Choosing WebDAV Server Authentication Schema

Most desktop WebDAV clients do not support Cookies/Forms authentication and require Basic, Digest, NTLM or Kerberos. They cannot present the HTML login page with the login form.

Note! To overcome the Cookies/Forms authentication being not supported by WebDAV clients you can use the IT Hit WebDAV Ajax Library or IT Hit Ajax File Browser together with web browser DavX protocol application (Edit Document Opener) and open documents from a web page passing an authentication cookie.

The only exception of the application that directly supports some kind of Cookies/Forms authentication is the Microsoft Office 2007 SP1 and later, that support Microsoft Office Forms-Based Authentication (MS-OFBA). It can display a HTML login page that you can customize for your needs including authentication in third-party authentication providers such as Facebook, Google, Twitter, etc.

What Authentication Type do I Need for My WebDAV Server?

Below you can see which authentication method you can use with some authentication scenarios:

 BasicDigestMS-OFBANTLM/
Kerberos
Forms/
Cookies
Your custom auth SQL/CMS/DMS/CRM/etc. storage + +1 + - +
Windows or Active Directory accounts +2 +2 -3 + -3
Third-party OAuth (Facebook, Google, Twitter, Microsoft, etc) - - + - +

 

Below you can see authentication support among some WebDAV clients: 

 BasicDigestMS-OFBANTLM/
Kerberos
Forms/
Cookies
Microsoft Mini-redirector, OS X Finder, etc + + - + -
Microsoft Office 2007 SP1 and later for Windows + + + + -
Microsoft Office 2007 (no SP) and earlier for Windows + + - + -
Microsoft Office 2011 and later for Mac + + + + -
Microsoft Office Mobile Apps for iOS + + - + -
Any Ajax clients (Ajax Browser, WebDAV Ajax Library, etc) + + +4 + +

 

1 Digest require storing HA1 value instead of the password hash: HA1=MD5(username:realm:password). To generate a sample Digest code use ‘Add WebDAV Server Implementation’ wizard with MVC 5 or Web Forms project with OWIN authentication middleware.

2 You can use Basic and Digest with Windows or Active Directory accounts if your server runs in IIS. Or you can authenticate in your back-end code against Windows or Active Directory accounts. The later is supported for Basic only.

3 You can use MS-OFBA and Forms/Cookies authentication with Windows or Active Directory accounts if you authenticate in your back-end code against Windows or Active Directory accounts.

4 As soon as MS-OFBA is always used together with Forms/Cookies authentication your website will actually use Forms/Cookies authentication, see below how Mixed authentication is selected.

When do I need MS-OFBA?

You will need MS-OFBA in following cases:

    1. If you need to use third-party OAuth providers, such as Facebook, Google, Twitter, etc. These providers require HTML page to be presented to authenticate the user. 
    2. If you want to customize Microsoft Office login dialog. You can display a custom HTML page.

MS-OFBA is supported by a limited amount of client applications, such as Microsoft Office. MS-OFBA is NOT supported by Microsoft Mini-redirector, OS X Finder and most other desktop WebDAV clients.

Note that you cannot use Basic or Digest with third-party authentication providers, such as Facebook, Google or Twitter.

How Authentication Schema is Selected in case of Mixed Authentication.

In Add WebDAV Server Implementation wizard, you can enable up to 3 types of authentication on your WebDAV folder: Forms/Cookies + Basic or Digest + MS-OFBA. Here is how authentication is selected depending on the WebDAV client application accessing the server:

  • MS-OFBA. If “Microsoft Office” string is found in ‘User Agent’ header or if ‘X-FORMS_BASED_AUTH_ACCEPTED: t’ header is present in client request, then your server will select MS-OFBA and will reply with MS-OFBA headers. ‘User Agent: Microsoft Office’ and ‘X-FORMS_BASED_AUTH_ACCEPTED: t’ headers are usually present in client OPTIONS requests only. 
  • Forms/Cookies. If “Mozilla” string is found in ‘User Agent’ header than Cookies / Forms authentication is selected. ‘Mozilla’ string is submitted by all web browsers with all requests. 
  • Basic/Digest. If none of the above, your server will use Basic or Digest authentication. It will reply with Basic or Digest headers.