WebDAV with Basic Authentication and Windows 7
No, Watson, this was not done by accident, but by design. – Sherlock Holmes
WebDAV is a useful protocol that allows us to build on web technologies to deliver file-system-like functionality. From a security perspective, because it runs over HTTP, you can apply the same policies and procedures to securing a WebDAV service that you would apply to a web server; for instance, running it over SSL gives you multiple layers of security. Another plus is that it is widely supported on smartphones, so mobility is greatly enhanced. With our eBoard service, we provide WebDAV as one of the methods of connection so that tablets can access our file services remotely.
One of the caveats with using WebDAV is that while it may work perfectly fine on smartphones, Linux or Mac OS X, using it on Windows is another matter entirely.
The Problem
Windows 7 does not support automatically reconnecting to a WebDAV share with Basic Authentication. You may be able to add it as a network connection, but once your PC restarts, it will fail to connect. This is documented here with a suggested workaround:
http://support.microsoft.com/kb/2673544
A common task within a Windows environment is the automatic mapping of drives via Group Policy. In earlier days this was accomplished with a logon script; now Group Policy lets you define mapped drives within a Group Policy definition, but unfortunately this does not work very well with WebDAV connections.
The Workaround
As suggested in the article, falling back to a logon script appears to be the easiest way, but there are a number of considerations that the article fails to mention before you can get this to work successfully:
- SSL needs to be used, or the WebClient needs to be told to allow Basic Auth use on unencrypted connections. This is not recommended in production, but you can change it by editing the following registry key value to 2 (to allow Basic Auth on SSL and non-SSL connections):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel
- The WebClient service needs to be running. If it’s not running and you execute a net use command for a WebDAV share, it will fail with System error 67:
C:\Users\example>net use X: https://alfresco.example.com/alfresco/webdav/ password /U:user /P:NO
System error 67 has occurred.
The network name cannot be found.
- The WebDAV server needs to be reachable before you try to connect. If it’s not, the WebClient service appears to be inoperable for that URL until it’s been restarted. If you have a wireless connection that takes time to connect, then you will notice this issue quite dramatically.
- You may not have your PC joined to the domain and can’t rely on group policy at all.
Luckily, there are two workarounds for this Windows shortcoming, depending on whether or not you are using Group Policy.
Without Group Policy
If you want to automatically connect to a WebDAV share with Basic Authentication without Group Policy, follow the instructions here:
- Navigate to Services in Control Panel and make sure that the WebClient service is set to start automatically
- Follow these instructions to create a Scheduled Task that runs when the network is activated
- Go to the Actions tab, Create a new Action with the following settings:
- Action: Start a Program
- Program/script:
net
- Add arguments (Change to suit your settings):
use X: https://alfresco.example.com/alfresco/webdav/ password /U:user /P:NO
- Log out and back in and confirm it's working
With Group Policy
As alluded to earlier, you can use logon scripts to work around this issue, adding in a net use command upon login to sort out the network drive automatically.
One thing worth mentioning with this approach is that Administrators will execute logon scripts with elevated privileges. This means that network drives mapped within a logon script by an administrator user won't be accessible in Explorer. There is a workaround for this too, also using the Task Scheduler:
UAC, Logon Scripts, and the Launchapp.wsf workaround
One could assume, though, that most environments wouldn't have many normal users running with administrator accounts.
Creating a GPO
Please take caution and confirm that any settings changed here are compatible with your environment. Test this properly before putting it into production.
- Start by opening your Group Policy Editor on your DC, navigating to your intended OU, right-clicking and selecting Create a GPO…, and then giving it a meaningful name
- Edit the Group Policy and navigate to:
Computer Configuration -> Policies -> Administrative Templates -> System -> Logon
- Set Always wait for the network at computer startup and logon to Enabled
- Navigate to:
Computer Configuration -> Preferences -> Control Panel Settings -> Services
- Add a new Service with the following:
- Startup: Automatic
- Service Name: WebClient
- Navigate to:
User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff)
- Double click Logon and select Show Files… to bring up a window where we’ll be putting our scripts
- Create a batch file named networkmap.bat with your net use command (changing to suit your settings):
net use X: https://alfresco.example.com/alfresco/webdav/ password /U:user /P:NO
- Back in the Logon Properties window, select Add, and select the networkmap.bat file as the Script Name
- If you need Administrator users to work also, instead of using networkmap.bat as the Script Name, do the following:
- Copy over the Launchapp.wsf file into the same folder
- Add a Script with the Script Name set to Launchapp.wsf
- Set the Script Parameters to the full path of the Script file. e.g.:
\\DOMAIN\SysVol\DOMAIN\...\User\Scripts\Logon\networkmap.bat
- Run gpupdate /force on your test machine
- Run rsop.msc or gpresult /v to confirm that the computer has pulled down the appropriate GPO
- Log out and log back in to confirm that it’s working
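The networkmap.bat above calls net use blindly, so it hits the caveats listed under The Workaround whenever WebClient is stopped or the server is not yet reachable. The following PowerShell logon script is an added example, not code from the original post or the KB article; it performs those checks before mapping. The drive letter, URL, hostname, port, account and password are the post's placeholder values and are assumptions to change.

```powershell
# Added example (not from the original post): a logon-script replacement for networkmap.bat
# that checks the post's caveats before calling net use. Drive letter, URL, hostname, port
# and account are the post's placeholder values (assumptions); change them to suit.
$DriveLetter = 'X:'
$WebDavUrl   = 'https://alfresco.example.com/alfresco/webdav/'
$ServerName  = 'alfresco.example.com'
$ServerPort  = 443
$User        = 'user'
$Password    = 'password'   # stored in SysVol like networkmap.bat, so keep this account's rights minimal
$LogFile     = "$env:TEMP\networkmap.log"

# Caveat: the WebClient service must be running, or net use fails with "System error 67".
$svc = Get-Service -Name WebClient
if ($svc.Status -ne 'Running') {
    Start-Service -Name WebClient
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Caveat: the server must answer before the first attempt, otherwise WebClient gives up on
# that URL until it is restarted. A plain TCP connect with a timeout works on Windows 7 /
# PowerShell 2.0, which has no Test-NetConnection.
function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$deadline = (Get-Date).AddSeconds(90)   # covers a slow wireless association at logon
while (-not (Test-TcpPort $ServerName $ServerPort)) {
    if ((Get-Date) -gt $deadline) {
        "$(Get-Date -Format s) $ServerName unreachable; $DriveLetter not mapped" | Add-Content $LogFile
        exit 1
    }
    Start-Sleep -Seconds 5
}

# Map non-persistently, exactly as the post does, and skip if the letter is already in use.
if (-not (Test-Path "$DriveLetter\")) {
    & net use $DriveLetter $WebDavUrl $Password "/USER:$User" /PERSISTENT:NO
    if ($LASTEXITCODE -ne 0) {
        "$(Get-Date -Format s) net use failed with exit code $LASTEXITCODE" | Add-Content $LogFile
        exit $LASTEXITCODE
    }
}
```

Add it on the PowerShell Scripts tab of the Logon properties instead of the batch file; Windows 7 defaults to a Restricted execution policy, so script execution must be allowed by policy for it to run.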
Conclusion
The above methods are workarounds that allow you to use WebDAV with Basic Authentication as a network drive. We have demonstrated two of them, both of which let WebDAV be used with the native Windows integration. It would also be possible to use a separate WebDAV client or to connect to the service in another way.
It may be that in future another solution will present itself, or Microsoft will get round to fixing their credential storage, but for now a well-crafted logon script is the easiest workaround.