OneNote 2007 is out, and of course I rushed out to get a copy. It was the main reason that I had participated in the Office 2007 beta, and there are a number of great new features. One particularly great new feature is the ability to have notes stored on a server, with clients syncing up against it. For me, this means that I can use my notes on my laptop at home, or on my desktop at work, without having to manually sync things. Chris Pratley, the ex-manager of the OneNote team, wrote a very good description of all of the new multi-machine possibilities. Good stuff: any WebDAV server can act as the repository. But…
However, I'm wary of using a WebDAV server across the internet. I might have very private things in my notes (account numbers, for example), and sending them around unencrypted doesn't sound like a good idea. Dan Escapa of Microsoft pointed out that Vista doesn't even allow SharePoint access over the internet via unsecured HTTP. David Rasmussen, also of the OneNote team, wrote about using USB flash drives as a way of keeping things in sync, an alternative to the network. (In the comments of that post, he mentions that password-protecting the .one files might keep things private.)
Unfortunately, when I tried to use WebDAV over HTTPS (with Basic Authentication) during the Beta, it failed. Looking through my webserver logs (I was running Apache on Debian), I saw OneNote occasionally making requests to the unsecured HTTP URLs. I discussed this with Dave and another MS developer, and they did some testing.
So when I tried it out with the production version of OneNote, I was disappointed to find that the error still persisted. Let me try to detail what the problem is. The MS team may have made some changes since the Beta, as I think that I have a way to work around it.
I have complete control over my server (Apache 2.0.54), and am running OneNote 2007 (build 12.0.4518.1014). I've split my website into an area that has my normal content (www.borlik.net) and an area that just has WebDAV content (webdav.borlik.net) using virtual hosts. In addition, each of those areas has separate virtual hosts for HTTP and HTTPS. Originally, I didn't want to have an unsecured WebDAV location at all, and hoped to simply redirect all HTTP traffic to HTTPS.
I tested this by trying to create a new OneNote notebook (named xxx) at the secure WebDAV location, e.g. https://webdav.borlik.net/. This failed with error message boxes. If you look carefully at the webserver logs, you might notice something odd in what OneNote is requesting from the server:
192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD /xxx/ HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:13 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx HTTP/1.1" 404 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "MKCOL /xxx HTTP/1.1" 201 324 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "HEAD /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "PROPFIND /xxx/New%20Section%201.one HTTP/1.1" 404 363 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "OPTIONS /xxx/New%20Section%201.one HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - - [01/Feb/2007:20:58:14 -0800] "OPTIONS / HTTP/1.1" 301 377 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:20:58:14 -0800] "PROPFIND /xxx HTTP/1.1" 207 837 "-" "Microsoft Data Access Internet Publishing Provider DAV"
Can you find it? Most of the requests go to the secured (HTTPS) URL, authenticated as my username (jborlik). The second-to-last request, however, is an OPTIONS request to the root of the HTTP site, sent without credentials (the "-" in the user column) and by a different user agent: "Microsoft-WebDAV-MiniRedir/5.1.2600" is the Windows WebClient service (the WebDAV Mini-Redirector; 5.1.2600 is the Windows XP build number), not OneNote's own DAV code. Apache returns a 301 (Moved Permanently), as it should, and OneNote stops. I don't know what it is looking for at the root, and I really don't want there to be anything there. On the server, a directory for the new notebook is actually created, but none of the template .one files are created. OneNote itself displays a red crossed-out circle over the notebook, indicating that it can't sync.
If I do not redirect HTTP to HTTPS, i.e. open the WebDAV directory to unauthenticated access, things seem to work fine. (I'm doing the same thing: creating a new notebook "yyy" at the secured URL.)
…
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "OPTIONS /yyy/New%20Section%201.one HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - - [01/Feb/2007:21:02:42 -0800] "PROPFIND /yyy HTTP/1.1" 207 837 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "HEAD /yyy/OneNote%20Table%20Of%20Contents.onetoc2 HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "HEAD /yyy HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:02:42 -0800] "MKCOL /yyy HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
...
At the critical moments, OneNote makes the OPTIONS and PROPFIND requests over unauthenticated HTTP. Those now succeed (200 for OPTIONS, 207 Multi-Status for PROPFIND), so it moves on and does the rest of its work. Of course, this isn't secure at all, and we are back where we started.
The next thing I tried was to allow only OPTIONS and PROPFIND requests over unauthenticated HTTP. These aren't terribly insecure, I suppose, especially if GET and PUT are rejected. This is done in Apache with the LimitExcept directive. So, my unsecured WebDAV virtual host definition contains something that looks like:
<Location />
    Options Indexes
    Dav on
    DavDepthInfinity on
    AllowOverride None
    # Refuse every method except the two that OneNote insists on sending
    # over plain HTTP; GET, PUT, MKCOL, MOVE, LOCK etc. are all denied here.
    <LimitExcept OPTIONS PROPFIND>
        deny from all
    </LimitExcept>
</Location>
When I tried the same thing again (created a new notebook "ccc" on the secure URL), it actually seemed to work!
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD / HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "OPTIONS /ccc HTTP/1.1" 200 - "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc HTTP/1.1" 404 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "MKCOL /ccc HTTP/1.1" 201 324 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:56 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PROPFIND / HTTP/1.1" 207 6474 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/Client%20A.one HTTP/1.1" 404 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc/Client%20A.one HTTP/1.1" 404 357 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PROPFIND /ccc HTTP/1.1" 207 779 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - - [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 403 361 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PROPFIND / HTTP/1.1" 207 6474 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc HTTP/1.1" 301 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "MKCOL /ccc HTTP/1.1" 405 370 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "LOCK /ccc/Client%20A.one HTTP/1.1" 200 420 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "PUT /ccc/Client%20A.one HTTP/1.1" 201 335 "-" "Microsoft Data Access Internet Publishing Provider DAV"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "OPTIONS /ccc/ HTTP/1.1" 200 - "-" "Microsoft Office Protocol Discovery"
192.168.0.148 - jborlik [01/Feb/2007:21:28:57 -0800] "HEAD /ccc/Client%20A.one HTTP/1.1" 200 - "-" "Microsoft Office Existence Discovery"
If you look very closely at the log above, you will see OneNote make its OPTIONS and PROPFIND requests over unauthenticated HTTP, succeed, and move on. It tries a number of other things over the unsecured URL, including PUT (refused with 403), but then it tries again over HTTPS, authenticated, and succeeds. (I tried just allowing OPTIONS over HTTP and disallowing PROPFIND, but that failed.)
With this, I think that things are up and running. It seemed to sync and work correctly. When I restarted OneNote, it re-prompted me for the site login (using the IE authentication box), which is fine. I did notice that I couldn't rename sections, as OneNote tried to do a (disallowed) MOVE request over the unsecured HTTP, and never tried again over HTTPS. Ah well… MOVE is a bit more dangerous, so I'll leave that one turned off. I'll just have to be very careful what I name sections when I first make them.
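For reference, here is the complete pair of virtual hosts that the approach above implies. This is an added example, not the configuration from the original post: the hostnames are the ones used above, but the document root, log paths, lock database, certificate files and htpasswd file are assumptions, and the access-control syntax is the Apache 2.0/2.2 style matching the server version mentioned (on Apache 2.4 the Order/Deny lines become "Require all denied").

```apache
# Added example (editor's addition, not the post's own httpd.conf).
# Assumes mod_dav, mod_dav_fs, mod_ssl and mod_auth are loaded, a DAV root at
# /var/www/webdav, and an htpasswd file at /etc/apache2/webdav.htpasswd.

# mod_dav needs a lock database or LOCK requests (seen in the log above) fail.
DavLockDB /var/lock/apache2/DavLock

# Unsecured vhost: only the discovery methods OneNote sends over plain HTTP.
# Deliberately no DavDepthInfinity here, so an anonymous PROPFIND cannot walk
# the whole tree in one request.
<VirtualHost *:80>
    ServerName   webdav.borlik.net
    DocumentRoot /var/www/webdav
    CustomLog    /var/log/apache2/webdav-http.log combined

    <Location />
        Dav On
        Options Indexes
        AllowOverride None
        <LimitExcept OPTIONS PROPFIND>
            Order Deny,Allow
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>

# Secured vhost: full WebDAV, but only after Basic authentication over TLS.
<VirtualHost *:443>
    ServerName   webdav.borlik.net
    DocumentRoot /var/www/webdav
    CustomLog    /var/log/apache2/webdav-https.log combined

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webdav.borlik.net.pem
    SSLCertificateKeyFile /etc/ssl/private/webdav.borlik.net.key

    <Location />
        Dav On
        DavDepthInfinity On
        Options Indexes
        AllowOverride None
        AuthType     Basic
        AuthName     "webdav.borlik.net"
        AuthUserFile /etc/apache2/webdav.htpasswd
        Require      valid-user
    </Location>
</VirtualHost>
```

To confirm the split behaves as intended, check it from a shell before pointing OneNote at it: "curl -i -X PUT -d x http://webdav.borlik.net/test.one" should come back 403, "curl -i -X PROPFIND -H 'Depth: 1' http://webdav.borlik.net/" should come back 207, and "curl -i -X PUT -d x https://webdav.borlik.net/test.one" without credentials should come back 401. Two caveats are worth keeping in mind. First, an anonymous PROPFIND on the HTTP vhost still returns the names, sizes and modification times of every notebook directory and section file, so the layout of your notes (though not their contents) is visible to anyone who can reach port 80; keep the log separate so that traffic is easy to audit. Second, Basic authentication sends the password in the clear on every request, which is exactly why the authenticated vhost must be the HTTPS one and nothing in the HTTP vhost should ever be allowed to prompt for credentials.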
A person might be tempted to say that this was sloppy coding on the OneNote team's part. I don't believe that, though… My guess is that there are many different site setups, and many different WebDAV servers out there, and they tried to make OneNote as compatible as possible. Should they break SharePoint, or Apple iDisk, in order for this to work with my particular Apache setup? Someone will end up unhappy no matter what they choose. There is a way for me to work around the problem, at least. In the end, I'm glad that the functionality is there, and I salute the OneNote team for a product that makes me more productive.
Update 1/21/2007: Dan Escapa's must-read OneNote blog has some additional information regarding this issue. His solution, from David Tse of Microsoft, is more or less what I did above. Mr. Tse suggests that it doesn't work for Vista, although his solution didn't involve SSL encryption (as far as I could tell), just authentication over plain-old HTTP.