permission denied connecting to Microsoft IIS WebDav

I believe that I've just found a workaround for the issue described here: https://forums.zotero.org/discussion/10284/ms-iis-webdav-authentication-failed/ . My "debug log" looks very similar.


Issue description:
I was trying to make zotero work with my own webdav (IIS 7.5).
After configuring IIS, I was able to open the webdav directory fine with firefox or windows explorer (e.g. when copying the URL from the zotero log into the browser). However, login via zotero (Verify Server) fails with the following message:

=======================
Permission Denied
------------------------------
The WebDAV server did not accept the username and password you entered. Please check your file sync settings or contact your server administrator.
=======================


Main points about the configuration:
* Microsoft IIS
* SSL: require, clientCertificate=ignore
* https
* windows authentication enabled
* anonymous authentication disabled


Symptoms:
* able to connect, read, write via windows explorer
* able to connect and download files via firefox
* "Verify Server" fails to complete authorization, just like described in the original issue report I've mentioned.
* In all cases described above, I was using the same credentials, and I'm pretty sure there were no typos.
* my password consists of latin letters and digits, no symbols, so this definitely does not look like the issue described here: https://forums.zotero.org/discussion/49595/sync-server-did-not-accept-your-username-and-password/


Solution:
Prioritize "NTLM" authorization "provider", as described here: http://www.codeproject.com/Answers/418802/Unauthorized-Access-is-denied-due-to-invalid-c .


Questions:
(1) Could this be treated as a Zotero bug, i.e. that having the "Negotiate" provider above "NTLM" results in a complete inability to authorize?

(2) If the answer to (1) is "No", maybe it would be nice to mention this requirement in some docs? For example, this kb looks like a proper place: https://www.zotero.org/support/kb/webdav_services .
  • >> After configuring IIS, I was able to open the webdav directory fine with firefox or windows explorer (e.g. when copying the URL from the zotero log into the browser).
    Note that these are just GET requests, and it's possible you have IIS set to serve files without authorization (and you probably want to fix that if so). Do you have to put in your password when pasting that URL into a fresh Firefox session? It's also possible that Firefox is using HTTP Negotiate, which Zotero and most other WebDAV clients don't support (because it's a more-or-less Microsoft-specific authentication extension, and would almost never be expected when a non-Microsoft-specific tool was said to support "WebDAV").
    >> (2) If the answer to (1) is "No", maybe it would be nice to mention this requirement in some docs? For example, this kb looks like a proper place: https://www.zotero.org/support/kb/webdav_services .
    That page isn't really an appropriate place to mention this, since it's about WebDAV services, not WebDAV servers. This is really just a server configuration issue, but it's possible we can check for the HTTP Negotiate header and display an appropriate warning if authentication fails.
  • >>Do you have to put in your password when pasting that URL into a fresh Firefox session?

    Thanks for your concern. :) Yep, I had to enter that password. And I believe that I've properly configured all that encryption and certificate stuff.



    >>It's also possible that Firefox is using HTTP Negotiate

    Actually, it does not look like this, cause when I remove NTLM from "authorization providers" list, I get "HTTP Error 401.2 - Unauthorized. You are not authorized to view this page due to invalid authentication headers." error in FF.
    So, once again, both Firefox and Zotero need NTLM. But Firefox is able to authenticate even when NTLM is #2 in the list of "authorization providers". And Zotero is not....
    So, I'm not sure, if having "NTLM" as #2 instead of #1 should be treated as a "mistake in a server configuration"...



    >>That page isn't really an appropriate place to mention this, since it's about WebDAV services, not WebDAV servers.

    Hm.. I cannot really see any huge "technical differences" between "commercial" WebDav server and "home" WebDav. IMHO, "technical requirements" are the same in both cases. And, maybe, explicitly publishing this requirement, that NTLM should be #1, would even somehow simplify the process of finding an appropriate web disk service...
  • >> So, I'm not sure, if having "NTLM" as #2 instead of #1 should be treated as a "mistake in a server configuration"...
    Well, you can view the HTTP requests/headers from Firefox vs. Zotero using the Web Console to see exactly what's going on. Zotero doesn't use either NTLM or Negotiate, since those are both MS-specific. It uses HTTP Basic Auth, which is supported by every WebDAV server. If an IIS configuration breaks HTTP Basic Auth, that's definitely a server misconfiguration, by any definition of "standard WebDAV server".

    So even saying that NTLM should be first doesn't really make sense — that may have gotten Basic Auth to work on your system, but Zotero certainly isn't using NTLM.
  • >> So even saying that NTLM should be first doesn't really make sense — that may have gotten Basic Auth to work on your system

    Hmm... That would be very strange, indeed. Moreover, it is even stranger, because I don’t even have “Basic authentication” in the “Authentication” list in IIS, only “Anonymous” (which is disabled) and “Windows”.

    And it’s not even installed as a feature (“Turn Windows Features on or off -> Internet Information Services -> World Wide Web Services -> Security -> Basic Authentication” is unchecked): https://www.iis.net/configreference/system.webserver/security/authentication/basicauthentication .



    >> If an IIS configuration breaks HTTP Basic Auth, that's definitely a server misconfiguration, by any definition of "standard WebDAV server".

    Yep, I believe that it's disabled by default in IIS. IMHO, it would be nice to mention this requirement (that Zotero expects "Basic Auth." to be available) in the documentation... Even though it might sound "trivial"... If such a requirement were mentioned in the docs, I certainly would have tried "Basic Auth." first, at least :).



    >> Well, you can view the HTTP requests/headers from Firefox vs. Zotero using the Web Console to see exactly what's going on.

    Nice idea :) .
    I've just carried out such an experiment.

    1) Tools > Web Developer > Browser Console
    2) Click "Verify Server" - verification was successful, but with a warning that the file was not immediately available (although it was created successfully).
    3) In browser console I see the following:

    ============================================================
    OPTIONS
    XHR
    https://myUserName:myPassWord@myServerUrl:myPort/zotero/ [HTTP/1.1 401 Unauthorized 10ms]
    no element found zotero:1:1
    -----------------------------------------------------------------------------
    GET
    XHR
    https://myUserName:myPassWord@myServerUrl:myPort/zotero/nonexistent.prop [HTTP/1.1 404 Not Found 2ms]
    =============================================================



    “Inspect Network Request #1”:
    =============================================================
    Request URL: https://myUserName:myPassWord@myServerUrl:myPort/zotero/
    Request Method: OPTIONS
    Status Code: HTTP/1.1 401 Unauthorized
    -----------------------------------------------------------------------------
    Request Headers 16:47:15.000
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
    Host: imploopback.local:59975
    Connection: keep-alive
    Authorization: NTLM TlRMTVNTUAAblahblahblah==
    Accept-Language: en-US,en;q=0.98,ru-RU;….blah-blah-blah (other languages)
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    -----------------------------------------------------------------------------
    Response Headers Δ10ms
    WWW-Authenticate: NTLM TlRMTVNTUAAblahblahblah…==
    Server: Microsoft-HTTPAPI/2.0
    Date: Tue, 27 Oct 2015 13:47:15 GMT
    Content-Type: text/html; charset=us-ascii
    Content-Length: 341
    =============================================================



    “Inspect Network Request #2”:
    =============================================================
    Request URL: https://myUserName:myPassWord@myServerUrl:myPort/zotero/nonexistent.prop
    Request Method: GET
    Status Code: HTTP/1.1 404 Not Found
    -----------------------------------------------------------------------------
    Request Headers 16:47:15.000
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
    Host: imploopback.local:59975
    Connection: keep-alive
    Accept-Language: en-US,en;q=0.98,ru-RU;….blah-blah-blah
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    -----------------------------------------------------------------------------
    Server: Microsoft-IIS/7.5
    Persistent-Auth: true
    Date: Tue, 27 Oct 2015 13:47:15 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 5200
    Cache-Control: private
    =============================================================


    So… I’m not saying I understand what’s happening here… But there’s “NTLM” word in both “request” and “response” in “Inspect Network Request #1”.

    So… Hm.... Are you absolutely sure Zotero is not using NTLM ?
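As an added example that is not part of this thread and not Zotero's own code, here is the check the developer's reply describes: parse the WWW-Authenticate challenges of a 401 response (the response captured above offered only NTLM) and report whether the server offers HTTP Basic at all. Function names and the second sample header are assumptions.

```javascript
// Added example, not Zotero's code: parse a 401 response's WWW-Authenticate
// challenges and report which schemes the server offers. Names are assumed.
const PARAM = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*=\s*(.*)$/;   // auth-param, BWS allowed
const unquote = s => s.replace(/^"|"$/g, "");
// Split a header value on commas that are not inside a quoted-string (no backslash escapes).
function splitTopLevel(value) {
  const parts = [];
  let cur = "", quoted = false;
  for (const c of value) {
    if (c === '"') quoted = !quoted;
    if (c === "," && !quoted) { parts.push(cur); cur = ""; } else cur += c;
  }
  return [...parts, cur].map(p => p.trim()).filter(Boolean);
}

// One or more WWW-Authenticate values -> [{scheme, params, token68}]; a bare
// "name=value" piece continues the previous challenge (RFC 7235 list syntax).
function parseChallenges(headerValues) {
  const challenges = [];
  for (const value of headerValues) {
    for (const piece of splitTopLevel(value)) {
      const m = PARAM.exec(piece), last = challenges[challenges.length - 1];
      if (m) { if (last) last.params[m[1].toLowerCase()] = unquote(m[2]); continue; }
      const sp = piece.search(/\s/);
      const rest = sp < 0 ? "" : piece.slice(sp).trim(), pm = PARAM.exec(rest);
      challenges.push({
        scheme: (sp < 0 ? piece : piece.slice(0, sp)).toLowerCase(),
        params: pm ? { [pm[1].toLowerCase()]: unquote(pm[2]) } : {},
        token68: pm || !rest ? null : rest,    // e.g. the NTLM blob in the capture above
      });
    }
  }
  return challenges;
}

const WINDOWS_ONLY = new Set(["ntlm", "negotiate"]);
// Zotero sends HTTP Basic credentials, so "Basic" has to be among the offered schemes.
function diagnose401(headerValues) {
  const schemes = [...new Set(parseChallenges(headerValues).map(c => c.scheme))];
  const basicOffered = schemes.includes("basic");
  let verdict = "unsupported-scheme";
  if (basicOffered) verdict = "basic-offered";               // check the credentials themselves
  else if (schemes.length === 0) verdict = "no-challenge";
  else if (schemes.every(s => WINDOWS_ONLY.has(s))) verdict = "windows-auth-only";
  return { schemes, basicOffered, verdict };
}

// Constructed samples: the 401 captured above offered only NTLM; the second is what a
// server with Basic Authentication enabled (over HTTPS) typically sends.
const SAMPLE_IIS_401 = ["NTLM TlRMTVNTUAAblahblahblah…=="];
const SAMPLE_BASIC_401 = ['Basic realm="WebDAV", charset="UTF-8"', "Negotiate", "NTLM"];
```

Run `diagnose401(SAMPLE_IIS_401)` against the captured response and the verdict is "windows-auth-only", which is the case where a Basic-only client like Zotero can never get past the 401 no matter how the Windows providers are ordered.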