Cannot access remotely stored content by using WebDAV in Windows Server 2003 (830576)



The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition

SYMPTOMS

When you try to use Web Distributed Authoring and Versioning (WebDAV) to access remotely stored content, you are unsuccessful.

CAUSE

This issue occurs if both of the following conditions are true:
  • You try to access the remotely stored content as a user from a trusted domain that is located in a different forest.
  • There is an external cross-forest trust configured between the two domains.
External trusts only support Integrated Windows authentication (formerly called NTLM) for user access. Therefore, typical Server Message Block (SMB) access to the target share that you reference in the WebDAV directory is unsuccessful.

In this scenario, Microsoft Internet Information Services (IIS) pass-through authentication is unsuccessful even if protocol transition is enabled for IIS. Protocol transition for Integrated Windows authentication only works in the same forest. This is because a transitive Kerberos trust is available in the forest. A transitive Kerberos trust enables IIS to issue a Kerberos ticket on behalf of the requesting user (delegation). A transitive Kerberos trust is not available over an external cross-forest trust because the external Kerberos realm is unknown in your forest.

RESOLUTION

To resolve this issue, and to enable Kerberos routing, configure bidirectional trusts between the forests.

MORE INFORMATION

The behavior occurs because the trusted domain object (TDO) of an external trust does not contain the required forest trust information. The Forest Trust Information attribute contains information about all the domains in the remote forest, the tree names, and any alternative name suffixes. This information is used to route authentication requests and lookup requests to the remote forest when required.
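The following PowerShell sketch is an added example, not part of the original article. It classifies trusted domain objects by their trustAttributes flags and reports whether Kerberos routing can work as described above. The function name and the sample records are constructed for illustration; the flag values are those defined for the trustAttributes attribute.

```powershell
# Added example, not from the KB article. Flag values: trustAttributes definition.
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08   # set on forest trusts
$TRUST_ATTRIBUTE_WITHIN_FOREST     = 0x20   # set on parent-child / tree-root trusts
$TRUST_DIRECTION_BIDIRECTIONAL     = 3      # 1 = inbound, 2 = outbound

# Hypothetical helper: decides whether a TDO can route Kerberos requests.
function Get-TrustRoutingStatus {
    param(
        [string] $Name,
        [int]    $TrustAttributes,
        [int]    $TrustDirection,
        [bool]   $HasForestTrustInfo   # is msDS-TrustForestTrustInfo populated?
    )
    $kind = if ($TrustAttributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        'IntraForest'
    } elseif ($TrustAttributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
        'Forest'
    } else {
        'External'
    }
    $routable = $false
    if ($kind -eq 'IntraForest') {
        $routable = $true; $note = 'same forest, transitive Kerberos trust'
    } elseif ($kind -eq 'External') {
        $note = 'external trust: TDO has no forest trust information'
    } elseif (-not $HasForestTrustInfo) {
        $note = 'forest flag set but msDS-TrustForestTrustInfo is empty'
    } elseif ($TrustDirection -ne $TRUST_DIRECTION_BIDIRECTIONAL) {
        $note = 'one-way forest trust; the resolution calls for bidirectional'
    } else {
        $routable = $true; $note = 'bidirectional forest trust'
    }
    [pscustomobject]@{ Name = $Name; Kind = $kind; KerberosRoutable = $routable; Note = $note }
}

# Constructed sample TDO values (not taken from a real directory).
Get-TrustRoutingStatus 'child.corp.example' 0x20 3 $false
Get-TrustRoutingStatus 'partner.example'    0x04 3 $false   # external, quarantined
Get-TrustRoutingStatus 'forest-b.example'   0x08 3 $true
Get-TrustRoutingStatus 'forest-c.example'   0x08 2 $true

# Live input on a domain-joined host (ADSI result keys are lowercase):
#   ([adsisearcher]'(objectClass=trustedDomain)').FindAll() | ForEach-Object {
#       $p = $_.Properties
#       Get-TrustRoutingStatus $p['name'][0] $p['trustattributes'][0] `
#           $p['trustdirection'][0] ($p['msds-trustforesttrustinfo'].Count -gt 0)
#   }
```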

Modification Type: Major
Last Reviewed: 5/14/2004
Keywords: kbwinservnetwork kbActiveDirectory kbFileSystems kbprb KB830576 kbAudITPRO kbAudDeveloper