WebDAV Client – Windows 7
Since I’ve already got Linux & OSX talking to my LDAP/WebDAV enabled Apache, I needed to finish my trifecta… Windows. Specifically, Windows 7. I had heard that it is possible to map WebDAV shares as network drives, just like you would with Samba. Of course, what you hear, what you hope for, and what Windows actually lets you do aren’t always the same (and usually ends with pain).
I had read somewhere that “Map Network Drive” was supposed to work with WebDAV in much the same way as in OSX. I tried it out, but it never seemed to work. I spent quite a while googling about for instructions that would work and eventually landed upon a semi-promising article that mentioned the need to install the “Software Update for Web Folders (KB907306)“. Cool! Maybe that was all I was missing. I gave the update a shot, and a reboot later I was ready to WebDAV…
Of course it didn’t work. That update does allow you to put in URLs directly into “Map Network Drive” rather than having to go into the more hidden “Connect to a website…” option. Even still, I couldn’t connect to my WebDAV share. I saw the connection attempts on the Apache logs, but Windows kept telling me it wasn’t a valid share (Liars!). After some more research, I found a post that said that the WebDAV connector didn’t allow ‘basic’ authentication, but you could fix that with a registry hack. This time I knew better than to get my hopes up… which was a good thing, because it didn’t work either.
After still more research, I found the answer. Microsoft’s WebDAV client only supports the use of ‘digest’ authentication. I almost never use digest authentication, even though it is technically superior, simply because it is not well supported. Any time you need “secure” authentication, you use SSL. In the interest of being sure, I switched my authentication on the WebDAV share from ‘basic’ to ‘digest’… TADA… Windows 7 worked with WebDAV.
Of course, there is one CRITICAL flaw, I’m doing this against an LDAP back-end. You cannot mix ‘digest’ authentication and LDAP. The short reason is that because digest hashes the password before sending it (where basic sends the password clear text), and that hash is not compatible with your LDAP password hashes. It makes sense, and is nether LDAP’s nor Apache’s fault for not working. The reality is that it is dumb (and typical) of Microsoft.
In summary: You cannot have Windows 7 natively talk to a ‘basic’ authentication WebDAV share, Period. You can use Windows 7 native WebDAV with ‘digest’ authentication only, but that prevents you from using LDAP.
This is highly unsatisfying. But you shouldn’t blame MS for using the more secure authentication method (Digest). Digest must have been around for more than five years??
To my knowledge the password encryption is done on the client (webbrowser) and then sent to the server.
This uses username, password and “realm”, which is sent by the server. And this hash will of course not match the hash in the LDAP directory, as the LDAP does not care about realm (and there can be several).
There is really no solution, except you change the client hash function. Imagine:
The client uses md5 to hash the password only. This hash is then, together with the username and realm, used to generate a second hash.
This second hash is transmitted to the server, and the server does the same. Except that the password hash is taken from the ldap.
This requires a new http-standard? or where is webdav defined?
The problem is that Digest is only mildly more secure than plain text. Yes, it is hashed, but it is MD5 level. So broken that you are almost better off not using it.
And you are correct on how it functions, client hashes, sends to server, server verifies with it’s already stored hash. In order to “fix” this for LDAP, you’d have to get the client to hash differently (Which won’t happen because Digest is defined by it’s hash method), and get support mod_ldap to add digest support.
Really the answer is using SSL, and Microsoft not arbitrarily un-supporting standards (ha!)
“This is highly unsatisfying. But you shouldn’t blame MS for using the more secure authentication method (Digest).”
Sorry, IMHO this is blame for MS since the WebDAV protocols does not state that digest auth is needed. In fact WebDAV had nothing to do with authentication and authorization; this is a task for the server implementation. Making this “ad hoc” choice of “only digest” it a typical “ME-MI-MINE only” tactics of MS.