HTTP PUT IIS6

The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
the same configuration. IIS6 only adds the knob to enable/disable
WebDAV.

To allow anonymous PUT (quite dangerous - easy for anyone to exploit
your server), simply:
1. Enable WebDAV (new to IIS6)
2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
IIS6)
3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
4. Set NTFS ACLs on the PUT destination folder to allow the configured
Anonymous user Write access (same on Windows)

It sounds like your application has a bug where it does not properly
configure the webserver with its dependencies, so it fails between
IIS5.1 and IIS6.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 6, 6:31 am, Tray wrote:
> Is authentication required for PUT in IIS6?
> Is there a way to anonymous PUT in IIS6?
> The application was working with anonymous PUT command to buried folder (not
> wwwroot) with XP IIS5.
>
>
>
> "David Wang" wrote:
> > On Feb 5, 3:11 pm, Tray wrote:
> > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > Windows 2003?
>
> > IIS6 installs in a secure configuration by default.
>
> > PUT is WebDAV, which is not enabled by default on IIS6.
>
> > IIS5 has everything enabled by default and no easy way to disable
> > WebDAV, so PUT works... along with all those security exploits.
>
> > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > IIS Manager UI for the specific folder, enable authentication, and set
> > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > IIS6.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //- Hide quoted text -
>
> - Show quoted text -
 >> Stay informed about: HTTP PUT IIS6 

I have verified the setup as requested.
WebDAV enabled (Set to Allow)
Enabled Read / Write in UI in IIS for that virtual directory.
Enabled Anonymous Access (Noted Configured User for Anonymous Access)
Navigated to folder in Explorer and added the configured Anonymous User with
Full Control so there was no doubt anonymous (internet guest) has access.

Tested, and same result.
IIS log for site shows the PUT request happening but lists 501

Telnet xxx.xxx.xxx.xxx 80
Manually typed the command
GET /folder/image.jpg
Downloads image data to console

Telnet xxx.xxx.xxx.xxx 80
Manually typed the command
PUT /folder/image.jpg
Returns <h1> Bad Request (Invalid Verb) </h1>

XP does not return Bad Request Invalid Verb, but waits for the image data.




"David Wang" wrote:

> The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> the same configuration. IIS6 only adds the knob to enable/disable
> WebDAV.
>
> To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> your server), simply:
> 1. Enable WebDAV (new to IIS6)
> 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> IIS6)
> 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> Anonymous user Write access (same on Windows)
>
> It sounds like your application has a bug where it does not properly
> configure the webserver with its dependencies, so it fails between
> IIS5.1 and IIS6.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Feb 6, 6:31 am, Tray wrote:
> > Is authentication required for PUT in IIS6?
> > Is there a way to anonymous PUT in IIS6?
> > The application was working with anonymous PUT command to buried folder (not
> > wwwroot) with XP IIS5.
> >
> >
> >
> > "David Wang" wrote:
> > > On Feb 5, 3:11 pm, Tray wrote:
> > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > Windows 2003?
> >
> > > IIS6 installs in a secure configuration by default.
> >
> > > PUT is WebDAV, which is not enabled by default on IIS6.
> >
> > > IIS5 has everything enabled by default and no easy way to disable
> > > WebDAV, so PUT works... along with all those security exploits.
> >
> > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > IIS Manager UI for the specific folder, enable authentication, and set
> > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > IIS6.
> >
> > > //David
> > >http://w3-4u.blogspot.com
> > >http://blogs.msdn.com/David.Wang
> > > //- Hide quoted text -
> >
> > - Show quoted text -
>
>
>
 >> Stay informed about: HTTP PUT IIS6 

David,

I noticed that I had to allow WebDav manually, after you said it was required.
I verified permissions for folder write and anonymous full and test failed.

I ended up fixing the problem another way.
I had tried everything, and needed another approach.

I completely uninstalled IIS, and components FTP, WWW, etc.

I then reinstalled IIS. Now I don't have a clue if this makes a difference,
but instead of checking WWW server, I checked WebDav.
This checked all necessary boxes for WWW Etc.

When I open IIS manager, I then setup my write access and anonymous
permissions again. I went to enable WebDav and it was already enabled.
Thats strange, before I had to manually enable it.

And it worked, I could put files in my directory via Httpmethod PUT.

Another note.

The everyone group is giving anonymous internet access. I swore that was
supposed to be fixed in Windows 2003. This was a design flaw with XP if I
remember correctly.


"Tray" wrote:

> I have verified the setup as requested.
> WebDAV enabled (Set to Allow)
> Enabled Read / Write in UI in IIS for that virtual directory.
> Enabled Anonymous Access (Noted Configured User for Anonymous Access)
> Navigated to folder in Explorer and added the configured Anonymous User with
> Full Control so there was no doubt anonymous (internet guest) has access.
>
> Tested, and same result.
> IIS log for site shows the PUT request happening but lists 501
>
> Telnet xxx.xxx.xxx.xxx 80
> Manually typed the command
> GET /folder/image.jpg
> Downloads image data to console
>
> Telnet xxx.xxx.xxx.xxx 80
> Manually typed the command
> PUT /folder/image.jpg
> Returns <h1> Bad Request (Invalid Verb) </h1>
>
> XP does not return Bad Request Invalid Verb, but waits for the image data.
>
>
>
>
> "David Wang" wrote:
>
> > The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> > the same configuration. IIS6 only adds the knob to enable/disable
> > WebDAV.
> >
> > To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> > your server), simply:
> > 1. Enable WebDAV (new to IIS6)
> > 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> > IIS6)
> > 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> > 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> > Anonymous user Write access (same on Windows)
> >
> > It sounds like your application has a bug where it does not properly
> > configure the webserver with its dependencies, so it fails between
> > IIS5.1 and IIS6.
> >
> >
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
> >
> >
> >
> > On Feb 6, 6:31 am, Tray wrote:
> > > Is authentication required for PUT in IIS6?
> > > Is there a way to anonymous PUT in IIS6?
> > > The application was working with anonymous PUT command to buried folder (not
> > > wwwroot) with XP IIS5.
> > >
> > >
> > >
> > > "David Wang" wrote:
> > > > On Feb 5, 3:11 pm, Tray wrote:
> > > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > > Windows 2003?
> > >
> > > > IIS6 installs in a secure configuration by default.
> > >
> > > > PUT is WebDAV, which is not enabled by default on IIS6.
> > >
> > > > IIS5 has everything enabled by default and no easy way to disable
> > > > WebDAV, so PUT works... along with all those security exploits.
> > >
> > > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > > IIS Manager UI for the specific folder, enable authentication, and set
> > > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > > IIS6.
> > >
> > > > //David
> > > >http://w3-4u.blogspot.com
> > > >http://blogs.msdn.com/David.Wang
> > > > //- Hide quoted text -
> > >
> > > - Show quoted text -
> >
> >
> >
 >> Stay informed about: HTTP PUT IIS6 

The design flaw is fixed - there is a security setting "Everyone
includes Anonymous" - what is your setting?

Remember, there are compatibility and other things to consider, not
just make a change and break the world. Some people may depend on that
functionality for their business.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


On Feb 8, 8:08 am, Tray wrote:
> David,
>
> I noticed that I had to allow WebDav manually, after you said it was required.
> I verified permissions for folder write and anonymous full and test failed.
>
> I ended up fixing the problem another way.
> I had tried everything, and needed another approach.
>
> I completely uninstalled IIS, and components FTP, WWW, etc.
>
> I then reinstalled IIS. Now I don't have a clue if this makes a difference,
> but instead of checking WWW server, I checked WebDav.
> This checked all necessary boxes for WWW Etc.
>
> When I open IIS manager, I then setup my write access and anonymous
> permissions again. I went to enable WebDav and it was already enabled.
> Thats strange, before I had to manually enable it.
>
> And it worked, I could put files in my directory via Httpmethod PUT.
>
> Another note.
>
> The everyone group is giving anonymous internet access. I swore that was
> supposed to be fixed in Windows 2003. This was a design flaw with XP if I
> remember correctly.
>
>
>
> "Tray" wrote:
> > I have verified the setup as requested.
> > WebDAV enabled (Set to Allow)
> > Enabled Read / Write in UI in IIS for that virtual directory.
> > Enabled Anonymous Access (Noted Configured User for Anonymous Access)
> > Navigated to folder in Explorer and added the configured Anonymous User with
> > Full Control so there was no doubt anonymous (internet guest) has access.
>
> > Tested, and same result.
> > IIS log for site shows the PUT request happening but lists 501
>
> > Telnet xxx.xxx.xxx.xxx 80
> > Manually typed the command
> > GET /folder/image.jpg
> > Downloads image data to console
>
> > Telnet xxx.xxx.xxx.xxx 80
> > Manually typed the command
> > PUT /folder/image.jpg
> > Returns <h1> Bad Request (Invalid Verb) </h1>
>
> > XP does not return Bad Request Invalid Verb, but waits for the image data.
>
> > "David Wang" wrote:
>
> > > The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> > > the same configuration. IIS6 only adds the knob to enable/disable
> > > WebDAV.
>
> > > To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> > > your server), simply:
> > > 1. Enable WebDAV (new to IIS6)
> > > 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> > > IIS6)
> > > 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> > > 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> > > Anonymous user Write access (same on Windows)
>
> > > It sounds like your application has a bug where it does not properly
> > > configure the webserver with its dependencies, so it fails between
> > > IIS5.1 and IIS6.
>
> > > //David
> > >http://w3-4u.blogspot.com
> > >http://blogs.msdn.com/David.Wang
> > > //
>
> > > On Feb 6, 6:31 am, Tray wrote:
> > > > Is authentication required for PUT in IIS6?
> > > > Is there a way to anonymous PUT in IIS6?
> > > > The application was working with anonymous PUT command to buried folder (not
> > > > wwwroot) with XP IIS5.
>
> > > > "David Wang" wrote:
> > > > > On Feb 5, 3:11 pm, Tray wrote:
> > > > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > > > Windows 2003?
>
> > > > > IIS6 installs in a secure configuration by default.
>
> > > > > PUT is WebDAV, which is not enabled by default on IIS6.
>
> > > > > IIS5 has everything enabled by default and no easy way to disable
> > > > > WebDAV, so PUT works... along with all those security exploits.
>
> > > > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > > > IIS Manager UI for the specific folder, enable authentication, and set
> > > > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > > > IIS6.
>
> > > > > //David
> > > > >http://w3-4u.blogspot.com
> > > > >http://blogs.msdn.com/David.Wang
> > > > > //- Hide quoted text -
>
> > > > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
 >> Stay informed about: HTTP PUT IIS6 

If you are refering to Admin Tools, Local Security Settings,
Security Settings, Local Polices, Security Options
Network Access: Let Everyone Permission Apply to Anonymous=Disabled

I tripple double checked adding everyone has write access.
PUT my file
Then removed everyone permission.
PUT my file and got error for ACL.
So I removed the everyone group for now and add anonymous.

Also
HKLM\System\CurrentControlSet\Control\LSA
EveryoneIncludesAnonymous=0

which means it should be disabled.

Anyways, about WebDav
Me and our team of frustrated techs have figured out that there is an issue
with WebDav.
Even though you click allow. It may not work.
Click Prohibit and Then Allow again seems to correct the problem.

In my case I had to reinstall WebDav, on a Win2003 Enterprise Edition to get
it to work.

Thanks,

Tray



"David Wang" wrote:

> The design flaw is fixed - there is a security setting "Everyone
> includes Anonymous" - what is your setting?
>
> Remember, there are compatibility and other things to consider, not
> just make a change and break the world. Some people may depend on that
> functionality for their business.
>
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
> On Feb 8, 8:08 am, Tray wrote:
> > David,
> >
> > I noticed that I had to allow WebDav manually, after you said it was required.
> > I verified permissions for folder write and anonymous full and test failed.
> >
> > I ended up fixing the problem another way.
> > I had tried everything, and needed another approach.
> >
> > I completely uninstalled IIS, and components FTP, WWW, etc.
> >
> > I then reinstalled IIS. Now I don't have a clue if this makes a difference,
> > but instead of checking WWW server, I checked WebDav.
> > This checked all necessary boxes for WWW Etc.
> >
> > When I open IIS manager, I then setup my write access and anonymous
> > permissions again. I went to enable WebDav and it was already enabled.
> > Thats strange, before I had to manually enable it.
> >
> > And it worked, I could put files in my directory via Httpmethod PUT.
> >
> > Another note.
> >
> > The everyone group is giving anonymous internet access. I swore that was
> > supposed to be fixed in Windows 2003. This was a design flaw with XP if I
> > remember correctly.
> >
> >
> >
> > "Tray" wrote:
> > > I have verified the setup as requested.
> > > WebDAV enabled (Set to Allow)
> > > Enabled Read / Write in UI in IIS for that virtual directory.
> > > Enabled Anonymous Access (Noted Configured User for Anonymous Access)
> > > Navigated to folder in Explorer and added the configured Anonymous User with
> > > Full Control so there was no doubt anonymous (internet guest) has access.
> >
> > > Tested, and same result.
> > > IIS log for site shows the PUT request happening but lists 501
> >
> > > Telnet xxx.xxx.xxx.xxx 80
> > > Manually typed the command
> > > GET /folder/image.jpg
> > > Downloads image data to console
> >
> > > Telnet xxx.xxx.xxx.xxx 80
> > > Manually typed the command
> > > PUT /folder/image.jpg
> > > Returns <h1> Bad Request (Invalid Verb) </h1>
> >
> > > XP does not return Bad Request Invalid Verb, but waits for the image data.
> >
> > > "David Wang" wrote:
> >
> > > > The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> > > > the same configuration. IIS6 only adds the knob to enable/disable
> > > > WebDAV.
> >
> > > > To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> > > > your server), simply:
> > > > 1. Enable WebDAV (new to IIS6)
> > > > 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> > > > IIS6)
> > > > 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> > > > 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> > > > Anonymous user Write access (same on Windows)
> >
> > > > It sounds like your application has a bug where it does not properly
> > > > configure the webserver with its dependencies, so it fails between
> > > > IIS5.1 and IIS6.
> >
> > > > //David
> > > >http://w3-4u.blogspot.com
> > > >http://blogs.msdn.com/David.Wang
> > > > //
> >
> > > > On Feb 6, 6:31 am, Tray wrote:
> > > > > Is authentication required for PUT in IIS6?
> > > > > Is there a way to anonymous PUT in IIS6?
> > > > > The application was working with anonymous PUT command to buried folder (not
> > > > > wwwroot) with XP IIS5.
> >
> > > > > "David Wang" wrote:
> > > > > > On Feb 5, 3:11 pm, Tray wrote:
> > > > > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > > > > Windows 2003?
> >
> > > > > > IIS6 installs in a secure configuration by default.
> >
> > > > > > PUT is WebDAV, which is not enabled by default on IIS6.
> >
> > > > > > IIS5 has everything enabled by default and no easy way to disable
> > > > > > WebDAV, so PUT works... along with all those security exploits.
> >
> > > > > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > > > > IIS Manager UI for the specific folder, enable authentication, and set
> > > > > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > > > > IIS6.
> >
> > > > > > //David
> > > > > >http://w3-4u.blogspot.com
> > > > > >http://blogs.msdn.com/David.Wang
> > > > > > //- Hide quoted text -
> >
> > > > > - Show quoted text -- Hide quoted text -
> >
> > - Show quoted text -
>
>
>
 >> Stay informed about: HTTP PUT IIS6 

To have WebDAV work, there's both a registry tweak that makes HTTP.SYS
allow WebDAV verbs (that's why you were getting 501) as well as "Web
Service Extensions" enabling of WebDAV (which changes whether
httpext.dll is allowed to be used by IIS).

You need both for WebDAV to work. Placing checkmark in Add/Remove
Programs does both. Enabling "WebDAV" in Web Service Extensions only
allows httpext.dll. Unfortunately, that is often mistakenly viewed as
the "make WebDAV work" checkbox when it isn't.


> HKLM\System\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous=0

Some of those settings require rebooting to take effect, and I notice
strange behaviors if you toggle them without rebooting. Just make
sure.


Unfortunately, IUSR is anonymous only to IIS and not anonymous as far
as Windows is concerned. That's addressed in Vista/IIS7.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 8, 1:31 pm, Tray wrote:
> If you are refering to Admin Tools, Local Security Settings,
> Security Settings, Local Polices, Security Options
> Network Access: Let Everyone Permission Apply to Anonymous=Disabled
>
> I tripple double checked adding everyone has write access.
> PUT my file
> Then removed everyone permission.
> PUT my file and got error for ACL.
> So I removed the everyone group for now and add anonymous.
>
> Also
> HKLM\System\CurrentControlSet\Control\LSA
> EveryoneIncludesAnonymous=0
>
> which means it should be disabled.
>
> Anyways, about WebDav
> Me and our team of frustrated techs have figured out that there is an issue
> with WebDav.
> Even though you click allow. It may not work.
> Click Prohibit and Then Allow again seems to correct the problem.
>
> In my case I had to reinstall WebDav, on a Win2003 Enterprise Edition to get
> it to work.
>
> Thanks,
>
> Tray
>
>
>
> "David Wang" wrote:
> > The design flaw is fixed - there is a security setting "Everyone
> > includes Anonymous" - what is your setting?
>
> > Remember, there are compatibility and other things to consider, not
> > just make a change and break the world. Some people may depend on that
> > functionality for their business.
>
> > //David
> >http://w3-4u.blogspot.com
> >http://blogs.msdn.com/David.Wang
> > //
>
> > On Feb 8, 8:08 am, Tray wrote:
> > > David,
>
> > > I noticed that I had to allow WebDav manually, after you said it was required.
> > > I verified permissions for folder write and anonymous full and test failed.
>
> > > I ended up fixing the problem another way.
> > > I had tried everything, and needed another approach.
>
> > > I completely uninstalled IIS, and components FTP, WWW, etc.
>
> > > I then reinstalled IIS. Now I don't have a clue if this makes a difference,
> > > but instead of checking WWW server, I checked WebDav.
> > > This checked all necessary boxes for WWW Etc.
>
> > > When I open IIS manager, I then setup my write access and anonymous
> > > permissions again. I went to enable WebDav and it was already enabled.
> > > Thats strange, before I had to manually enable it.
>
> > > And it worked, I could put files in my directory via Httpmethod PUT.
>
> > > Another note.
>
> > > The everyone group is giving anonymous internet access. I swore that was
> > > supposed to be fixed in Windows 2003. This was a design flaw with XP if I
> > > remember correctly.
>
> > > "Tray" wrote:
> > > > I have verified the setup as requested.
> > > > WebDAV enabled (Set to Allow)
> > > > Enabled Read / Write in UI in IIS for that virtual directory.
> > > > Enabled Anonymous Access (Noted Configured User for Anonymous Access)
> > > > Navigated to folder in Explorer and added the configured Anonymous User with
> > > > Full Control so there was no doubt anonymous (internet guest) has access.
>
> > > > Tested, and same result.
> > > > IIS log for site shows the PUT request happening but lists 501
>
> > > > Telnet xxx.xxx.xxx.xxx 80
> > > > Manually typed the command
> > > > GET /folder/image.jpg
> > > > Downloads image data to console
>
> > > > Telnet xxx.xxx.xxx.xxx 80
> > > > Manually typed the command
> > > > PUT /folder/image.jpg
> > > > Returns <h1> Bad Request (Invalid Verb) </h1>
>
> > > > XP does not return Bad Request Invalid Verb, but waits for the image data.
>
> > > > "David Wang" wrote:
>
> > > > > The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> > > > > the same configuration. IIS6 only adds the knob to enable/disable
> > > > > WebDAV.
>
> > > > > To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> > > > > your server), simply:
> > > > > 1. Enable WebDAV (new to IIS6)
> > > > > 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> > > > > IIS6)
> > > > > 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> > > > > 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> > > > > Anonymous user Write access (same on Windows)
>
> > > > > It sounds like your application has a bug where it does not properly
> > > > > configure the webserver with its dependencies, so it fails between
> > > > > IIS5.1 and IIS6.
>
> > > > > //David
> > > > >http://w3-4u.blogspot.com
> > > > >http://blogs.msdn.com/David.Wang
> > > > > //
>
> > > > > On Feb 6, 6:31 am, Tray wrote:
> > > > > > Is authentication required for PUT in IIS6?
> > > > > > Is there a way to anonymous PUT in IIS6?
> > > > > > The application was working with anonymous PUT command to buried folder (not
> > > > > > wwwroot) with XP IIS5.
>
> > > > > > "David Wang" wrote:
> > > > > > > On Feb 5, 3:11 pm, Tray wrote:
> > > > > > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > > > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > > > > > Windows 2003?
>
> > > > > > > IIS6 installs in a secure configuration by default.
>
> > > > > > > PUT is WebDAV, which is not enabled by default on IIS6.
>
> > > > > > > IIS5 has everything enabled by default and no easy way to disable
> > > > > > > WebDAV, so PUT works... along with all those security exploits.
>
> > > > > > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > > > > > IIS Manager UI for the specific folder, enable authentication, and set
> > > > > > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > > > > > IIS6.
>
> > > > > > > //David
> > > > > > >http://w3-4u.blogspot.com
> > > > > > >http://blogs.msdn.com/David.Wang
> > > > > > > //- Hide quoted text -
>
> > > > > > - Show quoted text -- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
 >> Stay informed about: HTTP PUT IIS6 

It might be because it doesn't let you know that it's not installed next to
"allow or prohibit", or when you click allow.


The Everyone Includes anonymous setting has never been changed.
Fresh install of windows. Set to 0 or disabled.


Thanks again.


"David Wang" wrote:

> To have WebDAV work, there's both a registry tweak that makes HTTP.SYS
> allow WebDAV verbs (that's why you were getting 501) as well as "Web
> Service Extensions" enabling of WebDAV (which changes whether
> httpext.dll is allowed to be used by IIS).
>
> You need both for WebDAV to work. Placing checkmark in Add/Remove
> Programs does both. Enabling "WebDAV" in Web Service Extensions only
> allows httpext.dll. Unfortunately, that is often mistakenly viewed as
> the "make WebDAV work" checkbox when it isn't.
>
>
> > HKLM\System\CurrentControlSet\Control\LSA\EveryoneIncludesAnonymous=0
>
> Some of those settings require rebooting to take effect, and I notice
> strange behaviors if you toggle them without rebooting. Just make
> sure.
>
>
> Unfortunately, IUSR is anonymous only to IIS and not anonymous as far
> as Windows is concerned. That's addressed in Vista/IIS7.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
> On Feb 8, 1:31 pm, Tray wrote:
> > If you are refering to Admin Tools, Local Security Settings,
> > Security Settings, Local Polices, Security Options
> > Network Access: Let Everyone Permission Apply to Anonymous=Disabled
> >
> > I tripple double checked adding everyone has write access.
> > PUT my file
> > Then removed everyone permission.
> > PUT my file and got error for ACL.
> > So I removed the everyone group for now and add anonymous.
> >
> > Also
> > HKLM\System\CurrentControlSet\Control\LSA
> > EveryoneIncludesAnonymous=0
> >
> > which means it should be disabled.
> >
> > Anyways, about WebDav
> > Me and our team of frustrated techs have figured out that there is an issue
> > with WebDav.
> > Even though you click allow. It may not work.
> > Click Prohibit and Then Allow again seems to correct the problem.
> >
> > In my case I had to reinstall WebDav, on a Win2003 Enterprise Edition to get
> > it to work.
> >
> > Thanks,
> >
> > Tray
> >
> >
> >
> > "David Wang" wrote:
> > > The design flaw is fixed - there is a security setting "Everyone
> > > includes Anonymous" - what is your setting?
> >
> > > Remember, there are compatibility and other things to consider, not
> > > just make a change and break the world. Some people may depend on that
> > > functionality for their business.
> >
> > > //David
> > >http://w3-4u.blogspot.com
> > >http://blogs.msdn.com/David.Wang
> > > //
> >
> > > On Feb 8, 8:08 am, Tray wrote:
> > > > David,
> >
> > > > I noticed that I had to allow WebDav manually, after you said it was required.
> > > > I verified permissions for folder write and anonymous full and test failed.
> >
> > > > I ended up fixing the problem another way.
> > > > I had tried everything, and needed another approach.
> >
> > > > I completely uninstalled IIS, and components FTP, WWW, etc.
> >
> > > > I then reinstalled IIS. Now I don't have a clue if this makes a difference,
> > > > but instead of checking WWW server, I checked WebDav.
> > > > This checked all necessary boxes for WWW Etc.
> >
> > > > When I open IIS manager, I then setup my write access and anonymous
> > > > permissions again. I went to enable WebDav and it was already enabled.
> > > > Thats strange, before I had to manually enable it.
> >
> > > > And it worked, I could put files in my directory via Httpmethod PUT.
> >
> > > > Another note.
> >
> > > > The everyone group is giving anonymous internet access. I swore that was
> > > > supposed to be fixed in Windows 2003. This was a design flaw with XP if I
> > > > remember correctly.
> >
> > > > "Tray" wrote:
> > > > > I have verified the setup as requested.
> > > > > WebDAV enabled (Set to Allow)
> > > > > Enabled Read / Write in UI in IIS for that virtual directory.
> > > > > Enabled Anonymous Access (Noted Configured User for Anonymous Access)
> > > > > Navigated to folder in Explorer and added the configured Anonymous User with
> > > > > Full Control so there was no doubt anonymous (internet guest) has access.
> >
> > > > > Tested, and same result.
> > > > > IIS log for site shows the PUT request happening but lists 501
> >
> > > > > Telnet xxx.xxx.xxx.xxx 80
> > > > > Manually typed the command
> > > > > GET /folder/image.jpg
> > > > > Downloads image data to console
> >
> > > > > Telnet xxx.xxx.xxx.xxx 80
> > > > > Manually typed the command
> > > > > PUT /folder/image.jpg
> > > > > Returns <h1> Bad Request (Invalid Verb) </h1>
> >
> > > > > XP does not return Bad Request Invalid Verb, but waits for the image data.
> >
> > > > > "David Wang" wrote:
> >
> > > > > > The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
> > > > > > the same configuration. IIS6 only adds the knob to enable/disable
> > > > > > WebDAV.
> >
> > > > > > To allow anonymous PUT (quite dangerous - easy for anyone to exploit
> > > > > > your server), simply:
> > > > > > 1. Enable WebDAV (new to IIS6)
> > > > > > 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
> > > > > > IIS6)
> > > > > > 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
> > > > > > 4. Set NTFS ACLs on the PUT destination folder to allow the configured
> > > > > > Anonymous user Write access (same on Windows)
> >
> > > > > > It sounds like your application has a bug where it does not properly
> > > > > > configure the webserver with its dependencies, so it fails between
> > > > > > IIS5.1 and IIS6.
> >
> > > > > > //David
> > > > > >http://w3-4u.blogspot.com
> > > > > >http://blogs.msdn.com/David.Wang
> > > > > > //
> >
> > > > > > On Feb 6, 6:31 am, Tray wrote:
> > > > > > > Is authentication required for PUT in IIS6?
> > > > > > > Is there a way to anonymous PUT in IIS6?
> > > > > > > The application was working with anonymous PUT command to buried folder (not
> > > > > > > wwwroot) with XP IIS5.
> >
> > > > > > > "David Wang" wrote:
> > > > > > > > On Feb 5, 3:11 pm, Tray wrote:
> > > > > > > > > Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> > > > > > > > > specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> > > > > > > > > Windows 2003?
> >
> > > > > > > > IIS6 installs in a secure configuration by default.
> >
> > > > > > > > PUT is WebDAV, which is not enabled by default on IIS6.
> >
> > > > > > > > IIS5 has everything enabled by default and no easy way to disable
> > > > > > > > WebDAV, so PUT works... along with all those security exploits.
> >
> > > > > > > > Enable WebDAV in Web Service Extensions, enable Write permissions in
> > > > > > > > IIS Manager UI for the specific folder, enable authentication, and set
> > > > > > > > ACLs correctly on the folder in NTFS, and you should be able to PUT on
> > > > > > > > IIS6.
> >
> > > > > > > > //David
> > > > > > > >http://w3-4u.blogspot.com
> > > > > > > >http://blogs.msdn.com/David.Wang
> > > > > > > > //- Hide quoted text -
> >
> > > > > > > - Show quoted text -- Hide quoted text -
> >
> > > > - Show quoted text -- Hide quoted text -
> >
> > - Show quoted text -
>
>
>
 >> Stay informed about: HTTP PUT IIS6 

> I noticed that I had to allow WebDav manually, after you said it was required.
> I verified permissions for folder write and anonymous full and test failed.
>
> I ended up fixing the problem another way.
> I had tried everything, and needed another approach.
>
> I completely uninstalled IIS, and components FTP, WWW, etc.
>
> I then reinstalled IIS. Now I don't have a clue if this makes a difference,
> but instead of checking WWW server, I checked WebDav.
> This checked all necessary boxes for WWW Etc.
>
> When I open IIS manager, I then setup my write access and anonymous
> permissions again. I went to enable WebDav and it was already enabled.
> Thats strange, before I had to manually enable it.
>
> And it worked, I couldputfiles in my directory via HttpmethodPUT.
>
+1 for this on Windows 2003 R2. I gave full control to the directory I
was trying to PUT the file into for Everyone, Anonymous Logon, Users
and the IUSR_ account and was still getting a 404.0 error. I
uninstalled the WebDAV publishing and WWW service and reinstalling as
mentioned above and PUT began working immediately. Clearly just
enabling the WebDAV extension is not enough.
 >> Stay informed about: HTTP PUT IIS6 

I really wish any of you can help.

I have tried everything that you guys have done, but in my case, I get 405 Method Not Allowed when I attempt to send PUT method.

GET, HEAD, and even POST work, but not PUT.

I have run out of ideas now after having googled and spoken with my manager.

Could any of you point me to some direction please?

Thank you.

> On Monday, February 05, 2007 6:11 PM Tra wrote:

> Unable to PUT .jpg on IIS6. IIS5 on XP works fine. Anonymous Connection,
> specialized application for LAN. Why does it work in XP IIS5 but not IIS6 on
> Windows 2003?


>> On Monday, February 05, 2007 7:37 PM David Wang wrote:

>> On Feb 5, 3:11 pm, Tray wrote:
>>
>> IIS6 installs in a secure configuration by default.
>>
>> PUT is WebDAV, which is not enabled by default on IIS6.
>>
>> IIS5 has everything enabled by default and no easy way to disable
>> WebDAV, so PUT works... along with all those security exploits.
>>
>> Enable WebDAV in Web Service Extensions, enable Write permissions in
>> IIS Manager UI for the specific folder, enable authentication, and set
>> ACLs correctly on the folder in NTFS, and you should be able to PUT on
>> IIS6.
>>
>>
>> //David
>> http://w3-4u.blogspot.com
>> http://blogs.msdn.com/David.Wang
>> //


>>> On Tuesday, February 06, 2007 9:31 AM Tra wrote:

>>> Is authentication required for PUT in IIS6?
>>> Is there a way to anonymous PUT in IIS6?
>>> The application was working with anonymous PUT command to buried folder (not
>>> wwwroot) with XP IIS5.
>>>
>>>
>>> "David Wang" wrote:


>>>> On Tuesday, February 06, 2007 7:31 PM David Wang wrote:

>>>> The same functionality of IIS5.1 in XP Pro is possible with IIS6 with
>>>> the same configuration. IIS6 only adds the knob to enable/disable
>>>> WebDAV.
>>>>
>>>> To allow anonymous PUT (quite dangerous - easy for anyone to exploit
>>>> your server), simply:
>>>> 1. Enable WebDAV (new to IIS6)
>>>> 2. Enable "Write" Permission in IIS Manager UI (same on IIS5.1 and
>>>> IIS6)
>>>> 3. Enable Anonymous Authentication (same on IIS5.1 and IIS6)
>>>> 4. Set NTFS ACLs on the PUT destination folder to allow the configured
>>>> Anonymous user Write access (same on Windows)
>>>>
>>>> It sounds like your application has a bug where it does not properly
>>>> configure the webserver with its dependencies, so it fails between
>>>> IIS5.1 and IIS6.
>>>>
>>>>
>>>> //David
>>>> http://w3-4u.blogspot.com
>>>> http://blogs.msdn.com/David.Wang
>>>> //
>>>>
>>>>
>>>>
>>>> On Feb 6, 6:31 am, Tray wrote:


>>>>> On Thursday, February 08, 2007 11:08 AM Tra wrote:

>>>>> David,
>>>>>
>>>>> I noticed that I had to allow WebDav manually, after you said it was required.
>>>>> I verified permissions for folder write and anonymous full and test failed.
>>>>>
>>>>> I ended up fixing the problem another way.
>>>>> I had tried everything, and needed another approach.
>>>>>
>>>>> I completely uninstalled IIS, and components FTP, WWW, etc.
>>>>>
>>>>> I then reinstalled IIS. Now I don't have a clue if this makes a difference,
>>>>> but instead of checking WWW server, I checked WebDav.
>>>>> This checked all necessary boxes for WWW Etc.
>>>>>
>>>>> When I open IIS manager, I then setup my write access and anonymous
>>>>> permissions again. I went to enable WebDav and it was already enabled.
>>>>> Thats strange, before I had to manually enable it.
>>>>>
>>>>> And it worked, I could put files in my directory via Httpmethod PUT.
>>>>>
>>>>> Another note.
>>>>>
>>>>> The everyone group is giving anonymous internet access. I swore that was
>>>>> supposed to be fixed in Windows 2003. This was a design flaw with XP if I
>>>>> remember correctly.
>>>>>
>>>>>
>>>>> "Tray" wrote:


>>>>>> On Thursday, February 08, 2007 2:47 PM David Wang wrote:

>>>>>> The design flaw is fixed - there is a security setting "Everyone
>>>>>> includes Anonymous" - what is your setting?
>>>>>>
>>>>>> Remember, there are compatibility and other things to consider, not
>>>>>> just make a change and break the world. Some people may depend on that
>>>>>> functionality for their business.
>>>>>>
>>>>>>
>>>>>>
>>>>>> //David
>>>>>> http://w3-4u.blogspot.com
>>>>>> http://blogs.msdn.com/David.Wang
>>>>>> //
>>>>>>
>>>>>>
>>>>>> On Feb 8, 8:08 am, Tray wrote:


>>>>>>> On Thursday, February 08, 2007 4:31 PM Tra wrote:

>>>>>>> If you are refering to Admin Tools, Local Security Settings,
>>>>>>> Security Settings, Local Polices, Security Options
>>>>>>> Network Access: Let Everyone Permission Apply to Anonymous=Disabled
>>>>>>>
>>>>>>> I tripple double checked adding everyone has write access.
>>>>>>> PUT my file
>>>>>>> Then removed everyone permission.
>>>>>>> PUT my file and got error for ACL.
>>>>>>> So I removed the everyone group for now and add anonymous.
>>>>>>>
>>>>>>> Also
>>>>>>> HKLM\System\CurrentControlSet\Control\LSA
>>>>>>> EveryoneIncludesAnonymous=0
>>>>>>>
>>>>>>> which means it should be disabled.
>>>>>>>
>>>>>>> Anyways, about WebDav
>>>>>>> Me and our team of frustrated techs have figured out that there is an issue
>>>>>>> with WebDav.
>>>>>>> Even though you click allow. It may not work.
>>>>>>> Click Prohibit and Then Allow again seems to correct the problem.
>>>>>>>
>>>>>>> In my case I had to reinstall WebDav, on a Win2003 Enterprise Edition to get
>>>>>>> it to work.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Tray
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "David Wang" wrote:


>>>>>>>> On Thursday, February 08, 2007 7:49 PM David Wang wrote:

>>>>>>>> To have WebDAV work, there's both a registry tweak that makes HTTP.SYS
>>>>>>>> allow WebDAV verbs (that's why you were getting 501) as well as "Web
>>>>>>>> Service Extensions" enabling of WebDAV (which changes whether
>>>>>>>> httpext.dll is allowed to be used by IIS).
>>>>>>>>
>>>>>>>> You need both for WebDAV to work. Placing checkmark in Add/Remove
>>>>>>>> Programs does both. Enabling "WebDAV" in Web Service Extensions only
>>>>>>>> allows httpext.dll. Unfortunately, that is often mistakenly viewed as
>>>>>>>> the "make WebDAV work" checkbox when it isn't.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Some of those settings require rebooting to take effect, and I notice
>>>>>>>> strange behaviors if you toggle them without rebooting. Just make
>>>>>>>> sure.
>>>>>>>>
>>>>>>>>
>>>>>>>> Unfortunately, IUSR is anonymous only to IIS and not anonymous as far
>>>>>>>> as Windows is concerned. That's addressed in Vista/IIS7.
>>>>>>>>
>>>>>>>>
>>>>>>>> //David
>>>>>>>> http://w3-4u.blogspot.com
>>>>>>>> http://blogs.msdn.com/David.Wang
>>>>>>>> //
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Feb 8, 1:31 pm, Tray wrote:


>>>>>>>>> On Friday, February 09, 2007 3:57 PM Tra wrote:

>>>>>>>>> It might be because it doesn't let you know that it's not installed next to
>>>>>>>>> "allow or prohibit", or when you click allow.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Everyone Includes anonymous setting has never been changed.
>>>>>>>>> Fresh install of windows. Set to 0 or disabled.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thanks again.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "David Wang" wrote:


>>>>>>>>>> On Monday, March 05, 2007 11:53 AM Jim wrote:

>>>>>>>>>> +1 for this on Windows 2003 R2. I gave full control to the directory I
>>>>>>>>>> was trying to PUT the file into for Everyone, Anonymous Logon, Users
>>>>>>>>>> and the IUSR_ account and was still getting a 404.0 error. I
>>>>>>>>>> uninstalled the WebDAV publishing and WWW service and reinstalling as
>>>>>>>>>> mentioned above and PUT began working immediately. Clearly just
>>>>>>>>>> enabling the WebDAV extension is not enough.
 >> Stay informed about: HTTP PUT IIS6