Configuring WebDAV authentication on a shared hosted server
Posted on 2006-05-16
Our Web site is currently hosted by an ISP running Windows 2K3 server and IIS 6.0. We would like to enable WebDAV over SSL to allow our clients to upload and download files to and from this site, as a more secure alternative to FTP. I am somewhat familiar with WebDAV functionality, but am stumbling when it comes to configuring the security. Unfortunately, the employees at the ISP, while they have confirmed that WebDAV is enabled on their server, have no experience with it at all and aren't in a position to help me figure it out.
Since the ISP (naturally) does not allow us to configure IIS, Windows, or NTFS permissions directly (they provide an application called Plesk for administration, but I am not clear how it relates to IIS or Windows), I have been testing this on a Web server on our LAN. My feeling is that, if I could somehow get it working locally, I could walk the ISP through configuring it on their end.
As I understand it, there are 5 options for WebDAV authentication in IIS 6: anonymous access, Integrated Windows authentication, digest authentication, basic authentication, or .NET Passport authentication. I have been successful in uploading files to and downloading files from our internal server over WebDAV using both anonymous access and Integrated Windows authentication, but neither of those seems like an option for the Web site -- anonymous for obvious reasons and Integrated Windows because I don't see how adding our clients to the ISP's Active Directory is a practical option, even if they would let us do that (which I am sure they would not).
Unfortunately, I cannot seem to figure out how to configure things so that I can upload or download files using digest, basic, or Passport authentication. I am also unsure which of the options, assuming I could get *any* of them to work, would be the most appropriate. For instance, I have seen contradictory information on whether using basic authentication over an HTTPS connection is secure. Can basic auth passwords be deciphered even if the connection is SSL encrypted? I don't see how, but some of the information I have read seems to suggest that.
I have Googled until I am blue in the face, and have found many articles about configuring WebDAV, but none that seem to address a situation like ours where we do not have direct access to IIS, NTFS, or Windows configuration settings. Can anyone help me get this figured out?