Hi all
I dug deeper here.
Duplicati Version: 2.0.4.23_beta_2019-07-14
Server Version: Windows 2016 Standard
1. Right after Duplicati installation
IIS Logs
2019-12-11 20:14:52 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 29
2019-12-11 20:18:49 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:22:34 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 15
2019-12-11 20:23:57 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 203
2019-12-11 20:24:05 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:24:12 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:24:31 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 15
2019-12-11 20:24:42 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:25:36 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:29:19 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:31:25 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 15
2019-12-11 20:32:42 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:32:52 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:33:02 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:33:12 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2019-12-11 20:33:22 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 0
2. I executed the following command on the server to disable anonymous authentication on IIS:
%systemroot%\system32\inetsrv\appcmd.exe set config "www.bucher-allround.ch" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost
Afterwards, the connection to the server was successful!
IIS Logs
2019-12-11 20:48:36 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 401 2 5 6383 177 15
2019-12-11 20:48:36 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 207 0 0 1157 772 15
Oh… a 401 was thrown by IIS, seems this is something that Duplicati expects to use the credentials in the second request.
3. I executed the following command on the server to re-enable anonymous authentication on IIS:
%systemroot%\system32\inetsrv\appcmd.exe set config "www.bucher-allround.ch" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:true /commit:apphost
Then I did a second verification of the connection. Still successful. Oouukay…
IIS Logs
2019-12-11 20:50:32 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 207 0 0 1157 772 15
Hmmm… but there is no 401 visible here… hmm… probably because Duplicati is still authenticated?
4. I restarted Duplicati and the issue came back
Hmm… probably because Duplicati is not authenticated anymore?
IIS Logs
2019-12-11 20:53:36 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 15
2019-12-11 20:54:16 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 403 2 5 6543 177 3
The webserver does not answer with a 401 again; there is a 403 error straight away.
5. Interesting
The issue seems to be explained here: https://forums.iis.net/t/1201114.aspx
User “syntax53” brings the issue to the point: “The issue is the client is trying to do an authorized-enabled PROPFIND against the (…) the site, that it does not have access to.”
6. Compare the Windows integrated WebDAV client with Duplicati
I execute the Windows integrated WebDAV Client:
net use * https://www.bucher-allround.ch/ /user:wd.bucher-allround xxxxxxx
Drive Z: is now connected with https://www.bucher-allround.ch/.
The command completed successfully.
Checking the IIS Logs
[1]
2019-12-11 21:28:25 W3SVC31 www 10.0.1.30 PROPFIND / - 443 - tomthedell.thuinformatik.local HTTP/2.0 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 403 2 5 6503 166 46
2019-12-11 21:28:25 W3SVC31 www 10.0.1.30 PROPFIND / - 443 - tomthedell.thuinformatik.local HTTP/2.0 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 403 2 5 6503 166 0
[2]
2019-12-11 21:28:25 W3SVC31 www 10.0.1.30 PROPFIND / - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 207 0 0 1130 802 46
2019-12-11 21:28:25 W3SVC31 www 10.0.1.30 PROPFIND / - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 207 0 0 1130 171 46
[3]
2019-12-11 21:28:25 W3SVC31 www 10.0.1.30 PROPFIND /Desktop.ini - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 404 0 2 5222 182 0
2019-12-11 21:28:26 W3SVC31 www 10.0.1.30 PROPFIND /AutoRun.inf - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.18363 - - www.bucher-allround.ch 404 0 2 5222 813 15
If an anonymous request fails two times with a 403 [1], then the client ignores those 403s and tries to authenticate by using the supplied credentials [2]. Windows then automatically looks for some default files like Desktop.ini/AutoRun.inf: those are not present, that’s why a 404 is visible [3].
7. Root cause
After a few tests on a blank test server: it seems this issue only comes up if the following setting has not been set (if “true” then bad for Duplicati):
This seems to make sense: if set to “True”, then the PROPERTY request is handled anonymously, but there is no “Authoring Rule” for the anonymous user in place, and therefore IIS throws a 403. Duplicati then cannot proceed if IIS throws a 403.
I changed the value from “True” to “False” by using this command:
C:\Windows\System32\inetsrv\AppCmd.exe set config "www.bucher-allround.ch" /section:system.webServer/webdav/authoring /properties.allowAnonymousPropfind:"False" /commit:apphost
The logs showed me that the 401 for the PROPERTY request came back(!!) and this seems to force Duplicati to authenticate, see below:
2019-12-11 23:14:46 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 - tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 401 0 5 5236 177 15
2019-12-11 23:14:46 W3SVC31 www 10.0.1.30 PROPFIND /test/ - 443 WWW\wd.bucher-allround tomthedell.thuinformatik.local HTTP/1.1 Duplicati+WEBDAV+Client+v2.0.4.23 - - www.bucher-allround.ch 207 0 0 1157 772 15
9. Conclusion
The Windows WebDAV client seems to have a fallback to ignore the 403 and proceeds as if a 401 was thrown.
Would it make sense for Duplicati to have a similar behaviour? I am thinking of something like this:
If 403 or 401 - I don’t care, come on, let’s try to authenticate anyway…
What is this now?
A bug
Expected behavior
Unexpected behavior
Missing feature
Missing fallback possibilities
Incompatible WebDAV configuration
Please pick the one you prefer. In terms of making software more robust and better, I would prefer a similar behaviour compared to the Windows WebDAV client. But I’m not sure if this would violate any RFCs or other standards (maybe this is just a Microsoft thing? I don’t know).
And last but not least
Regarding the filesize settings from the previous post: if the “Request Filtering” module of IIS is installed, then this modification on IIS is required in any case. Without those changes, Duplicati is unable to store its 50MB chunks to the WebDAV directory and will fail during the PUT request. This is because the default setting of Duplicati with its 50MB chunks is not compatible with the IIS default setting of max. 30MB allowed. Change the one or the other.
Best regards
Tom
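
The three PROPFIND patterns seen in the IIS logs above (anonymous 403 with no follow-up, authentication despite a 403, and 401 challenge followed by 207) can be told apart automatically. The following is an added example, not part of the original post or of Duplicati: the field order is an assumption inferred from the log lines shown (no `#Fields` header appears in the post), and the sample lines, host names and account are constructed placeholders.

```python
from collections import defaultdict

# Assumed W3C field order, inferred from the post's log lines (no #Fields header is shown).
FIELDS = ("date time sitename computername s_ip method uri query port username client "
          "version user_agent cookie referer host status substatus win32 sc_bytes "
          "cs_bytes time_taken").split()

# Constructed sample lines (placeholder hosts and account), same layout as the post's logs.
SAMPLE = """\
2019-12-11 20:14:52 W3SVC1 www 192.0.2.10 PROPFIND /test/ - 443 - client-a.example.test HTTP/1.1 Backup+Client - - dav.example.test 403 2 5 6543 177 29
2019-12-11 20:18:49 W3SVC1 www 192.0.2.10 PROPFIND /test/ - 443 - client-a.example.test HTTP/1.1 Backup+Client - - dav.example.test 403 2 5 6543 177 0
2019-12-11 21:28:25 W3SVC1 www 192.0.2.10 PROPFIND / - 443 - client-b.example.test HTTP/2.0 MiniRedir-Like - - dav.example.test 403 2 5 6503 166 46
2019-12-11 21:28:25 W3SVC1 www 192.0.2.10 PROPFIND / - 443 EXAMPLE\\davuser client-b.example.test HTTP/1.1 MiniRedir-Like - - dav.example.test 207 0 0 1130 802 46
2019-12-11 23:14:46 W3SVC1 www 192.0.2.10 PROPFIND /test/ - 443 - client-c.example.test HTTP/1.1 Backup+Client - - dav.example.test 401 0 5 5236 177 15
2019-12-11 23:14:46 W3SVC1 www 192.0.2.10 PROPFIND /test/ - 443 EXAMPLE\\davuser client-c.example.test HTTP/1.1 Backup+Client - - dav.example.test 207 0 0 1157 772 15
"""

def parse(text):
    """Yield one dict per well-formed log line; skip comments and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def classify(text):
    """Map each (client, user agent) to the PROPFIND authentication pattern it shows."""
    seen = defaultdict(list)
    for row in parse(text):
        if row["method"] == "PROPFIND":
            seen[(row["client"], row["user_agent"])].append(row)
    result = {}
    for key, rows in seen.items():
        anon = {r["status"] for r in rows if r["username"] == "-"}
        authed_ok = any(r["username"] != "-" and r["status"] == "207" for r in rows)
        if "403" in anon and not authed_ok:
            result[key] = "stuck-on-anonymous-403"      # client never sent credentials
        elif "403" in anon:
            result[key] = "retried-after-403"           # client authenticated despite the 403
        elif "401" in anon and authed_ok:
            result[key] = "challenged-then-authenticated"
        else:
            result[key] = "other"
    return result

if __name__ == "__main__":
    for (client, agent), verdict in classify(SAMPLE).items():
        print(f"{client:25} {agent:15} {verdict}")
```

A client reported as `stuck-on-anonymous-403` matches the symptom described in steps 1 and 4; on the server side it points at the `allowAnonymousPropfind` setting discussed in step 7.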