WebDAV Evaluation Criteria

Topic Last Modified: 2008-04-14

Items in the Exchange store can be accessed remotely by using the WebDAV protocol, defined in RFC 2518. This protocol extends the HTTP 1.1 protocol, defined by RFC 2616, to provide additional methods and capabilities. It provides a means to access both the contents of an item and an extensible set of associated properties.


When creating applications that use WebDAV to transmit sensitive information, or that communicate over the Internet, it is strongly recommended that the IIS virtual server use SSL/TLS encryption for better security. Within an intranet, NTLM or Kerberos authentication of WebDAV requests can also be used for authentication, but that does not provide data encryption.

Functional Criteria

Criteria HTTP/Web Distributed Authoring and Versioning (WebDAV)

Application Domain

Applications can use WebDAV to access folders, items, and item properties in the Exchange store. WebDAV is an extension to HTTP/1.1, and so can more easily be used across firewalls. Because WebDAV is a standard protocol, more choices are available for the client platform and client programming language.

Major Objects

WebDAV is a protocol, not an object model. Applications that use WebDAV can use the .NET Framework System.Net.HttpWebRequest object, Microsoft.HTTPRequest, or other HTTP request objects.

Data access model

WebDAV returns information in text and XML streams that contain the item data, properties, and error information. Additional information is available in the method response headers.

Threading Models

Application threading depends entirely on the client, and does not affect WebDAV. WebDAV is an extension of HTTP, so no connection state information is retained between transactions. However, items status is retained in the Exchange server, for example in response to a WebDAV resource lock command.

Application Architectures

Applications that use WebDAV are typically Web-based, thin-client applications. However, traditional Windows GUI applications can be developed that use WebDAV to communicate with the Exchange server. In addition, WebDAV is frequently used as the communication mechanism between an application middle tier and the Exchange server.

Remote Usage

WebDAV is often ideal for remotely accessing Exchange. Because it communicates by using the same ports that HTTP and HTTPS use, corporate firewalls and routers often do not require special configuration.


WebDAV supports transactions.

Management Capabilities

WebDAV virtual servers can be managed manually and programmatically by using the Exchange administration console, CDOEXM, and WMI.


Currently shipping with Exchange 2000 Server and Exchange Server 2003. Future versions of Exchange might not include, or provide access to, this technology.

Development Criteria

Criteria HTTP/Web Distributed Authoring and Versioning (WebDAV)

Languages and Tools

Because WebDAV is a protocol, any programming tool and language that correctly sends and receives HTTP requests and responses, for example, the MSXML HTTPRequest object, can be used to create applications that access Exchange by using WebDAV.

Managed Implementation

WebDAV is not a managed IIS extension. However, client applications that use WebDAV can use managed code as appropriate. Managed applications typically use the System.Net.HttpWebRequest object from the .NET Framework.


WebDAV can be used in scripts, by using the MSXML HTTPRequest object.

Test/Debug Tools

No special debugging tools are required to debug applications that use WebDAV. For particularly difficult protocol-interaction issues, a network monitoring tool may prove helpful. The NETMON.EXE tool can be very useful in debugging WebDAV protocol interactions. Because WebDAV queries are sometimes sensitive to minor syntactical differences, a WebDAV query tool can also be helpful.

Expert Availability

Finding developers who have created networked applications, or who have experience using networking protocols, should not be very difficult. For developers who have that type of experience, using WebDAV to access Exchange data should not pose significant problems.

Available Information

Because HTTP and WebDAV programming can be done within so many programming environments, there is a great deal of information about it. Microsoft and third-party books are available for information about using WebDAV to access Exchange information. In addition, provide information about using WebDAV to access Exchange information. Use the documentation appropriate to the version of Exchange you are developing for. To access the Exchange 2000 Server SDK and the Exchange Server 2003 SDK, see the Exchange Server Developer Center.

Developer / Deployment Licensing

Refer to your Exchange and MSDN subscription licensing agreements to determine whether additional licenses are required for the Exchange servers that store the data accessed by your WebDAV applications.

Security Criteria

Criteria HTTP/Web Distributed Authoring and Versioning (WebDAV)

Design-Time Permissions

No special developer permissions are required for using WebDAV with an Exchange server. The Exchange server must be configured to allow WebDAV access, and the developer must have permissions to access the data the application will use.

Setup Permissions

Because applications that use WebDAV run on either the client or middle tier, typically no special Exchange server permissions are needed for setup. If the Setup program makes changes in the Exchange store, the user running Setup must have the necessary permissions to make those changes.

Run-Time Permissions

The run-time permissions needed by applications that use WebDAV depend entirely upon the authentication/authorization methods used between the client and the WebDAV virtual server. When the application tier that uses WebDAV to access the Exchange server is a small number of computers, often the virtual server is configured to allow connections from only those middle-tier computers.

Built-in Security Features

WebDAV virtual servers by default use Basic or NTLM authentication, and anonymous access is disabled. Because WebDAV transmits data in plaintext across the network, it is also recommended that Exchange WebDAV virtual servers that transmit sensitive data use SSL/TLS.

Security Monitoring Features

WebDAV virtual servers use the IIS security monitoring features.

Deployment Criteria

Criteria HTTP/Web Distributed Authoring and Versioning (WebDAV)

Server Platform Requirements

The Exchange server that manages the store where your application data resides must have a WebDAV virtual server if the client application accesses it directly. Alternatively, WebDAV configured on Exchange front-end servers can be use to access all the stores in the domain on which the user has permissions.

Client Platform Requirements

WebDAV is not a client technology. The design and implementation of the application client determines the client requirements.

Deployment Methods

WebDAV client applications are deployed based on their client architecture and technology. The client or middle tier communicates via WebDAV with an Exchange server.

Deployment Notes

When using WebDAV with NTLM or Kerberos authentication to access Exchange data through a front-end server, the Keep-alive protocol header must be set to True. If it is not, the request might not be passed to the Exchange server.