WebDAV Authentication and Security
Topic Last Modified: 2006-06-11
Basic authentication and Integrated Windows Authentication are enabled, and anonymous access is disabled, by default on new and existing HTTP virtual servers and directories for Microsoft® Exchange Server 2007. If Basic Authentication is used to communicate with the Exchange server, the user's credentials are transmitted over the wire in clear text, making it possible for third parties to discover a user's credentials using network monitoring or packet sniffing tools. If NTLM or Kerberos authentication is used, the user's credentials are not transmitted in clear text.
When a WebDAV method request is made on a server using the Microsoft XML (MSXML) XMLHTTP object or the Microsoft .NET Framework System.Net.HttpWebRequest object, the server will return the authentication methods possible and the client will choose the more secure one that it supports. So, if both Basic and Integrated Windows Authentication are enabled on a virtual server or directory the client is connecting to, the client will choose NTLM authentication or Kerberos authentication (if it is enabled) over Basic Authentication. It is recommended that Integrated Windows Authentication not be disabled on virtual directories or servers, since Basic Authentication will then be used.
If NTLM or Kerberos authentication is being used in WebDAV method requests made on an Exchange store through a front-end server, the Keep-Alive header must be set to True or the request will not be passed on to the back-end server.
Regardless of the authentication technique being used in WebDAV method requests, the data is transmitted over the wire in plain text in an XML stream. It is possible for third parties to discover this data using network monitoring or packet sniffing tools. For WebDAV client applications that exchange critical or sensitive information with the Exchange server, it is recommended that Secure Sockets Layer (SSL) be used to encrypt the data. If SSL is used in a WebDAV method request, then "https://", not "http://", must be used at the beginning of the resource Uniform Resource Identifier (URI).
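The following is an added example, not code from this article or from Microsoft, showing the client-side decisions the article describes: parsing the WWW-Authenticate challenge a server returns, choosing Kerberos (offered as "Negotiate") or NTLM over Basic, refusing to send Basic credentials or sensitive XML over plain http://, and setting Keep-Alive for NTLM/Kerberos requests that pass through a front-end server. The sample challenge and the host name mail.example.com are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Preference order the article describes: Kerberos (offered as "Negotiate") or
# NTLM is chosen over Basic whenever the server offers it.
SCHEME_PREFERENCE = ("Negotiate", "NTLM", "Basic")

# Constructed sample WWW-Authenticate values from a 401 response of a virtual
# directory with both Integrated Windows Authentication and Basic enabled.
SAMPLE_CHALLENGE = ['Negotiate', 'NTLM', 'Basic realm="mail.example.com"']


def parse_www_authenticate(header_values: List[str]) -> List[str]:
    """Return the scheme names offered in one or more WWW-Authenticate values.
    Each challenge starts with a scheme token; name=value parameters such as
    realm="..." contain '=' or quotes and are skipped."""
    schemes: List[str] = []
    for value in header_values:
        for challenge in value.split(","):
            parts = challenge.strip().split(None, 1)
            first = parts[0] if parts else ""
            if re.fullmatch(r"[A-Za-z][\w-]*", first) and first not in schemes:
                schemes.append(first)
    return schemes


def choose_scheme(offered: List[str]) -> Optional[str]:
    """Pick the most secure offered scheme, as XMLHTTP and HttpWebRequest do."""
    lowered = {s.lower() for s in offered}
    for preferred in SCHEME_PREFERENCE:
        if preferred.lower() in lowered:
            return preferred
    return None


def build_request_headers(uri: str, scheme: str, sensitive: bool = True) -> Dict[str, str]:
    """Headers for a WebDAV method request under the article's rules:
    Basic only over https:// (credentials are otherwise clear text), sensitive
    XML bodies only over https://, and Keep-Alive for NTLM/Kerberos so a
    front-end server forwards the request to the back-end."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("URI must begin with http:// or https://")
    if parts.scheme != "https" and (scheme == "Basic" or sensitive):
        raise ValueError("plain http:// would expose credentials or data; use https://")
    headers = {"Content-Type": "text/xml", "Depth": "1"}
    if scheme in ("Negotiate", "NTLM"):
        headers["Connection"] = "Keep-Alive"  # wire form of HttpWebRequest.KeepAlive = True
    return headers
```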