WebDAV FBA Authentication Sample Explained.

 Here is some basic information on how FBA authentication is done with WebDAV.  To provide some insight into how this works, you should look at the sample code of KB891748 and review it with the explanation below.  Note that if you are going against Exchange 2007, you should reconsider using FBA authentication since FBA authentication is really for OWA and the settings for OWA and WebDAV are separate under 2007 – please refer to the links below for further information.


891748 How to programmatically access your Exchange Server 2003 Inbox using



If FBA is enabled in the Exchange System Manager (ESM), then WebDAV will need to authenticate using FBA authentication.  In order to use FBA, SSL should be configured and enabled in addition to turning on FBA in ESM.  Please note that the machine running the WebDAV code with an SSL URL will need to have the certificate installed on it.


FBA is enabled by checking the “Enable Forms Based Authentication” option found under the properties of the HTTP protocol for the Exchange server in the Exchange System Manager.


You may be prompted to set up SSL if it’s not already set up.  If you don’t want to set up SSL, there is a workaround.  Even though it’s not advised, you can use FBA without SSL.  This is not advised because credentials will be passed in clear text, where they could be sniffed.  To configure FBA to work without SSL for your development environment, follow these steps:

1.     Open the registry editor (run regedit.exe)

2.     If it doesn’t exist already add an OWA key under:

3.     Under the OWA key add a DWord value named “AllowRetailHTTPAuth”

4.     Set the value of this DWord to “1”


This is generally how it works:

1)   An HTTP POST is done to /exchweb/bin/auth/owaauth.dll with an authentication string.


2)   The authentication string looks like this:


Dim strServerName As String = "Myserver"

Dim strDomain As String = "myserverdomain.something.com"

Dim strUserName As String = "myuser"

Dim strPassword As String = "mypassword"


' URL-encode the credential values so characters such as & or + cannot break the form fields
Dim strPostFields As String = "destination=https%3A%2F%2F" & strServerName & "%2Fexchange%2F" & strUserName & "%2F&username=" & strDomain & "%5C" & System.Uri.EscapeDataString(strUserName) & "&password=" & System.Uri.EscapeDataString(strPassword) & "&SubmitCreds=Log+On&forcedownlevel=0&trusted=0"


3)   WebReq.KeepAlive and AllowAutoRedirect should be set to True on the request.


4)   Note: If you are doing an asynchronous call, you need to wait for the response, or the code will fail.  For .NET you could set up a callback.


5)   In the response from the POST, you will get back cookie strings in the headers.  These strings need to be extracted and placed into one string.  This will hold your credentials for future WebDAV calls.  These credentials will be good for a period of time (most often 20 minutes depending upon settings).


6)   Now that you have the credentials, add a header of "Cookie" with the data consisting of the combined cookie strings to each WebDAV call you make.


WebDAVRequest.Headers.Add("Cookie", strReusableCookies)


7) If you get a response from the WebDAV call saying "The operation has timed-out.", then the credentials have expired. You will need to get new credentials (start with step 1) and do the WebDAV call again.
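The logon body and cookie handling from steps 1 to 6, as an added example in Python (not the KB891748 sample or the author's code): it builds the POST body with every value percent-encoded, folds the returned Set-Cookie headers into one Cookie string, and refuses to attach that string to a non-SSL URL unless told to. The function names, the `allow_cleartext` parameter and the sample cookie headers are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

AUTH_PATH = "/exchweb/bin/auth/owaauth.dll"  # logon endpoint from step 1

# Constructed sample of Set-Cookie headers; not captured from a real server.
SAMPLE_SET_COOKIE = [
    "cookie_one=abc123; path=/",
    'cookie_two="def456=="; HttpOnly; secure; path=/',
]


def build_fba_request(server, domain, user, password):
    """Steps 1-2: return (url, body) for the FBA logon POST."""
    url = "https://" + server + AUTH_PATH
    fields = [
        ("destination", "https://%s/exchange/%s/" % (server, user)),
        ("username", domain + "\\" + user),
        ("password", password),
        ("SubmitCreds", "Log On"),
        ("forcedownlevel", "0"),
        ("trusted", "0"),
    ]
    # urlencode percent-encodes each value, so '&', '=', '+' or '%' in a
    # password cannot split or alter the form fields.
    return url, urlencode(fields)


def combine_set_cookie(set_cookie_headers):
    """Step 5: fold the Set-Cookie headers into one Cookie header value."""
    pairs = []
    for header in set_cookie_headers:
        # Keep only name=value; drop attributes such as path or secure.
        pair = header.split(";", 1)[0].strip()
        if "=" in pair:
            pairs.append(pair)
    return "; ".join(pairs)


def webdav_headers(url, cookie_string, allow_cleartext=False):
    """Step 6: headers for a WebDAV call; plain HTTP is refused by default
    because the cookies act as credentials until they expire."""
    if urlsplit(url).scheme.lower() != "https" and not allow_cleartext:
        raise ValueError("refusing to send FBA cookies over cleartext HTTP")
    return {"Cookie": cookie_string}
```

With the sample values from step 2, `build_fba_request` produces the same body as the concatenated string shown there.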


Further information:


WebDAV and OWA Authentication Settings



How WebDAV - Use Basic Authentication with WebDAV even when FBA is enabled.




Comments (3)
  1. werkerbee says:

    Hi Dan, Your article here on WebDAV FBA Authentication has been the most helpful article on the subject I could find. Thanks for that.

    However, I’m still looking for a little more help. I’m trying to do this in PHP. While I don’t expect you to have the time to explain it in PHP, I would like to see a complete example in ASP if possible.

    I think if I saw a complete example script in ASP, I would better understand what I need to do in PHP.

    Places where I could use clarification:

    – Am I supposed to simply POST to what's loaded in the strPostFields variable?

    – For setting WebReq.KeepAlive and AllowAutoRedirect to True do I do something like: <input type="hidden" name="WebReq.KeepAlive" value="True"> ?

    Also, why should they be set to true?

    – In step 4 you describe an asynchronous call situation. All I can think to do is simply POST the necessary data. Do I need to set it up in a loop of some sort until I can verify that I’ve gotten something back?

    – Is the owaauth.dll file a special file that will send data back to me in some manner? My apologies, but I’ve only ever POST’ed to a page that I’m also going to.

    Thanks again, any further info would be very helpful.

  2. Webdav101 says:

    If you have issues with WebDAV FBA auth code, try using WebStoreExplore…


