How to tell which authentication protocols can be used with WebDAV.


When you do an anonymous POST to the "exchange" virtual folder, the response tells you which authentication protocols are supported. Each "WWW-Authenticate:" header in the response names one supported authentication method. If you get back a 440 Login Timeout with no "WWW-Authenticate:" headers but with "Set-Cookie:" headers, then FBA (forms-based authentication) is likely on. If you get back a 401 Unauthorized with "WWW-Authenticate:" headers, then FBA is off. If you get back a 500 error, then there is probably no authentication enabled (i.e. only Anonymous authentication is on). FBA overrides the other authentication methods. The same "WWW-Authenticate:" check can be used to determine authentication when any other Web API is used, such as EWS and EAS (Exchange Server ActiveSync).

If you send an anonymous OPTIONS request such as the following:

OPTIONS https://127.0.0.1/exchange HTTP/1.1
User-Agent: Fiddler
Host: 127.0.0.1
Translate: F

With FBA Enabled you will get back this:

HTTP/1.1 440 Login Timeout
Content-Length: 43
Content-Type: text/html
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 20 Sep 2011 23:15:08 GMT

<HTML><BODY>440 Login Timeout</BODY></HTML>

With FBA not enabled you will get back this:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="127.0.0.1"
X-Powered-By: ASP.NET
Date: Tue, 20 Sep 2011 23:20:15 GMT
Content-Length: 6283
Proxy-Support: Session-Based-Authentication
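
The checks described above, written as a small Python classifier for a raw response copied out of a tool such as Fiddler's RAW tab. This is an added example, not code from the original post: the function names are hypothetical, the first two samples are the responses shown above (abridged), and the 500 response is constructed.

```python
from email.parser import Parser

def parse_response(raw):
    """Return (status_code, headers) for a raw HTTP response string."""
    head = raw.replace("\r\n", "\n").lstrip().split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)

def classify(raw):
    """Apply the post's rules; returns (verdict, offered auth schemes)."""
    status, headers = parse_response(raw)
    # One scheme per WWW-Authenticate header, as in the responses shown above.
    challenges = headers.get_all("WWW-Authenticate", [])
    schemes = [c.split()[0] for c in challenges if c.strip()]
    cookies = headers.get_all("Set-Cookie", [])
    if status == 440 and not schemes and cookies:
        return "FBA likely on", schemes
    if status == 401 and schemes:
        return "FBA off", schemes
    if status == 500:
        return "probably Anonymous only", schemes
    return "inconclusive", schemes

# Sample responses: FBA_ON and FBA_OFF come from the post, ANON is constructed.
FBA_ON = """HTTP/1.1 440 Login Timeout
Content-Type: text/html
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT

<HTML><BODY>440 Login Timeout</BODY></HTML>
"""
FBA_OFF = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="127.0.0.1"
Content-Length: 6283
"""
ANON = "HTTP/1.1 500 Internal Server Error\nContent-Length: 0\n\n"

if __name__ == "__main__":
    for name, raw in (("FBA_ON", FBA_ON), ("FBA_OFF", FBA_OFF), ("ANON", ANON)):
        print(name, classify(raw))
```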

Here are some tools which you might find helpful for doing a POST:

WFetch 1.4
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21625

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/kb/284285

Fiddler:
http://fiddler2.com/fiddler2/

Note that Fiddler is not a Microsoft product, so we cannot endorse it.  However, it is used quite a bit here at MS in Support. This tool can both capture traces and issue or re-issue a POST.  The RAW tabs are useful for seeing the actual requests and responses.

Comments (5)

  1. Kris says:

    Useful for troubleshooting Activesync authentication, as you mention. For novices, it would be helpful to include the names of the tools that can be used. For example WFetch or Fiddler. WFetch was easier for me, but Fiddler seems more powerful. (I'm not sure I could have made Fiddler work if I hadn't used WFetch first.)

  2. danba says:

    Thanks Kris – I have updated it.  

  3. V_Guard says:

    Microsoft's WebDAV breaks all the rules in the book and Win8 uses another message protocol to Win7.

    Microsoft's plan is to stop/break everyone else's WebDAV clients, but I have a better plan, and that's to hunt down a better WebDAV client and stick to the known protocol.

  4. danba says:

    Hello V_Guard.  

    This blog post has to do with Exchange WebDAV and not WebDAV used against Windows.  There are variations of WebDAV.  

    The last version of Exchange to support WebDAV was Exchange 2007 and there have been two versions of Exchange since.  WebDAV was dropped from Exchange for many reasons and its replacement was Exchange Web Services.   The reasons for this change were many, however a lot of it had to do with badly created items – especially calendaring related content.  The knowledge to create anything beyond a simple appointment took a very high level of knowledge and a lot of operations were just not possible.  So, EWS was created to be the primary API for accessing Exchange and was to replace many other APIs - not just WebDAV.

    Microsoft has no "plan" to break clients.  Perhaps there was a change which broke clients doing WebDAV against Windows folders and items???  I have no knowledge of such a problem.  Accessing Windows with a client using WebDAV is something I don't get into.  I don't know what the replacement for WebDAV against Windows is or if it's still a valid thing.

    Thanks,

    Dan

  5. Luciano says:

    In my case, the Microsoft-Server-ActiveSync virtual directory was configured with HTTP Redirect pointing to the /owa path. When it connected, it was redirected to OWA and gave the error described above.