Windows XP compatible WebDAV in Apache


If your client happens to be Windows XP, you’re bound for some trouble. For something as important as WebDAV, which you’re likely to use for accessing your entire htdocs folder, a password sent as clear text will not cut it, so the authentication method of choice is digest authentication. Windows XP clients do support digest authentication; however, since Windows 2000, someone at Microsoft broke the code, causing Windows to think our WebDAV share actually uses another kind of authentication and to transmit the Windows domain part with it.

There have been various recommendations, ranging from adding a # to the end of the WebDAV URL when configuring your Windows client to a special Apache authentication module that cuts the Windows domain part from the transmitted credentials before handing them over to the WebDAV module. This guide explains how you can configure your Apache2 server so it works with all clients, unmodified.

The most important thing first: you need SSL. Using an https:// URL makes Windows XP use WebDAV and sidesteps the authentication problem entirely.

In your <VirtualHost /> section for the SSL IP (see “Configuring multiple domains in Apache2” for why you should have this), we will define two aliases for the WebDAV share:

Alias /webdav/ /var/www/
Alias /webdav /var/www

This avoids another common problem of WebDAV clients, including, but not limited to, Windows XP.

Of course, we now need to tell Apache that this directory is supposed to be accessed via WebDAV and that the server should require authentication before letting a user fiddle around in our sensitive web roots:

<Location /webdav>
    DAV on

    Options Indexes FollowSymLinks

    <LimitExcept OPTIONS>
        AuthType Digest
        AuthName "webdav"
        AuthDigestFile /var/www/ssl-xy/conf/.htdigest

        Require valid-user
    </LimitExcept>

</Location>

That’s all, folks. No additional modules, no hassle for the clients, no non-conforming server. Windows XP clients will now be able to access this WebDAV server, as will any other WebDAV client.
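As an added illustration (not part of the original article and not Apache's own code), the Python sketch below shows what the AuthName realm and the .htdigest file contribute to the digest check, and why a username that arrives with a Windows domain prefix finds no entry. The user alice, the password, the nonce values and the WORKGROUP prefix are constructed, and the client is assumed to hash the same name it sends.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    """One .htdigest entry: user:realm:MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def load_htdigest(text):
    """Map (user, realm) -> HA1 for each non-empty line of the file."""
    table = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        rest, ha1 = line.rsplit(":", 1)
        user, realm = rest.split(":", 1)
        table[(user, realm)] = ha1
    return table

def response(ha1, method, hdr):
    """RFC 2617 response value for qop=auth."""
    ha2 = md5_hex(f"{method}:{hdr['uri']}")
    return md5_hex(f"{ha1}:{hdr['nonce']}:{hdr['nc']}:{hdr['cnonce']}:auth:{ha2}")

def verify(table, realm, method, hdr):
    """Server side of this sketch: look the name up exactly as sent, then compare."""
    ha1 = table.get((hdr["username"], realm))
    if ha1 is None:
        return "no such user in realm"
    ok = hmac.compare_digest(response(ha1, method, hdr), hdr["response"])
    return "ok" if ok else "bad response"

def attempt(htdigest_text, auth_name, sent_user, password="s3cret"):
    """Simulate one PROPFIND from a client that hashes the name it sends."""
    hdr = {"username": sent_user, "uri": "/webdav/", "nonce": "constructed-nonce",
           "nc": "00000001", "cnonce": "constructed-cnonce"}
    client_ha1 = md5_hex(f"{sent_user}:{auth_name}:{password}")
    hdr["response"] = response(client_ha1, "PROPFIND", hdr)
    return verify(load_htdigest(htdigest_text), auth_name, "PROPFIND", hdr)

# Constructed sample data: the realm must be the AuthName string, "webdav".
GOOD_FILE = htdigest_line("alice", "webdav", "s3cret")
WRONG_REALM_FILE = htdigest_line("alice", "WebDAV share", "s3cret")

if __name__ == "__main__":
    print(attempt(GOOD_FILE, "webdav", "alice"))             # plain username
    print(attempt(GOOD_FILE, "webdav", "WORKGROUP\\alice"))  # domain part included
    print(attempt(WRONG_REALM_FILE, "webdav", "alice"))      # file made for another realm
    print(attempt(GOOD_FILE, "webdav", "alice", "wrong"))    # wrong password
```

Because the stored hash covers the realm, an .htdigest file created under a different realm string has to be regenerated whenever AuthName changes.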

This article originally appeared in my wiki, but since I’ve got different plans with that site now, I’ve just blogged it because I think it might be useful to some people :)

9 Responses to “Windows XP compatible WebDAV in Apache”

  1. George Says:

    This does not work for me. I have tried several suggestions and they all work with Mac as client, and none of them work with a PC as client.

    Here’s how I applied the above suggestion (you leave out some details, my interpretation is as follows). This does work with OS X as client.

    # Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    Listen 80
    Listen 443

    SSLCertificateFile /Library/WebServer/sslconf/cert-2001.pem
    SSLCertificateKeyFile /Library/WebServer/sslconf/privkey-2001.pem

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    Alias /dav/ /Library/WebServer/Documents/
    Alias /dav /Library/WebServer/Documents
    SSLEngine on

    DAV On
    Options Indexes FollowSymLinks
    AuthType Digest
    AuthName "webdav"
    AuthDigestFile "/Library/WebServer/sslconf/.htdigest"
    Require valid-user

  2. cygon Says:

    I’m using the setup shown in my article on a Gentoo Linux machine running Apache 2.0.58 and it works very well there. I’m connecting with a Windows XP SP2 client.

    The key part seemed to be to allow the OPTIONS directive without requiring authentication first.

  3. Atom Powers Says:

    I wish I had found this three weeks ago.
    Some observations:
    “AuthDigestFile” is invalid in Apache 2.2, use “AuthUserFile”
    Make sure you create your digest user file, `htdigest -c ”

    Here is my working configuration:

    ServerName upload.my.domain

    DAVLockDB /tmp/WebDavLock
    DAVMinTimeout 300
    DocumentRoot /usr/export/upload

    Options None +Indexes
    AllowOverride None
    Allow from my.domain

    Alias /public/ /usr/export/upload/PUBLIC/
    Alias /public /usr/export/upload/PUBLIC

    Dav filesystem
    Allow from All

    AuthType Digest
    AuthName "my.domain"
    AuthUserFile /usr/local/etc/apache22/.htpasswd-digest
    Require valid-user

  4. Michael Spradling Says:

    This works for me, except I am not able to get a Microsoft Windows Vista Client to connect.

  5. cygon Says:

    How do you set up a WebDAV folder in Vista?

    I have been looking in the Network Manager and various other pages, but there’s no trace of WebDAV to be found. After some googling I had come to the conclusion that WebDAV was removed from Windows Vista. O_o

  6. Robert Huie Says:

    Vista WebDAV works through “map network drive”.

    For those who are encountering issues with logins (login works from browser but not through “map network drive”), try creating a username in UNC format test@test.com. This tricks Windows into not passing the username in test.com\test format.

    regards,
    Rob.

  7. Michael Spradling Says:

    I am doing it through map a network drive. Just to let you know, this does work with a Windows XP client, but not in Vista.

    Here are my config files
    myfiles.domainname.com
    NameVirtualHost *:80

    ServerName myfiles.domainname.com
    Serveralias www.myfiles.domainname.com
    ServerAdmin root@domainname.com
    DocumentRoot "/home"
    ForceType text/plain
    ErrorLog /var/log/apache2/myfiles.domainname.com-error_log
    CustomLog /var/log/apache2/myfiles.domainname.com-access_log common

    Dav On
    DavMinTimeout 600
    AllowOverride FileInfo AuthConfig
    Options FollowSymLinks MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

    #
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "MyFiles.domainname.com WebDav Restricted"
    AuthLDAPURL ldaps://127.0.0.1:636/ou=People,dc=domainname,dc=com
    #require group webdav

    Order deny,allow
    deny from all

    AccessFileName .htdavaccess

    Logs
    error_log — Nothing
    access_log

    66.114.184.107 - - [21/Jan/2007:21:41:54 -0600] "GET / HTTP/1.0" 200 81
    66.114.184.107 - - [21/Jan/2007:21:51:20 -0600] "GET / HTTP/1.0" 200 81
    66.114.184.107 - - [21/Jan/2007:22:01:18 -0600] "GET / HTTP/1.0" 200 81
    66.114.184.107 - - [21/Jan/2007:22:28:22 -0600] "GET / HTTP/1.0" 200 81

  8. Michael Spradling Says:

    I forgot to say that inside each homedir the following exists:
    .htdavaccess, owned by root so the user can’t change it

    AuthType Basic
    AuthName "Please login to Manage Files"

    Require user username

  9. davidmur Says:

    Thanks for the info.

    However, why do I have to type in username & password twice (dialog window comes up twice) when I am accessing the WebDAV directory from a Windows XP (SP2) client?
