Question Synology NAS and WebDav No longer working with All Office 365 Apps

[Allan_A2Z_Computing]

Microsoft are saying that synology NAS box/s are now non-compliant with all up to date Microsoft 365 Apps as they do not pass even the basic authentication methods so all office apps are no longer going to be able to open files from those locations using webdav. No solution is currently available from Synology to allow remote access via webdav that office apps can use, microsoft basically say the solution is to migrate all the data and not to use Synology. Even synology has provided following documentation from Microsoft via there support application as linked below.

https://learn.microsoft.com/en-us/deployoffice/security/basic-authentication-prompts-blocked

• Adding the location to trusted locations within microsft app will not make any difference.
• Downgrading the office packages is not viable for any business as it will no longer be compliant with data regulations, GDPR and company insurances.
• Changing the SSL cert for the DDNS used to map the drive makes no difference.
• Changing the TLS/SSL profile level makes no difference
• Adding the source as a network location instead of a mapped drive does not work.

Therror message is as follows:



I wonder if anybody can figure out a working solution? or I fear that Synology is doomed for any remote file working that uses mapped drives.

 

[Ralston18]

From the link:

"Therefore, to help improve security in Microsoft 365 Apps, we’re changing its default behavior to block sign-in prompts from Basic authentication"

Just a change to default behavior as I understand it all. End users still have a choice....

Also I found this link:

https://servicecenter.fsu.edu/s/article/How-do-I-use-WebDAV-with-Windows-11-Individual

Does not appear to be Synology specific.

 

[Allan_A2Z_Computing]

From the link:

"Therefore, to help improve security in Microsoft 365 Apps, we’re changing its default behavior to block sign-in prompts from Basic authentication"

Just a change to default behavior as I understand it all. End users still have a choice....

Also I found this link:

https://servicecenter.fsu.edu/s/article/How-do-I-use-WebDAV-with-Windows-11-Individual

Does not appear to be Synology specific.

Thank you for the suggestion but it still has the exact same outcome with the exact same message even when mapping as a shared location rather than a mapped drive. Just to be clear if I map the network location within the building/network infrastructure then the office apps have no issue at all but if I map the drive from outside the building/network (such as on a home workers machine) the office apps refuse to play ball.

The issue is the newly updated office packages now report that they require more secure authentication than the Synology boxes provide no matter what settings you use at the source(NAS). Also as stated when connecting to the Synology NAS boxes via the WAN IP or URL the Office packages see the files as unsecure even when adding the source locations to theTrusted sites list withing the Office applications, the applications simple decide that they dont trust the source and does not care if the end user is actually saying that they do trust it. So you can map a WebDav location from anywhere just dont expect office apps to be able to open files from the mapped drive or shared location.

The default behaviour now appears to be that no Microsoft Office apps will work with WebDav unless it is from an internal location.

 

[Ralston18]

Interesting.

However, full disclosure, I am going out of my comfort zones.

And the described problems and referenced links just lead me to more questions and possibilities.

Still I did a bit more research and found the following links (among others):

https://learn.microsoft.com/en-us/i...new-in-iis-7/what39s-new-for-webdav-and-iis-7

https://kb.synology.com/en-br/DSM/help/WebDAVServer/webdav_server?version=7

[ Side bar: I would not expect Microsoft to so fully undermine the process to the point of not being workable. Nor would I expect Synology not to come up with a fix if the problem is truly on their end.... Neither party has anything to gain by making security etc. so secure it becomes unworkable or untenable for end users.]

Are you able to determine where the blocking occurs? Reference the flowcharts presented in the Post #1 link(s). Walk through the processes and try to confirm what happens (or does not happen) with each step.

Take a look at the links and keep posting what you find and what fixes you have tried and are trying.

Hopefully someone may spot a specific fixable configuration issue. Or identify other ways to discover the problem and some corresponding fix.

 

[Allan_A2Z_Computing]

Here is the response from Synology.

Hello,

Thank you for your reply.

The issue is not that our WebDAV implementation does not pass basic authentication methods, this has occurred due to Microsoft stopping any connection to their applications that use basic authentication as outlined in the article I have provided from Microsoft themselves.

I have also been discussing this with our Head Office to confirm that the WebDAV connection to our NAS unit does use basic authentication and currently, it is not possible to change this.

Due to this we would recommend either using Synology Drive Client which is a sync task to sync files from the NAS to PC (their is an On-Demand Feature which allows you to only sync files you want)

Or an alternative method which I would recommend more would be to access the NAS through SMB using a VPN. More information on this can also be found below:

https://kb.synology.com/en-af/DSM/tutorial/smb_connect_via_vpn

If you have any further questions please do not hesitate to get in touch.

The solutions suggested are just going to cost companies more money through downtime and implementation. VPN would be an extra cost, and changing to a Drive client would be an inconvenience, both resulting in downtime and profit loss.

It seems that Synology v. Microsoft is the argument from both sides, and neither one is willing to do anything for their paying customers. Microsoft seems to be more than happy to put hardware and software vendors out of business, and the reverse vendors seem to be blind to the fact that Microsoft is moving forward to an all-PayG system in Windows 12 and their products.