mod_auth_msfix - An Apache 2.0 module for fixing the authorization header coming from Microsoft Webdav agents. by Charles Gentry email: (you have to put this together - reducing spam!) mod_auth_msfix AT luluware.com Copyright 2003 - Charles Gentry PROBLEM: When Microsoft Windows XP attempts to connect to a webdav server, it insanely refuses to just send the user name and password. It insists that it send either "url\username" or "username@domain". This is listed in the Microsoft Knowledge Base as a problem affecting XP and 2000. They recommend as a 'workaround' that you use the NETBIOS name for the server or enter the username in the format of 'url\username'. Most authentication/authorization modules that come with Apache don't want this extra information .It would be handy to strip it off - conditionally. This helps to keep the Apache authentication processes available to even problematic clients. NOTE: This problem does not affect Macromedia Dreamweaver MX. That product works like a charm with Apache WebDAV. This problem affects MS IE and MS WebFolders SOLUTION: This module will re-write the Basic authorization header that comes from Microsoft's Webdav clients'. It has only been tested with Windows XP, but sufficient flexibility is available to make it work with most systems. When it is enabled and working in a 'AuthType BASIC' location it will check any client header against a pattern and see if this request should be affected. If the header record from the client matches the pattern(s) it will iterates through a list of solutions until it finds a matching one. If none are found it will ignore the request and let it pass through unaltered. This module corrects the fact that MS won't fix a big ol' bug in their WEBDAV support. It took about 3 hours to write/test (but another 1.5 days to write it all up and test over and over.) SEE: Testing Notes at the end. Configuration: Version 0.2 only has four configuration commands: AuthMSFix on Turn this feature on. Only in a Directory/Location context. AuthMSFixDebug ON This is debug. it will fill your logs with a whole bunch of ugly messages. However ... if you think the module isn't working and you can't figure out why ... go ahead and use it. It should give you a clue. AuthMSFixOnHeader HEADER REGEX If the HEADER (for example "User-Agent") matches the REGEX then it will process the request against the list of solutions. A typical entry would be: AuthMSFixOnHeader User-Agent "Microsoft.*Webdav" AuthMSFixMatch USER-PATTERN SUBSTITUTION-PATTERN Match the username against the user-pattern and then apply the substitution-pattern. This is similar to what PERL does with s/USER-PATTERN/SUBSTITUTION-PATTERN/i There can be up to 10 subscripted matches in the USER-PATTERN. The one I use against MS-XP is: AuthMSFixMatch "^.*\\\\(.*)$" "$1" If you want to match a single backslash in a string ( ie domain\user ) you need to escape it, and escape each of those (escape-backslash + escape-backslash ). This is specified as four backslashes (\\\\). All patterns are case-insensitive. Currently it is compiled this way and there is no way to disable it. EXAMPLES: (1) Get rid of local domains in usernames, but let others pass through: AuthMSFix ON AuthMSFixOnHeader User-Agent "Microsoft.*Webdav" AuthMSFixMatch "www.yourdomain.com\\\\" "$1" AuthMSFixMatch "(.*)@(www\\.)*yourdomain.com" "$1" (2) Just check for the usual MS XP stuff: AuthMSFix ON AuthMSFixOnHeader User-Agent "Microsoft.*Webdav" AuthMSFixMatch ".*\\\\(.*)" "$1" TESTING NOTES: Macromedia Dreamweaver MX works like a charm and does NOT need this module. Good work to Macromedia! You can safely bypass Macromedia's client (Dreamweaver). It will be bypassed if you use the 'OnHeader' setting to only affect MS. MS IE 6.0 and MS XP "Network Places" may or may not allow 'user@location', doesn't always try to authorize, doesn't always send passwords, doesn't seem to remember passwords, and may not work the first time. In all tested cases I just ... retried. Over and over. Eventually it worked. Well...usually. I found that 'server\username' works the best. In order to find this out - since I thought it was THIS module screwing up - I added the AuthMSFixDebug option. Ddump, dump, dump.... . Aside from lots of cleanup and frustration it finally DID connect and I watched as MS clients didn't do what they were supposed to do. Microsoft - are you Xperienced? In What?? Contents: README - this file INSTALL - installation instructions CHANGES - release notes makefile - the makefile mod_auth_msfix.c - source for the module Distribution: This software is distributed under the GNU License (GPL). You may redistribute or modify it under this license - and as it says you must include the author's name and copyright. No warranty is implied or expressed. If this module makes your life hell and eats your children you waive your right to legal action, spamming, threats, and overall unpleasant behaviour. If you find this helpful, good. If you find it a godsend you need to get out more. Perhaps to buy me a beer.