Microsoft KB Archive/830576

= Cannot access remotely stored content by using WebDAV in Windows Server 2003 =

Article ID: 830576

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

SYMPTOMS
When you try to use Web Distributed Authoring and Versioning (WebDAV) to access remotely stored content, the attempt is unsuccessful.



CAUSE
This issue occurs if both of the following conditions are true:
 * You try to access the remotely stored content as a user from a trusted domain that is located in a different forest.
 * There is an external cross-forest trust configured between the two domains.

External trusts only support Integrated Windows authentication (formerly called NTLM) for user access. Therefore, typical Server Message Block (SMB) access to the target share that you reference in the WebDAV directory is unsuccessful.

In this scenario, Microsoft Internet Information Services (IIS) pass-through authentication is unsuccessful even if protocol transition is enabled for IIS. Protocol transition for Integrated Windows authentication only works in the same forest. This is because a transitive Kerberos trust is available in the forest. A transitive Kerberos trust enables IIS to issue a Kerberos ticket on behalf of the requesting user (delegation). A transitive Kerberos trust is not available over an external cross-forest trust because the external Kerberos realm is unknown in your forest.



RESOLUTION
To resolve this issue, and to enable Kerberos routing, configure bidirectional trusts between the forests.



MORE INFORMATION
The behavior occurs because the trusted domain object (TDO) of an external trust does not contain the required forest trust information. The Forest Trust Information attribute contains information about all the domains in the remote forest, the tree names, and any alternative name suffixes. This information is used to route authentication requests and lookup requests to the remote forest when required.
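The difference between the two trust kinds is visible in the attributes of the TDO itself. The following Python sketch is an added example, not part of the original Microsoft article: it classifies a trustedDomain object from its `trustAttributes`, `trustDirection` and `msDS-TrustForestTrustInfo` attributes. The attribute names and flag values are taken from the Active Directory schema and [MS-ADTS], not from this article; the sample objects and domain names are constructed, and only Windows domain trusts (not MIT realm trusts) are assumed.

```python
# Flag and direction values from [MS-ADTS]; they do not appear in the KB article.
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08   # cross-forest (forest) trust
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20       # trust between domains of one forest
TRUST_DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def classify_tdo(tdo):
    """Classify one trustedDomain object passed as a dict of LDAP attributes.

    Values may be ints or the decimal strings an LDIF export produces.
    """
    attrs = int(tdo.get("trustAttributes", 0))
    direction = TRUST_DIRECTIONS.get(int(tdo.get("trustDirection", 0)), "unknown")
    has_fti = bool(tdo.get("msDS-TrustForestTrustInfo"))

    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        kind = "intra-forest"
    elif attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        kind = "forest"
    else:
        kind = "external"

    # Kerberos requests can be routed inside one forest, or across a forest
    # trust whose TDO carries forest trust information. An external trust has
    # neither, which is the failing case the article describes.
    routable = kind == "intra-forest" or (kind == "forest" and has_fti)
    return {
        "name": tdo.get("name", "?"),
        "kind": kind,
        "direction": direction,
        "kerberos_routing": routable,
        "matches_resolution": kind == "forest" and has_fti and direction == "bidirectional",
    }


# Constructed sample TDOs (hypothetical domain names, placeholder FTI blob).
SAMPLE_TDOS = [
    {"name": "corp.partner.example", "trustAttributes": "4", "trustDirection": "3"},
    {"name": "partner.example", "trustAttributes": 8, "trustDirection": 3,
     "msDS-TrustForestTrustInfo": b"\x01"},
    {"name": "vendor.example", "trustAttributes": 8, "trustDirection": 2,
     "msDS-TrustForestTrustInfo": b"\x01"},
]

if __name__ == "__main__":
    for tdo in SAMPLE_TDOS:
        r = classify_tdo(tdo)
        print(f"{r['name']:22} {r['kind']:12} {r['direction']:13} "
              f"kerberos_routing={r['kerberos_routing']}")
```

A trust reported as `external` corresponds to the failing configuration described under CAUSE; `matches_resolution` is true only for a bidirectional forest trust whose TDO carries forest trust information.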

