
Tuesday, December 11, 2007

Authentication and Security Using WebDAV

Authentication

Basic authentication and Integrated Windows Authentication are enabled and anonymous access is disabled by default on new and existing HTTP virtual servers and directories for Microsoft® Exchange Server 2003. If Basic Authentication is used to communicate with the Exchange server, then the user's credentials are transmitted over the wire in clear text, making it possible for third parties to discover a user's credentials using network monitoring or packet sniffing tools. If NTLM or Kerberos authentication is used, the user's credentials are not transmitted in clear text.

When a WebDAV method request is made on a server using the Microsoft XML (MSXML) XMLHTTP object or the Microsoft .NET Framework System.Net.HttpWebRequest object, the server returns the authentication methods it accepts and the client chooses the most secure one that it supports. So, if both Basic and Integrated Windows Authentication are enabled on the virtual server or directory the client is connecting to, the client will choose NTLM authentication or Kerberos authentication (if it is enabled) over Basic Authentication. It is recommended that Integrated Windows Authentication not be disabled on virtual directories or servers, since Basic Authentication will then be used.

If NTLM or Kerberos authentication is being used in WebDAV method requests made on an Exchange store through a front-end server, the Keep-Alive header must be set to True or the request will not be passed on to the back-end server.
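The following C# sketch is an added example, not code from the original post. It shows a WebDAV PROPFIND made with System.Net.HttpWebRequest that supplies credentials only for Negotiate (Kerberos/NTLM) and NTLM, so the client has nothing to send in answer to a Basic challenge, and that sets KeepAlive as described above. The server URL is a hypothetical placeholder, and the code assumes the .NET Framework and the logged-on user's Windows credentials.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

class WebDavIntegratedAuthExample
{
    static void Main()
    {
        // Hypothetical mailbox URL; replace with a real Exchange WebDAV resource.
        var uri = new Uri("http://exchange.example.com/exchange/user1/Inbox/");

        // Register the logged-on user's credentials for Negotiate (Kerberos/NTLM)
        // and NTLM only. With no "Basic" entry, a Basic challenge gets no
        // credentials, so the password is never sent in clear text.
        var cache = new CredentialCache();
        cache.Add(uri, "Negotiate", CredentialCache.DefaultNetworkCredentials);
        cache.Add(uri, "NTLM", CredentialCache.DefaultNetworkCredentials);

        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Method = "PROPFIND";
        request.Credentials = cache;
        request.KeepAlive = true;   // required for NTLM/Kerberos through a front-end server
        request.ContentType = "text/xml";
        request.Headers.Add("Depth", "0");

        byte[] body = Encoding.UTF8.GetBytes(
            "<?xml version=\"1.0\"?>" +
            "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname/></D:prop></D:propfind>");
        request.ContentLength = body.Length;

        try
        {
            using (Stream s = request.GetRequestStream()) s.Write(body, 0, body.Length);
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("Status: {0} {1}", (int)response.StatusCode, response.StatusDescription);
        }
        catch (WebException ex)
        {
            var resp = ex.Response as HttpWebResponse;
            if (resp == null) throw;
            // On 401, list the schemes the server offered; only "Basic" here means
            // Integrated Windows Authentication is disabled on the directory.
            Console.WriteLine("Failed: {0}", (int)resp.StatusCode);
            foreach (string v in resp.Headers.GetValues("WWW-Authenticate") ?? new string[0])
                Console.WriteLine("  offered: {0}", v);
        }
    }
}
```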

 

 
