Reference Dec 22, 2010

WebDAV Over SSL with Windows 7

While setting up WebDAV over HTTP and getting it to work is pretty straightforward on most operating systems, many attempts to make it work over SSL with Windows 7 appear to be like the battle of David versus Goliath. The good news is that it works and, contrary to most comments on the internet, it is not painfully slow, but actually quite snappy. The setup turns out to be simple as well, but is not very well documented.

Tags: infrastructure ssl webdav windows

Obtaining A SSL Certificate

This is probably the biggest stumbling block for most users, and therefore I am going to point it out it first:

A certificate from a trusted root certificate authority is needed for normal use cases, or otherwise any attempt to map a WebDAV folder to a network drive will fail with undescriptive error messages, such as:

An unexpected network error occured.

SSL certificates can be purchased from various certificate authorities, such as GoDaddy, Thawte or VeriSign. However, in many cases WebDAV will be installed for personal use only, and spending hundreds of dollars per year on a certificate seems to be overkill.

Fortunately, there is another option: StartCom is currently the only certificate authority trusted by Microsoft Windows that offers free SSL certificates for personal use. The process is somewhat tedious and requires the establishing of a Client Certificate that identifies the user with StartCom’s web server as a means of login before any other certificates can be generated.

Windows 7 will trust certificates issued by StartCom out of the box. For Windows Vista and XP there are official patches from Microsoft to update the list of authorities accordingly.

Chosing A Port for HTTPS

Unless a wildcard certificate is used in combination with SSL host headers, or if multiple public IP addresses are available on the web server, one is usually limited to one SSL web site per web server on the default HTTPS port 443. This can be a problem if the web server is already serving another web site over HTTPS. An easy workaround is to use a different port number binding for the WebDAV web site.

Testing the WebDAV Web Site

In order to test whether the WebDAV web site is running properly, one can simply open a web browser and enter the URL of the web site. After successful authentication and authorization the browser should display a directory listing of the WebDAV folder. If the web site cannot be found by the browser, something is wrong with either the web site configuration or the firewall setup.

Mapping the Network Drive

Finally, WebDAV folders can be mapped to a network drive in Windows 7 through Windows Explorer’s Map Network Drive feature or from the command prompt using the following line:

net use DriveLetter: FolderUrl /User:UserName Password

In either case, the folder URL can be one of the following two formats:

https://DomainName:PortNumber/FolderName
\DomainName@SSL@PortNumber\FolderName

The parameters in the URLs above are as follows:

DomainName: The domain name of the WebDAV web site
i.e. mysubdomain.mydomain.com
PortNumber: The port number that the WebDAV web site is bound to
i.e. 443 (default)
FolderName: A folder name that points to a virtual or physical directory within the WebDAV root folder

Notes on Permissions

In order to allow read and/or write access to WebDAV files and folders, authorization rules need to be added to the following IIS Manager features for each user:

Allow Rule in Authorization Rules
Authoring Rule in WebDAV Authorization

The former enables access to the website itself and, depending on the web site’s Authentication settings, may present a login prompt to the user. The latter specifies access permissions in the context of WebDAV.

Please note that it is not necessary to make any changes to the NTFS permissions of files and folders that are accessible through WebDAV. In particular, it is not necessary to give full control to the IUSR or IIS_IUSRS accounts, as is often suggested in online forums and blogs.

Make sure that Require Lock for Writing is set to false in the WebDAV Settings, because the WebDAV client built into Windows 7 does not appear to support locks. It may fail on upload or rename operations with a 403.23 HTTP result in the web server log or the following error in Windows Explorer:

Error 0x80070780: The file cannot be accessed by the system.

Notes on File Sizes

The default maximum upload file size for both classic and integrated mode in ASP.Net is 4 MB, which may be too small for some users. This limit can be increased on a per-folder basis by adding the requestLimits configuration setting to the respective Web.config files:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                 <requestLimits maxAllowedContentLength="2147483648"/>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

The example above sets the upload limit to 2 GB.

Related Resouces

Installing and Configuring WebDAV on IIS 7 (IIS.net)
Installation and Configuration of WebDAV on Apache (webdav.org)
Windows root certificate patch for Vista and XP (Microsoft)
How to Set Up SSL on IIS 7 (IIS.net)
Multiple SSL Sites on a Single IIS (Lane’s Tech Blog)
Deploying Certificates to the Trusted Publishers Store (Microsoft TechNet)

Configuring Firewalls

The web server’s software firewall, if enabled, needs to be configured to allow incoming traffic on the configured network port for the WebDAV web site, i.e. 443. If WebDAV is to be served over the internet, any existing hardware firewalls or gateways in front of the server need to be setup with port forwarding or pass-through on that port. Similarly, client firewalls need to allow outgoing traffic on this port as well.