August 03, 2008

WebDAV with SSL on VISTA

A while ago I posted an article about WebDAV and SSL on Windows, and in the comments some debate arose about whether Vista supports SSL for WebDAV. I hope this article settles the question.

In short, Windows Vista DOES support SSL for WebDAV, at least with SP1 and fully patched through Windows Update as of July 26, 2008.

This is the setup I have tested.

IIS 6.0 running on Windows Server 2003 R2 Ent. Edition. Service Pack 1. English version. Serving on port 80 (HTTP) and on port 443 (HTTPS). Server certificate signed by a Windows enterprise root CA ("Example Root CA"). Sharing through WebDAV the following folder: http(s):// Anonymous access allowed.

Windows Vista Ultimate Service Pack 1. English version. Certificate of the root CA ("Example Root CA") imported into the local computer's Trusted Root Certification Authorities certificate store (this is important, see the note below about a "Select Certificate" dialog box).

Command used to map the WebDAV folder:

net use *

Output from that command (blank lines removed):

C:\Users\admin>net use *
Drive Z: is now connected to
The command completed successfully.
C:\Users\admin>net use
New connections will be remembered.
Status Local Remote Network
Z: file:// Web Client Network
The command completed successfully.
C:\Users\admin>type z:\hello1.txt
This is file hello1.txt

The network traces showed all traffic going through SSL, as expected.

If, however, the certificate presented by the web server is not signed by a CA trusted by the client, you are presented with a "Select Certificate" dialog box with an empty list of certificates and only the "Cancel" option available.

As soon as you click Cancel the command fails with the following error message, which, granted, doesn't give much of a clue as to what the real problem is:

C:\Users\admin>net use *
System error 1223 has occurred.
The operation was canceled by the user.

I hope this helps.
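A pre-flight check for the trust condition described above, as an added example that is not part of the original post: it reads the server's certificate and builds its chain in the local-computer context, the store the article says the root CA must be in. The host name `dav.example.invalid`, the function name `Test-WebDavServerTrust` and the disabled revocation check are assumptions.

```powershell
# Added example, not from the original post. Host name is a placeholder.
function Test-WebDavServerTrust {
    param(
        [string]$HostName = 'dav.example.invalid',   # placeholder, replace with your server
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: no data is sent on this
        # connection, it exists only to read the certificate for inspection.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # $true = build the chain in the machine context (local computer stores).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Assumption: look at trust only, skip CRL retrieval.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Trusted  = $trusted
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        ChainTop = $top.Subject
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$result = Test-WebDavServerTrust
$result | Format-List
if ($result.Trusted) {
    'Chain is trusted in the local computer context.'
} else {
    'Chain is NOT trusted: this is the case that ends in the empty'
    '"Select Certificate" dialog and system error 1223.'
    'Import the root CA from an elevated prompt, for example:'
    '  certutil -addstore Root <path-to-root-ca.cer>'
}
```

The check covers chain trust only; it does not compare the certificate's name with the host name used in the `net use` command.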




Brett said...

As an alternative, Vista DOES support SSL; however, you have to get the certificate first.

For example, go to https://dav.domain.tld/share in, say, Firefox 3, and when it asks for a security exception, go through the stages to allow it, but don't go all the way. In the last step (after you "Get Certificate"), click the view, then go to the advanced tab, click "Export..." and save it to your desktop.

Then go to Control Panel -> Network and Internet -> Internet Options and click on the "Content" tab and click the button "Certificates" in the Certificates section.

Import the cert you just downloaded to your desktop. Then run the Network Drive configuration wizard again; this time it will pop up a box with one certificate in there, the one you added.

Hope that helps anyone else that doesn't wish to do it via CLI.

1:19 PM  
