What does AuthForwardServerList do?

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about What does AuthForwardServerList do? was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, windows-7, webdav, zimbra, ntlm.

A bit of context, we have several Windows 7 clients connected to an LDAP backed Samba PDC. We also have a Zimbra 8 server that authenticates off the same LDAP. When users logon to the Windows 7 clients, a batch script maps number of network drivers on the Samba server. All this is working well.

Now I would like to map each user’s Zimbra’s Briefcase folder when the user logs in using WebDAV. We added: net use Z: https://mail.ourserver.com/dav/user/Briefcase /u:user to our batch script, however, it only works after the user has manually entered their password into the open command prompt.

Obviously, what I want to be able to do here is mount the drive using the Windows login credentials, and without prompting for the password a second time after they have already logged in. Using net use Z: https://our.server.com/dav/user/Briefcase /u:user password works, but we do not have access to the user’s plain text password and is therefore not an option.

I came across the AuthForwardServerList registry key mentioned in this KB article, that is supposed to solve a similar problem when connecting to SharePoint servers over WebDAV. I tried adding the registry key with the value https://*.ourserver.com and various combinations of it, restarted the machine, but this seems to have no effect. net use still prompts for the password, and so does the “Map Network Drive” option in Windows Explorer.

So my question is, how does AuthForwardServerList actually work? Does it only work with Windows servers, does the server have to support NTLM, or will any work with any WebDAV server using BasicAuth? Does it only work with IE and not with Windows Explorer?

Alternatively, is there any way I can access the password the user just used to login to the machine, and somehow pass it to the script? The script is dynamically generated on the samba server and executed on the client, so even if the password can be captured in plain text on the server, it would be possible to append it to the script.

I recently came across this and wanted to provide an answer, even though the question is dated. My answer comes from TechNet KB 943280.

After the AuthForwardServerList registry key is created, the WebClient service will read the entry value. If the client computer tries to access a URL that matches any of the expressions in the list, the user credential will be sent successfully to authenticate the user, even if no proxy is configured.

This function was provided as a hotfix for Windows Vista and was built into Windows 7 because of [in my opinion] a big flaw in how the Win HTTP service works. The Win HTTP service ignores IE’s built-in zone-checking mechanism that would look to see if a site is in the local intranet zone and then automatically send credentials to that intranet site. Instead, Win HTTP evaluates the URL as follows:

  • “If the URL contains no period in the server’s name, such as in the following example, the server is assumed to be on a local intranet site.” http://sharepoint/davshare
  • “If the URL contains periods, the server is assumed to be on the Internet. The periods indicate that you use an FQDN address. Therefore, no credentials are automatically sent to this server unless a proxy is configured and unless this server is indicated for proxy bypass.”

This is either a silly oversight or ridiculously lazy. There would be no issue, no hotfix, and no AuthForwardServerList key if the Win HTTP service simply referenced IE’s security zones.

Leave a Reply

Your email address will not be published. Required fields are marked *