Authentication of Unix or Linux Systems via Active Directory

Similar Messages

• Oracle Linux and Windows Active Directory

  I am looking for a good article on joining an Oracle Linux server to a Windows Active directory domain.
  We are primarily a Windows shop but need to bring up a couple of Oracle Linux servers (VM Server and VM Manager). I would like to use the existing Windows domain controller for user authentication.

  I don't have experience in joining a Linux system with Windows AD, and it generally does not sound like the best idea to me, but since Oracle Enterprise Linux is a clone of Red Hat Enterprise Linux, the solution you are looking for could be called Winbind.
  Perhaps the following links are useful:
  http://spiralbound.net/blog/2007/04/11/rhel-winbind-authentication-against-active-directory
  http://www.linuxmail.info/active-directory-integration-samba-centos-5/
  http://magazine.redhat.com/2007/11/12/tips-and-tricks-how-can-i-configure-winbind-to-synchronize-user-and-group-ids-across-multiple-red-hat-enterprise-linux-hosts-on-active-directory-accounts/

• T5-2 ILOM authentication via Active Directory

  Hello,
  We are trying to leverage AD to authenticate our ILOMs. However I am seeing the following when I set the method to None (server authentication)
  (ActDir) ServerUserAuth - Error 0, failed to validate user group access
  We have a group defined and I have set it under Admin groups using the DN.
  Any ideas on this or has anyone been successful getting this to work with AD and AD Groups?
  TIA.
  Jeff

  Hello Man !
  your provided documents and links are very effective. thank you guy for your help. right now i have to problem below listed,
  I have Cisco aironet 1142n access point. I have no ACS / WLC
  but want to authenticate end users 802.1x with Active directory 2003/2008 using RADIUS (IAS/NPS).
  These APs are standalone. Please provide any configuration document
  "How to authenticate end users with active directory using cisco 1142n Standalone (Without WLC/ACS)".
  Thanks & Regards,
  Rizwan Haider Siddiqui.

• Can I configure WS-Sec authentication via Active Directory with OSB or OWSM

  Hi
  I'm planning a project where I need to add security to a group of proxy services in OSB. I need to authenticate them via WS-Security using Active Directory. Is this possible with OSB or adding OWSM?
  Regards,
  Néstor Boscán

  Hi.
  OSB http://docs.oracle.com/cd/E23943_01/dev.1111/e15866/model.htm#i1088877
  OWSM
  http://docs.oracle.com/cd/E17904_01/doc.1111/e15866/owsm.htm
  and
  http://docs.oracle.com/cd/E21764_01/web.1111/e13713/owsm_appendix.htm
  hope this helps
  best
  rolando

• SSO on WAS 6.20 (unix) using kerberos and Windows Active Directory (AD)

  Hi Gurus!!
  We are looking for the way to implement the Single Sign On in our R/3 Systems installed on unix of the Active Directory (obviously windows) users using Microsoft Kerberos.
  I'm not able to find a documentation about this arquitecture.
  Can somebody help me?
  Is any documentation related with this topic?
  Did Somwbody configure this kind of SSO?
  Thank you very much in advanced,
  Edorta Ramos

  Ramos,
  I should have made it clearer. When I referred to AS, I was referring to the SAP ABAP AS (e.g. application server). Of course the KDC (e.g. Microsoft Active Directory) has an AS service as well...
  yes, you can Kerberos enable (Kerberize) the SAP ABAP AS and SAP GUI using Kerberos libraries for Windows and AIX. As I mentioned already, since AIX is involved you should consider evaluating and buying SAP certified SNC libraries available from a SAP partner. Your first place to look is in SAP EcoHub (click link at top of this SDN forum to enter EcoHub) and search for SNC or Kerberos.
  You asked about gssapi library - as I have said a few times, there is no gssapi (e.g. SNC library) provided by SAP for UNIX or Linux, so if you are using AIX you need to look elsewhere (e.g. SAP partner) and the SAP partner will also provide the compatible/supported library for the Windows workstations as well so you get a complete solution from the vendor.
  Thanks,
  Tim

• ISE 1.2 Admin Access via Active Directory

  Hi Experts,
  Good Day!
  I want to configure my ISE 1.2 to authenticate (for admin) against the active directory. I know it is possible but our AD doesn't have any groups named for admins.
  Is it possible for the ISE 1.2 to configure a local user ID and check it to the AD for the password of the UserID?
  Thanks for your great help.
  niks

  Niks,
  I just got done doing this.  First of all you have to have the Active Directory setup as an external data source.  Once you do that Click on Administration - - Admin Access.
  For the Authentication Type ensure that Password Based is toggled and change your data source to Active Directory (or whatever you named it).
  Then click in Administrators - - Admin Users.  Click Add a user - - Create Admin User.  Ensure to check the External box and you will notice the Password field goes away.  Fill out the appropriate information and then assign them to an Admin Group.
  Once you are done with that you can test that user by logging out of your ISE session.  You will notice that when you try to log back in you will have a choice of the data sources used to authenticate the user.  Change the selection to Active Directory and enter the AD user/password for the newly created account you should be good to go.
  Make sure that you don't delete or disable your original admin account in this process.  (Change the password if you like.)

• Can't connect to Small Business Server 2003 via Active Directory

  I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
  I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
  But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
  I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
  Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!

  Hi Andbrowny, thanks for your response.
  Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
  Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
  So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
  Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
  Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.

• Xserve file share control via active directory

  I have an Intel Xserve running 10.4.11
  It has one directory shared via SMB for windows users
  I want to join this server to an active directory, that seems fairly straightforward to do.
  However am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD.
  or will this still have to be done from the Xserve?
  TIA

  Hi
  +"am I right that i will be able to control permissions and apply ACLs from the Active Directory to this share once it has bound to the AD?"+
  Not really. Re-sharing a share is never a good idea especially with disparate platforms.
  +"I want to join this server to an active directory, that seems fairly straightforward to do"+
  If I've understood you correctly you 'bind' the Server to Active Directory using the Active Directory plug-in available in the Directory Access application (/Applications/Utilities). When binding use an AD account name and password that has authority for the AD Domain. The Server should then behave as an NT Domain Member would.
  +"Will this still have to be done from the Xserve?"+
  Once bound launch WorkGroup Manager and you should 'see' AD Users and Groups. In Workgroup Manager enable the ACLs option for desired volumes if you've not already done so. That's if you want to use ACLs? You could just as easily use the Standard POSIX Permissions model. If you do want to enable ACLs you must restart the Server afterwards for them to 'take'. Enabling/Disabling ACLs always requires a restart on 10.4 Server. On successful log-in start creating your shares if you've not already done so. You can use the Finder or WorkGroup Manager to do this. If using ACLs don't share the volume, share directories/folders instead as ACLs propagate better that way. Add desired Users/Groups from the AD node into the ACLs window. Leave the POSIX Permissions at their defaults. Apply desired privileges. Click Save. When saved click on the gear wheel at the bottom of the window. Select Propagate Permissions. The ACLs checkbox should be automatically ticked. Leave everything else as it is and fire it off.
  That should be it?
  Tony

• Restrict Spiceworks access via Active Directory

  Could you specify the base DN Spiceworks is searching in and limit what gets synced? Maybe put the users you want to have Spiceworks access in a separate OU?

  I'm trying to figure out a way to restrict access to Spiceworks by way of an Active Directory group. 
  I want to do this so that I dont have to create new users manually in Spiceworks and so not just anyone with the URL can log in with their AD credentials. 
  I need this kind of feature if possible so I can move our onboarding/offboarding submission process off of another server and integrate it into Spiceworks like we have with our Change Control Request submission process.
  EDIT: More specifically, I'd like to be able to restrict access to the Spiceworks Portal via an AD Group.
  This topic first appeared in the Spiceworks Community

• What Is The Domain Name System for Active Directory on My Computer a Mac OS X

  When I try to bind my mac to an active directory domain I get the error message (“An invalid Domain and Forest combination was specified.  You should enter a fully qualified DNS name for the domain and forest”). I have tried so many things,nothing works
  Any suggestions?

  In general, the domain name you use must be correctly looked up (both backward AND forward) by the Domain Name Server you are using or using Active Directory or Open Directory will not work properly.
  In general, the first-listed DNS Address for each workstation must be one that contains the Active Directory or Open Directory names.
  You can use Network Utility "Lookup" function to test whether the names and the IP Addresses are looked up correctly. Both symbolic (e.g., mydomain.com) and numeric (e.g., 192.168.2.22) addresses of the Active directory server MUST lookup to the other.
  In MacOS X Server installations with private, non-Internet-visible Domain names, this problem can be solved by providing a local DNS Server, and populating the DNS Server with the Active Directory or Open Directory names and IP Addresses set for forward and reverse lookup.
  If the above is gibberish to you, you will need to contact your Active Directory Administrator for guidance.

• Deploy iTunes Via Active Directory

  I would like to publish iTunes as well as Quicktime using Group policies in our Active Directory. This seems to be close to impossible as far as I can tell. Is this possible, or will it be possible in the future? Trying to point to the .MSI fails because it must be called by Setup as far as I can tell.
  Thanks in advance!
  Matthew

  hi Matthew!
  hmmmm. MacMuse and Buegie have-been-doing-research/have-some-resources on related issues ... if you don't get an answer here soon, maybe try reposting over in "using itunes?" you get a lot of the SDK hands over there too, so you may well also get some good feedback from random passers-by.
  love, b

• Kerberos based authentication from AS 10.1.2 to Active Directory 2008

  Hello,
  just a short question: Has anyone achieved to authenticate via kerberos to a Windows 2008 domain?
  Info: We like to continue to use the SSO and Windows Native Authentication feature. It worked with our Windows 2003 domain. But our domainserver was updated and we cannot make a connection from our Oracle application server (10.1.2.0.2) to the new domain via kerberos. The ktpass shows errors (according pType) while creating the sso.keytab. The keytab file is created. The kinit-tool (for testing the keytab file) shows errors again. Also the OPMN log shows during startup an error.
  Any hint would be appreciated,
  regards
  Joerg

  unzip in a new folder and start jdev, it'll ask if you want to copy the configurations from an earlier version. after that you only need to install custom extensions:
  copy all files from old_version_jdev\jdev\lib\ext to new_version_jdev\jdev\lib\ext which are in old_version_jdev\jdev\lib\ext but not in new_version_jdev\jdev\lib\ext
  better to first shut down jdev!
  if everything works in the new version you can delete the old one.
  if you are using an OC4J standalone or ias remember to update the adf version there too!

• Can not install Flash 10.1 via Active Directory GPO

  Greetings,
  Starting with the 10.0.45.2 update, we moved to install Flash via AD GPO using the instructions in the admin guide. We are doing zero custom configuration of Flash with this method, just setting up a Computer based GPO install linking to the downloaded and shared MSI installer from Adobe. For the install of 10.0.45.2, this ran with out a hitch. Setup the GPO ran it in a test OU and then on to production and all the pc's were updated just like it should work
  Trying to do the same thing with 10.1.53.64 flat out does not work execpt on a system you have manually uninstalled flash on first, then if you have the GPO load the 10.0.45.2 Flash, that works, then if you follow up with removing the GPO from the OU and adding a new 10.1.53.64 GPO to the OU, the pc will uninstall 10.0 and install 10.1 correctly as your would expect it to do. It will not do this on our deployed systems.
  On our deployed systems with the currently installed 10.0.45.2 will not uninstall cleanly when the new installer runs via GPO, nor will it uninstall cleanly if the install computer is moved out of GPO scope as it is configured to do. The GPO attempts to do so but the installer fails with 1603 errors.
  Does anyone have a workaround to cleanup the current installs so that 10.1 can be installed? We just don't have the time to hit 100+ desktops to update Flash.
  Miles

  Just to make sure: have you seen that there is a new Admin Guide for 10.1 at http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html ?
  One thing about the 10.1 installer is that it fails if any browsers are running; I don't know if this is also true when using GPO.

• ISE Authentcation via Active Directory based on SSID and AD Group

  Hi,
  I am deploying ISE with WLC 7.4. I have two SSID(s) running in my network 1. Corporate & 2. Services. I have a domain setup lets say "AD.com" with 4 groups 1. Corporate, 2. Services, 3. Employees, 4. Contractors.
  Here is an example of the scenario that I want:
  AD.com Group : Corporate's User : 1. C_USER1
                                                      2. C_USER2
                                                      3. C_USER3
                                                      4. C_USER4
                                                      5. C_USER5
  AD.com Group : Services's User :   1. S_USER1
                                                      2. S_USER2
                                                      3. S_USER3
                                                      4. S_USER4
                                                      5. S_USER5
  Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY corporate group for authentication. That is only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldnt be authenticated on this SSID.
  The same for the services group & SSID.
  Thanks.
  Usama

  Kindly   review:
  https://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

• EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

  This is for information to help others
  KEYWORDS:
    - Sharing EFS encrypted files over a personal lan wlan wifi ap network
    - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
    - transfer encryption keys / certificates
    - set trusted delegation for user + computer for EFS encrypted files via
  Kerberos
    - Windows Active Directory vs network file share
    - Setting up WinDAV server on Windows 7 Pro / Ultimate
  It has been a long painful road to discover this information.
  I hope sharing it helps you.
  Using EFS on Windows 7 pro / ultimate is easy and works great. See
  here and
  here
  So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
  HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
  won't work (unless you follow below steps).
  Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
  Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
  Why such a EFS drama when a network is involved?
  Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
  When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
  another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
  (on behalf of the clienpc's data request).
  This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
  file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
  Solutions
  There are two main approaches to solve this:
       1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
            EFS operations occur on the computer storing the files.
            EFS files are decrypted then transmitted in plaintext to the client's computer
            This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
       2) SOLVE by setting up WebDAV (efs files accessed through web folders)
             EFS operations occur on the client's local computer
             EFS files remain encrypted during transmission to the client's local computer where it is decrypted
             This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
             BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
           READ BELOW as this does
  Create new encrypted file / folder on a network file share - via Active Directory
  It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
  here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
  and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
  Although this info is NOT for setting up EFS on an active directory domain [server],
  for those interested here is the gist:
  Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
  account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
  EFS.
  NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
  Create new encrypted file / folder on a network file share - via WebDAV
  For home users it is possible to make it all work.
  Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
  Setting up a wifi AP (for those less technical):
     a) START ... CMD
     b) type (no quotes): "netsh  wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
     c) type (no quotes): "netsh  wlan start hostednetwork"
  Set up a WebDAV server on Windows 7 Pro / Ultimate
  -----ON THE FILESERVER------
     1  click START and type "Turn Windows Features On or Off" and open the link
         a) scroll down to "Internet Information Services" and expand it.
         b) put a tick in: "Web Management Tools" \ "IIS Management Console"
         c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
         d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
         e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
         f) click ok
         g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
  KB892211 here ONLY for XP + Server 2003 (made in 2005)
  KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
    2 Click START and type "Internet Information Services (IIS) Manager"
    3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Enable WebDAV"
    4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
         a) on the "Anonymous Authentication" and click "Disable"
         b) on the "Windows Authentication" and click "Enable"
        NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
          It can be by changing registry key:
             [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
             BasicAuthLevel=2
         c) on the "Windows Authentication" click "Advanced Settings"
             set Extended Protection to "Required"
         NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
    5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
         a) on the right side, under Actions, click "Add Allow Rule"
         b) set this to "all users". This will control who can view the "Default Site" through a web browser
         NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
  clientpc.
         NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
    6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
         a) on the right side, under Actions, click "Enable"
  HOTFIX - double escaping
    7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
         a) on the right side, under Actions, click "Edit Feature Settings"
         b) tick the box "Allow double escaping"
       *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
       These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
       This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
  file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
    8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
         a) set the Alias to something sensible eg "D_Drive", set the physical path
         b) it is essential you click "connect as" and set
  this to a local user (on fileserver),
         if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
               NB: the user account selected here must have the required EFS certificates installed.
                          See
  here and
  here
          NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
        This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
         The work around is on the \\fileserver create an NTFS symbollic link
            e.g. to share the entire contents of "D:\",
                  on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                  in cmd in this folder create an NTFS symbolic link to "D:\"
                  so in cmd type "cd c:\inetpub\wwwroot"
                  then in cmd type "mklink /D D_Drive D:\"
          NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
           NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
  clientpc
    9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
         a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
         b) if some exist review existing allow or deny.
             Take care to not only review the "allow access to" settings
             but also review "permissions" (read/write/source)
         NB: this can be set here for all added virtual directories, or can be set under each virtual directory
    10 Open your firewall software and/or your router. Make an exception for port 80 and 443
         a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
               choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
            NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
  below, specifically "Cant find server due to network location"
         b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
  HOTFIX - MAJOR ISSUE - fix KB959439
    11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
        a) On Windows 7 you need only change one tiny registry value:
             - click START, type "regedit", open link
             -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
             -on the EDIT menu click NEW, then click DWORD Value
             -Type "DisableEFSOnWebDav" to name it (no speech marks)
             -on the EDIT menu, click MODIFY, type 1, then click OK 
             -You MUST now restart this computer for the registry change to take effect.
        b) On Windows Server 2008 / Vista / XP you'll FIRST need to
  download Windows6.0-KB959439 here. Then do the above step.
           NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
    12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
              It should show the default "IIS7" image.
              If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
          c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                  e.g. http://localhost/D_drive
              If nothing is listed, check "Directory Browsing" is enabled
    13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
          a) make sure WebClient Service is running
              (click START, type "services" and open, scroll down to WebClient and check its status)
          b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                It should show the default "IIS7" image. If not, check firewall and port blocking. 
                Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
         c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                 eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                 A directory listing of files should appear.
  --- ON EACH CLIENT ----
  HOTFIX - improve upload + download speeds
    14 Click START and type "Internet Options" and open the link
          a) click the "Connections" tab at the top
          b) click the "LAN Settings" button at the bottom right
          c) untick "Automatically detect settings"
  HOTFIX - remove 50mb file limit
    15 On Windows 7 you need only change one tiny registry value:
        a) click START, type "regedit", open link
        b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
         c) click on "FileSizeLimitInBytes"
         d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
  HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
   16 On each clientpc click START, type "Internet Options" and open it
           a) click on "Security" (top) and then "Custom level" (bottom)
           b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
           SUCH an easy fix. SUCH an annoying problem on a clientpc
     NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
  explorer.
  TEST SETUP
    17 On the client use the normal "map network drive"
              e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
              e.g. CMD: net use * "http://fileserver:80/C_drive"
           If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
  "manage network passwords") has NTFS permissions.
    18 Test that EFS is now working over the network
         a) On a clientpc, map network drive to http://fileserver/
         b) navigate to a folder you know on the \\flieserver is encrypted with EFS
         c) create a new folder, create a new file.
             IF it throws an error, check carefully you mapped to the WebDAV and not file share
                i.e. mapped to "http://fileserver" not "\\fileserver"
             Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
  account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
         d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
         e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
  clientpc decrypted it then copied it).
          If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
          If this is not readable check step (11) and that you restarted the \\fileserver computer.
    19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
        a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
              If a prompt for user+pass then check hotfix (16)
    20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
        a) see the last comment at the very bottom of
  this page: 
  Points to consider:
     - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
  either.
    - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
  MORE INFO: HOTFIX: RAW DATA TRANSFERS
  More info on step (11) above.
  Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
  it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
  Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
  Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
  Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
  file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
  There is a fix:
        It is implimented above, see (11) above
        Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
  Other problems + fixes
    PROBLEM: Can't find server due to network location.
       This one took me a long time to track down to "network location".
       Win 7 uses network locations "Home" / "Work" / "Public".
       If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
       This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
       FIX = either set IP address manually and specify a gateway
       FIX = or  force "unidentified" network locations to assume "home" or "work" settings -
  read here or
  here
       FIX = or  change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
  login to gain file access.
    PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
         By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
        Read
  here (i've posted a batch script to automatically make the required reg files)
  I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

  What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?