3

Using Apache's mod_dav as the server, Samba 4.1.17 as the server and any version of Windows from 7 upwards as the client, how can I mount a WebDAV share using Kerberos for the authentication?

Currently I have WebDAV and Kerberos confirmed working with both IE and Firefox user agents. Here's an example of IE working:

[23/Aug/2015:15:22:56 +0100] "GET / HTTP/1.1" 200 1062 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/8.0; .NET4.0C; .NET4.0E)"
[23/Aug/2015:15:22:59 +0100] "GET /favicon.ico HTTP/1.1" 404 778 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/8.0; .NET4.0C; .NET4.0E)"

When I try to map or browse to it this always fails, with 401 errors being the only things recorded by Apache:

[23/Aug/2015:15:23:21 +0100] "OPTIONS / HTTP/1.1" 401 814 "-" "Microsoft-WebDAV-MiniRedir/10.0.10240"
[23/Aug/2015:15:23:21 +0100] "OPTIONS / HTTP/1.1" 401 813 "-" "Microsoft-WebDAV-MiniRedir/10.0.10240"
[23/Aug/2015:15:23:21 +0100] "OPTIONS / HTTP/1.1" 401 813 "-" "Microsoft-WebDAV-MiniRedir/10.0.10240"
[23/Aug/2015:15:23:21 +0100] "OPTIONS / HTTP/1.1" 401 813 "-" "Microsoft-WebDAV-MiniRedir/10.0.10240"

Windows reports "The operation being requested was not performed because user has not been authenticated" in this instance since that example was not HTTPS and I've (deliberately) not enabled basic authentication without HTTPS in the registry.

The raw HTTP for those requests looks like:

OPTIONS / HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.10240
translate: f
Host: dav.exmaple.com

The server replies with:

HTTP/1.1 401 Authorization Required
Date: Sun, 23 Aug 2015 18:31:13 GMT
Server: Apache/2.2.22 (Debian)
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Vary: Accept-Encoding
Content-Length: 484
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Which looks like the client is totally ignoring the server's attempts to negotiate to me.

I've read a lot of information about how confused and broken WebDAV clients are on Windows, so when my earlier efforts (at /upload/private) didn't work I set up a separate subdomain where the WebDAV is enabled for the whole namespace and non-mandatory SSL, which is what's being used in these examples.

The certificate used is trusted by the clients and both the HTTP and HTTPS cases fail (almost) identically. The only difference being that the credentials chooser gets shown if HTTPS is being used, but I don't want to manually type credentials and go down the Basic Auth route.

I also tried mounting with:

net use \\dav.example.com *
net use \\dav.example.com\ *
net use http://dav.example.com/ *
net use http://dav.example.com *
net use \\dav.example.com@SSL *
net use \\dav.example.com@SSL\ *
net use https://dav.example.com/ *
net use https://dav.example.com *

All with the same failure.

What gives? How can I persuade the WebDAV mini redirector to use Kerberos for authentication? Is it even possible? The end goal here is true SSO for the users.

Flexo
  • Is the client sending the Kerberos PAC in the HTTP Authorization header? If the auth header begins with "Y" it is Kerberos. http://serverfault.com/a/440050/20701 – Greg Askew Aug 23 '15 at 15:41
  • Did you manage to get this working? I'm in the same situation... – Marti Markov May 17 '17 at 23:52
  • No joy, sorry. Best workaround I have is a really awful workaround joining the WebDAV box into the domain and exporting with samba and davfs2 – Flexo May 18 '17 at 08:30
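
An added example, not part of the original question or its comments: a server-side check of what a captured request actually carries, covering both the MiniRedir request quoted in the question and the "begins with Y" test from the first comment. The function name `classify_authorization` and the labels it returns are hypothetical, and it searches the decoded token for mechanism OIDs rather than fully parsing the ASN.1. A leading "Y" only shows a GSS-API/SPNEGO token (first byte 0x60), so the OID search is what separates a Kerberos offer from NTLM wrapped in SPNEGO.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

# The MiniRedir request quoted in the question: no Authorization header at all.
MINIREDIR_REQUEST = (
    "OPTIONS / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Microsoft-WebDAV-MiniRedir/10.0.10240\r\n"
    "translate: f\r\n"
    "Host: dav.example.com\r\n"
    "\r\n"
)


def classify_authorization(raw_request: str) -> str:
    """Return a label describing the credentials carried by one HTTP request."""
    for line in raw_request.splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "negotiate":
            return scheme.lower() or "malformed"
        try:
            blob = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return "negotiate-malformed"
        if blob.startswith(b"NTLMSSP\x00"):
            return "negotiate-raw-ntlm"         # base64 begins "TlRMTVNT"
        if blob[:1] == b"\x60":                 # GSS-API token, base64 begins "Y"
            if OID_KRB5 in blob or OID_MS_KRB5 in blob:
                return "negotiate-kerberos-offered"
            if OID_NTLMSSP in blob:
                return "negotiate-spnego-ntlm-only"
        return "negotiate-unrecognised"
    return "no-credentials"


if __name__ == "__main__":
    print(classify_authorization(MINIREDIR_REQUEST))  # no-credentials
```
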

1 Answer

2

Did you have a look at the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters AuthForwardServerList entry (KB 943280)?

This works for me.