Symptoms

 

Consider the following scenario:

 

Setup WebDav site in IIS7 and set its physical path(i.e. D:\WebDav\) credential to Specific User iis_webdav in WeDav security configuration.

When a user "webdav_testuser" replace a file from client side, you may receive error and IIS logs http 403.3

 

2012-01-25 00:29:07 10.0.0.1 HEAD /extranet/test.txt - 443 webdav_testuser 147.132.17.2 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 200 0 0 187

2012-01-25 00:29:10 10.0.0.1 PUT /extranet/test.txt - 443 webdav_testuser 147.132.17.2 Microsoft+Data+Access+Internet+Publishing+Provider+DAV 403 3 5 0

 

 

Root Cause

 

Http 403.3 Forbidden: Write access forbidden happens when you attempt to upload to or modify a file in a directory that does not allow write access.

 

Check Process Monitor log collected on the server and found “Access Denied” when w3wp.exe process operates on D:\WebDav\extranet\test.txt file.

This w3wp.exe process is running by application pool identity, for example, IIS APPPOOL\WebDav_AppPool_Identity

 

8:29:10.0661379                w3wp.exe           2448       CreateFile           D:\WebDav\extranet\test.txt                ACCESS DENIED                Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, Impersonating: S-1-5-21-nnnnnnnn

 

8:29:10.0665201                w3wp.exe           2448       CreateFile           D:\WebDav\extranet\test.txt                ACCESS DENIED                Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: S-1-5-21-nnnnnnnn

 

8:29:10.0669154                w3wp.exe           2448       CreateFile           D:\WebDav\extranet\test.txt                ACCESS DENIED               Desired Access: Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: S-1-5-21-nnnnnnnn

 

Under this scenario, overwritten is actually performed by the Specific User iis_webdev defined in physical path credential rather than application pool identity (e.g. IIS APPPOOL\WebDav_AppPool_Identity) or authorized user (e.g. webdav_testuser). It is required to ensure that specific user has permission to overwrite files under the D:\WebDav\

 

Resolution

 

Grant full control to specific user on WebDav physical path. Alternatively, configure WebDev site to use pass through authentication instead of specific user

 

Regards,

 

Anik Shen from APGC DSI Team