WebDAV FBA Authentication Sample Explained.

Here is some basic information on how FBA authentication is done with WebDAV. To see how this works, look at the sample code in KB891748 and review it alongside the explanation below. Note that if you are targeting Exchange 2007, you should reconsider using FBA authentication, since FBA authentication is really for OWA and the settings for OWA and WebDAV are separate under 2007 – please refer to the links below for further information.

891748 How to programmatically access your Exchange Server 2003 Inbox using

https://support.microsoft.com/?id=891748

If FBA is enabled in the Exchange System Manager (ESM), then WebDAV will need to authenticate using FBA authentication. In order to use FBA, SSL should be configured and enabled in addition to turning on FBA in ESM. Please note that the machine running the WebDAV code with an SSL URL will need to have the certificate installed on it.

FBA is enabled by checking the “Enable Forms Based Authentication” check box found under the properties of the HTTP protocol for the Exchange server in the Exchange System Manager.

You may be prompted to set up SSL if it is not already configured. If you don’t want to set up SSL, there is a workaround: you can use FBA without SSL. This is not advised, because credentials will be passed in clear text, which could be sniffed. To configure FBA to work without SSL for your development environment, follow these steps:

1. Open the registry editor (run regedit.exe)

2. If it doesn’t exist already, add an OWA key under:
HKLM\System\CurrentControlSet\Services\MSExchangeWeb

3. Under the OWA key add a DWord value named “AllowRetailHTTPAuth”

4. Set the value of this DWord to “1”

This is generally how it works:

1) An HTTP POST is done to /exchweb/bin/auth/owaauth.dll with an authentication string.

2) The authentication string looks like this:

Dim strServerName As String = "Myserver"

Dim strDomain As String = "myserverdomain.something.com"

Dim strUserName As String = "myuser"

Dim strPassword As String = "mypassword"

' URL-encode the user name and password so that characters such as & + % are not read as form syntax.

Dim strPostFields As String = "destination=https%3A%2F%2F" & strServerName & "%2Fexchange%2F" & Uri.EscapeDataString(strUserName) & "%2F&username=" & strDomain & "%5C" & Uri.EscapeDataString(strUserName) & "&password=" & Uri.EscapeDataString(strPassword) & "&SubmitCreds=Log+On&forcedownlevel=0&trusted=0"

3) WebReq.KeepAlive and AllowAutoRedirect should be set to True on the request.

4) Note: If you are doing an asynchronous call, you need to wait for the response, or the code will fail. For .NET you could set up a callback.

5) In the response from the POST, you will get back cookie strings in the headers. These strings need to be extracted and placed into one string. This will hold your credentials for future WebDAV calls. These credentials will be good for a period of time (most often 20 minutes depending upon settings).

6) Now that you have the credentials, add a header of "Cookie", with the data consisting of the combined cookie strings, to each WebDAV call you make.

WebDAVRequest.Headers.Add("Cookie", strReusableCookies)

7) If you get a response from the WebDAV call saying "The operation has timed-out.", then the credentials have expired. You will need to get new credentials (start with step 1) and do the WebDAV call again.
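Steps 5 and 6 as an added example (not code from KB891748 or from the original post): it combines the Set-Cookie strings into one Cookie value and refuses to attach that value to a non-SSL request unless the caller opts in. The names CombineCookies, AttachFbaCookies and allowCleartextDev are hypothetical, and the sample headers are constructed.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net

Module FbaCookieExample

    ' Step 5: reduce each Set-Cookie header to its name=value pair. Attributes
    ' such as path or secure are instructions to the client and are not sent back.
    Function CombineCookies(ByVal setCookieHeaders As IEnumerable(Of String)) As String
        Dim pairs As New List(Of String)
        For Each header As String In setCookieHeaders
            Dim pair As String = header.Split(";"c)(0).Trim()
            If pair.IndexOf("="c) > 0 Then pairs.Add(pair)
        Next
        If pairs.Count = 0 Then
            Throw New InvalidOperationException("Logon response carried no cookies to reuse.")
        End If
        Return String.Join("; ", pairs.ToArray())
    End Function

    ' Step 6: attach the combined string. The cookies stand in for the user's
    ' password until they expire, so refuse to send them over plain HTTP unless
    ' the caller opts in (the AllowRetailHTTPAuth development setup).
    Sub AttachFbaCookies(ByVal request As HttpWebRequest, ByVal cookies As String, _
                         Optional ByVal allowCleartextDev As Boolean = False)
        If request.RequestUri.Scheme <> Uri.UriSchemeHttps AndAlso Not allowCleartextDev Then
            Throw New InvalidOperationException("Refusing to send FBA cookies over " & request.RequestUri.Scheme)
        End If
        request.Headers.Add("Cookie", cookies)
    End Sub

    Sub Main()
        ' Constructed sample headers; real names and values come from the server.
        Dim sample As String() = {"sessionid=CONSTRUCTED-1; path=/", _
                                  "cadata=CONSTRUCTED-2; path=/; secure"}
        Dim strReusableCookies As String = CombineCookies(sample)

        Dim ok As HttpWebRequest = CType(WebRequest.Create("https://myserver/exchange/myuser/Inbox/"), HttpWebRequest)
        AttachFbaCookies(ok, strReusableCookies)
        Console.WriteLine(ok.Headers("Cookie"))

        Dim plain As HttpWebRequest = CType(WebRequest.Create("http://myserver/exchange/myuser/Inbox/"), HttpWebRequest)
        Try
            AttachFbaCookies(plain, strReusableCookies)
        Catch ex As InvalidOperationException
            Console.WriteLine(ex.Message)
        End Try
    End Sub
End Module
```

WebRequest.Create only builds the request object, so Main runs without contacting a server.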

Further information:

WebDAV and OWA Authentication Settings

https://blogs.msdn.com/webdav_101/archive/2008/12/12/webdav-and-owa-authentication-settings.aspx

How WebDAV - Use Basic Authentication with WebDAV even when FBA is enabled.

https://blogs.msdn.com/webdav_101/archive/2008/02/01/how-webdav-use-basic-authentication-with-webdav-even-when-fba-is-enabled.aspx