Posted to dev@httpd.apache.org by Emmanuel Dreyfus <ma...@netbsd.org> on 2017/03/29 13:05:48 UTC

[PATCH] MS Office webDAV interoperability, MS-OFBA support

Hello

If you tried to use mod_dav_fs with recent MS Office on Windows,
you probably had the unpleasant experience of being prompted for
authentication every time an MS Office program is started. This
is because it has its own WebDAV client and it does not use the
Windows network drive.

There are various workarounds [1], one of them being to implement
MS-OFBA [2] which stands for Office Forms Based Authentication. It
works this way:

- An OFBA-capable client sends an unauthenticated OPTIONS request. 
  OFBA capability is advertised either by a specific HTTP header, or 
  through a list of specified User-Agent strings.

- The server replies with HTTP status 403 FORBIDDEN with OFBA-specific
  headers pointing to a form where authentication should happen

- The client invokes MS Internet Explorer or Edge and displays the form.
  Once authentication is done, it obtains a session cookie which is shared
  among all OFBA capable clients, until it expires.

- MS Office now accesses the WebDAV share using the session cookie, and it
  does not prompt for authentication anymore.

I crafted a patch that implements MS-OFBA in mod_auth_form [3]. It
depends on 4 previously filed changes [4, 5, 6, 7]. I have not yet
filed a bug report in bugzilla for the mod_auth_form.c [3] patch
because it probably needs to be improved a bit.

Here is the problem: if OFBA is enabled and mod_auth_form detected
an unauthenticated OFBA-capable client, it must reply with an HTTP
status 403, with OFBA headers. For now I do that by registering an
output filter so that I can regain control after authentication
and detect that the client was not authenticated. Is there a better
suited hook for that?

Any other comment on the patches? An Apache WebDAV server playing
better with MS Office would be a great benefit, hence I hope this
will get some interest.


[1] https://support.microsoft.com/en-us/help/2019105/authentication-requests-when-you-open-office-documents
[2] https://msdn.microsoft.com/en-us/library/office/cc313069(v=office.12).aspx
[3] https://ftp.espci.fr/shadow/manu/patch20170329-modules_aaa_mod_auth_form.c
[4] https://bz.apache.org/bugzilla/show_bug.cgi?id=60908
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=60909
[6] https://bz.apache.org/bugzilla/show_bug.cgi?id=60708
[7] https://bz.apache.org/bugzilla/show_bug.cgi?id=60910

-- 
Emmanuel Dreyfus
manu@netbsd.org
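
The server-side decision in the OFBA flow described in the message above, as an added example that is not taken from the linked mod_auth_form patch and does not use the httpd API. The header names are those of the MS-OFBA specification; the URLs, the User-Agent substrings, the 401 fallback for other clients and the rule that an explicit header overrides the User-Agent match are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Response header names from the MS-OFBA specification. */
#define H_REQUIRED   "X-FORMS_BASED_AUTH_REQUIRED"
#define H_RETURN_URL "X-FORMS_BASED_AUTH_RETURN_URL"

/* Assumptions: placeholder URLs and a constructed User-Agent list. */
#define LOGIN_URL   "https://dav.example.org/login.html"
#define SUCCESS_URL "https://dav.example.org/login-ok.html"
static const char *ofba_agents[] = { "Microsoft Office", "MSOffice", NULL };

struct request {
    const char *ofba_accepted; /* X-FORMS_BASED_AUTH_ACCEPTED value, or NULL */
    const char *user_agent;    /* User-Agent value, or NULL */
    int has_session;           /* 1 if a valid session cookie was presented */
};

/* Capability check: an explicit header wins ("t"/"T" means yes, any other
 * value no); without it, fall back to User-Agent substrings. */
int ofba_capable(const struct request *r)
{
    const char *v = r->ofba_accepted;
    if (v)
        return (v[0] == 't' || v[0] == 'T') && v[1] == '\0';
    for (int i = 0; r->user_agent && ofba_agents[i]; i++)
        if (strstr(r->user_agent, ofba_agents[i]))
            return 1;
    return 0;
}

/* Returns the HTTP status; on 403 writes the OFBA headers into hdrs. */
int ofba_decide(const struct request *r, char *hdrs, size_t len)
{
    hdrs[0] = '\0';
    if (r->has_session)
        return 200;   /* session cookie accepted, no prompt */
    if (!ofba_capable(r))
        return 401;   /* other clients get the ordinary challenge */
    snprintf(hdrs, len, "%s: %s\r\n%s: %s\r\n",
             H_REQUIRED, LOGIN_URL, H_RETURN_URL, SUCCESS_URL);
    return 403;
}

int main(void)
{
    /* Constructed request: unauthenticated OPTIONS from an OFBA client. */
    struct request office = { "t", "Microsoft Office Word 2014", 0 };
    char hdrs[256];
    printf("%d\n%s", ofba_decide(&office, hdrs, sizeof hdrs), hdrs);
    return 0;
}
```

The capability check only selects which challenge an unauthenticated client receives; access still depends on the session cookie, so a spoofed header or User-Agent gains nothing beyond the 403 and the form URL.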

Re: [PATCH] MS Office webDAV interoperability, MS-OFBA support

Posted by Emmanuel Dreyfus <ma...@netbsd.org>.
Hello

This contribution has not met an enthusiastic reaction. No comment, anyone?

On Wed, Mar 29, 2017 at 01:05:48PM +0000, Emmanuel Dreyfus wrote:
> Hello
> 
> If you tried to use mod_dav_fs with recent MS Office on Windows,
> you probably had the unpleasant experience of being prompted for
> authentication every time an MS Office program is started. This
> is because it has its own WebDAV client and it does not use the
> Windows network drive.
> 
> There are various workarounds [1], one of them being to implement
> MS-OFBA [2] which stands for Office Forms Based Authentication. It
> works this way:
> 
> - An OFBA-capable client sends an unauthenticated OPTIONS request. 
>   OFBA capability is advertised either by a specific HTTP header, or 
>   through a list of specified User-Agent strings.
> 
> - The server replies with HTTP status 403 FORBIDDEN with OFBA-specific
>   headers pointing to a form where authentication should happen
> 
> - The client invokes MS Internet Explorer or Edge and displays the form.
>   Once authentication is done, it obtains a session cookie which is shared
>   among all OFBA capable clients, until it expires.
> 
> - MS Office now accesses the WebDAV share using the session cookie, and it
>   does not prompt for authentication anymore.
> 
> I crafted a patch that implements MS-OFBA in mod_auth_form [3]. It
> depends on 4 previously filed changes [4, 5, 6, 7]. I have not yet
> filed a bug report in bugzilla for the mod_auth_form.c [3] patch
> because it probably needs to be improved a bit.
> 
> Here is the problem: if OFBA is enabled and mod_auth_form detected
> an unauthenticated OFBA-capable client, it must reply with an HTTP
> status 403, with OFBA headers. For now I do that by registering an
> output filter so that I can regain control after authentication
> and detect that the client was not authenticated. Is there a better
> suited hook for that?
> 
> Any other comment on the patches? An Apache WebDAV server playing
> better with MS Office would be a great benefit, hence I hope this
> will get some interest.
> 
> 
> [1] https://support.microsoft.com/en-us/help/2019105/authentication-requests-when-you-open-office-documents
> [2] https://msdn.microsoft.com/en-us/library/office/cc313069(v=office.12).aspx
> [3] https://ftp.espci.fr/shadow/manu/patch20170329-modules_aaa_mod_auth_form.c
> [4] https://bz.apache.org/bugzilla/show_bug.cgi?id=60908
> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=60909
> [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=60708
> [7] https://bz.apache.org/bugzilla/show_bug.cgi?id=60910
> 
> -- 
> Emmanuel Dreyfus
> manu@netbsd.org

-- 
Emmanuel Dreyfus
manu@netbsd.org