Mod_Auth_MSFix for Apache 2.0+WebDAV and MS Clients


Problem

When Microsoft Windows XP attempts to connect to a WebDAV server, it insanely refuses to just send the user name and password. It insists on sending either "url\username" or "username@domain". This is listed in the Microsoft Knowledge Base as a problem affecting XP and 2000. They recommend as a 'workaround' that you use the NETBIOS name for the server or enter the username in the format of 'url\username'.

Most authentication/authorization modules that come with Apache don't want this extra information. It would be handy to strip it off - conditionally. This helps to keep the Apache authentication processes available to even problematic clients.

NOTE: This problem does not affect Macromedia Dreamweaver MX. That product works like a charm with Apache WebDAV. This problem affects MS IE and MS WebFolders.

Solution

This module will re-write the Basic authorization header that comes from Microsoft's WebDAV clients. It has only been tested with Windows XP, but sufficient flexibility is available to make it work with most systems.
When it is enabled and working in an 'AuthType Basic' location it will check any client header against a pattern and see if this request should be affected.

If the header record from the client matches the pattern(s) it will iterate through a list of solutions until it finds a matching one. If none are found it will ignore the request and let it pass through unaltered. This module corrects the fact that MS won't fix a big ol' bug in their WebDAV support. It took about 3 hours to write/test (but another 1.5 days to write it all up and test over and over.)


SEE: Testing Notes

Configuration

Version 0.2.1 only has four configuration commands:
  AuthMSFix On/Off

Turn this module on. You must also have 'AuthType Basic' and authorization on for the directory/location in order for this module to have any effect.

  AuthMSFixDebug On/Off

This is for debugging purposes only. It will fill your error log with a whole bunch of ugly messages (at error level 'LOG_ERR'). However, if you think the module isn't working or you are having trouble getting it to work for you, go ahead and use it. It may give you a clue as to what is happening with headers and patterns.

  AuthMSFixOnHeader HEADER REGEX

If a HEADER line from the client (for example "User-Agent") matches the regular expression then it will process the client request. If it cannot find a matching entry the module will do nothing.

A typical entry would be:

  AuthMSFixOnHeader User-Agent "Microsoft.*Webdav"

  AuthMSFixMatch USER-PATTERN SUBSTITUTION-PATTERN

Match the username against the user-pattern and then apply the substitution-pattern. This is similar to what Perl does with s/USER-PATTERN/SUBSTITUTION-PATTERN/i

There can be up to 10 subscripted matches in the USER-PATTERN. The one I use against MS-XP is:

AuthMSFixMatch "^.*\\\\(.*)$" "$1"

If you want to match a single backslash in a string (i.e. domain\user) you need to escape it, and escape each of those escapes (escape-backslash + escape-backslash). This is specified as four backslashes (\\\\).

Examples

(1) Get rid of local domains in usernames, but let others pass through:

AuthMSFix ON
AuthMSFixOnHeader User-Agent "Microsoft.*Webdav"
AuthMSFixMatch "www.yourdomain.com\\\\" "$1"
AuthMSFixMatch "(.*)@(www\\.)*yourdomain.com" "$1"

(2) Just check for the usual MS XP stuff:

AuthMSFix ON
AuthMSFixOnHeader User-Agent "Microsoft.*Webdav"
AuthMSFixMatch ".*\\\\(.*)" "$1"
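
Added example, not part of the original README or the module's source: a Python model of the rewrite described under Configuration, useful for checking AuthMSFixMatch rules against sample usernames before deploying them. It assumes case-insensitive, first-match-wins substitution as the text describes; the LOCAL_ONLY rules, the sample User-Agent string and all function names are constructed for illustration.

```python
import base64
import re

# Header gate from the page. User-Agent is client-supplied, so it only selects
# which requests get rewritten; it is not an access control.
ON_HEADER = ("User-Agent", re.compile(r"Microsoft.*Webdav", re.I))

# Patterns as the regex engine sees them (httpd.conf "\\\\" is one literal "\").
CATCH_ALL = [(r"^.*\\(.*)$", "$1")]                     # the page's XP rule
LOCAL_ONLY = [(r"^www\.yourdomain\.com\\(.*)$", "$1"),  # constructed variants
              (r"^(.*)@(www\.)*yourdomain\.com$", "$1")]

def fix_username(user, rules):
    """First matching rule wins, applied like s/PATTERN/SUBST/i; else unchanged."""
    for pattern, subst in rules:
        regex = re.compile(pattern, re.I)
        if regex.search(user):
            template = re.sub(r"\$(\d)", r"\\g<\1>", subst)  # $1 -> \g<1>
            return regex.sub(template, user, count=1)
    return user

def rewrite_authorization(headers, rules):
    """Return the Authorization value the downstream auth modules would see."""
    auth = headers.get("Authorization", "")
    name, gate = ON_HEADER
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not gate.search(headers.get(name, "")):
        return auth
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except ValueError:  # malformed base64: pass through unaltered
        return auth
    user, sep, password = raw.partition(":")  # password may itself contain ":"
    if not sep:
        return auth
    fixed = fix_username(user, rules) + ":" + password
    return "Basic " + base64.b64encode(fixed.encode("latin-1")).decode("ascii")

def basic(user, password):
    """Build a constructed sample header value."""
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    xp = {"User-Agent": "Microsoft-WebDAV-MiniRedir/5.1.2600",  # constructed request
          "Authorization": basic(r"otherdomain\alice", "pw")}
    print(rewrite_authorization(xp, LOCAL_ONLY) == xp["Authorization"])
    print(rewrite_authorization(xp, CATCH_ALL) == basic("alice", "pw"))
```

With the catch-all rule, otherdomain\alice and alice reach the authentication module as the same account, while the anchored local-only rules leave usernames from other domains untouched.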

Contents

README - this file in text format
INSTALL - installation instructions
CHANGES - release notes
makefile - the makefile
mod_auth_msfix.c - source for the module
mod_auth_msfix.html - This file in HTML format.

Distribution

This software is distributed under the GNU License (GPL). You may redistribute or modify it under the terms of this license. (Just remember to include my name and copyright.)

No warranty is implied or expressed. If this module makes your life hell and eats your children, you waive your right to legal action, spamming, threats, and overall unpleasant behaviour.

If you find this helpful -- good. If you find it a godsend you need to get out more. Perhaps to buy me a beer.

Testing Notes

Macromedia Dreamweaver MX works like a charm and does NOT need this module. Good work to Macromedia. You can safely bypass Macromedia's client (Dreamweaver). It will be bypassed if you set up the 'OnHeader' patterns to only affect MS.

MS IE 6.0 and MS XP "Network Places" may or may not allow 'user@location', doesn't always try to authorize, doesn't always send passwords, doesn't seem to remember passwords, and may not work the first time. In all tested cases I just ... retried. Over and over. Eventually it worked. Well...usually.

I found that 'server\username' works the best. In order to find this out - since I thought it was THIS module screwing up - I created and used the AuthMSFixDebug ON option. Dump, dump, dump.... . Aside from lots of cleanup and frustration it finally DID connect and I watched as MS clients didn't do what they were supposed to do.

Also, while the Dreamweaver product connects and updates web pages fairly quickly, the Microsoft XP WebDAV clients are s..l..o..w. This is not the fault of using this module; it has very little overhead and is really very fast. (I tried it with Dreamweaver and had it change the username to username.) Perhaps the MS Clients may be trying other protocols first in hopes of chatting up the MS IIS product?

Microsoft - What an XPerience.