How to tell which authentication protocols can be used with WebDAV.

  • Artykuł

When you do an anonymous POST to the “exchange” virtual folder, you will get back a response which will tell you about which authentication protocols are supported.  Each “WWW-Authenticate:” header in the response tells you which type of authentication method is supported.  If you get back a 440 Login Timeout with no “WWW-Authenticate:” headers and you do get back “Set-Cookie: “ headers then FBA is likely on.  If you get back a 401 Unauthorized and “WWW-Authenticate:” headers, then FBA is off.  If you get back a 500 error, then there is probably no authentication enabled (ie just Anonymous authentication is on).   FBA Authentication is an override to other authentication methods.  Checking the “WWW-Authenticate:” using this method can be used for checking authentication when any other Web API is used - such as EWS and EAS (Exchange Server ActiveSync).

If you do an Anonymous OPTIONS POST such as the following:

OPTIONS https://127.0.0.1/exchange HTTP/1.1
User-Agent: Fiddler
Host: 127.0.0.1
Translate: F

With FBA Enabled you will get back this:

HTTP/1.1 440 Login Timeout
Content-Length: 43
Content-Type: text/html
Set-Cookie: sessionid=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: cadata=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Date: Tue, 20 Sep 2011 23:15:08 GMT
<HTML><BODY>440 Login Timeout</BODY></HTML>

 

With FBA not enabled you will get back this:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="127.0.0.1"
X-Powered-By: ASP.NET
Date: Tue, 20 Sep 2011 23:20:15 GMT
Content-Length: 6283
Proxy-Support: Session-Based-Authentication

Here are some tools which you might find helpful for doing a POST:

WFetch 1.4
https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21625

HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
https://support.microsoft.com/kb/284285

Fiddler:
https://fiddler2.com/fiddler2/

Note that Fiddler is not a Microsoft prodcut, so we cannot endorse it.  However, it is used here at MS quite a bit in Support. This tool can both capture traces and issue/re-issue POST.  The RAW tabs are useful for seeing the actual requests and responses.

Comments

  • Anonymous
    October 13, 2011
    Useful for troubleshooting Activesync authentication, as you mention. For novices, it would be helpful to include the names of the tools that can be used. For example WFetch or Fiddler. WFetch was easier for me, but Fiddler seems more powerful. (I'm not sure I could have made Fiddler work if I hadn't used WFetch first.)

  • Anonymous
    October 13, 2011
    Thanks Kris - I have updated it.  

  • Anonymous
    February 05, 2014
    Microsofts Webdav breaks all the rules in the book and Win8 uses another message protocol to win7. Microsoft's plan is to stop/break everyone else webdav clients but I have a better plan at that't to hunt down a beter webdav clients and stick to the known protocol

  • Anonymous
    February 05, 2014
    The comment has been removed

  • Anonymous
    April 13, 2014
    No meu caso, no diretório virtual do Microsoft-Server-ActiveSync estava configurado em HTTP Redirect apontando para o caminho /owa. Quando ele conectava direcionava para o owa e dava o erro descrito acima.