Feature Request: Strip Windows domain prefix from WebDAV Basic Auth credentials for SharePoint-compatible scanners #59291

@renne

Summary

Many network scanners, MFPs (multi-function printers), and other devices that support "Scan to SharePoint" or "Scan to Network Folder" via WebDAV send Basic Auth credentials with a Windows domain prefix. Nextcloud WebDAV currently rejects these credentials, requiring a third-party reverse proxy workaround to strip the domain before the request reaches Nextcloud.

Affected Devices / Use Cases

  • HP Pagewide Pro / Officejet Pro series (e.g. 377dw) — "Scan to SharePoint" feature
  • Xerox, Ricoh, Kyocera, Canon MFPs with Windows-domain network-folder authentication
  • Any device configured against a Windows domain where users enter credentials as DOMAIN\username
  • Clients using Windows Credential Manager, which may include the domain in stored credentials

Problem Description

These devices send the Authorization: Basic header with credentials encoded in one of these Windows domain formats:

# NetBIOS domain prefix (backslash)
DOMAIN\user:password
domain\user:password

# UPN-style (at-sign)
user@domain.example.com:password

Nextcloud receives the full string (e.g. DOMAIN\user) as the username and attempts to look up that user. Since no Nextcloud user named DOMAIN\user exists, authentication fails with HTTP 401.

Current workaround required

To support these devices, a separate reverse proxy must be deployed in front of Nextcloud to decode the Basic Auth header, strip the domain prefix, re-encode the header, and forward the request. Example Python proxy logic:

def strip_domain_from_username(username: str) -> str:
    # DOMAIN\user  ->  user
    if "\\" in username:
        domain, user = username.split("\\", 1)
        return user
    # user@domain  ->  user
    elif "@" in username:
        user, domain = username.rsplit("@", 1)
        return user
    return username

This workaround adds infrastructure complexity, an additional failure point, and maintenance burden just to support a standard credential format used by millions of enterprise devices.

Proposed Solution

Add native handling for Windows-domain-prefixed credentials in Nextcloud's WebDAV authentication layer. Two implementation approaches are possible:

Option A — Automatic domain stripping (preferred for device compatibility)

When a WebDAV authentication attempt with a domain-prefixed username fails, automatically retry with the bare username (domain stripped). If the bare-username login succeeds, accept the request.

This matches the behavior of SharePoint and Windows File Sharing servers, which transparently accept both DOMAIN\user and user.

Pseudocode:

function authenticate(raw_username, password):
    if login(raw_username, password):
        return success
    stripped = strip_domain(raw_username)   # remove DOMAIN\ or @domain
    if stripped != raw_username and login(stripped, password):
        return success
    return 401

Option B — Admin-configurable domain strip list

Add a setting in Settings → Administration → Security (or a new "WebDAV Compatibility" section):

Strip domain prefixes from WebDAV credentials
Domains to strip (comma-separated NetBIOS names, FQDN suffixes, or * for all):
MYDOMAIN, corp.example.com

This gives administrators explicit control and avoids any ambiguity about which domains are trusted.

Option C — Both

Default: automatic stripping disabled. Allow admins to enable it (Option B) with a wildcard option * that effectively enables Option A behavior.

Security Considerations

  • Domain stripping only applies to the username portion of credentials. The password is never modified.
  • The stripped username is still validated against Nextcloud's full authentication stack (password check, 2FA if applicable, brute-force protection).
  • Option A's fallback only triggers if the full DOMAIN\user login fails — no security downgrade for accounts that do not exist.
  • Option B explicitly limits stripping to administrator-approved domains, preventing unexpected cross-domain collisions.
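As an added illustration (not code from this issue or from Nextcloud), the following Python sketch puts the Option C flow and the considerations above together: Basic header decoding that leaves the password untouched, an admin-approved domain list with a `*` wildcard, and a fallback that runs only after the username as sent has already failed. The user store, the `login` check and the `ALLOWED` list are constructed stand-ins for the real backend and setting.

```python
import base64
import binascii
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample user store standing in for Nextcloud's user backend.
USERS = {"alice": "s3cret", "bob@corp.example.com": "hunter2"}

def login(username: str, password: str) -> bool:
    """Stand-in for the real password check; the password is never modified."""
    return USERS.get(username) == password

def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <b64>' into (username, password).
    Only the first ':' separates the two, so passwords may contain ':'."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def strip_domain(raw_username: str, allowed_domains: Iterable[str]) -> Optional[str]:
    """Return the bare user for DOMAIN\\user or user@domain when the domain is
    on the admin-approved list ('*' approves any domain); otherwise None."""
    allowed = {d.strip().lower() for d in allowed_domains}
    if "\\" in raw_username:
        domain, user = raw_username.split("\\", 1)
    elif "@" in raw_username:
        user, domain = raw_username.rsplit("@", 1)
    else:
        return None
    if not user or not domain:
        return None
    return user if "*" in allowed or domain.lower() in allowed else None

def authenticate(raw_username: str, password: str, allowed_domains: Iterable[str],
                 check: Callable[[str, str], bool] = login) -> Optional[str]:
    """Option C flow: try the username exactly as sent; fall back to the stripped
    form only if that fails and the domain is approved. Returns the accepted user."""
    if check(raw_username, password):
        return raw_username
    stripped = strip_domain(raw_username, allowed_domains)
    if stripped is not None and check(stripped, password):
        return stripped
    return None
```

Because the full string is tried first, an account whose Nextcloud username is literally an address such as bob@corp.example.com is never rewritten, and an unapproved domain is never stripped.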

Expected Benefit

Eliminates the need for a dedicated reverse proxy to support "Scan to SharePoint" devices, reduces infrastructure complexity, and brings Nextcloud in line with the behavior expected by enterprise scanning hardware and Windows-domain-aware clients.

Environment

  • Nextcloud version: 31.x (AIO)
  • Affected protocol: WebDAV (/remote.php/dav/)
  • Authentication method: HTTP Basic Auth
  • Client device tested: HP Pagewide Pro 377dw (firmware current as of 2026)
  • Operating environment: Self-hosted
