting every user name and password combination I supplied. In the end, while researching whether I might have better luck with WebDAV on Apache, I found an article that referred to Microsoft knowledge base article 298353. This was useful in that it confirmed the problem, but was otherwise the singularly most useless knowledge base article I have come across, as it provides neither resolution nor work-around nor a time frame for one. It conveys the distinct sense of "It's broken. Tough! Live with it!" Fortunately, the same article that referred me to the knowledge base provided a work-around - add "/." or "/#" to the WebDAV URL when creating the web folder in Windows XP. The full article can be found at http://www.atarex.com/services/support/webdav-msft.shtml. Using that, I can make Windows XP work, so I will revive the project at some point in the future and make use of the delegation information you supplied earlier. I am running out of time now. I will make use of FTP in the meantime.

regards,
Alan.

David Wang [Msft] wrote:

You need to get WebDAV+Basic on the local filesystem working first. Then, change it to a UNC share. Finally, change the authentication scheme. The URL I gave previously should get all this working on IIS6. Some slight adaptations have to be made for IIS5 since it doesn't support pass-thru as nicely, nor does it support protocol transitioning (so it is Kerberos or nothing). WebDAV is basically a protocol over HTTP, so you are really looking at proper web-server configuration to support your scenario. There are also two different WebDAV clients, one within Windows and the other within IE, both with different sets of capabilities.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Alan van der Vyver" <al***@worldnet.att.net> wrote in message news:e7bkG%23AUFHA.544@TK2MSFTNGP15.phx.gbl...
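Because WebDAV is, as David says, just a protocol over HTTP, each of his three steps (local folder with Basic, then the UNC-backed folder, then the stronger scheme) can be checked with a raw PROPFIND rather than through the Windows or IE web-folder client, whose own quirks (the XP prompt and the "/." work-around above) otherwise get mixed into the diagnosis. The following is an added example, not code from the thread; the URLs and the CORP\alan account are assumptions. A 207 Multi-Status answer means the folder is served; a 401 reports, in WWW-Authenticate, which schemes the site actually offers (useful for the "anonymous but still prompted" case); a 403 on the UNC-backed folder with the same credential that worked on the local folder is the delegation failure from the start of the thread. Since Basic carries the password in cleartext, the probe refuses to send it over plain http:// unless told it is a lab, and when it lets .NET answer a challenge it only registers the credential for Negotiate and Digest so a server that downgrades to Basic cannot collect the password.

```powershell
# Added example, not code from the thread: a PROPFIND probe for walking the
# three steps (local folder + Basic, UNC-backed folder + Basic, then the
# stronger scheme). It reports the status code and the WWW-Authenticate
# schemes the server offers. URLs and the account below are assumptions.
function Test-WebDavFolder {
    param(
        [Parameter(Mandatory)][string]$Url,
        [pscredential]$Credential,
        [switch]$ForceBasic,        # send Basic pre-emptively instead of waiting for a challenge
        [switch]$AllowPlaintext     # permit Basic over http:// (lab use only)
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'PROPFIND'        # WebDAV listing; a non-DAV handler answers 405/501
    $req.Headers['Depth'] = '0'
    $req.AllowAutoRedirect = $false
    if ($Credential) {
        if ($ForceBasic) {
            if ($req.RequestUri.Scheme -ne 'https' -and -not $AllowPlaintext) {
                throw "Refusing to send a Basic (cleartext) password to $Url without TLS."
            }
            $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($pair)
            $req.Headers['Authorization'] = 'Basic ' + [Convert]::ToBase64String($bytes)
        } else {
            # Register the credential only for the strong schemes: .NET will then never
            # answer a Basic challenge with it, so a downgrade cannot leak the password.
            $cache = New-Object System.Net.CredentialCache
            foreach ($scheme in 'Negotiate', 'Digest') {
                $cache.Add($req.RequestUri, $scheme, $Credential.GetNetworkCredential())
            }
            $req.Credentials = $cache
        }
    }
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response   # 401/403 responses still carry the headers we want
        if (-not $resp) { throw }
    }
    $schemes = $resp.Headers.GetValues('WWW-Authenticate')
    if (-not $schemes) { $schemes = @() }
    $result = [pscustomobject]@{
        Url     = $Url
        Status  = [int]$resp.StatusCode   # 207 served, 401 challenge, 403 ACL/delegation failure
        Offered = @($schemes | ForEach-Object { ($_ -split '\s+')[0] } | Sort-Object -Unique)
        Server  = $resp.Headers['Server']
    }
    $resp.Close()
    $result
}

# Usage (assumed URLs; Get-Credential prompts for the password):
$cred = Get-Credential 'CORP\alan'
Test-WebDavFolder -Url 'https://webfe01.corp.example/local/'  -Credential $cred -ForceBasic   # step 1: local folder
Test-WebDavFolder -Url 'https://webfe01.corp.example/shared/' -Credential $cred -ForceBasic   # step 2: UNC-backed folder
Test-WebDavFolder -Url 'https://webfe01.corp.example/shared/'                                  # which schemes the site offers
Test-WebDavFolder -Url 'https://webfe01.corp.example/shared/' -Credential $cred               # step 3: Digest or Negotiate
```

Run the steps in order and change one thing at a time, as David suggests: if step 2 returns 403 where step 1 returned 207, the UNC path or pass-through identity is the problem, not the client; if step 3 returns 403 with a scheme that step 2 passed with Basic, the site is offering a scheme that cannot delegate and the constrained-delegation configuration from earlier in the thread is what is missing.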