I've got a front-finish apache server running inside a home windows server. The machine is setup with NTLM or Fundamental Auth (same issue with both). A download from the MS Word or Stand out documents works fine in most browsers.

Basically search on the internet-Explorer and download a office document the download the document request another url. Watchging the apache access logs I saw that you will find demands with OPTIONS and PROPFIND inside.

And So I modified the config by using this:

  <Location /latest>
    <Limit OPTIONS PROPFIND>
      deny from all
    </Limit>
  </Location>

This labored to date, however with Office 2010 I experienced the issue again.

Searching the net I discovered this short article: http://support.microsoft.com/kb/2019105 Because of this I do not have to send 403 (deny all transmits 403 I suppose?), so I must send 405.

So may I simply do that? Is correct?

  <Location /latest>
    <Limit OPTIONS PROPFIND>
      redirect 405
    </Limit>
  </Location>

Finally debugging more the problem I discovered that this is actually the correct configuration. To say I must make also obvious which i sometimes setup the authentication without anyone's knowledge webserver (IIS 7) and often within the Apache (is dependent on customer situation).

1. As Apache is my frontend proxy and also the after sales server may be the IIS7, when IIS7 authenticate this labored:


Disable support from the OPTIONS and PROPFIND verbs – When the web application isn't supposed to have been employed for WebDAV, the net Service Extension that delivers the WebDAV functionality could be set to Prohibited on the default server that's running IIS. (This can be WebDAV or FrontPage Server Extensions.) When the site provides WebDAV functionality through another extension, the provider of this extension ought to be involved. For instance, to get this done with Home windows SharePoint Services (WSS), the website ought to be set up to disable Client Integration, or even the OPTIONS and PROPFIND verb ought to be restricted. (On IIS 6, take away the verbs in the registration line within the web.config file. On IIS 7., make use of the HTTP Verbs tab from the Request Blocking feature to deny the verbs.) Remember that this method will open this content in read-only mode as this approach hinders direct-edit functionality.


from: http://support.microsoft.com/kb/2019105/en-us

And So I set this content filter for that verbs after which it labored acceptable for me finally.

2. I Quickly examined while using NTLM Auth in Apache. My original config labored fine when Apache authenticate itself.

And So I went only in to the problem mixing the behaviors :)