WebDAV permissions

Hey,
I set up WebDAV as an alternative to a VPN connection, which was slow compared to what you can get with WebDAV.
The only thing I do not get to work is a permission problem.
A user has read/write access to the very first directory I set up (I am using a Realm here...).
But all other directories are read only.
Is there a way to change that?
THANKS!

There is a user/group _www now that has access to the first directory only…can I change that to all folders?

Similar Messages

  • Help configuring webdav permissions

    Hopefully an easy one to answer.
    I want to enable access via webdav to a folder on our 10.6 OS X Server.  We use it for wiki, iCal and AB Server services, and host files for general download etc.
    The download files are in a folder within the site and are accessed normally via anonymous web browser download (e.g. https://<url>/folder/file.jpg).
    Currently we manage the files within the folder using FTP connections.  We want to change to using WebDAV to manage the files in the folder.
    I tried enabling WebDAV on the site, and then setting a realm (based either on the Folder, or the Location) that limited read / write access to a specific group of users.  But we found if we did this, any user could get full read / write access to the entire server without authentication at all...  So we added a second realm for the entire site (/) giving no access to anyone who wasn't authenticated.  Then if you try to download a file you have to authenticate to get the file...
    Could someone explain how we need to set these permissions so that:
    people can download files from the server anonymously, but otherwise not browse the folders of the site
    nominated users (i.e. a user group) on our server can access the folder containing the files via webdav, but not otherwise browse the site files
    normal web services on the system are not affected by these changes.
    Thanks in advance for your help. 

    Hi everybody!
    I hope you are still following this post in the hope of finding a solution. Today you will be rewarded. The solution was plain and simple, like all things Apple. It was on the surface and I was searching in the deep and obviously failed.
    So let's get to work. You know that SLS comes with SquirrelMail, which is a piece of crap. Every time you click on the mail link in Wiki Server it will take you to the SquirrelMail login screen. This screen is the login.php file.
    So in order to redirect Wiki Mail to any URL of your choice you just need to edit or substitute login.php file which is located in /usr/share/squirrelmail/ like this
    <?php
    /* Redirect browser */
    header("Location: http://your_preffered_url/");
    exit;
    ?>
    Enjoy!

  • Webdav Permissions for iPad Pages and Keynote

    I have a new Lion server running 10.7.2 and have set up a share as an iOS (WebDAV) share. I created a user and gave that user full permission to the share. I can read documents from the share from the iPad, but when I copy via WebDAV the file created is Zero K. I know this has to do with permissions, but I can't see anywhere else I can change anything.

    Copy from or to the server? Or duplicate?
    There are many functions in the WebDAV function which aren't supported yet, like rename etc. Have a look at the other posts here and write feedback to Apple. Maybe they will implement it in 10.7.3

  • Change permission on WebDAV subdirectories

    Hello I'm following this tutorial http://www.tnpi.biz/computing/mac/tips/idisk/idisk-v2.shtml .
    I'm trying to set it up on an OS X Server 10.4.
    I've setup a WebDAV at /Groups/idisk , with user folders inside that WebDAV : /Groups/idisk/user1 .
    At the moment all users can access everything.
    I would like it to work as follows:
    Access to every user:
    /Groups/idisk
    /Groups/idisk/*/Public (where * is every user folder)
    Access to specific user:
    /Groups/idisk/user1
    /Groups/idisk/* (where * is user2, user3, etc.)
    I just can't figure out how to change the WebDAV permissions on sub directories. If I edit the /etc/httpd/sites/mysite.conf, Apache/Server Admin won't accept it anymore.
    Does anybody know how I can achieve this??
    Thanks in advance and best regards,
    Mark Pith

    First problem: the root (/Groups/idisk) has to have "Can Browse" AND "Can Author" permissions, otherwise it will not mount. Is this normal?
    Second problem: when I log in as user1 and try to access /Groups/idisk/user2, I get a login window for every folder in that user folder (so you have to press cancel 8 times). I just want it say "You can't access this folder." and then go back to the parent directory, as it would on afp.

  • WebDAV logs

    OK. Here's the deal. Maybe I'm just missing the obvious but I'm having trouble identifying the account that was used via WebDAV to modify our website. That's right, it got hacked. Based on what I'm seeing in the logs, it wasn't so much a hack as it was a poor password for one of the users that has WebDAV permissions to make changes to the website.
    Here's the problem. I'm looking in the apache access.log, I find when the files were uploaded/changed, but it doesn't show the account that was used to make the changes.
    It shows:
    192.168.10.1 - - [31/Jul/2008:23:07:05 --0700] "PUT /www.arplhmd.cjb.net_020112 HTTP/1.1" 201 309
    192.168.10.1 - - [31/Jul/2008:23:07:05 --0700] "PUT /rys.asp HTTP/1.1" 201 309
    192.168.10.1 - - [31/Jul/2008:23:07:05 --0700] "PUT /index.htm HTTP/1.1" 201 312
    192.168.10.1 - - [31/Jul/2008:23:07:05 --0700] "PUT /index.htm HTTP/1.1" 204 -
    From what I understand the part between the - - should show the user account but, as you can see, does not. Can anyone think of where I might find this information or barring that setting the logs to actually show this?
    Thanks

    FYI without the Apple Discussions formatted strike-through
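
As an added example (not code from the thread): in Apache's Common Log Format the third field is the authenticated user, and "-" there means the request carried no authenticated identity, so a PUT answered with 201 or 204 and "-" was accepted without a login. The Python sketch below parses such lines and separates successful WebDAV writes into anonymous ones and per-user ones; the sample log lines, addresses and the user name editor1 are constructed.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Methods that create, change or remove content on a WebDAV server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Constructed sample log (documentation IP ranges, hypothetical user "editor1").
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2008:10:00:01 -0700] "PUT /upload/a.txt HTTP/1.1" 201 309
192.0.2.10 - - [01/Aug/2008:10:00:02 -0700] "PUT /upload/b.txt HTTP/1.1" 401 401
198.51.100.7 - editor1 [01/Aug/2008:10:05:00 -0700] "PUT /index.htm HTTP/1.1" 204 -
198.51.100.7 - editor1 [01/Aug/2008:10:05:03 -0700] "GET /index.htm HTTP/1.1" 200 312
192.0.2.10 - - [01/Aug/2008:10:06:00 -0700] "DELETE /old.htm HTTP/1.1" 204 -
this line is not in common log format
"""


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit_writes(lines):
    """Split successful write requests into anonymous ones and per-user ones."""
    anonymous = []
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if not 200 <= rec["status"] < 300:
            continue  # rejected attempts (401, 403, ...) changed nothing
        if rec["user"] == "-":
            anonymous.append(rec)  # write accepted with no authenticated user
        else:
            by_user[rec["user"]].append(rec)
    return anonymous, dict(by_user)


if __name__ == "__main__":
    anonymous, by_user = audit_writes(SAMPLE_LOG.splitlines())
    for rec in anonymous:
        print("ANONYMOUS WRITE", rec["time"], rec["host"], rec["method"], rec["path"])
    for user, recs in by_user.items():
        print(user, "made", len(recs), "successful write(s)")
```

Any line reported as an anonymous write points at a location where write methods are reachable without a `Require` rule, which is a configuration problem rather than a logging one.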

  • Webdav not running with Iexplorer 7

    Hello.
    I am trying to connect to my portal using the WebDAV protocol, using the PortalDrive utility or directly with iexplorer.
    When I try on a computer with Explorer 6.0, everything runs correctly (very well),
    but if I try on a computer with Explorer 7.0, nothing runs. It's impossible.
          1. PortalDrive never connects.
          2. iexplorer never connects.
    I use the following URL:
    http://xxxxxx:50000/irj/go/km/docs/folder1/?login_submit=on&j_user=uuuuuuu&j_password=ppppppp
    What can I do?
    Thanks.
    Paco

    Hello:
    1. The http.0.log is:
    [RECONNECT]
    ==== Request ==================================================================
    OPTIONS /irj/go/km/docs/km_dti/DTI/Politicas%20Horizontales/ HTTP/1.1
    X-Features: 1
    User-Agent: SAP NetWeaver Portal Drive 4.4 (build 6317)
    Host: www.navantia.es:80
    Connection: Keep-Alive
    Content-Length: 0
    Response -
    HTTP/1.1 403 Forbidden
    Date: Tue, 09 Dec 2008 09:16:25 GMT
    Server: SAP J2EE Engine/7.00
    content-type: text/xml
    x-features: 25, ctxmnu
    cache-control: no-cache
    vary: accept-encoding,accept-language,cookie,translate
    set-cookie: saplb_*=(J2EE11258200)11258250; Version=1; Path=/
    set-cookie: JSESSIONID=(J2EE11258200)ID0395734150DB02415238523481741825End; Version=1; Domain=.navantia.es; Path=/
    Via: 1.1 www.navantia.es
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    ec
    <D:error xmlns:D="DAV:"><D:need-privileges><resource xmlns="http://sapportals.com/xmlns/cm/webdav" perm="node_read_properties"><D:href>/irj/go/km/docs/km_dti/DTI/Politicas%20Horizontales</D:href></resource></D:need-privileges></D:error>
    0
    Initial response 0.021s, Transfer 0.000s, Total 0.021s
    ===============================================================================
    2. the  dti.log is:
    SAP NetWeaver Portal Drive 4.4 (build 6317) on WXP
    Service: WebDAV:
    www.navantia.es\irj\go\km\docs\km_dti\DTI\Politicas Horizontales
    Proxy: none
    Sharing Level: 2
    Secure connection: No
    10:19:17 2008/12/09 Failed to connect
      Error 000004C7.
    10:19:17 2008/12/09 dirlist timeout=300, flags=4
    3. I reviewed the logs from the server and found the following entry:
    anonymous_es     | ACCESS.ERROR     | /km_dti/DTI/Politicas Horizontales     | node_read_properties
    This line appears each time I try to connect with PortalDrive.
    Thanks.
    Paco del Campo

  • Can a non group or team member subscribe to group calendar

    So we have a group web calendar maintained by the managers.
    By using permissions in the web service, we can allow "authenticated users" to view the web based calendar.
    However if you are not a member of the group that publishes that web based calendar you can not subscribe to it using iCal.app. Only members of the group can successfully subscribe.
    We need to have some kind of restrictions to prevent the general public from viewing the calendar but would like for anyone employed by the company to subscribe using iCal so that events are up to date in iCal.
    Any thoughts on how to do this?
    I have fiddled with webDAV permissions and the SACL in Server Admin but have only been able to successfully restrict access to the web interface of the calendar. Non team members can view but not edit.

    It can't be done

  • WebDAV: different users with ro and rw permissions?

    Hi,
    I am trying to set up a WebDAV folder where I have one user that has read-write privileges, while another user only has read-only privileges.
    Now whatever I try, the user that has read-only privileges is not able to mount the WebDAV.
    Is it at all possible?
    Thanks,
    Stephan

    Hi MacLemon,
    thanks for taking the time to respond to my post.
    I have folders under /WebDAV that I want to share to customers read-only, while people from our company should have read/write access to them. In this example I created a folder named /WebDAV/apoBank and two users (local in OS X) named apoBank and apobankjvm. apoBank should only have read access while apobankjvm should have read/write access.
    The permissions of the Folder I want to share via WebDAV are as follows:
    ls -l /WebDav/apoBank
    drwxrwxrwx 12 www www 408 May 12 11:18 apoBank
    Apache states the following when invoked with -v:
    mx:~ root# /usr/sbin/httpd -v
    Server version: Apache/1.3.33 (Darwin)
    Server built: Aug 22 2005 04:48:24
    This is the config for my virtual host:
    ## Default Virtual Host Configuration
    <VirtualHost 212.1.38.4:80>
    ServerName apobank.jvm.de
    ServerAdmin [email protected]
    DocumentRoot "/WebDav/apoBank"
    CustomLog '|/usr/sbin/rotatelogs "/var/log/httpd/apoBank.jvm.deaccesslog" 2592000' "%h %l
    ErrorLog '|/usr/sbin/rotatelogs "/var/log/httpd/apoBank.jvm.deerrorlog" 2592000'
    ErrorDocument 404 /error.html
    <IfModule mod_ssl.c>
    SSLEngine Off
    SSLLog "/var/log/httpd/sslenginelog"
    SSLCertificateFile "/etc/certificates/Default.crt"
    SSLCertificateKeyFile "/etc/certificates/Default.key"
    SSLCipherSuite "ALL:!ADH:RC4RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:eNULL"
    </IfModule>
    <IfModule mod_dav.c>
    DAVLockDB "/var/run/davlocks/.davlock100"
    DAVMinTimeout 600
    </IfModule>
    <Directory "/WebDav/apoBank">
    Options All -Indexes -ExecCGI -Includes +MultiViews
    AuthName "apoBankAuthor"
    <Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE L
    Require user apobankjvm
    </Limit>
    <Limit GET HEAD OPTIONS CONNECT POST>
    Require user apobank
    </Limit>
    <IfModule mod_dav.c>
    DAV On
    </IfModule>
    AuthType Basic
    AllowOverride None
    </Directory>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
    </IfModule>
    <IfModule mod_alias.c>
    </IfModule>
    LogLevel warn
    </VirtualHost>
    Thanks,
    Stephan
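
An added example, not part of the original posts: a small Python audit of `<Limit>` / `Require user` blocks like the ones in the virtual host above, reporting for each user which write methods they get and which of the methods a client uses to connect to and list a WebDAV collection (OPTIONS, PROPFIND, GET, HEAD) they lack. The user names reader and author and both config snippets are constructed, and the script assumes a user may use every method of any `<Limit>` block that names them.

```python
import re

# Methods a client uses to connect to and list a WebDAV collection (RFC 4918).
BROWSE_METHODS = {"OPTIONS", "PROPFIND", "GET", "HEAD"}
# Methods that change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

LIMIT_OPEN = re.compile(r"<Limit\s+([^>]+)>", re.I)
LIMIT_CLOSE = re.compile(r"</Limit>", re.I)
REQUIRE_USER = re.compile(r"Require\s+user\s+(.+)", re.I)

# Constructed config modelled on the layout in the post (hypothetical users).
BEFORE = """
<Limit GET HEAD OPTIONS CONNECT POST PROPFIND PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require user author
</Limit>
<Limit GET HEAD OPTIONS CONNECT POST>
Require user reader
</Limit>
"""

# Constructed alternative: read methods for both users, write methods for one.
AFTER = """
<Limit GET HEAD OPTIONS PROPFIND>
Require user reader author
</Limit>
<Limit POST PUT DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require user author
</Limit>
"""


def methods_by_user(config_text):
    """Map each user to the union of methods of the <Limit> blocks naming them.

    Assumption: Require lines from different <Limit> blocks are additive.
    """
    grants = {}
    current = None  # method set of the <Limit> block being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            current = {name.upper() for name in opened.group(1).split()}
            continue
        if LIMIT_CLOSE.match(line):
            current = None
            continue
        required = REQUIRE_USER.match(line)
        if required and current is not None:
            for user in required.group(1).split():
                grants.setdefault(user, set()).update(current)
    return grants


def audit_limits(config_text):
    """Report per-user write access, missing browse methods, and unguarded methods."""
    grants = methods_by_user(config_text)
    covered = set().union(*grants.values())
    report = {
        # Methods named in no <Limit> block are not subject to its Require lines.
        "unrestricted": sorted((BROWSE_METHODS | WRITE_METHODS) - covered),
        "users": {},
    }
    for user, methods in grants.items():
        report["users"][user] = {
            "can_write": sorted(methods & WRITE_METHODS),
            "missing_for_browse": sorted(BROWSE_METHODS - methods),
        }
    return report


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_limits(text))
```

Run against the first snippet, the read-only user is reported as missing PROPFIND, so a client logged in as that user cannot list the collection even though GET is allowed.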

  • WebDAV & File permissions

    Hi,
    I have set up my webserver to allow access via WebDAV. I have set up the realms and have added users from Open Directory for authoring permission. All files are owned by root & admin with RWXRWXR_X permissions.
    The authoring does not seem to be working as users can create but cannot amend.
    Do I need to setup ACL's for this to work?
    Thanks
    Phil

    The realm needs to be given owner:group www:www
    -david

  • WebDAV, php and permissions

    I am having trouble with WebDAV executing PHP code when opening files remotely on the server using a text editor and not showing the php code.
    If we access the server through a text editing tool via WebDAV, it executes the php code and displays the resulting code in html, but not the original php code. But if we log-in to the server using FTP, same user, just different protocol, then the code is displayed as php code, but then that user then owns the file and we generate other permission problems.
    So the question is: How can you set up a machine to have users access the server only through WebDAV, but have the text editor they are using NOT execute the PHP files when they open, but show the php code?
    Many thanks for your help.
    Pilar

    Hi.
    Please check both the error_log and access_log found inside /var/log/httpd/
    These are apache's log files and you may find the solution of your problems there
    Mihalis.

  • Webdav ignoring permissions

    Hi I have three shares on a server disk. I wish to access one via webdav and a restricted account ie invited guests. If I access via afp things work fine but using webdav all of the volumes become visible and writable!!!
    structure is
    disk>>share1- staff access
    >>share2-admin access
    >>share3-restricted access and webdav IOS access
    Access via https://domain/webdav
    and if I log in via the restricted account and all three shares show
    any ideas? thanks

    The realm needs to be given owner:group www:www
    -david

  • C: drive filling up after using WebDAV ("Remote dr...

    Hi,
    the C: drive on my E55 had very low free space at some point. I started the file manager and the memory details reported "32 MB" for "Other files". I looked around on C: using the file manager, but didn't find anything. I removed and reinstalled some apps, but it wasn't any better after this. I tried to find a setting which could be responsible for storing many stuff on C:, without luck.
    Then I installed X-plore and set it to show me all files (hidden and system files). I found a "rsfw_cache" directory with a lot of big files without sensible names in it. I just deleted it.
    Then I found out that it was created again and a large file was in there. I opened the file and saw a picture that I had taken with the camera and uploaded to the WebDAV server. I uploaded another picture which also showed up in this directory.
    So it looks like even just uploading a file results in a local copy in a hidden cache directory which is not removed automatically, and even can't be removed on user request or with the file manager. So I guess that just _using_ the remote drive will break the device at some point, because it wouldn't even be possible to receive text messages when C: is full. Major bug, I think (at least I would handle it like a major bug, and I work as a developer for a quite complex firmware for an embedded device).
    I don't know what firmware versions or models are affected. This is an E55 with firmware 034.001. Is this a known bug that will be fixed in the next firmware? Will there be a new firmware version at all, as the E55 seems to be discontinued now?
    Another question: "Other files" still shows 14 MB. X-plore states that there are only 4,5 MB used on C:. Can some people with the knowledge tell me where the remaining 10 MB could be located and post some info what directories can be safely removed without losing non-recoverable data (temporary files, cache files etc.)? I already deleted the cache in the internal web browser and in Opera mobile.

    At this point I think you should get Applejack...
    http://www.versiontracker.com/dyn/moreinfo/macosx/19596
    After installing, reboot holding down CMD+s, (+s), then when the DOS like prompt shows, type in...
    applejack AUTO
    Then let it do all 5 of its things.
    At least it'll eliminate some questions if it doesn't fix it.
    The 5 things it does are...
    Correct any Disk problems.
    Repair Permissions.
    Clear out Cache Files.
    Repair/check several plist files.
    Dump the VM files for a fresh start.
    Also, open Console in Utilities, and watch for clues if that doesn't help.

  • Improved user experience transferring from AFP to webDAV volume

    We've all experienced how files that we drag from our Desktops and drop on folders on the same volume are "received" at their destination and "lost" at their origin. They move.
    Users in my organization desire a similar experience when dragging files from their Desktops to folders NOT on the same volume, particularly remote volumes; or ones mounted using a different protocol, like http (webDAV to be exact)--whether on same volume or not. They prefer not having to dispose of needlessly remnant files on their Desktops.
    I'm responsible for providing a solution that delivers this experience. I suspect this will require an Applescript.
    I have written one that is basically functional. It calls a handler within a folder action to delete files still selected after copying of them to the attached folder completes.
    I include my script below. My interest in posting here is twofold.
    First: maybe someone can help me make this script work better. I'm still learning, and I haven't gotten it to handle important cases properly.
    Second: I wonder whether this has not already been done. I've looked at MacScripter, Applescriptsource, Apple Discussions, and certain individual scripters' sites; but keywords I've come up with haven't gotten me results.
    In advance and for any assistance, thanks!
    Here is my script. I know it fails if I get an overwrite dialog as a copy operation begins.
    If in the Finder, deselection occurs or selection is changed as script runs, no files or wrong files get deleted. I've also had the script delete a file that never got copied to its destination when a permissions dialog came up.
    I'd rather no one actually run this script. Just examine it.
    The script gets attached to a webDAV site's icon that appears on the Desktop once connection is made. This seems to work like a folder; hence my use of folder actions.
    That icon goes away if I disconnect, but I would need the script to work every time connection is made. There are probably other issues.
    on adding folder items to this_folder after receiving these_items
    call()
    end adding folder items to
    on call()
    tell application "Finder"
    activate
    set fileList to selection
    repeat with theFile in fileList
    delete theFile
    end repeat
    end tell
    end call

    This OS behavior is there for a reason.
    Good question. Thanks for noticing my post at all much less thinking critically on the subject.
    webDAV site is to hold users' working folders. In our case, there will be a lot of dragging from Home folders (including Desktop) to webDAV.
    The experience will naturally be compared with that of dragging files to the usual place for working files: a local AFP volume. Since drags to webDAV are going to fail by comparison on speed, I'd like to deliver comparability of the "move" experience.
    What if your users want to copy (not move) an item to a network volume?
    As for dragging to other volumes, only the webDAV site would have the folder action. I should have made it clear: I'm talking about getting this functionality only in the case of users accessing their webDAV-hosted working folders.
    I can understand readers thinking my aim was to change OS behavior. My fault, the vagueness on this point.
    Anyway, Cyclosaurus, don't get me wrong. It relieves me to know about the command-drag feature--that's great!

  • Secured WebDAV Mounted Volume Authorization Issues

    I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
    1) I am able to mount the secured WebDAV share using my security credentials.
    2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
    3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
    I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
    Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
    The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
    I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
    Thanks in advance for any insights.

    same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
    Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
    Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
    Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
    Jun 11 12:34:52: --- last message repeated 1 time ---

  • EFS Encrypted Files over home workgroup network via WebDAV avoiding Active Directory fixing Access Denied errors

    This is for information to help others
    KEYWORDS:
      - Sharing EFS encrypted files over a personal lan wlan wifi ap network
      - Access denied on create new file / new fold on encrypted EFS network file share remote mapped folder
      - transfer encryption keys / certificates
      - set trusted delegation for user + computer for EFS encrypted files via Kerberos
      - Windows Active Directory vs network file share
      - Setting up WebDAV server on Windows 7 Pro / Ultimate
    It has been a long painful road to discover this information.
    I hope sharing it helps you.
    Using EFS on Windows 7 pro / ultimate is easy and works great. See here and here.
    So too is opening + editing encrypted files over a peer-to-peer Windows 7 network.
    HOWEVER, creating a new file / new folder over a peer-to-peer Windows 7 network won't work (unless you follow below steps).
    Typically, it is only discovered as an issue when a home user wants to use synchronisation software between their home computers which happens to have a few folders encrypted using windows EFS. I had this issue trying to use GoodSync.
    Typically an "Access Denied" error message is thrown when a \\clientpc tries to create new folder / new file in an encrypted folder on a remote file share \\fileserver.
    Why such an EFS drama when a network is involved?
    Assume a home peer-to-peer network with 2pc:  \\fileserver  and  \\clientpc
    When a \\clientpc tries to create a new file or new folder on a \\fileserver (remote computer) it fails. In a terribly simplified explanation it is because the process on \\fileserver that is answering the network requests is a process working for a user on another machine (\\clientpc) and that \\fileserver process doesn't have access to an encryption certificate (as it isn't a user). Active Directory gets around this by using kerberos so the process can impersonate a \\fileserver user and then use their certificate (on behalf of the clientpc's data request).
    This behaviour is confusing, as a \\clientpc can open or edit an existing efs encrypted file or folder, just can't create a new file or folder. The reason editing + opening an encrypted file over a network file share is possible is because the encrypted file / folder already has an encryption certificate, so it is clear which certificate is required to open/edit the file. Creating a new file/folder requires a certificate to be assigned and a process doesn't have a profile or certificates assigned.
    Solutions
    There are two main approaches to solve this:
         1) SOLVE by setting up an Active Directory (efs files accessed through file shares)
              EFS operations occur on the computer storing the files.
              EFS files are decrypted then transmitted in plaintext to the client's computer
              This makes use of kerberos to impersonate a local user (and use their certificate for encrypt + decrypt)
         2) SOLVE by setting up WebDAV (efs files accessed through web folders)
               EFS operations occur on the client's local computer
               EFS files remain encrypted during transmission to the client's local computer where it is decrypted
               This avoids active directory domains, roaming or remote user profiles and having to be trusted for delegation.
               BUT it is a pain to set up, and most online WebDAV server setup sources are not for home peer-to-peer networks or contain details on how to setup WebDAV for EFS file provision
             READ BELOW as this does
    Create new encrypted file / folder on a network file share - via Active Directory
    It is easily possible to sort this out on a domain based (corporate) active directory network. It is well documented. See
    here. However, the problem is on a normal Windows 7 install (ie home peer-to-peer) to set up the server as part of an active directory domain is complicated, it is time consuming, it is bulky, adds burden to operation of \\fileserver computer
    and adds network complexity, and is generally a pain for a home user. Don't. Use a WebDAV.
    Although this info is NOT for setting up EFS on an active directory domain [server],
    for those interested here is the gist:
    Use the Active Directory Users and Computers snap-in to configure delegation options for both users and computers. To trust a computer for delegation, open the computer’s Properties sheet and select Trusted for delegation. To allow a user
    account to be delegated, open the user’s Properties sheet. On the Account tab, under Account Options, clear the The account is sensitive and cannot be delegated check box. Do not select The account is trusted for delegation. This property is not used with
    EFS.
    NB: decrypted data is transmitted over the network in plaintext so reduce risk by enabling IP Security to use Encapsulating Security Payload (ESP), which will encrypt transmitted data.
    Create new encrypted file / folder on a network file share - via WebDAV
    For home users it is possible to make it all work.
    Even better, the functionality is built into windows (pro + ultimate) so you don't need any external software and it doesn't cost anything. However, there are a few hotfixes you have to apply to make it work (see below).
    Setting up a wifi AP (for those less technical):
       a) START ... CMD
       b) type (no quotes): "netsh wlan set hostednetwork mode=allow ssid=MyPersonalWifi key=YourPassphraseHere keyUsage=persistent"
       c) type (no quotes): "netsh  wlan start hostednetwork"
    Set up a WebDAV server on Windows 7 Pro / Ultimate
    -----ON THE FILESERVER------
       1  click START and type "Turn Windows Features On or Off" and open the link
           a) scroll down to "Internet Information Services" and expand it.
           b) put a tick in: "Web Management Tools" \ "IIS Management Console"
           c) put a tick in: "World Wide Web Services" \ "Common HTTP Features" \ "WebDAV Publishing"
           d) put a tick in: "World Wide Web Services" \ "Security" \ "Basic Authentication"
           e) put a tick in: "World Wide Web Services" \ "Security" \ "Windows Authentication"
           f) click ok
           g) run HOTFIX - ONLY if NOT running Windows 7 / windows 8
    KB892211 here ONLY for XP + Server 2003 (made in 2005)
    KB907306 here ONLY for Vista, XP, Server 2008, Server 2003 (made in 2007)
      2 Click START and type "Internet Information Services (IIS) Manager"
      3 in IIS, on the left under "connections" click your computer, then click "WebDAV Authoring Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Enable WebDAV"
      4 in IIS, on the left under "connections" click your computer, then click "Authentication", then click "Open Feature"
           a) click on "Anonymous Authentication" and click "Disable"
           b) click on "Windows Authentication" and click "Enable"
          NB: Some Win 7 will not connect to a webDAV user using Basic Authentication.
            It can be fixed by changing registry key:
               [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
               BasicAuthLevel=2
           c) on the "Windows Authentication" click "Advanced Settings"
               set Extended Protection to "Required"
           NB: Extended protection enhances the windows authentication with 2 security mechanisms to reduce "man in the middle" attacks
      5 in IIS, on the left under "connections" click your computer, then click "Authorization Rules", then click "Open Feature"
           a) on the right side, under Actions, click "Add Allow Rule"
           b) set this to "all users". This will control who can view the "Default Site" through a web browser
           NB: It is possible to specify a group (eg Administrators is popular) or a user account. However, if not set to "all users" this will require the specified group/user account to be used to log in on the clientpc.
           NB: Any user account specified here has to exist on the server. It has a bug in that usernames specified here are not validated on input.
      6 in IIS, on the left under "connections" click your computer, then click "Directory Browsing", then click "Open Feature"
           a) on the right side, under Actions, click "Enable"
    HOTFIX - double escaping
      7 in IIS, on the left under "connections" click your computer, then click "Request Filtering", then click "Open Feature"
           a) on the right side, under Actions, click "Edit Feature Settings"
           b) tick the box "Allow double escaping"
         *THIS IS VERY IMPORTANT* if your filenames or foldernames contain characters like "+" or "&"
         These folders will appear blank with no subdirectories, or these files will not be readable unless this is ticked
         This is safe btw. Unchecked (default) it filters out requests that might possibly be misinterpreted by buggy code (eg double decode or build url's via string-concat without proper encoding). But any bug would need to be in IIS basic file serving and this has been rigorously tested by microsoft, so very unlikely. It's safe to "Allow double escaping".
      8 in IIS, on the left under "connections" right click "Default Web Site", then click "Add Virtual Directory"
           a) set the Alias to something sensible eg "D_Drive", set the physical path
           b) it is essential you click "connect as" and set this to a local user (on fileserver),
           if left as "pass through authentication" a client won't be able to create a new file or folder in an encrypted efs folder (on fileserver)
                 NB: the user account selected here must have the required EFS certificates installed.
                            See here and here
            NB: Sharing the root of a drive as an active directory (eg D:\ as "D_Drive") often can't be opened on clientpcs.
          This is due to windows setting all drive roots as hidden "administrative shares". Grrr.
           The work around is on the \\fileserver create an NTFS symbolic link
              e.g. to share the entire contents of "D:\",
                    on fileserver browse to site path (iis default this to c:\inetpub\wwwroot)
                    in cmd in this folder create an NTFS symbolic link to "D:\"
                    so in cmd type "cd c:\inetpub\wwwroot"
                    then in cmd type "mklink /D D_Drive D:\"
            NB: WebDAV will open this using a \\fileserver local user account, so double check local NTFS permissions for the local account (clients will login using)
             NB: If clientpc can see files but gets error on opening them, on clientpc click START, type "Manage Network Passwords", delete any "windows credentials" for the fileserver being used, restart clientpc
      9 in IIS, on the left under "connections" click on "WebDAV Authoring Rules", then click "Open Feature"
           a) click "Add authoring rules". Control access to this folder by selecting "all users" or "specified groups" or "specified users", then control whether they can read/write/source
           b) if some exist review existing allow or deny.
               Take care to not only review the "allow access to" settings
               but also review "permissions" (read/write/source)
           NB: this can be set here for all added virtual directories, or can be set under each virtual directory
      10 Open your firewall software and/or your router. Make an exception for port 80 and 443
           a) In Windows Firewall with Advanced Security click Inbound Rules, click New Rule
                 choose Port, enter "80, 443" (no speech marks), follow through to completion. Repeat for outbound.
              NB: take care over your choice to untick "Public", this can cause issues if no gateway is specified on the network (ie computer-to-computer with no router). See "Other problems+fixes" below, specifically "Cant find server due to network location"
           b) Repeat firewall exceptions on each client computer you expect to access the webDAV web folders on
    HOTFIX - MAJOR ISSUE - fix KB959439
      11 To fully understand this read "WebDAV HOTFIX: RAW DATA TRANSFERS" below
          a) On Windows 7 you need only change one tiny registry value:
               - click START, type "regedit", open link
               -browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters]
               -on the EDIT menu click NEW, then click DWORD Value
               -Type "DisableEFSOnWebDav" to name it (no speech marks)
               -on the EDIT menu, click MODIFY, type 1, then click OK 
               -You MUST now restart this computer for the registry change to take effect.
          b) On Windows Server 2008 / Vista / XP you'll FIRST need to download Windows6.0-KB959439 here. Then do the above step.
             NB microsoft will ask for your email. They don't care about licence key legality, it is more to keep you updated if they modify that hotfix
      12 To test on local machine (eg \\fileserver) and deliberately bypass the firewall.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) Open your internet software. Go to address "http://localhost:80" or "http://localhost:80"
                It should show the default "IIS7" image.
                If not, as firewall and port blocking are bypassed (using localhost) it must be a webDAV server setting. Check "Authorization Rules" are set to "Allow All Users"           
            c) for one of the "virtual directories" you added (8), add its "alias" onto "http://localhost/"
                    e.g. http://localhost/D_drive
                If nothing is listed, check "Directory Browsing" is enabled
      13 To test on local machine or a networked client and deliberately try and access through the firewall or port opening of your router.
            a) make sure WebClient Service is running
                (click START, type "services" and open, scroll down to WebClient and check its status)
            b) open your internet software. Go to address "http://<computer>:80" or "http://<computer>:80".
                  eg if your server's computer name is "fileserver" go to "http://fileserver:80"
                  It should show the default "IIS7" image. If not, check firewall and port blocking. 
                  Any issue ie if (12) works but (13) doesn't,  will indicate a possible firewall issue or router port blocking issue.
           c) for one of the "virtual directories" you added (8), add its "alias" onto "http://<computername>:80/"
                   eg if alias is "C_drive" and your server's computer name is "fileserver" go to "http://fileserver:80/C_drive"
                   A directory listing of files should appear.
    --- ON EACH CLIENT ----
    HOTFIX - improve upload + download speeds
      14 Click START and type "Internet Options" and open the link
            a) click the "Connections" tab at the top
            b) click the "LAN Settings" button at the bottom right
            c) untick "Automatically detect settings"
    HOTFIX - remove 50mb file limit
      15 On Windows 7 you need only change one tiny registry value:
          a) click START, type "regedit", open link
          b) browse to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters]
           c) click on "FileSizeLimitInBytes"
           d) on the EDIT menu, click MODIFY, type "ffffffff", then click OK (no quotes)
    HOTFIX - remove prompt for user+pass on opening an office or pdf document via WebDAV
     16 On each clientpc click START, type "Internet Options" and open it
             a) click on "Security" (top) and then "Custom level" (bottom)
             b) scroll right to the bottom and under "User Authentication" select "Automatic logon with current username and password"
             SUCH an easy fix. SUCH an annoying problem on a clientpc
       NB: this is only an issue if the file is opened through windows explorer. If opened through the "open" dialogue of the software itself, it doesn't happen. This is as a WebDAV mapped drive is considered a "web folder" by windows explorer.
    TEST SETUP
      17 On the client use the normal "map network drive"
                e.g. server= "http://fileserver:80/C_drive", tick reconnect at logon
                e.g. CMD: net use * "http://fileserver:80/C_drive"
             If it doesn't work check "WebDAV Authoring Rules" and check NTFS permissions for these folders. Check that on the fileserver the elected impersonation user that the client is logging in with (clientpc "manage network passwords") has NTFS permissions.
      18 Test that EFS is now working over the network
           a) On a clientpc, map network drive to http://fileserver/
           b) navigate to a folder you know on the \\fileserver is encrypted with EFS
           c) create a new folder, create a new file.
               IF it throws an error, check carefully you mapped to the WebDAV and not file share
                  i.e. mapped to "http://fileserver" not "\\fileserver"
               Check that on clientpc the required efs certificate is installed. Then check carefully on clientpc what user account you specified during the map drive process. Then check on the \\fileserver this account exists and has the required EFS certificate installed for use. If necessary, on clientpc click START, type "Manage Network Passwords" and delete the windows credentials currently in the vault.
           d) on clientpc (through a webDAV mapped folder) open an encrypted file, edit it, save it, close it. On the \\fileserver now check that file is readable and not gobble-de-goup
           e) on clientpc copy an encrypted efs file into a folder (a webDAV mapped folder) you know is not encrypted on \\fileserver. Now check on the \\fileserver computer that the file is readable and not gobble-de-goup (ie the clientpc decrypted it then copied it).
            If this fails, it is likely that in the IIS settings on fileserver one of the shared virtual directories is set to: "pass through authentication" when it should be set to "connect as"
            If this is not readable check step (11) and that you restarted the \\fileserver computer.
      19 Test that clients don't get the VERY annoying prompt when opening an Office or PDF doc
          a) on clientpc in windows explorer browse to a mapped folder you know is encrypted and open an office file and then PDF.
                If a prompt for user+pass then check hotfix (16)
      20 Consider setting up a recycling bin for this mapped drive, so files are sent to recycling bin not permanently deleted
          a) see the last comment at the very bottom of this page:
    Points to consider:
       - NB: WebDAV runs on \\fileserver under a local user account, so double check local NTFS permissions for that local account and adjust file permissions accordingly. If the local account doesn't have permission, the webDAV / web folder share won't either.
      - CONSIDER: IP Security (IPSec) or Secure Sockets Layer (SSL) to protect files during transport.
    MORE INFO: HOTFIX: RAW DATA TRANSFERS
    More info on step (11) above.
    Because files remain encrypted during the file transfer and are decrypted by EFS locally, both uploads to and downloads from Web folders are raw data transfers. This is an advantage as if data is intercepted it is useless. This is a massive disadvantage as
    it can cause unexpected results. IT MUST BE FIXED or you could be in deep deep water!
    Consider using \\clientpc to access a webfolder on \\fileserver and copying an encrypted EFS file (over the network) to a web folder on \\fileserver that is not encrypted.
    Doing this locally would automatically decrypt the file first then copy the decrypted file to the non-encrypted folder.
    Doing this over the network to a web folder will copy the raw data, ie skip the decryption stage and result in the encrypted EFS file being raw copied to the non-encrypted folder. When viewed locally this file will not be recognised as encrypted (no encryption
    file flag, not green in windows explorer) but it will be un-readable as its contents are still encrypted. It is now not possible to locally read this file. It can only be viewed on the \\clientpc
    There is a fix:
          It is implemented above, see (11) above
          Microsoft's support page on this is excellent and short. Read "problem description" of "this microsoft webpage"
    Other problems + fixes
      PROBLEM: Can't find server due to network location.
         This one took me a long time to track down to "network location".
         Win 7 uses network locations "Home" / "Work" / "Public".
         If no gateway is specified in the IP address, the network is set to "unidentified" and so receives "Public" settings.
         This is a disaster for remote file share access as typically "network discovery" and "file sharing" are disabled under "Public"
         FIX = either set IP address manually and specify a gateway
         FIX = or force "unidentified" network locations to assume "home" or "work" settings - read here or here
         FIX = or change the "Public" "advanced network settings" to turn on "network discovery" and "file sharing" and "Password Protected Sharing". This is safe as it will require a windows login to gain file access.
      PROBLEM: Deleting files on network drive permanently deletes them, there is no recycling bin
           By changing the location of "My Contacts" or similar to the root directory of your mapped drive, it will be added to recycling bin locations
          Read here (I've posted a batch script to automatically make the required reg files)
    I really hope this helps people. I hope the keywords + long title give it the best chance of being picked up in web searches.
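A check for the registry values from steps 4, 11 and 15 of the post above, as an added example that is not part of the original post: it parses text saved with `reg export` and reports values that differ from what the post sets, and it flags `BasicAuthLevel=2` because that level lets the WebClient send Basic credentials over plain http. The names `parse_reg`, `audit` and `CHECKS` and the two sample exports are constructed for illustration.

```python
import re

MRXDAV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\Parameters"
WEBCLIENT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WebClient\Parameters"

# role -> (key, value name, value the post sets, step in the post)
CHECKS = {
    "fileserver": [(MRXDAV, "DisableEFSOnWebDav", 1, "step 11")],
    "client": [(WEBCLIENT, "FileSizeLimitInBytes", 0xFFFFFFFF, "step 15")],
}

KEY_RE = re.compile(r"\[(.+)\]")
DWORD_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})')

def parse_reg(text):
    """Return {key: {value_name: int}} for the DWORD values in .reg text.
    Registry key and value names are case-insensitive, so both are lower-cased.
    Real exports are UTF-16; decode with encoding="utf-16" before calling.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = DWORD_RE.fullmatch(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text, role):
    """List where an export differs from the post, plus one exposure warning."""
    keys = parse_reg(text)
    findings = []
    for key, name, want, step in CHECKS[role]:
        got = keys.get(key.lower(), {}).get(name.lower())
        if got != want:
            shown = "missing" if got is None else hex(got)
            findings.append(f"{step}: {name} is {shown}, the post sets {want:#x}")
    # BasicAuthLevel: 0 = Basic disabled, 1 = Basic over SSL only,
    # 2 = Basic over SSL and plain HTTP (credentials are only base64-encoded).
    if keys.get(WEBCLIENT.lower(), {}).get("basicauthlevel") == 2:
        findings.append("step 4: BasicAuthLevel=2 allows Basic credentials over plain http")
    return findings

# Constructed sample exports, not taken from a real machine.
SAMPLE_CLIENT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
"BasicAuthLevel"=dword:00000002
"FileSizeLimitInBytes"=dword:02faf080
"""
SAMPLE_SERVER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\Parameters]
"DisableEFSOnWebDav"=dword:00000001
"""

if __name__ == "__main__":
    for role, sample in (("client", SAMPLE_CLIENT), ("fileserver", SAMPLE_SERVER)):
        print(role, audit(sample, role) or "matches the post")
```

Where the Basic Authentication warning appears on a machine that maps `http://` addresses, the post's own closing suggestion of SSL or IPSec for transport is the relevant mitigation.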

    What probably happens is that processes are using those mounts. And that those processes are not killed before the mounts are unmounted. Is there anything that uses those mounts?
