My WebDAV share refers to /webdav//webdav/

My WebDAV share isn't accessible via webdavclient.
When I try to access the share via browser on FQDN/webdav I'm asked to enter user credentials and then an error page opens
"Forbidden You don't have permissions to access /webdav//webdav/.
Is there something I can do?

I ran into this exact issue. In 10.7 you could enter www.my_domain.com/webdav/Share_name
with 10.8 it fails in eth share name is names "webdav" only showinga duplicate of your user directory.
I found that you now have to just use the share name (as long as the share is not named "webdav"
www.my_domain.com/Share_name
hope it helps,
-m

Similar Messages

Stopping OS X from including "._" files on WebDav shares

We are working with the content system in the new Blackboard 7.1 and are running into an issue. Whenever you copy or save a file from a Mac to the WebDav share, it also copies the "._" resource fork file (like it should since WebDav cannot handle resource forks).
My question is, how do you stop OS X from splitting the file into two? Can you? It is very confusing to our faculty to have two instances of the same file when viewing the Content Manager via Blackboard. Plus it just doubles the file listing and can get big rather quickly.
Advise? Anyone else run into this issue?

I run a webdav server hosted on a mac so I don't experience this problem.
I do experience this issue when copying files from a mac to a windows sharepoint so I guess your webdav shares are running on a windows pc.
have you tried zipping files or enclosing them inside a disk image (.dmg) this fixes the problems when I copy files so an external fat32 formatted drive that I use on pc's as well as macs.

WebDAV Share Points Missing in OS X Server 10.8

WebDAV share points are missing in OS X Server 10.8.
To see for yourself:
1) Do a clean-install of OS X Server 10.8 with a single admin account and a .local host name.
2) In Server.app -> File Sharing, enable WebDAV access for the three default share points: /Groups, /Public, /Users.
3) In Finder -> Go -> Connect to Server -> http://server.local/webdav/ and log-in as the admin account.
Note that only the admin account's networked Home directory appears. There is no WebDAV access to the enabled share points.
4) In Finder -> Go -> Connect to Server -> afp://server.local and log-in as the admin account.
Note that the three default share points appear, along with the networked Home directory. AFP allows access to the enabled share points.
Any suggestions for a fix, or work-around?

I agree with Larry Goldman on this 100%. OS X 10.4, 10.5, 10.6 were rock solid when released. Starting with 10.7 it's been Vistaville all the way. Combined with fanboi arrogance, this has been totally frustrating.
There was a file/directory permissions error in 10.7.0 through 10.7.3, This permissions error caused endless random untracable problems and Apple said NOTHING about it. This wasn't fixed until 10.7.4, and a month later Mountain Lion came out.
"Don't reopen windows at startup" didn't work until 10.7.4 either - causing no end of headaches and problems, but Apple shipped 10.7 out the door with this glaring bug. Nobody at Apple saw this? Nobody tested this? It took a year for Apple to finally to fix it?!?!
Lion was a broken piece of **** until 10.7.4, and I cannot imagine all of the user frustration that must have occured as a result of these two problems, but how many other problems wreaked havoc, undetected?!?
I guess all the seasoned Apple devs went over to iOS, and the beginners are working on OS X. It really shows.
When I booted Lion and Mountain Lion for the first time, all kinds of buggy weirdness reared its ugly head. Windows not closing, artifacts remaining on screen, preference setting reverting without reason, fields not accepting input, Safari suddenly unable to connect to the internet (even though Chrome worked perfectly at the same time for the same URL), yada yada yada...
It used to be Microsoft that made their customers find all their OS bugs for them because it was cheaper than writing clean code from the beginning.
Today, quality control and testing have obviously gone out the window at Apple. They need to spend more of that $100 billion on QA and less on marketing.

How Can I Change the Ports for WebDAV file shares.

Title says it all. I have another piece of software using port 80 and 443, I'd like to create iOS shares using WebDAV but I can't find anywhere in the GUI to change the port numbers and I can't work out whether I need to do something involving Apache virtual hosts and if so which config files are relevant to the WebDAV server.
Someone must have done this by now, anyone know how its done???!!!!
Thanks in advance.

OK, so I worked out which files to edit and I actually managed to change the Apache/WebDAV ports on a clean 10.8 Server.
By clean I mean I installed 10.8.0, updated to 10.8.3 via the combo updater, then installed the latest version of Server app and configured the services.
Having done that I was able to make the required changes and all is working well. I then replicated the process on my live server but it throws up an error when I try to start up the WebDAV sharing.
This thread outlines the same issue:
https://discussions.apple.com/thread/4199421?start=0&tstart=0
I am getting this exact problem, in that any manual change at all to the 0000_any_443_.conf file will cause WebDAV to fail to start. This is annoying because I need to change that file. Its also annoying because the problem isnt there on my 'clean' server.
I deleted the entire /Library/Server/ folder and the Server.app and reinstalled Server.app from the App Store, recreating the /Library/Server folder from scratch. This cleared out the apache config files which I tried to re-modify, but all the file sharing settings were retained. Does anyone think it would be worth deleting all the sharepoints? Any other ideas?

Unable to move or rename files on WebDAV shares

I have not been able to get WebDAV shares to work properly on Lion.
Let's say I have a "User" that has given ownership to a WebDAV folder named "Share". I can connect to my WebDAV share using Finder at "https://website.com/webdav" and I can successfully read files and folders in "Share". I can also delete and create files in "Share". But whenever I try to move or rename a file or folder I get a dialog with error code -43, complaining the "item required cannot be found". I got the same error on machines running both 10.6.8 and 10.7.2.
I tried login with "User" with SSH and confirmed that I was indeed able to move/rename folder in the "Share" directory but just unable to do so using WebDAV. Any ideas? Thanks!

@A
Is it a normal behavior in the Web-DAV protocoll?
@ctrld
As I read you aliased the folder to a folder inside the user folder "/Users/username/Sync"?
How can i realize it with a shared folder for uploading and downloading file with multiple users?

Can't compress files on webdav share using Finder

Hi to all!
I have webdav share (server is on FreeBSD) connected to my MBP. I can read, write, delete files on this share but when I try to compress file on this share (rightclick on file and select "Compress" in menu) I allways get an error popup: "The operation can't be completed because the disk if full." with "zip" icon on it. I know that disk isn't full.
How to fix this?

as a workaround I use Automator script "Junecloud Automator Actions" to make clean archive

Share the NAS File over WebDav

Hi,
Computer: Mac Mini
OS: OSX server 10.8 moutain lion
NAS: Terastation
Connections: Ethernet 1Gbt
Set Mac Mini like file server, DDNS, opendirectory
Is it possible share the NAS's files over WebDav protocol of the server.

You're not going to find any doc that says what the 'easiset' way to do this is because that's going to be different for different people.
For example, AFP might be easiest for an all-Mac network - you don't say whether the other users are Mac users or not.
HTTP might be easiest in a mixed platform environment.
FTP could work, too.
Additionally, all of the options are going to have a similar set of issues, so they're all about the same anyway. You're going to need to decide that question of security, though - Do you want anyone to be able to download the file? or do you want to setup usernames and passwords?
Then there's the network element - if you're behind a firewall or NAT device you're going to have to configure it to pass whatever protocol you choose through to your server. If you opt for AFP, that's port 548, http is 80. Forget FTP if you're using NAT - it's not worth the hassle.
Then, of course, there are issues with security. Many ISPs block port 80 connections, so the default http setup might not work, so you might need to change the port it runs on.
What about encryption? Do you want to encrypt the connection to secure the download? If do you're pretty much limited to HTTPS - unless you opt for SFTP, an option we hadn't even mentioned until now (of course, encrypting the file with a password-based tool would help, too).
So, you see, there are many elements to your question. Until you answer them you can't know which is the 'right' protocol for you.
If you're not worried by security/encryption then I'd say in most cases HTTP is the easiest option as long as your ISP isn't blocking it. Start up apache (via System Preferences -> Sharing) and drop the file into /Library/WebServer/Documents and you're done.

Is it possible to share a Mounted Blank Disk Image using WebDav?

I am trying to find a good solution to give individuals the ability to change files in there hosted websites on the Mac Mini Server (10.6.4), but also having a limited folder size. I have seen a few post on using Blank Disk Image as the share folder. I have created the folder and I can see it contents using a WebDav client, but no matter what permissions I put, anytime I try to upload or delete a file from the image I get a 403 error, saying "Forbidden". I can get the WebDav to work on normal shared folders, so I am wondering if it is even possible to share a mounted blank image using WebDav?

It seems if I make an MS-DOS(FAT) image, I can actually make changes to this image file using WebDav, but I cant see how to changer the permissions of the folder. All the methods I have tried do not actually seem to change the file permissions, they default to read and write for everyone.
I am trying to figure out if I am trying to get something to work that is not even possible. I need to be able to limit the size of a folder, share it with specific groups/users in the Open Directory. It also has to be viewable on both Windows and Mac Systems. FTP does not seem to work, since it gives access to the root. I want to be able to have a student/student group post to a wiki, have a website for there project, but they should only have access to this image....
Does anyone know if you can share a mounted image through WebDav, or if there is another way I can setup multiple folders and have websites point to this folder and give only selected users access to the folder for uploading and sharing files?
Any guidance would be greatly appreciated

[SOLVED]mounting webdav share fails, cadaver works?

cadaver http://localhost/dav
dav:/dav/> mkcol test
Creating `test': succeeded.
dav:/dav/> ls
Listing collection `/dav/': succeeded.
Coll: test 0 Mar 8 16:59
mount -t davfs http://localhost:80/dav /tmp/test2
Please enter the username to authenticate with proxy
http or hit enter for none.
Username:
Please enter the username to authenticate with server
http://localhost:80/dav or hit enter for none.
Username:
/sbin/mount.davfs: connection timed out two times;
trying one last time
/sbin/mount.davfs: server temporarily unreachable;
mounting anyway
WTF?
ive used the webdav howto from archs wiki.
greets
Last edited by metalfan (2008-03-21 14:09:41)

works with davfs-1.3, ive filled a bug report.

Message flow in SAP PI 7.31 JAVA only for ABAP Proxy synchronous scenario with Oracle DB

Dear Experts,
I am working on a synchronous scenario Sender ABAP Proxy <===> SAP PI 7.31 JAVA only <===> Oracle Database.I have successfully
configured all the proxy configurations as well both Sender SOAP and JDBC receiver channels are showing no error when pinged from
Cc monitoring in NWA.
1.During testing at Tx SPROXY , I am triggering a message and after 5 minutes I receive an PARSING error message with 2 messages in ECC
local IE i.e. Tx SXMB_MONI.
Note : In NWA , I can see only 1 message that too in cancelled status.
2.Seeing the trace of the messages I assume that the messages have not moved from sender ECC system. I am still confused with flow of message
from the Message Audit log. Audit log of error messages.Could any one share the full Audit log of a successful message generated in SAP PI 7.31 JAVA only.
3.I observed that the QIN Scheduler status in ECC is in INACTIVE status. There is no queue id for 2 messages generated in ECC. Does
it should in ACTIVE status in Tx SMQR..
Regards
Rebecca

Hi Thomas,
Valuable inputs..
1. Since I don't have any audit log for successful message, would you be able to share referring to the
below screenshot whether the message was put into receiver JDBC adapter and JDBC adapter tried to retrieve the Select response from Oracle Database.
2.I have done some setting in Advance mode of the receiver JDBC to increase the time out and other parameters as per SAP note but still the issue is same. If you perhaps have some experience in such scenarios, please share some input so that I can ask the Oracle Database administrator exactly what is required from our side.
3.Regarding the slow response from Oracle , there was some suggestion that the datatype of the request and response should match the column name of the Oracle database. I did that.. Do you have any more suggestion that may be hampering the generation of the response message from the Oracle like SAP note or document.
Regards
Rebecca

What, exactly, is a webdav realm?

The web technologies admin document's glossary defines a WebDAV realm as "A region of a website, usually a folder or directory, that’s defined to provide access for WebDAV users and groups."
This strikes me as a bit unclear, as a "region of a website" can be many things. Do they mean a location on a *web server* that holds files for a particular website hosted on the server?
And in the context of the small lab network I administer, would I use one realm for every web service offered by the server? Or would I use different realms for each blog, wiki, group, etc?
Thanks,
Jon

Hi Jon,
generally, I think a Realm refers to an area within a website, as defined by some base portion of its URL, where access authorization is restricted. Usually, the simplest method to do this on Apache is with the .htaccess files. You define a Realm as the URL at which this authorization is enforced.
At its most basic level, a "region of a website" might just be a directory, such as http://example.com/test-dir/. The web directory test-dir may map directly to a real filesystem location, such as /Library/WebServer/Document/test-dir/.
Or a "region of a website" may instead map to a specific environmental context within an application. The URL components following the domain name may be a series of values that represent a certain state in the application. This can either be done by simply appending a query string of name=value pairs to the URL (like the URL for this post- there is no folder named ?threadID=2547419 on the disscussions.apple.com server). Or it can be more semantic, SEO friendly URLs like http://example.com/articles/2010/08/What-is-a-realm
A specific website have have many Realms defined within itself. It is up to you, the admin, to decide when and where you need to create a Realm to restrict access or activity.
WebDav is almost always configured inside a Realm because of the extra abilities the clients accessing the website may have: i.e. DELETE or PUT methods.
If your "small lab network" is only accessed by the people in your small lab, and not be anonymous people out on the internet, then you could probably get by without anything too complicated. Maybe one Realm for the entire website.
But if your wiki is used by some people, your blog is used by a different group and you don't what to share data or content between them, then yes, create a separate Realm for each area of content:
create a Wiki-realm for /wiki
create a blog-realm for /blog
This will allow you to manage access to each content area separately. If you have Open Directory set up, you can configure your realms to use those user accounts so you don't have to create new username/passwords for each Realm.
The documentation to do this is all pretty readily available from Apple.
Does this answer your question?
Cheers,
Matt

Guide to setting up WebDAV for Windows XP clients

I've recently set up an XServe as a Windows domain controller, and was looking to WebDAV as an easy way of setting up remote access to certain shared files. However, it was not as straightforward as it seems - Windows is somewhat fickle about WebDAV and the Mac OS X manual states that "Microsoft platforms use an authentication mechanism that may make it difficult or impossible to mount WebDAV volumes from Mac OS X" (Web Technologies PDF manual, p. 45). After a great deal of scouting on the internet, I managed to get it working and thought I'd better share my method, since it's not all that straightforward. It's been mentioned on the Apple Forums before, but I don't think it was resolved. Much of this information comes from Mac OS X Hints but is updated in accordance with my experiences. (Some line breaks may be inserted by accident - make sure that lines are correct or you could have syntax errors). By default, Windows XP uses NTLM authentication for WebDAV access - you know this when it keeps popping back up with a password box, with the username in the form domain\username. This circumvents that, although I'm a little sketchy on the details - this is a compiled guide, based on my admittedly humble understanding of the authentication protocols.
1. Enable mod_encoding and mod_headers in the Modules panel of the Web service in 'Server Admin'.
2. Make a backup copy of your httpd.conf file (the main Apache configuration file):
% cd /private/etc/httpd
% sudo cp httpd.conf httpd.conf.backup
Uncomment the following two lines in httpd.conf:
AddModule mod_headers.c
AddModule mod_encoding.c
3. (The following from benoitc's macosxhints.com article.) Paste the following in at the end of /private/etc/httpd/httpd.conf:
# Set DAVLockDB for webdav support
DAVLockDB /private/var/run/davlocks/DAVLockDB
# Fix header for webdav
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS" redirect-carefully
<IfModule mod_headers.c>
Header add MS-Author-Via "DAV"
</IfModule>
<IfModule mod_encoding.c>
EncodingEngine on
NormalizeUsername on
</IfModule>
4. Create the folder you want to share with WebDAV:
% sudo mkdir /Library/WebServer/Documents/dav
% sudo chmod -R 775 /Library/WebServer/Documents/dav
Open httpd.conf again and zoom down to the end of the file and add this text (make sure you're consistent if you change the folder name to something else):
Alias /dav /Library/WebServer/Documents/dav
<Location /dav>
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /private/etc/httpd/passwords/webdav.access
require valid-user
Order allow,deny
Allow from all
</Location>
5. Create the password file and the user:
% sudo mkdir /private/etc/httpd/passwords
% sudo htpasswd -c /private/etc/httpd/passwords/webdav.access davuser
Provide a password when prompted.
6. Restart apache:
% sudo apachectl graceful
This is all you need to do on the OS X box. However, I found that this alone didn't work - I was trying to use 'basic' authentication (I tend to start easy, get that working, then add complexity/security later), which has been turned off by default in Windows XP Service Pack 2. XP also does not seem to support SSL encryption for WebDAV access.
7. To get the above to work with Windows XP Service Pack 2, back up the Windows registry and add the following DWORD key with regedit.exe:
HKEYLOCALMACHINE\SYSTEM \CurrentControlSet\Services \WebClient\Parameters\UseBasicAuth
Set the value to "1", close regedit.exe and reboot your PC.
8. Open Internet Explorer, select Open... from the File menu, enter http://ip.address.of.server/dav and tick the 'Open as Web Folder' option.Press OK and enter the username and password you set up with in step 5.
All improvements/comments are welcome - good luck!
XServe Mac OS X (10.4.4)

Well it says "System Requirements: Windows XP or later"
So I assume that means that it would be installed on the Windows partition.
It also says "If you do not have any Boot Camp drivers installed, it will install version 2.1 drivers onto your already installed Windows OS." So doesn't that mean I could use the download instead of the disk to install the drivers? Or is there more to it?

Secured WebDAV Mounted Volume Authorization Issues

I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
1) I am able to mount the secured WebDAV share using my security credentials.
2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
Thanks in advance for any insights.

same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
Jun 11 12:34:52: --- last message repeated 1 time ---

Unable to edit Excel file via WebDAV in IE

LS,
Aim
To be able to open an Excel file in Oracle Portal via IE for editing (ergo, if changed it needs to be saved in the same location where it resides = database)
What have we done so far
OraDAV has been implemented (basic manner), a pagegroup has been created in Oracle Portal for security, next we stored some Excel files for test purposes.
Opening and editing using Windows Explorer (when testing) works fine, but opening from browser (Internet Explorer) opens Excel-file in read-only mode!
Workaround
Create windows shortcuts to Excel files in the OraDAV Webfolder, shortcuts are then placed in a public Windows-share which is running on a workstation.
Accessing these shortcuts from both Windows Explorer and Internet Explorer works fine then.
But...
Unfortunately, implementing a windows share on a server is considered to be not an option by the network security team, and it's also not an option to continue using a workstation for that purpose.
What does Metalink say (we created TAR for this)
CLARIFICATION
====================
This issue happens on WEBDAV.
Using=>Windows Explorer it works fine.
Using=>Internet Explorer it does not do as the customer aspected.
Webdav:
Using=>Windows Explorer
going to folder
http://<machine>:7778/dav_portal/.../QA1.XLS
double clicked QA1.XLS and this opens in Microsoft Excel.
After made modifications the file is saved correctly without any issue.
Using=>Internet Explorer
Calling the
URL:http://<machine>:7778/.../QA1.XLS
the file QA1.XLS opens within Internet Explorer the Microsoft Excel plugin.
Problem is it the file opened in read-only mode and when you click save it wants to save
in local drive.
ISSUE VERIFICATION
===================
Verified the issue by the OWC session.
RESEARCH
=========
TESTCASE
I have tested the same issue on 9.0.2.3 and 10.1.2 portal versions.
They are all behaving the same.
CAUSE DETERMINATION
====================
This is intended behaviour.
CAUSE JUSTIFICATION
====================
Details => http://www.webdav.org
http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/OTN_CONTENT/MAINPAGE/PUBLISH_CONTMGMT/TECHNOTE_WEBDAV.HTML
What does Portal documentation say
Source: Oracle9iAS Portal Release 2 âTechnical Overview
An Oracle White Paper; April 2002; Page 17
=======================================================
Integrating with the desktop
File-type item content can also be published to the portal repository via the Webbased Distributed Authoring and Versioning (WebDAV) protocol. Using a WebDAV client such as Windows Explorer, a portal page group can be mapped as a Web Folder. Users can then simply drag and drop content, files, and folders between portal pages and the desktop. File-type items can also be opened, edited, and saved directly from WebDAV desktop applications like MS Office 2000.
Thus...
Even though Metalink is implying it is not possible, one would think it IS possible, since IE is also a valid WebDAV client.
Bottom line
Does anyone know how to set up Portal in combination with WebDAV to ensure editing of Excel files will happen via Internet Explorer AND changes will be saved back onto the original location
Thanks, Patrick

hi patrick,
this problem is not solvable on the serverside since this is a desktop integration problem. since you want to use excel as your editor you have to use excel's client side software.
oracle drive purely addresses desktop integration and is not meant to be a server side component. it is a webdav client and for that only ensures that the communication between the client and the portal server has as much useful functionality as possible.
the only other option that i see is downloading the document to the client, update it and copy it back up to the portal server, which is cumbersome.
all webdav clients are client side software that is either shipped with the OS (MS webfolders) or needs to be installed on the client (oracle drive).
you could check if there is software availble that is an excel plug-in for internet explorer which at the same time talks webdav to portal. not sure if this exists ?
regards,
christian

EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

This is for information to help others
KEYWORDS:
- Sharing EFS encrypted files over a personal lan wlan wifi ap network
- Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
- transfer encryption keys / certificates
- set trusted delegation for user + computer for EFS encrypted files via
Kerberos
- Windows Active Directory vs network file share
- Setting up WinDAV server on Windows 7 Pro / Ultimate
It has been a long painful road to discover this information.
I hope sharing it helps you.
Using EFS on Windows 7 pro / ultimate is easy and works great. See
here and
here
So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network
won't work (unless you follow below steps).
Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
Typically an "Access Denied" error messages is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
Why such a EFS drama when a network is involved?
Assume a home peer-to-peer network with 2pc: \\fileserver and \\clientpc
When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on
another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate
(on behalf of the clienpc's data request).
This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted
file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
Solutions
There are two main approaches to solve this:
     1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
          EFS operations occur on the computer storing the files.
          EFS files are decrypted then transmitted in plaintext to the client's computer
          This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
     2) SOLVE by setting up WebDAV (efs files accessed through web folders)
           EFS operations occur on the client's local computer
           EFS files remain encrypted during transmission to the client's local computer where it is decrypted
           This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
           BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
         READ BELOW as this does
Create new encrypted file / folder on a network file share - via Active Directory
It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming it is bulky, adds burden to operation of \\fileserver computer
and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
Although this info is NOT for setting up EFS on an active directory domain [server],
for those interested here is the gist:
Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
EFS.
NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP)—which will encrypt transmitted data,
Create new encrypted file / folder on a network file share - via WebDAV
For home users it is possible to make it all work.
Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
Setting up a wifi AP (for those less technical):
   a) START ... CMD
   b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=12345 keyUsage=persistent"
   c) type (no quotes): "netsh wlan start hostednetwork"
Set up a WebDAV server on Windows 7 Pro / Ultimate
-----ON THE FILESERVER------
   1 click START and type "Turn Windows Features On or Off" and open the link
       a) scroll down to "Internet Information Services" and expand it.
       b) put a tick in: "Web Management Tools" \ "IIS Management Console"
       c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
       d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
       e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
       f) click ok
       g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
KB892211 here ONLY for XP + Server 2003 (made in 2005)
KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
2 Click START and type "Internet Information Services (IIS) Manager"
3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
       a) on the right side, under Actions, click "Enable WebDAV"
4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
       a) on the "Anonymous Authentication" and click "Disable"
       b) on the "Windows Authentication" and click "Enable"
      NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
        It can be by changing registry key:
           [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
           BasicAuthLevel=2
       c) on the "Windows Authentication" click "Advanced Settings"
           set Extended Protection to "Required"
       NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
       a) on the right side, under Actions, click "Add Allow Rule"
       b) set this to "all users". This will control who can view the "Default Site" through a web browser
       NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used for logged in with on the
clientpc.
       NB: Any user account specified here has to exist on the server. It has a bug in that it usernames specified here are not validated on input.
6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
       a) on the right side, under Actions, click "Enable"
HOTFIX - double escaping
7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
       a) on the right side, under Actions, click "Edit Feature Settings"
       b) tick the box "Allow double escaping"
     *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
     These folders will appears blank with no subdirectories, or these files will not be readable unless this is ticked
     This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic
file serving and this has been rigorously tested by microsoft, so very unlikely. Its safe to "Allow double escaping".
8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
       a) set the Alias to something sensible eg "D_Drive", set the physical path
       b) it is essential you click "connect as" and set
this to a local user (on fileserver),
       if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
             NB: the user account selected here must have the required EFS certificates installed.
                        See
here and
here
        NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
      This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
       The work around is on the \\fileserver create an NTFS symbollic link
          e.g. to share the entire contents of "D:\",
                on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                in cmd in this folder create an NTFS symbolic link to "D:\"
                so in cmd type "cd c:\inetpub\wwwroot"
                then in cmd type "mklink /D D_Drive D:\"
        NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
         NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart
clientpc
9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
       a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
       b) if some exist review existing allow or deny.
           Take care to not only review the "allow access to" settings
           but also review "permissions" (read/write/source)
       NB: this can be set here for all added virtual directories, or can be set under each virtual directory
10 Open your firewall software and/or your router. Make an exception for port 80 and 443
       a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
             choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
          NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes"
below, specifically "Cant find server due to network location"
       b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
HOTFIX - MAJOR ISSUE - fix KB959439
11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
      a) On Windows 7 you need only change one tiny registry value:
           - click START, type "regedit", open link
           -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
           -on the EDIT menu click NEW, then click DWORD Value
           -Type "DisableEFSOnWebDav" to name it (no speech marks)
           -on the EDIT menu, click MODIFY, type 1, then click OK
           -You MUST now restart this computer for the registry change to take effect.
      b) On Windows Server 2008 / Vista / XP you'll FIRST need to
download Windows6.0-KB959439 here. Then do the above step.
         NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
      a) make sure WebClient Service is running
            (click START, type "services" and open, scroll down to WebClient and check its status)
      b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
            It should show the default "IIS7" image.
            If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"
      c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                e.g. http://localhost/D_drive
            If nothing is listed, check "Directory Browsing" is enabled
13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
      a) make sure WebClient Service is running
            (click START, type "services" and open, scroll down to WebClient and check its status)
      b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
              eg if your server's computer name is "fileserver" go to "http://fileserver:80"
              It should show the default "IIS7" image. If not, check firewall and port blocking.
              Any issue ie if (12) works but (13) doesn't, will indicate a possible firewall issue or router port blocking issue.
     c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
               eg if alias is "C_driver" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
               A directory listing of files should appear.
--- ON EACH CLIENT ----
HOTFIX - improve upload + download speeds
14 Click START and type "Internet Options" and open the link
      a) click the "Connections" tab at the top
      b) click the "LAN Settings" button at the bottom right
      c) untick "Automatically detect settings"
HOTFIX - remove 50mb file limit
15 On Windows 7 you need only change one tiny registry value:
      a) click START, type "regedit", open link
    b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
       c) click on "FileSizeLimitInBytes"
       d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
16 On each clientpc click START, type "Internet Options" and open it
         a) click on "Security" (top) and then "Custom level" (bottom)
         b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
         SUCH an easy fix. SUCH an annoying problem on a clientpc
   NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is consdered a "web folder" by windows
explorer.
TEST SETUP
17 On the client use the normal "map network drive"
            e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
            e.g. CMD: net use * "http://fileserver:80/C_drive"
         If it doens't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the filserver the elected impersonation user that the client is logging in with (clientpc
"manage network passwords") has NTFS permissions.
18 Test that EFS is now working over the network
       a) On a clientpc, map network drive to http://fileserver/
       b) navigate to a folder you know on the \\flieserver is encrypted with EFS
       c) create a new folder, create a new file.
           IF it throws an error, check carefully you mapped to the WebDAV and not file share
              i.e. mapped to "http://fileserver" not "\\fileserver"
           Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this
account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
       d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
       e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the
clientpc decrypted it then copied it).
        If this fails, it is likely one in IIS setting on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
        If this is not readable check step (11) and that you restarted the \\fileserver computer.
19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
      a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
            If a prompt for user+pass then check hotfix (16)
20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
      a) see the last comment at the very bottom of
this page:
Points to consider:
   - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't
either.
- CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
MORE INFO: HOTFIX: RAW DATA TRANSFERS
More info on step (11) above.
Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
There is a fix:
      It is implimented above, see (11) above
      Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
Other problems + fixes
PROBLEM: Can't find server due to network location.
     This one took me a long time to track down to "network location".
     Win 7 uses network locations "Home" / "Work" / "Public".
     If no gateway is specified in the IP address, the network is set to '"unidentified" and so receives "Public" settings.
     This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
     FIX = either set IP address manually and specify a gateway
     FIX = or force "unidentified" network locations to assume "home" or "work" settings -
read here or
here
     FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows
login to gain file access.
PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
       By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
      Read
here (i've posted a batch script to automatically make the required reg files)
I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.

What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?

My WebDAV share refers to /webdav//webdav/

Similar Messages

Maybe you are looking for