Choosing WebDAV Server Authentication Schema

Most desktop WebDAV clients do not support Cookies/Forms authentication and require Basic, Digest, NTLM or Kerberos. They cannot present the HTML login page with the login form.

The only exception is Microsoft Office 2007 SP1 and later, which supports Microsoft Office Forms-Based Authentication (MS-OFBA). It can show your HTML login page, which you can customize to your needs, including authentication with third-party authentication providers such as Facebook, Google, Twitter, etc.

What Authentication Type do I Need for My WebDAV Server?

Below you can see which authentication method you can use with some authentication scenarios:

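|                                                               | Basic | Digest | MS-OFBA | NTLM/Kerberos | Forms/Cookies |
|---------------------------------------------------------------|-------|--------|---------|---------------|---------------|
| Your custom auth SQL/CMS/DMS/CRM/etc. storage                 | +     | + (1)  | +       | -             | +             |
| Windows or Active Directory accounts                          | + (2) | + (2)  | - (3)   | +             | - (3)         |
| Third-party OAuth (Facebook, Google, Twitter, Microsoft, etc) | -     | -      | +       | -             | +             |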

Below you can see authentication support among some WebDAV clients: 

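|                                                           | Basic | Digest | MS-OFBA | NTLM/Kerberos | Forms/Cookies |
|-----------------------------------------------------------|-------|--------|---------|---------------|---------------|
| MS Mini-redirector, OS X Finder, etc                      | +     | +      | -       | +             | -             |
| MS Office 2007 SP1 and later                              | +     | +      | +       | +             | -             |
| MS Office 2007 (no SP) and earlier                        | +     | +      | -       | +             | -             |
| Any Ajax clients (Ajax Browser, WebDAV Ajax Library, etc) | +     | +      | + (4)   | +             | +             |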

1 Digest requires storing the HA1 value instead of the password hash: HA1=MD5(username:realm:password). For a sample implementation, use the ‘Add WebDAV Server Implementation’ wizard with an MVC 5 or Web Forms project with OWIN authentication middleware.

2 You can use Basic and Digest with Windows or Active Directory accounts if your server runs in IIS. Or you can authenticate in your back-end code against Windows or Active Directory accounts. The latter is supported for Basic only.

3 You can use MS-OFBA and Forms/Cookies authentication with Windows or Active Directory accounts if you authenticate in your back-end code against Windows or Active Directory accounts.

4 Because MS-OFBA is always used together with Forms/Cookies authentication, your website will actually use Forms/Cookies authentication; see below how mixed authentication is selected.

When do I need MS-OFBA?

You will need MS-OFBA in the following cases:

    1. If you need to use third-party OAuth providers, such as Facebook, Google, Twitter, etc. These providers require an HTML page to be presented to authenticate the user.
    2. If you want to customize the Microsoft Office login dialog. You can display a custom HTML page.

MS-OFBA is supported by a limited number of client applications, such as Microsoft Office. MS-OFBA is NOT supported by Microsoft Mini-redirector, OS X Finder and most other desktop WebDAV clients.

Note that you cannot use Basic or Digest with third-party authentication providers, such as Facebook, Google or Twitter.

How Authentication Schema is Selected in case of Mixed Authentication.

In the Add WebDAV Server Implementation wizard, you can enable up to 3 types of authentication on your WebDAV folder: Forms/Cookies + Basic or Digest + MS-OFBA. Here is how authentication is selected depending on the WebDAV client application accessing the server:

  • MS-OFBA. If the “Microsoft Office” string is found in the ‘User-Agent’ header, or if the ‘X-FORMS_BASED_AUTH_ACCEPTED: t’ header is present in the client request, then your server will select MS-OFBA and will reply with MS-OFBA headers. The ‘User-Agent: Microsoft Office’ and ‘X-FORMS_BASED_AUTH_ACCEPTED: t’ headers are usually present in client OPTIONS requests only.
  • Forms/Cookies. If the “Mozilla” string is found in the ‘User-Agent’ header, then Cookies / Forms authentication is selected. The ‘Mozilla’ string is submitted by all web browsers with all requests.
  • Basic/Digest. If none of the above, your server will use Basic or Digest authentication. It will reply with Basic or Digest headers.
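The selection order above, sketched as an added example (not code generated by the wizard or taken from the product). The function names, URLs, realm and sample User-Agent strings are assumptions; the 403 response with `X-FORMS_BASED_AUTH_*` headers follows the MS-OFBA protocol, and the Forms redirect and Basic challenge are typical forms of those replies.

```python
# Added illustration; names and URLs are hypothetical placeholders.
LOGIN_URL = "https://dav.example.test/login"
RETURN_URL = "https://dav.example.test/login/done"


def select_scheme(headers):
    """Choose which challenge to send, in the order the page describes."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    agent = h.get("user-agent", "")
    ofba = h.get("x-forms_based_auth_accepted", "").strip().lower() == "t"
    if "Microsoft Office" in agent or ofba:
        return "ms-ofba"
    if "Mozilla" in agent:
        return "forms"
    return "basic-digest"


def challenge(headers, authenticated=False):
    """Return (status, response headers) for a request to the WebDAV folder.

    `authenticated` must come from validating a cookie or Authorization
    header. The sniffed headers are client-supplied, so they only pick the
    challenge; they never count as proof of identity.
    """
    if authenticated:
        return 200, {}
    scheme = select_scheme(headers)
    if scheme == "ms-ofba":
        # MS-OFBA challenge: 403 plus the login page Office should display.
        return 403, {
            "X-FORMS_BASED_AUTH_REQUIRED": LOGIN_URL,
            "X-FORMS_BASED_AUTH_RETURN_URL": RETURN_URL,
            "X-FORMS_BASED_AUTH_DIALOG_SIZE": "800x600",
        }
    if scheme == "forms":
        return 302, {"Location": LOGIN_URL}  # assumed: redirect to the login form
    return 401, {"WWW-Authenticate": 'Basic realm="WebDAV"'}  # or a Digest challenge


# Constructed sample requests (User-Agent values are illustrative).
SAMPLES = {
    "office_options": {"User-Agent": "Microsoft Office Word 2016",
                       "X-FORMS_BASED_AUTH_ACCEPTED": "t"},
    "office_mixed_ua": {"user-agent": "Mozilla/4.0 (compatible) Microsoft Office/16.0"},
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "mini_redirector": {"User-Agent": "Microsoft-WebDAV-MiniRedir/10.0.19045"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, select_scheme(req), challenge(req)[0])
```

Because any client can send any of these headers, every scheme enabled on the folder has to validate its own credentials on each request; the check order only decides which prompt the client sees.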