Windows 10 + WebDAV: Mutual authentication failed: The server's password is out of date at the domain controller

12

7

We have an existing WebDAV installation with an Apache mod_dav WebDAV drive hosted at an SSL-protected URL with a CA-issued certificate and basic authentication. Mac OS X and Windows < 10 have been able to connect for a number of years.

With the exception of one machine, new Windows 10 machines fail to connect to this WebDAV server. An attempt to map the network drive results in the basic authentication credentials being asked twice, and then the following error appears:

The mapped network drive could not be created because the following error
has occurred:

Mutual Authentication failed: The server's password is out of date at
the domain controller.

More specifically, when the "Finish" button is pressed in the Map Network Drive dialog, a username and password is requested - this dialog is shown before attempting to make any kind of connection to the WebDAV server. A valid username and password is entered, and at this point an approximately 6 second delay is experienced while a dialog is shown saying "Attempting to connect to". After this delay a single request arrives at the WebDAV server looking like this:

PROPFIND /shared HTTP/1.1
Host: 127.0.0.1:8022
User-Agent: Microsoft-WebDAV-MiniRedir/10.0.10586
translate: f
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: x.x.x
X-Forwarded-Server: x.x.x
Connection: Keep-Alive

The above request contains no authentication headers, and so the WebDAV server responds as expected with the following:

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Jan 2016 14:18:10 GMT
Server: Apache/2.4.12 (Unix)
WWW-Authenticate: Basic realm="Xxx Xx"
Content-Length: 381
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

[content]

Immediately after receiving this response the Map Network Drive dialog asks for a username and password again. Entering the same username and password triggers a second approximately 6 second delay, after which the "Mutual authentication error" appears without any attempt being made to contact the WebDAV server.

Some notes:

  • There is no domain controller, this is a simple secure WebDAV server protected by Basic Auth and SSL.

  • One Windows 10 machine works fine, we do not know what is special about this machine, and all new Windows 10 machines fail.

  • We tried changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel to 2 and it made no difference (as expected, the original value was 1, and we are using a CA issued SSL certificate).

Has anyone encountered this problem before?

Graham Leggett

Posted 2016-01-13T14:44:53.330

Reputation: 303
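
As an added illustration (not code from the original post), the following Python example parses a 401 challenge like the one quoted in the question and applies the documented BasicAuthLevel rule (0 = Basic disabled, 1 = SSL shares only, 2 or more = SSL and non-SSL shares) to report whether the WebClient policy permits a Basic reply. The URL `https://webdav.example.test/shared` and all function names are assumptions, and the code models only that one registry gate, not the rest of the Mini-Redirector.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the 401 response quoted in the question.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Xxx Xx"\r\n'
    "\r\n"
)

# One item of a challenge: a scheme name, or name=value (value optionally quoted).
_ITEM = re.compile(r'([A-Za-z0-9_.~!#$%&*+^|-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+))?')

def parse_challenges(raw_response):
    """Return (status, {scheme: {param: value}}) from a raw HTTP response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(head[0].split()[1])
    challenges = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        current = None
        for token, arg in _ITEM.findall(value):
            if arg == "":                  # bare token: a new scheme starts
                current = challenges.setdefault(token.lower(), {})
            elif current is not None:      # name=value: parameter of that scheme
                if arg.startswith('"'):
                    arg = re.sub(r"\\(.)", r"\1", arg[1:-1])
                current[token.lower()] = arg
    return status, challenges

def basic_permitted(url, level):
    """BasicAuthLevel gate: 0 = never, 1 = SSL only, 2 or more = SSL and plain HTTP."""
    return level >= 2 or (level == 1 and urlsplit(url).scheme.lower() == "https")

def assess(raw_response, url, basic_auth_level):
    """Summarise what the challenge offers and whether Basic may be sent."""
    status, challenges = parse_challenges(raw_response)
    if status != 401:
        return "no challenge (status %d)" % status
    if "basic" not in challenges:
        return "server does not offer Basic: " + ", ".join(sorted(challenges))
    if not basic_permitted(url, basic_auth_level):
        return "Basic offered but blocked by BasicAuthLevel=%d" % basic_auth_level
    return "Basic offered and permitted (realm %r)" % challenges["basic"].get("realm")

if __name__ == "__main__":
    print(assess(SAMPLE_401, "https://webdav.example.test/shared", 1))
```

The parser does not handle token68 credentials (for example a Negotiate continuation blob), which do not appear in an initial challenge such as the one shown.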

Try to: (1) disable all firewalls, (2) Run Windows Explorer as administrator, (3) Verify there is no clock drift, (4) Verify the Certificate Authority that issued the SSL certificate is recognized, (5) Compare the good and bad client computers in gpedit.msc branch Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, the values of all entries that start with Network security:. – harrymc – 2017-04-06T17:36:40.977

(6) Is the SSL certificate self signed? – harrymc – 2017-04-06T19:40:12.737

I can access gpedit.msc but I only have one computer (Windows 10) to check the properties. I don't know which property I must check.... – Felipe – 2017-04-10T08:07:06.750

Also, when I check the certificate status it is OK. I can access the WebDAV from Mac and Linux. Only the Win10 map network is not working. But I can access it through Firefox on Win10. – Felipe – 2017-04-10T08:10:17.620

Windows might have cached bad credentials - you may clear the disk cache by the command certutil -urlcache * delete. In gpedit the properties that might have effect have names that start with "Network security:". – harrymc – 2017-04-10T08:43:47.540

I used the command certutil -urlcache * delete and installed my certificate again, and it didn't work. Do you know which option I have to enable in gpedit? – Felipe – 2017-04-10T12:27:12.500

gpedit : the entries whose names start with Network security: – harrymc – 2017-04-11T09:18:47.763

Is the time the same on both machines? Answer: change the time on the affected machine to ensure they match. – Stese – 2017-04-12T10:16:02.890

No answers