Windows 7 HTTPS WebDAV Authentication Loop: Debugging Dual Password Prompts and Connection Failures


5 views

When implementing SabreDAV on Cherokee with HTTPS and Digest authentication, Windows 7 clients exhibit a peculiar behavior: requesting credentials twice before failing with "The folder you entered does not appear to be valid." This occurs despite proper configuration and third-party client functionality.

The following registry tweaks were applied without success:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
"BasicAuthLevel"=dword:00000002
"UseBasicAuth"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableLoopbackCheck"=dword:00000001

NET USE attempts yield specific error codes:

C:\>net use * https://dav.example.com/ /user:username password
System error 59 has occurred.
An unexpected network error occurred.

C:\>net use * https://dav.example.com/
System error 1790 has occurred.
The specified network password is not correct.

The SabreDAV server configuration should explicitly declare Digest authentication:

<?php
$authBackend = new Sabre\DAV\Auth\Backend\PDO($pdo);
$authBackend->setRealm('SabreDAV');
$server = new Sabre\DAV\Server($tree);
$authPlugin = new Sabre\DAV\Auth\Plugin($authBackend, 'SabreDAV');
$server->addPlugin($authPlugin);
?>

For temporary workarounds, consider these approaches:

// PowerShell WebDAV connection
$cred = Get-Credential
New-PSDrive -Name W -PSProvider FileSystem -Root "\\dav.example.com@SSL\path" -Credential $cred -Persist

// Java client example
WebdavResource wdr = new WebdavResource("https://dav.example.com/", "username", "password");
wdr.setProperties(WebdavResource.PROPERTY_QUOTA_AVAILABLE_BYTES);

Additional troubleshooting steps specific to Windows 7:

  1. Ensure WebClient service is running (net start webclient)
  2. Add site to Trusted Sites in Internet Options
  3. Disable IE Enhanced Security Configuration
  4. Try mapping with FQDN instead of IP address

Use these tools to diagnose the authentication handshake:

// Fiddler script to monitor WebDAV traffic
FiddlerObject.UI.lvSessions.AddBoundColumn("Auth", 50, "X-Credentials");
if (oSession.oRequest.headers.Exists("Authorization")) {
    return oSession.oRequest["Authorization"].Substring(0,15) + "...";
}
return "No Auth";

After extensive testing with various clients and server configurations, I've identified a specific pattern with Windows 7's WebDAV client implementation. The core symptoms manifest as:

  • Double password prompt with Digest authentication
  • Subsequent "invalid folder" error despite correct credentials
  • Successful connections from other clients (BitKinex, AnyClient, browsers)

First, ensure your SabreDAV server is properly configured with HTTPS. Here's a sample configuration snippet:


$server = new \Sabre\DAV\Server($rootNode);
$server->setBaseUri('/dav/');

// Enable Digest authentication
$authBackend = new \Sabre\DAV\Auth\Backend\PDO($pdo);
$auth = new \Sabre\DAV\Auth\Plugin($authBackend, 'SabreDAV');
$server->addPlugin($auth);

// Add SSL support
$server->addPlugin(new \Sabre\DAV\Browser\Plugin());

After testing numerous registry modifications, these approaches showed the most promise:

Option 1: BasicAuthLevel Registry Hack


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
"BasicAuthLevel"=dword:00000002

This forces the WebClient service to use Basic authentication over SSL, which may resolve the double prompt issue.

Option 2: WebDAV Redirector Service Modification


sc config WebClient start= auto
net stop WebClient
net start WebClient

If native mapping continues to fail, consider these alternatives:

Using NET USE Command with Correct Syntax


net use * https://dav.example.com/path /user:domain\username password /persistent:yes

Note the critical differences from standard syntax:

  • Asterisk (*) for automatic drive letter assignment
  • Full path including subdirectory
  • Domain prefix in username (even if using local accounts)

To analyze the authentication flow:


1. Install Fiddler and enable HTTPS decryption
2. Configure Tools > Options > HTTPS:
   - Check "Decrypt HTTPS traffic"
   - Check "Ignore server certificate errors"
3. Reproduce the WebDAV connection attempt
4. Analyze the 401 challenges in the traffic log

For environments where you control both server and clients:


// In SabreDAV configuration:
$server->addPlugin(new \Sabre\DAV\Browser\Plugin());
$server->addPlugin(new \Sabre\DAV\Browser\GuessContentType());

// Configure client certificate authentication
$auth = new \Sabre\DAV\Auth\Plugin(
    new \Sabre\DAV\Auth\Backend\Apache(),
    'My WebDAV Service'
);

Before concluding the setup:

  1. Verify server SSL certificate chain is complete
  2. Check that OPTIONS request returns correct WebDAV headers
  3. Confirm PROPFIND works with cURL: curl -X PROPFIND https://dav.example.com -u user:pass
  4. Test with different WebDAV clients to isolate Windows 7 specific issues