How to Set Up WebDAV in IIS on Windows Server 2022
WebDAV (Web Distributed Authoring and Versioning) extends HTTP to allow clients to read and write files on a remote web server. On Windows Server 2022 with IIS, WebDAV is a built-in feature that integrates tightly with NTFS permissions, IIS authentication, and SSL. This guide walks through every step of deploying a fully functional WebDAV server, from feature installation to client mapping and testing with curl.
Installing the WebDAV Publishing Feature
WebDAV is not installed by default. It lives under the Web Server (IIS) role as a sub-feature called Web-DAV-Publishing. You can install it using Server Manager or PowerShell. Using PowerShell is faster and scriptable.
Open an elevated PowerShell prompt and run:
Install-WindowsFeature -Name Web-DAV-Publishing -IncludeManagementTools
This installs both the WebDAV module and the IIS Management Console components needed to configure it graphically. Verify the installation with:
Get-WindowsFeature Web-DAV-Publishing
You should see the Install State listed as Installed. After installation, the WebDAV Authoring Rules icon will appear in IIS Manager at both the server and site level.
Enabling WebDAV on an IIS Site
Installing the feature does not automatically enable WebDAV on any site. You must explicitly activate it per site. In IIS Manager, expand the Sites node, click the target site, then double-click WebDAV Authoring Rules. In the Actions pane on the right, click Enable WebDAV.
Alternatively, enable WebDAV via PowerShell using the WebAdministration module:
Import-Module WebAdministration
Set-WebConfigurationProperty -Filter "system.webServer/webdav/authoring" -PSPath "IIS:\Sites\Default Web Site" -Name "enabled" -Value $true
You can also enable WebDAV in the site’s web.config directly:
Configuring WebDAV Authoring Rules
Authoring rules define who can access WebDAV and with what permissions. Without at least one authoring rule, WebDAV will return a 403 Forbidden even for authenticated users.
In IIS Manager, go to your site, double-click WebDAV Authoring Rules, and click Add Authoring Rule. You will see three options for who the rule applies to: All users, Specific users, or Specific roles or groups. For permissions, you can grant Read, Source (access to source code), and Write independently.
To allow all authenticated users to read and write via WebDAV:
Add-WebConfigurationProperty -Filter "system.webServer/webdav/authoringRules" -PSPath "IIS:\Sites\Default Web Site" -Name "." -Value @{users="*"; path="/"; access="Read, Write"}
More practically, add a rule via the XML in web.config:
Setting Up a Virtual Directory for WebDAV
You may want WebDAV to serve a specific folder rather than the entire site root. Create a virtual directory in IIS Manager by right-clicking the site name and selecting Add Virtual Directory. Set the alias (e.g., files) and the physical path (e.g., C:\WebDAVShare).
New-Item -Path "C:\WebDAVShare" -ItemType Directory
New-WebVirtualDirectory -Site "Default Web Site" -Name "files" -PhysicalPath "C:\WebDAVShare"
Ensure the application pool identity (or the specific account you use) has NTFS permissions on C:\WebDAVShare. Grant Modify permissions so WebDAV clients can create, edit, and delete files:
icacls "C:\WebDAVShare" /grant "IIS AppPool\DefaultAppPool:(OI)(CI)M"
Configuring Authentication for WebDAV
WebDAV requires authentication to function securely. Anonymous access is possible but should only be used for read-only public repositories. IIS supports several authentication methods for WebDAV: Basic Authentication, Windows Authentication (NTLM/Negotiate), and Digest Authentication.
Basic Authentication sends credentials as Base64-encoded text, which anyone who can observe the traffic can decode, so it must always be paired with HTTPS. Enable it with:
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/basicAuthentication" -PSPath "IIS:\Sites\Default Web Site" -Name "enabled" -Value $true
Windows Authentication is more secure for internal networks:
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/windowsAuthentication" -PSPath "IIS:\Sites\Default Web Site" -Name "enabled" -Value $true
Digest Authentication works over HTTP without transmitting plain-text passwords but requires the domain to be configured correctly. Disable anonymous authentication if you require all users to authenticate:
Set-WebConfigurationProperty -Filter "system.webServer/security/authentication/anonymousAuthentication" -PSPath "IIS:\Sites\Default Web Site" -Name "enabled" -Value $false
Enforcing HTTPS for WebDAV
Because Basic Authentication is the most compatible WebDAV authentication method, HTTPS is essential. Bind an SSL certificate to your site first. You can use a self-signed certificate for internal use:
$cert = New-SelfSignedCertificate -DnsName "webdav.example.com" -CertStoreLocation "Cert:\LocalMachine\My"
$thumbprint = $cert.Thumbprint
netsh http add sslcert ipport=0.0.0.0:443 certhash=$thumbprint appid="{00112233-4455-6677-8899-AABBCCDDEEFF}"
Then add an HTTPS binding in IIS Manager or via PowerShell:
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -IPAddress "*" -SslFlags 0
To require SSL on the WebDAV virtual directory and reject plain HTTP:
Set-WebConfigurationProperty -Filter "system.webServer/security/access" -PSPath "IIS:\Sites\Default Web Site\files" -Name "sslFlags" -Value "Ssl"
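An added example, not part of the original guide: a PowerShell check that reads an IIS configuration fragment and flags the combinations this guide warns against (Basic authentication without required SSL, anonymous access alongside a Write rule, WebDAV enabled with no authoring rule). The sample XML is constructed, the function names are hypothetical, and it assumes the settings sit in a location block as in applicationHost.config; inherited values are not resolved.

```powershell
# Constructed sample: element/attribute names follow the IIS schema; values are illustrative.
[xml]$config = @'
<configuration>
  <location path="Default Web Site/files">
    <system.webServer>
      <webdav>
        <authoring enabled="true" />
        <authoringRules><add users="*" path="*" access="Read, Write" /></authoringRules>
      </webdav>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="true" />
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: attribute value of the node at $XPath, or $null if the node is absent.
function Get-NodeAttribute($Node, $XPath, $Name) {
    $n = $Node.SelectSingleNode($XPath)
    if ($null -ne $n) { $n.GetAttribute($Name) }
}

# Hypothetical helper (not an IIS cmdlet): one finding object per risky combination.
function Test-WebDavConfig {
    param([xml]$Xml)
    foreach ($ws in $Xml.SelectNodes('//location/system.webServer')) {
        if ((Get-NodeAttribute $ws 'webdav/authoring' 'enabled') -ne 'true') { continue }
        $auth  = 'security/authentication'
        $ssl   = ("$(Get-NodeAttribute $ws 'security/access' 'sslFlags')" -split ',\s*') -contains 'Ssl'
        $anon  = (Get-NodeAttribute $ws "$auth/anonymousAuthentication" 'enabled') -eq 'true'
        $basic = (Get-NodeAttribute $ws "$auth/basicAuthentication" 'enabled') -eq 'true'
        $rules = @($ws.SelectNodes('webdav/authoringRules/add'))
        $write = @($rules | Where-Object { $_.GetAttribute('access') -match 'Write' }).Count -gt 0
        $issues = @()
        if ($rules.Count -eq 0)    { $issues += 'WebDAV enabled with no authoring rule (requests get 403)' }
        if ($basic -and -not $ssl) { $issues += 'Basic authentication without sslFlags="Ssl"' }
        if ($anon -and $write)     { $issues += 'Anonymous authentication combined with a Write rule' }
        foreach ($i in $issues) { [pscustomobject]@{ Path = $ws.ParentNode.GetAttribute('path'); Finding = $i } }
    }
}

$before = @(Test-WebDavConfig $config)
# Apply the two corrections from this guide in memory, then re-check.
$config.SelectSingleNode('//security/access').SetAttribute('sslFlags', 'Ssl')
$config.SelectSingleNode('//anonymousAuthentication').SetAttribute('enabled', 'false')
$after = @(Test-WebDavConfig $config)
$before | Format-Table -AutoSize
"Findings before: $($before.Count); after corrections: $($after.Count)"
```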
Mapping a Network Drive to WebDAV from Windows
Windows has a built-in WebDAV client (WebClient service). To map a WebDAV share as a drive letter, open File Explorer, right-click This PC, and choose Map network drive. Enter the URL as the folder path, e.g., https://webdav.example.com/files.
From the command line:
net use Z: https://webdav.example.com/files /user:domain\username
The WebClient service must be running on the client machine:
Start-Service WebClient
Set-Service WebClient -StartupType Automatic
If you are connecting to a server that uses a self-signed certificate, you must first import the certificate into the Trusted Root Certification Authorities store on the client, or the WebClient will refuse the connection with error 0x80070035 or similar.
Using WebDAV with Windows Explorer
Windows Explorer integrates with WebDAV transparently once a drive is mapped. Users can drag and drop files, create folders, rename, and delete just as with a local drive. However, the Windows WebDAV client has a known 50MB file size limit by default for uploads. Increase this limit by modifying a registry key:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WebClient\Parameters" -Name "FileSizeLimitInBytes" -Value 4294967295
Restart the WebClient service after the change:
Restart-Service WebClient
NTFS Permissions for WebDAV
WebDAV respects both IIS authorization rules and NTFS file system permissions. Both must allow access for a WebDAV operation to succeed. A common setup is to grant the WebDAV virtual directory to a dedicated Active Directory group, then control file-level access through NTFS ACLs on subfolders.
For a shared documents folder accessible to a group called WebDAVUsers:
icacls "C:\WebDAVShare" /grant "DOMAIN\WebDAVUsers:(OI)(CI)M"
icacls "C:\WebDAVShare" /grant "BUILTIN\IIS_IUSRS:(OI)(CI)R"
Testing WebDAV with curl
curl supports WebDAV methods including PROPFIND, MKCOL, PUT, and DELETE. This makes it ideal for scripted testing or automation. Test that WebDAV is reachable and listing files with a PROPFIND request:
curl -X PROPFIND https://webdav.example.com/files/ -u "domain\username:password" -H "Depth: 1" --insecure
Upload a file with PUT:
curl -T "C:\localfile.txt" https://webdav.example.com/files/remotefile.txt -u "domain\username:password" --insecure
Create a directory with MKCOL:
curl -X MKCOL https://webdav.example.com/files/newdir/ -u "domain\username:password" --insecure
Delete a file:
curl -X DELETE https://webdav.example.com/files/remotefile.txt -u "domain\username:password" --insecure
Remove the --insecure flag and replace it with --cacert path\to\cert.crt when using a trusted certificate in production.
Troubleshooting Common WebDAV Issues
If you receive 405 Method Not Allowed responses, the WebDAV module is likely not enabled or the authoring rules are missing. Check that the WebDAVModule is loaded and that at least one authoring rule exists for the path.
If you see 401 Unauthorized repeatedly, check that the authentication provider is enabled and that the account being used has not been locked out. Also confirm that the web.config does not override authentication settings set at the site level.
For 403 Forbidden, verify both the IIS authoring rule and the NTFS permissions. One missing piece will block access even if the other is correct. Use the IIS Failed Request Tracing feature to pinpoint exactly which module or handler is generating the 403.
To view the current WebDAV configuration in XML form for a site:
Get-WebConfiguration -Filter "system.webServer/webdav" -PSPath "IIS:\Sites\Default Web Site"
WebDAV on Windows Server 2022 with IIS is a straightforward but layered service. Ensuring the feature is installed, authoring rules are in place, authentication is configured correctly, NTFS permissions are set, and HTTPS is enforced covers the vast majority of deployment scenarios. Once mapped as a drive letter or accessed through a WebDAV client, the experience is seamless for end users.