manual & docs
drivers & updates
the people (& their mails)
the aeros wildest dream...
Windows XP and Apache WebDAV
Password problems with webfolders
WebDAV is an easy way to upload files through the services of a webserver - no FTP-program needed. Windows 95 and Windows 2000 made it even easier by enabling it's users to simply use the "Windows Explorer" and it's "Webfolder"-function. Unfortunately some of that simplicity is gone in Win XP.
The screenshots come from my Windows XP-version so the language is german. I hope you can make some sense out of it anyway.
If you try to add a webfolder through "Windows Explorer - Network - My Network Places" you will be asked over and over for your username and password - although it is correct it won't be accepted.
As you may see in the image above, Windows XP tries to authenticate in the format "domain\username". But Apache accepts only "username" and password.
Another hint is given by the authentication window itself: By default, Windows XP uses the new "Microsoft-WebDAV-MiniRedir/5.1.2600" mechanism which presents the following window:
Other Windows Versions, f.i. Windows 2000 use the "Microsoft Data Access Internet Publishing Provider DAV 1.1" which works with webfolders/Apache WebDAV without any problems. This mechanism shows that kind of window:
If you look at the apache log file "access.log", you find the following entry for the wrong authentication by "Microsoft-WebDAV-MiniRedir/5.1.2600":
OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600 PROPFIND /dav HTTP/1.1" 401 409 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600
There is no entry in the "error.log"-file, which can only mean that Windows XP made no
attempt to authenticate.
So the following solutions seem to be possible:
My configuration is the following:
I will now describe the solutions I found in the web to fix the problem at the client and at the server side. Of course there maybe more and better solutions, and maybe I did some things wrong. Please use the form-window at the end of this page to add ideas and corrections.
Solutions on the client-side
1. Adding a port number to the webfolder-address
Peter Clark describes in his weblog the trick to attach the port-number (80 by default) to the http-address you enter into the field of the "My Network Places"-assistant. As you can see in the following image and the linked screenshot, this will force Windows XP to use the "Microsoft Data Access Internet Publishing Provider DAV 1.1" mechanism instead of "Microsoft-WebDAV-MiniRedir/5.1.2600".
2. Adding a number-sign ("#") to the webfolder-address
As one of Peter Clarks weblog guests noted, it is also possible to add the number sign # to the http-address you enter into the field of the "My Network Places"-assistant. As you can see in the following image and the linked screenshot, this will also force Windows XP to use the "Microsoft Data Access Internet Publishing Provider DAV 1.1" mechanism instead of "Microsoft-WebDAV-MiniRedir/5.1.2600".
3. Force Windows XP to use Basic Authentication
There is a third way to get this working from the client-site. As described in the Microsoft Knowledge Base, Article ID: 841215, Windows XP disables "Basic Auth" in his "Microsoft-WebDAV-MiniRedir/5.1.2600"-mechanism by default for security reasons. Because the Apache Auth-Mechanism depends on "Basic Auth" we need to enable it on the client. This can be done in the registry:
This forces "Microsoft-WebDAV-MiniRedir/5.1.2600" to use the
"basic auth"-mechanism to connect to the Apache-server.
Security issues: In a comment to my website here, Ian Griffiths critically remarks that using "basic auth" may be a security risk. Please read his comment further down in this document.
Solutions on the server-side
Unfortunately editing the registry won't work for people without admin-rights on their clients. So as webadmin I looked for solutions on the server-side.
1. Using the Apache module mod_encoding.so
The California Institute of Technology and the Apple-Forum macosxhints recommend to use the apache module "mod_encoding.so" (which can be found here) together with the module "mod_headers.so" to solve the problem. Both sites describe the procedure in detail so it isn't necessary to add a third page about it.
Just some hints for fellow Debian GNU/Linux -users:
It's also worth to mention, that the "mod_encoding" tar-file already includes the necessary library "iconv_hook" in a subdirectory - you should "make" and "make install" this library first.
Unfortunately this all didn't work for me - the XP-behavior didn't change at all for still unknown reasons.
2. Using the Apache module "Mod_Auth_MSFix"
The second possibility to solve the problem on the server-side is a module that seemed to be written exactly for this purpose: "Mod_Auth_MSFix" which can be found here or here on my server. Although written for Apache 2 the module can also be compiled for Apache 1.3 by using one of the modified c-files which can be found on the same site.
A working binary module for Debian Woody and Apache 1.3.26 can be found here (Version 0.2.1 by Charles Gentry, ported to the Apache 1.3 API by Michail Bachmann). It must be copied into the "usr/lib/apache/1.3" directory and enabled in httpd.conf.
The "Mod_Auth_MSFix" module re-writes the HTTP Basic authorization header that comes from Microsoft's Webdav clients. It is enabled in Apache's httpd.conf inside an 'AuthType BASIC' directory or location:
If someone accesses the directory the module will check the client's header against a pattern (Microsoft / not Microsoft). If it matches a Microsoft WebDav client it will rewrite the "domain\username" authentication to "username".
At least that's the theory. I installed it, but it didn't correct the XP-behavior when adding a webfolder from "Windows Explorer - Network - My Network Places".
After rethinking the problem, it seems obvious why the module can't succeed: The "Microsoft-WebDAV-MiniRedir/5.1.2600" won't even try to send the username and the password - because the basic authentication that apache requests is disabled by default in Windows XP SP2 (see the MS paper above). So when there is no HTTP Basic authorization header that comes from the Microsoft's Webdav client the module can't correct it.
"Mod_Auth_MSFix" proved nevertheless useful for correcting the authentication from Internet Explorer - this browser also uses the format "domain\user". Its correction may help some inexperienced IE users ;-).
3. Using an SSL-encrypted webfolder
The California Institute of Technology also suggests to use "https" for accessing the webfolder.
This also seems to force Windows XP to use the "Microsoft Data Access Internet Publishing Provider DAV 1.1"
mechanism. I personally don't use this because my server is an old
486SX and it wouldn't be a good idea
to encrypt all communications to the webfolder with that processor.
With the adding of the number-sign "#" there is a simple way to work around XP's authentication problems on the client-side. On the server-side there seems to be no easy solution yet (although Mod_Auth_MSFix may help IE users).
The logical solution on the server side would be an Apache auth-module which understands the handshake of Windows XPs "Microsoft-WebDAV-MiniRedir/5.1.2600". As long as that's not available, admins may tell their webfolder-users the trick with the "#"-sign.
Hope this helps.
The following comments were added to this article (newest first):
Have spent with this issue the whole day. Wonderful! ;-)
posted by Tomá Zrna at 07.08.2008 - 17:47:00
WebDAV, Windows, and Basic Auth
You say that the registry change tells the WebDAV redirector to use what you describe as:
posted by Ian Griffiths at 15.07.2008 - 17:57:31
Mounting webdav shares on a drive letter on XP SP2
I stumbeled upon this thread while researching possibilities for using webdav with these criteria:
posted by Guido at 25.09.2006 - 22:52:16
have it all up and running. went through all the usual authentication issues. leaving one small issue. the folder i am currently browsing seems to echo itself. so for example, if the folder is called WebDAV, when i opnen it it contains a folder called WebDAV. clicking into this folder, just points to the same location with a folder called WebDAV again. you can click into these folder echos inifintely. then to get back you have to go back through each folder as if it were a real folder. very annoying!! anyone know how to get ridds of this?
posted by Rob at 24.07.2006 - 13:01:44
I tried everything on this page to get XP to work with webdav/apache2.0, none works for me. The # and :80 trick both return "The folder does not appear to be valid", I've tried formatting it in every possible way, using IP, using host, using host.domain, trailing slash, none are accepted as valid. I tried the registry edit and it made no difference. This is a fresh XPpro SP2 install.
posted by Lee at 10.07.2006 - 21:47:35
None of these methods worked for mounting the webdav as a drive letter.
posted by Exp at 10.06.2006 - 03:53:14
this solution worked for me
I had to add PROPFIND to the LimitExcept, and then it worked like a charm
posted by theo theunissen at 25.05.2006 - 22:03:05
As luluware seems in fact to be down, here you find mod_auth_msfix.tar as source. I repacked it from my own install-diretory. Beneath the Apache 2-module I also included the sources of the backported version for Apache 1.3. This is legal, as the author, Charles Gentry, released the whole module under the GPL.
posted by Ulrich Hansen at 25.04.2006 - 07:40:23
Won't mount a root directory!
I just discovered that windows won't mount the root (eg http://webdav.example.com/) as it thinks it's a windows share and looks for some special files (such as _vti_inf.html, _vti_bin etc) as an index of "shares". If it doesn't find those, it claims the folder is invalid. You have to make it webdav.example.com/dav or something, which then gets you to the classic digest authentication issues mentioned on this page, which I'm now trying to sort out.
posted by Neil at 24.04.2006 - 03:16:41
Server luluware.com down
Unfortunatly the server for downloading the Apache 2 module Mod_Auth_MSFix is down since a few days. Does anyone know another source or can anyone share this module, if it's legal?
posted by Chris at 15.04.2006 - 13:47:34
I am using WinXP "WebClient" Service properly as follows.
posted by ftlabo at 28.02.2006 - 04:59:32
Thanks for these comments and clarifications! Please don't forget this site, if you have additional ideas!
posted by Ulrich Hansen at 8.02.2006 - 19:40:01
THANKS A LOT!
well i have setup 2 debian sarge apache2 dav servers.
posted by boring name at 20.01.2006 - 10:32:19
Clarification of domain name and registry problems
Just some clarifications to some of the earlier points:
posted by Stuart R at 13.01.2006 - 12:36:37
Another Server Side Option
try to create your username with firstname.lastname@example.org, cause windows don't send the domain
posted by Andres Botero at 30.12.2005 - 21:06:38
still problems with XP
posted by Til at 16.11.2005 - 13:55:29
excellent! i've been browsing around for hours and you article sums up about everything i've read sofar. and adds some sense.
posted by pike at 29.10.2005 - 22:57:29
Another Server Side Option
There's another server side option.
posted by Dan at 12.10.2005 - 04:45:50
Thx a lot
Thank you, made my day ! Now it works flawless
posted by Sven at 14.09.2005 - 10:39:44
I couldn't get WebDAV to work on Apache with the Windows XP Client. The # sign fix did the trick for me. Thank you for your help.
posted by Thor Ringler at 27.06.2005 - 19:32:44
with Windows server 2003 you need:
posted by Tom at 23.06.2005 - 12:30:27
Add a comment (Temporarily defunct)
Unfortunately there has been massive spamming to this site, so I temporarily disabled commentaries until I find a better solution. Please send me your comments as E-Mail and I will publish them here.
Thanks a lot!