Anonymous PUT in WebDAV on IIS 7+ deprecated
I have been seeing this question being put up on lot many forums plus we are getting a lot of support cases opened by customers requesting for this feature.
In IIS 7+ we have changed the feature of allowing PUT, MKCOL, PROPPATCH, COPY, MOVE, and DELETE to require authentication. Anonymous PROPFINDs are allowed for file listings, but others require the request be authenticated. This was done as a security measure. In IIS 6.0 we did have the provision of using the above methods using anonymous requests from the clients but not anymore. I think the reason people still want this feature in IIS 7 is because of some 3rd party applications like CURL etc which send Anonymous PUT requests to a WebDAV site.
Lot of people who have migrated from IIS 6.0 to IIS 7+ still request for this functionality. Please note that this is neither recommended nor supported by Microsoft Product Support Services (PSS).
Here, however I will show you a method of achieving a similar feature without users requiring to send user credentials for WebDAV requests. Basically the WebDAV module checks whether the request is authenticated or not. If not (i.e. using Anonymous authentication) WebDAV module will respond saying “Anonymous access not allowed” in the FREB logs.
There is a KB article which talks about this as well https://support.microsoft.com/kb/2021641/en-us
So one way of hacking this is to convince WebDAV module that your request is authenticated. So before the WebDAV module gets a chance to handle the request ensure we change the identity context as an authenticated user. In IIS 7 we can write a native ISAPI filter (preferred for performance reasons) or a managed HTTP Module which can intercept the request and change the user context to some pre-configured windows identity. Or else you can read a username/password from a configuration file (or hard code the vale) and then create a basic Base64 hash for the combination and add it to the Request header collection. This in my opinion is a neater way than the first method.
Here are the steps for injecting Basic Base64 hash in the Request header collection:
- Create a custom HTTP Module (attached with the post) and on Application_BeginRequest read the username/password (either a local or a domain user credential, your choice). Here in the sample I have hardcoded these values but you can read it from a configuration file or by some other means. After we have the username and the password, we concatenate the strings separated by a colon (:), and then compute the Base64 hash for this string and then add a custom HTTP header (“Authorization”) to the incoming request with this Base64 value. The processing in the remaining pipeline thinks that the end user has sent a Basic authentication credential whereas our module is adding this in the BeginRequest event.
- Compile the Http Module and copy the dll in to the bin folder under your WebDAV site in IIs 7.
- Ensure that the custom HTTP Module is invoked before the WebDAV module. WebDAV module thinks that the request is authenticated and hence allows operations like PUT/DELETE etc.
- In the Web.config file under your WebDAV site, add the following:
<modules runManagedModulesForWebDavRequests="true">
<add name="CustomBasicWebDAVModule" type="CustomBasicWebDAVModule"/>
</modules>
- Ensure that we have added the following attribute runManagedModulesForWebDavRequests="true" to the Modules section as shown above.
- Last but not least enable only Basic authentication for your WebDAV site (Don’t worry user/client won’t be required to pass in any credentials).
Now go ahead and you should be able to use PUT/DELETE etc verbs for the WebDAV requests for this site anonymously (well, not technically correct though).
Thanks to Robert for the valuable suggestion on this forum and the inputs.
**PLEASE NOTE THAT THIS IS NEITHER RECOMMENDED NOR SUPPORTED BY MICROSOFT PSS. USE IT WITH CAUTION.