WebDAV IIS

WebDAV IIS

on 12.09.2007 20:02:15 by Erik Vetters

Hi,

Can somebody point me to a HowTo on how I manage NTLM-Auth for WebDAV? I
could not get it working, maybe I'm doing something wrong.

I have a workgroup scenario, no Domain scenario.

- ServerUser and Workstation Username are correct ( SMB/CIFS works )
- NtAuthenticationProviders are "Negotiate,NTLM"
- The Webfolder is correct, Plain Auth works with that webfolder
- I have only a Standard Website, the webfolder in that Website

I think it has something to do with setspn.exe. What do I have to type
if I want to register an IP address as SPN for http?

I have tried it with "setspn.exe -A http/192.168.0.1 server1"

How can I debug this a little bit more? I don't know where to start
( not very often in the Windows world .. )

Many Many thx for help ..

Greetings
Erik

Re: WebDAV IIS

on 13.09.2007 06:56:18 by Ken Schaefer

If you have a workgroup, there are no SPNs to set. SPNs are used for
Kerberos authentication only (not NTLM), and to use Kerberos you must have
an Active Directory domain. The SPNs are stored in Active Directory.

I would suggest that if you need assistance in solving the problem, you need
to tell us what is actually happening, and what is going wrong. In your post
below there is no description of what the actual error/problem is that you
are running into.

Cheers
Ken


Re: WebDAV IIS

on 13.09.2007 09:53:34 by Erik Vetters

Hi,

> If you have a workgroup, there are no SPNs to set. SPNs are used for
> Kerberos authentication only (not NTLM), and to use Kerberos you must have
> an Active Directory domain. The SPNs are stored in Active Directory.

Though, it is a Windows 2003 Server, so I have a Domain and AD but no
clients are actually in this domain. They only connect to some shares.

> I would suggest that if you need assistance in solving the problem, you need
> to tell us what is actually happening, and what is going wrong. In your post
> below there is no description of what the actual error/problem is that you
> are running into.

You are right, this was my problem. The problem is that on the clients, the
"Login Box" appears again and again when I connect to the webfolder with
Windows Authentication switched on.

I always get an HTTP 401 back and the IIS log shows that too. But when I set
"Standard Authentication ( plain password )" then it works like a charm.

Clients can connect via "Internet Explorer -> Open as Webfolder"
and "Explorer -> Tools -> Map Drive"

But when I set it back to Windows Authentication, it won't work again.

Though directly on the server it is working, if I connect via localhost or IP
to the webfolder, with a different username. But I assume it uses Kerberos now.

NTFS ACLs are correct because they work under Standard Authentication, so I
assume this is not the problem.


Maybe someone can help me a little bit ..

Many thx
Erik





Re: WebDAV IIS

on 13.09.2007 11:39:27 by Ken Schaefer

wrote in message
news:1189670014.708077.275600@g4g2000hsf.googlegroups.com...
> Hi,
>
>> If you have a workgroup, there are no SPNs to set. SPNs are used for
>> Kerberos authentication only (not NTLM), and to use Kerberos you must have
>> an Active Directory domain. The SPNs are stored in Active Directory.
>
> Though, it is a Windows 2003 Server, so I have a Domain and AD but no
> clients are actually in this domain. They only connect to some shares.

If the client is not in the domain, it usually will not attempt Kerberos
authentication. This is because it doesn't know where the KDC is, so it's
unable to get a service ticket for the remote server.



>> I would suggest that if you need assistance in solving the problem, you need
>> to tell us what is actually happening, and what is going wrong. In your post
>> below there is no description of what the actual error/problem is that you
>> are running into.
>
> You are right, this was my problem. The problem is that on the clients, the
> "Login Box" appears again and again when I connect to the webfolder with
> Windows Authentication switched on.
>
> I always get an HTTP 401 back and the IIS log shows that too. But when I set
> "Standard Authentication ( plain password )" then it works like a charm.
>
> Clients can connect via "Internet Explorer -> Open as Webfolder"
> and "Explorer -> Tools -> Map Drive"
>
> But when I set it back to Windows Authentication, it won't work again.
>
> Though directly on the server it is working, if I connect via localhost or IP
> to the webfolder, with a different username. But I assume it uses Kerberos now.
>
> NTFS ACLs are correct because they work under Standard Authentication, so I
> assume this is not the problem.

Can you get a packet capture using WireShark/Ethereal? That would show
exactly what authentication is being used.

Alternatively, force the use of NTLM by removing the Negotiate
authentication provider.

Cheers
Ken





Re: WebDAV IIS

on 13.09.2007 12:33:56 by Erik Vetters

On 13 Sep., 11:39, "Ken Schaefer" wrote:
> wrote in message
>
> news:1189670014.708077.275600@g4g2000hsf.googlegroups.com...
>
> > Hi,
>
> >> If you have a workgroup, there are no SPNs to set. SPNs are used for
> >> Kerberos authentication only (not NTLM), and to use Kerberos you must have
> >> an Active Directory domain. The SPNs are stored in Active Directory.
>
> > Though, it is a Windows 2003 Server, so I have a Domain and AD but no
> > clients are actually in this domain. They only connect to some shares.
>
> If the client is not in the domain, it usually will not attempt Kerberos
> authentication. This is because it doesn't know where the KDC is, so it's
> unable to get a service ticket for the remote server.

Ok, so Kerberos is never used when clients are not part of a
Domain ....
>
> Can you get a packet capture using WireShark/Ethereal? That would show
> exactly what authentication is being used.

No Problem ...

But I have to upload to googlepages, download it here. Can use my
Newsclient at work, since the newsserver I use comes from my home ISP and
I have to be in their network to connect to that server.

So I'm using Google Groups now ... But download it here ...

http://evetters.googlepages.com/dump_webdav.cap

It uses some kind of NTLM, but I'm not very good at debugging network
protocols ;-( I only see that it fails .. But why .. ;-)

> Alternatively, force the use of NTLM by removing the Negotiate
> authentication provider.

Will try that later ..

Many thx
Erik



Re: WebDAV IIS

on 13.09.2007 13:14:15 by Ken Schaefer

Hi,

The client is definitely trying to use NTLM (over Negotiate). The user
account it is attempting to authenticate with is Test\erik_vetters. Is that
the correct domain and username?

Unfortunately the capture stops before the final server response is
returned. Packet 18 is the client attempting to make an authenticated
PROPFIND request using NTLM, but we don't see the final server response to
that request.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
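
The reading of the capture given in this reply (NTLM carried in the Negotiate header, account Test\erik_vetters) can be reproduced from the HTTP header values alone. The following is an added example, not code from the thread: it classifies a `Negotiate`/`NTLM` token as Kerberos or NTLM and decodes the target name of an NTLM challenge and the domain, user and workstation of an NTLM authenticate message. The sample header is constructed; the workstation name `CLIENT1` and all function names are assumptions.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE
# DER-encoded OID bodies that mark a Kerberos mechanism inside a SPNEGO token
KRB5_OIDS = (
    bytes.fromhex("2a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft's variant)
)


def _field(msg, pos):
    """Return the payload of the (len, maxlen, offset) descriptor at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_ntlm(msg):
    """Decode the fields of an NTLMSSP message that matter for troubleshooting."""
    if len(msg) < 12 or not msg.startswith(NTLM_SIG):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"ntlm_type": mtype}
    if mtype == 2 and len(msg) >= 32:
        # CHALLENGE (server -> client): target name is the server's domain/computer
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & FLAG_UNICODE else "cp437"
        info["target"] = _field(msg, 12).decode(enc, "replace")
    elif mtype == 3 and len(msg) >= 64:
        # AUTHENTICATE (client -> server). Assumes the flags field at offset 60
        # is present, as it is in messages from current Windows clients.
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & FLAG_UNICODE else "cp437"
        # 24 bytes is an NTLMv1-style response; NTLMv2 responses are longer.
        info["nt_response_len"] = len(_field(msg, 20))
        info["domain"] = _field(msg, 28).decode(enc, "replace")
        info["user"] = _field(msg, 36).decode(enc, "replace")
        info["workstation"] = _field(msg, 44).decode(enc, "replace")
    return info


def describe_auth_header(value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return {"scheme": scheme, "mechanism": "other"}
    if not b64.strip():
        # Bare scheme name: the server's initial 401 offering the provider
        return {"scheme": scheme, "mechanism": "offer (no token)"}
    token = base64.b64decode(b64.strip())
    idx = token.find(NTLM_SIG)
    if idx >= 0:
        info = parse_ntlm(token[idx:])
        info["mechanism"] = "NTLM" if idx == 0 else "NTLM in SPNEGO"
    elif any(oid in token for oid in KRB5_OIDS):
        info = {"mechanism": "Kerberos"}
    else:
        info = {"mechanism": "unknown"}
    info["scheme"] = scheme
    return info


def build_sample_type3(domain, user, workstation, nt_len=24):
    """Constructed sample only: an AUTHENTICATE message with zeroed responses."""
    parts = [b"\x00" * 24, b"\x00" * nt_len, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, body = b"", b""
    for part in parts:
        # 64 = signature (8) + type (4) + six descriptors (48) + flags (4)
        fields += struct.pack("<HHI", len(part), len(part), 64 + len(body))
        body += part
    return (NTLM_SIG + struct.pack("<I", 3) + fields
            + struct.pack("<I", FLAG_UNICODE) + body)


# Constructed header value, modelled on the account name quoted in the thread
SAMPLE_AUTHORIZATION = "Negotiate " + base64.b64encode(
    build_sample_type3("TEST", "erik_vetters", "CLIENT1")).decode("ascii")

if __name__ == "__main__":
    for header in ("Negotiate", SAMPLE_AUTHORIZATION):
        print(describe_auth_header(header))
```

Pass it the `Authorization` value of the request that is answered with 401 and the `WWW-Authenticate` value of the response before it; comparing the challenge's target name with the domain the client sends shows whether the account is being presented against the name the server expects.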



Re: WebDAV IIS

on 13.09.2007 14:12:41 by Erik Vetters

Hi,

many thx for the help ...

this is very strange ...

This is what I have done ...

1. Tools -> Map Network Drive
- put in http://192.168.88.2/Erik
- connect with different Username password
- Click connect
- Error comes up -> Network Path http://192.168.88.2/Erik not found

dump here ( waited some time for reply, nearly the same as last time )

http://evetters.googlepages.com/dump_MAP_different_user.cap

2.
The same as 1. but not with "Connect with different user" --
login box comes up, tried 2 times, one with TEST\erik_vetters and one with
FMB\erik_vetters ( the domain name ) ( SMB is working probably )

dump here ..

http://evetters.googlepages.com/dump_MAP_logged_in_user.cap

3.
Tried with Internet Explorer, open as Webfolder does not happen, after some
time it tries to open as \\192.168.88.2\

dump here ...

http://evetters.googlepages.com/dump_IE.cap

It would be great if you can point me to some stuff ... I have no clue where
to look.

Could it be something with Security Policies or something else? Does this
have an effect on IIS, WebDAV?


many Greetings
Erik




Re: WebDAV IIS

on 13.09.2007 14:51:20 by Ken Schaefer

You mention you use Test\erik_vetters and FMB\erik_vetters.

You need to use an account that has Read permissions to the files/folders on
IIS. Are both of those accounts valid on the IIS machine?

In terms of the permissions you need to configure on IIS:
a) NTFS Read permissions for the folder/files in question
b) in IIS Manager, there is a "Read" checkbox (for static files) and a
"Script Source Access" (for ASP etc files) that needs to be checked
c) The WebDAV web service extension needs to be enabled

Cheers
Ken



Re: WebDAV IIS

on 13.09.2007 16:21:58 by Erik Vetters

> You mention you use Test\erik_vetters and FMB\erik_vetters.

It is working with "PLAIN auth " and SMB

> You need to use an account that has Read permissions to the files/folders on
> IIS. Are both of those accounts valid on the IIS machine?

> In terms of the permissions you need to configure on IIS:
> a) NTFS Read permissions for the folder/files in question
> b) in IIS Manager, there is a "Read" checkbox (for static files) and a
> "Script Source Access" (for ASP etc files) that needs to be checked
> c) The WebDAV web service extension needs to be enabled

All ok ...

Though I can authenticate with PLAIN Auth, so it should not be a problem
of the NTFS Permissions ...

Any other hints ...


> Cheers
> Ken
>
> "Erik Vetters" wrote in message
>
> news:1189685561.671707.207580@r34g2000hsd.googlegroups.com.. .
>
> > Him
>
> > many thx for the help ...
>
> > this is very strange ...
>
> > This was I have done ...
>
> > 1. Tools -> Map Network Drive
> > - put inhttp://192.168.88.2/Erik
> > - connect with different Username password
> > - Click connect
> > - Error comes up -> Network Pathhttp://192.168.88.2/Eriknot
> > found
>
> > dump here ( waited some time for reply, nearly the same as last
> > time )
>
> >http://evetters.googlepages.com/dump_MAP_different_user.cap
>
> > 2.
> > The same as 1. but not with "Connect with different user" --
> > login box comes up, tried 2 times one with TEST\erik_vetters and one
> > with
> > FMB\erik_vetters ( the domain name) (SMB is working probaly )
>
> > dump here ..
>
> >http://evetters.googlepages.com/dump_MAP_logged_in_user.cap
>
> > 3.
> > Tried with Internet Explorer, open as Webfolder not happens, after
> > some time
> > it tries to open as \\192.168.88.2\
>
> > dump here ...
>
> >http://evetters.googlepages.com/dump_IE.cap
>
> > It would be great if you can point me to some stuff ... I have no
> > clue, where to lock.
>
> > Could me something with Security Policies or something else, Has this
> > an effect of
> > IIS, WebDAV
>
> > many Greetings
> > Erik
>
> >> Hi,
>
> >> The client is definately trying to use NTLM (over Negotiate). The user
> >> account it is attempting to authenticate with is Test\erik_vetters. Is
> >> that
> >> the correct domain and username?
>
> >> Unfortunately the capture stops before the final server response is
> >> returned. Packet 18 is the client attempting to make an authenticated
> >> PROPFIND request using NTLM, but we don't see the final server response
> >> to
> >> that request.
>
> >> Cheers
> >> Ken
>
> >> --
> >> My IIS Blog:www.adOpenStatic.com/cs/blogs/ken
>
> >> "Erik Vetters" wrote in message
>
> >>news:1189679636.773995.71520@w3g2000hsg.googlegroups.com.. .
>
> >> > On 13 Sep., 11:39, "Ken Schaefer"
> >> > wrote:
> >> >> wrote in message
>
> >> >>news:1189670014.708077.275600@g4g2000hsf.googlegroups.com. ..
>
> >> >> > Hi,
>
> >> >> >> If you have a workgroup, there are no SPNs to set. SPNs are used
> >> >> >> for
> >> >> >> Kerberos authentication only (not NTLM), and to use Kerberos you
> >> >> >> must
> >> >> >> have
> >> >> >> an Active Directory domain. The SPNs are stored in Active
> >> >> >> Directory.
>
> >> >> > Though, it is a Windows 2003 Server, so I have a Domain and AD but
> >> >> > no
> >> >> > clients
> >> >> > are actually in this domain. They only connect to some shares.
>
> >> >> If the client is not in the domain, it usually will not attempt
> >> >> Kerberos
> >> >> authentication. This is because it doesn't know where the KDC is, so
> >> >> it's
> >> >> unable to get a service ticket for the remote server.
>
> >> > Ok, so Kerberos is never used when clients are not part of a
> >> > Domain ....
>
> >> >> >> I would suggest that if you need assistance in solving the problem,
> >> >> >> you
> >> >> >> need
> >> >> >> to tell us what is actually happening, and what is going wrong. In
> >> >> >> your
> >> >> >> post
> >> >> >> below there is no description of what the actual error/problem is
> >> >> >> that
> >> >> >> you
> >> >> >> are running into.
>
> >> >> > You are right, this was my problem. The problem is that on the
> >> >> > clients, the
> >> >> > "Login Box" appears again and again, when I connect to
> >> >> > webfolder
> >> >> > with
> >> >> > Windows-Authentication switched on.
>
> >> >> > I always get an http 401 back and the IIS Log shows that too. But
> >> >> > when I set
> >> >> > "Standard Authentication (plain password)" then it works like a
> >> >> > charm.
>
> >> >> > Clients can connect via "Internet Explorer -> Open as Webfolder"
> >> >> > and "Explorer -> Tools -> Map Drive"
>
> >> >> > But when I set back to Windows-Authentication, it won't work again.
>
> >> >> > Though directly on the server it is working, if I connect via
> >> >> > localhost or IP to the
> >> >> > Webfolder, with different username. But assume it uses Kerberos now.
>
> >> >> > NTFS ACLs are correct because they work under Standard-
> >> >> > Authentication, so I assume this is not the problem.
>
> >> >> Can you get a packet capture using WireShark/Ethereal? That would show
> >> >> exactly what authentication is being used.
>
> >> > No Problem ...
>
> >> > But I have to upload to googlepages, download it here, Can use my
> >> > Newsclient at work, since the
> >> > newsserver I use comes from my home ISP and I have to be in their
> >> > network to connect to that server.
>
> >> > So I'm using Google Groups now ... But download it here ...
>
> >> >http://evetters.googlepages.com/dump_webdav.cap
>
> >> > It uses some kind of NTLM, but I'm not very good in debugging Network
> >> > Protocols ;-( I only
> >> > see that it fails .. But why .. ;-)
>
> >> >> Alternatively, force the use of NTLM by removing the Negotiate
> >> >> authentication provider.
>
> >> > Will try that later ..
>
> >> > Many thx
> >> > Erik
>
> >> >> Cheers
> >> >> Ken
>
> >> >> > Maybe someone can help me a little bit ..
>
> >> >> > Many thx
> >> >> > Erik
>
> >> >> >> wrote in message
>
> >> >> >> news:1189620135.732995.38610@19g2000hsx.googlegroups.com...
>
> >> >> >> > Hi,
>
> >> >> >> > Can somebody point to a HowTo, how I manage NTLM-Auth for
> >> >> >> > WebDAV. I
> >> >> >> > could not
> >> >> >> > get it working, maybe I'm doing something wrong.
>
> >> >> >> > I have a workgroup scenario, no Domain scenario.
>
> >> >> >> > - ServerUser and Workstation Username are correct ( SMB/CIFS
> >> >> >> > works )
> >> >> >> > - NtAuthenticationProviders are "Negotiate,NTLM"
> >> >> >> > - The Webfolder is correct, Plain Auth works with that webfolder
> >> >> >> > - I have only a Standard Website, the webfolder in that Website
>
> >> >> >> > I think it has something to do with setspn.exe, what do I have to
> >> >> >> > type
> >> >> >> > if I want to register an IP address as
> >> >> >> > SPN for http
>
> >> >> >> > I have tried it with "setspn.exe -A http/192.168.0.1 server1"
>
> >> >> >> > How can I debug this a little bit more, I don't know where to
> >> >> >> > start
> >> >> >> > ( not very often in the Windows world .. )
>
> >> >> >> > Many Many thx for help ..
>
> >> >> >> > Greetings
> >> >> >> > Erik

Re: WebDAV IIS

on 17.09.2007 06:21:37 by Ken Schaefer

"Erik Vetters" wrote in message
news:1189693318.923867.205530@r34g2000hsd.googlegroups.com...
>> You mention you use Test\erik_vetters and FMB\erik_vetters.
>
> It is working with "PLAIN auth " and SMB


NTLM isn't the same as "plain auth" (whatever that is - I assume it is Basic
Auth).

Because the user's domain is included in the NTLM hash, you need to supply
the correct domain (or workgroup) as part of the username. This is because the
server is not able to generate the same original hash itself (multiple MD5
hashes are generated, but the first relies on the Domain, Username and
Password being hashed; the server cannot generate this on the fly, as it is
generated when the user's account is created).

So, please just answer the question.

Cheers
Ken



>
>> You need to use an account that has Read permissions to the files/folders
>> on
>> IIS. Are both of those accounts valid on the IIS machine?
>
>> In terms of the permissions you need to configure on IIS:
>> a) NTFS Read permissions for the folder/files in question
>> b) in IIS Manager, there is a "Read" checkbox (for static files) and a
>> "Script Source Access" (for ASP etc files) that needs to be checked
>> c) The WebDAV web service extension needs to be enabled
>
> All ok ...
>
> Though I can authenticate with PLAIN Auth, so it should not be a
> problem
> of the NTFS Permissions ...
>
> Any other hints ...
>
>
>> Cheers
>> Ken
>>
>> "Erik Vetters" wrote in message
>>
>> news:1189685561.671707.207580@r34g2000hsd.googlegroups.com...
>>
>> > Hi,
>>
>> > many thx for the help ...
>>
>> > this is very strange ...
>>
>> > This is what I have done ...
>>
>> > 1. Tools -> Map Network Drive
>> > - put in http://192.168.88.2/Erik
>> > - connect with different Username password
>> > - Click connect
>> > - Error comes up -> Network Path http://192.168.88.2/Erik not
>> > found
>>
>> > dump here ( waited some time for reply, nearly the same as last
>> > time )
>>
>> >http://evetters.googlepages.com/dump_MAP_different_user.cap
>>
>> > 2.
>> > The same as 1. but not with "Connect with different user" --
>> > login box comes up, tried 2 times one with TEST\erik_vetters and one
>> > with
>> > FMB\erik_vetters ( the domain name) (SMB is working probaly )
>>
>> > dump here ..
>>
>> >http://evetters.googlepages.com/dump_MAP_logged_in_user.cap
>>
>> > 3.
>> > Tried with Internet Explorer, open as Webfolder not happens, after
>> > some time
>> > it tries to open as \\192.168.88.2\
>>
>> > dump here ...
>>
>> >http://evetters.googlepages.com/dump_IE.cap
>>
>> > It would be great if you can point me to some stuff ... I have no
>> > clue, where to look.
>>
>> > Could be something with Security Policies or something else, Has this
>> > an effect of
>> > IIS, WebDAV
>>
>> > many Greetings
>> > Erik
>>
>> >> Hi,
>>
>> >> The client is definitely trying to use NTLM (over Negotiate). The user
>> >> account it is attempting to authenticate with is Test\erik_vetters. Is
>> >> that
>> >> the correct domain and username?
>>
>> >> Unfortunately the capture stops before the final server response is
>> >> returned. Packet 18 is the client attempting to make an authenticated
>> >> PROPFIND request using NTLM, but we don't see the final server
>> >> response
>> >> to
>> >> that request.
>>
>> >> Cheers
>> >> Ken
>>
>> >> --
>> >> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>>
>> >> "Erik Vetters" wrote in message
>>
>> >> news:1189679636.773995.71520@w3g2000hsg.googlegroups.com...
>>
>> >> > On 13 Sep., 11:39, "Ken Schaefer"
>> >> > wrote:
>> >> >> wrote in message
>>
>> >> >> news:1189670014.708077.275600@g4g2000hsf.googlegroups.com...
>>
>> >> >> > Hi,
>>
>> >> >> >> If you have a workgroup, there are no SPNs to set. SPNs are used
>> >> >> >> for
>> >> >> >> Kerberos authentication only (not NTLM), and to use Kerberos you
>> >> >> >> must
>> >> >> >> have
>> >> >> >> an Active Directory domain. The SPNs are stored in Active
>> >> >> >> Directory.
>>
>> >> >> > Though, it is a Windows 2003 Server, so I have a Domain and AD
>> >> >> > but
>> >> >> > no
>> >> >> > clients
>> >> >> > are actually in this domain. They only connect to some shares.
>>
>> >> >> If the client is not in the domain, it usually will not attempt
>> >> >> Kerberos
>> >> >> authentication. This is because it doesn't know where the KDC is,
>> >> >> so
>> >> >> it's
>> >> >> unable to get a service ticket for the remote server.
>>
>> >> > Ok, so Kerberos is never used when clients are not part of a
>> >> > Domain ....
>>
>> >> >> >> I would suggest that if you need assistance in solving the
>> >> >> >> problem,
>> >> >> >> you
>> >> >> >> need
>> >> >> >> to tell us what is actually happening, and what is going wrong.
>> >> >> >> In
>> >> >> >> your
>> >> >> >> post
>> >> >> >> below there is no description of what the actual error/problem
>> >> >> >> is
>> >> >> >> that
>> >> >> >> you
>> >> >> >> are running into.
>>
>> >> >> > You are right, this was my problem. The problem is that on
>> >> >> > the
>> >> >> > clients, the
>> >> >> > "Login Box" appears again and again, when I connect to
>> >> >> > webfolder
>> >> >> > with
>> >> >> > Windows-Authentication switched on.
>>
>> >> >> > I always get an http 401 back and the IIS Log shows that too.
>> >> >> > But
>> >> >> > when I set
>> >> >> > "Standard Authentication (plain password)" then it works like
>> >> >> > a
>> >> >> > charm.
>>
>> >> >> > Clients can connect via "Internet Explorer -> Open as Webfolder"
>> >> >> > and "Explorer -> Tools -> Map Drive"
>>
>> >> >> > But when I set back to Windows-Authentication, it won't work
>> >> >> > again.
>>
>> >> >> > Though directly on the server it is working, if I connect via
>> >> >> > localhost or IP to the
>> >> >> > Webfolder, with different username. But assume it uses Kerberos
>> >> >> > now.
>>
>> >> >> > NTFS ACLs are correct because they work under Standard-
>> >> >> > Authentication, so I assume this is not the problem.
>>
>> >> >> Can you get a packet capture using WireShark/Ethereal? That would
>> >> >> show
>> >> >> exactly what authentication is being used.
>>
>> >> > No Problem ...
>>
>> >> > But I have to upload to googlepages, download it here, Can use my
>> >> > Newsclient at work, since the
>> >> > newsserver I use comes from my home ISP and I have to be in their
>> >> > network to connect to that server.
>>
>> >> > So I'm using Google Groups now ... But download it here ...
>>
>> >> >http://evetters.googlepages.com/dump_webdav.cap
>>
>> >> > It uses some kind of NTLM, but I'm not very good in debugging
>> >> > Network
>> >> > Protocols ;-( I only
>> >> > see that it fails .. But why .. ;-)
>>
>> >> >> Alternatively, force the use of NTLM by removing the Negotiate
>> >> >> authentication provider.
>>
>> >> > Will try that later ..
>>
>> >> > Many thx
>> >> > Erik
>>
>> >> >> Cheers
>> >> >> Ken
>>
>> >> >> > Maybe someone can help me a little bit ..
>>
>> >> >> > Many thx
>> >> >> > Erik
>>
>> >> >> >> wrote in message
>>
>> >> >> >> news:1189620135.732995.38610@19g2000hsx.googlegroups.com...
>>
>> >> >> >> > Hi,
>>
>> >> >> >> > Can somebody point to a HowTo, how I manage NTLM-Auth for
>> >> >> >> > WebDAV. I
>> >> >> >> > could not
>> >> >> >> > get it working, maybe I'm doing something wrong.
>>
>> >> >> >> > I have a workgroup scenario, no Domain scenario.
>>
>> >> >> >> > - ServerUser and Workstation Username are correct ( SMB/CIFS
>> >> >> >> > works )
>> >> >> >> > - NtAuthenticationProviders are "Negotiate,NTLM"
>> >> >> >> > - The Webfolder is correct, Plain Auth works with that
>> >> >> >> > webfolder
>> >> >> >> > - I have only a Standard Website, the webfolder in that
>> >> >> >> > Website
>>
>> >> >> >> > I think it has something to do with setspn.exe, what do I have
>> >> >> >> > to
>> >> >> >> > type
>> >> >> >> > if I want to register an IP address as
>> >> >> >> > SPN for http
>>
>> >> >> >> > I have tried it with "setspn.exe -A http/192.168.0.1
>> >> >> >> > server1"
>>
>> >> >> >> > How can I debug this a little bit more, I don't know where to
>> >> >> >> > start
>> >> >> >> > ( not very often in the Windows world .. )
>>
>> >> >> >> > Many Many thx for help ..
>>
>> >> >> >> > Greetings
>> >> >> >> > Erik
>
>
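
An added example, not part of the original posts: the NTLMv2 proof as defined in MS-NLMP, showing that the domain string the client supplies is keyed into the response, so TEST\erik_vetters and FMB\erik_vetters yield different proofs from the same password hash. The NT hash, the challenges, the choice of FMB as the account's domain and the simplified account lookup are assumptions; this applies to NTLMv2 only.

```python
import hashlib
import hmac
import struct

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over
    # UPPER(user) + domain in UTF-16LE; the domain is not case-folded.
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def make_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    # The "temp" structure: version bytes, reserved, FILETIME, client
    # challenge, reserved, AV pairs from the CHALLENGE message, reserved.
    return (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp)
            + client_challenge + bytes(4) + target_info + bytes(4))

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(NTOWFv2, server challenge || temp)
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def verify(accounts: dict, user: str, domain: str, server_challenge: bytes,
           proof: bytes, blob: bytes) -> str:
    # Simplified verifier (assumption): accounts maps (DOMAIN, USER) to the
    # stored NT hash. Real Windows account lookup has more fallbacks.
    nt_hash = accounts.get((domain.upper(), user.upper()))
    if nt_hash is None:
        return "401: no such account in that domain"
    expected = nt_proof(nt_hash, user, domain, server_challenge, blob)
    if hmac.compare_digest(expected, proof):
        return "200: authenticated"
    return "401: proof mismatch"

# Constructed sample values, not taken from the captures in this thread.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("0123456789abcdef")
# target_info here is only the terminating MsvAvEOL pair (4 zero bytes).
BLOB = make_blob(128342000000000000, bytes.fromhex("aaaaaaaaaaaaaaaa"), bytes(4))
ACCOUNTS = {("FMB", "ERIK_VETTERS"): NT_HASH}  # assumption: account is in FMB

def attempt(user: str, domain: str, nt_hash: bytes = NT_HASH) -> str:
    # Client side computes the proof, server side checks it.
    proof = nt_proof(nt_hash, user, domain, CHALLENGE, BLOB)
    return verify(ACCOUNTS, user, domain, CHALLENGE, proof, BLOB)

if __name__ == "__main__":
    for dom in ("FMB", "TEST"):
        print(dom + "\\erik_vetters ->", attempt("erik_vetters", dom))
```

In a capture, the user and domain the client actually sent are visible in the NTLMSSP AUTHENTICATE message, which is how the two login attempts can be told apart.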