Turns out hosting KeePass on IIS isn't too hard of a project. It only took me an age to realize I was searching in the wrong places. The last two links I sourced above are for setups in IIS 6 and IIS 7 and you can try them out if you would me I did and never got them working. Having IIS 8.5 on my system, I probably should have given the notion that chances were slim, but I blew my hours away anyway. Finally I figured out how to do it using WebDAV.

Now you should note WebDAV is quite vulnerable because it essentially allows any client to get your data, interact with it and put it back on your server. Basically it's hall pass for anyone wanting to put viruses on your server. With this in mind you should really make sure you have setup the appropriate securities on your server before enabling WebDAV. This tutorial isn't going to go over in depth any of these securities, it is intended to show how to get KeePass2 available over HTTP on IIS. I have left though some tips on where to go to start securing your website further for the interested reader.

Install WebDAV

The first link is a great source for instructions on this. It includes steps for IIS 7, 8 and 8.5 and for installing it on IIS on Windows 8 or in my case Windows Server. I'll list below the Windows Server instructions I followed from the site below:

  1. Click the Server Manager icon on the desktop
  2. In the Server Manager window, click the Manage menu, and then click Add Roles and Features.
  3. On the Before You Begin page, click Next.
  4. Select the Installation Type and then click Next.
  5. Select the Destination Server, and then click Next.
  6. On the Select Role Services page, expand Web Server (IIS), expand Web Server, expand Common HTTP Features, and then select WebDAV Publishing. Click Next
  7. On the Select Features page, click Next.
  8. Confirm the installation selection, and then click Install.
  9. On the Results page, verify that the installation succeeds, and then click Close.
  10. On the Confirm Installation Selections page, click Install.
  11. On the Results page, click Close.

Create/Setup IIS Site

Basically here create your IIS website as per usual.

  1. Open IIS, Select your server and right click the Sites folder and select Add Website
  2. Enter in a Site Name, a Physical Path to where the folder your site (and KeePass) file will be stored, enter a Host Name (your domain name) or enter "localhost" to make the site available only locally
  3. You should then be presented with the Home page of your newly created site. If not, click the Sites folder you right clicked on in step one and select your site you created from the list. In the IIS section, click the WebDAV Authoring Rules icon
  4. From this page you can set all WebDAV rules. If this is your first time installing WebDAV will likely be disabled, on the right Actions bar click the Enabled WebDAV button
  5. In the Actions bar aswell click Add Authoring Rules. This will present you options to set permissions on the site. Here you can set a number of securities about who is allowed in but for this tutorial all we need is to make sure the Allow access to section has the All content radio button selected, and at the bottom all 3 check boxes for Read, Source and Write in the Permissions section are checked. Then click OK
  6. Go back to the website Home page and select in the IIS section the MIME Types options. We need to add the KeePass file format as a known format to IIS, otherwise it will not be able to find the file
  7. On the MIME Types page select Add from the right side Actions menu.
  8. Enter the File name extension as .kdbx and set the MIME Type to application/kdbx
  9. Return back to the website Home page one last time and under the IIS section again select the Compression button. Here we are going to make sure IIS will serve dynamic objects (KeePass2 Files).
  10. On the Compression page make sure both Enable dynamic content compression and Enable static content compression are both checked.
  11. From the Sites drop down right click on your site, go to Manage Website and then click Restart. This will ensure all of our changes have been accounted for in our website

Add KeePass2 File

From here it is just a task of copying and pasting your KeePass2 file into the directory your website serves from. Once you have done that start up KeePass2 and do the following:

  1. Open KeePass2 and go to the menu select File and Open and then Open URL
  2. From here you can enter the domain URL to where your KeePass file is located. Note that within this domain must also include the name of your KeePass file as swell (eg. Press OK when you are finished
  3. Your KeePass file will then appear, enter your KeePass password and you are good to go!

KeePass2 Problems

If you end up unable to save your changes in your KeePass file, check the file permissions in the directory. Go to the folder location your KeePass file is stored and right click properties of your KeePass file. Try giving IIS Users priveleges to the file that you are unable to do. From one of the tutorials I sourced above I ran into issues where saving the file was failing because IIS Users did not have write access to my KeePass file.

Next Steps: Securing Everything

The Next things you should look at is securing your KeePass file. Granted that your KeePass2 file is already encrypted with all of its content, it is still not a good idea to leave your webserver wide open. Look into some of the following options for IIS to help lockdown your server and secure your KeePass file further:

  • Add Basic Authentication
    • You can enable and setup the credentials in IIS and then when you connect in KeePass the connection includes options to include these credentials
    • Note with Basic Auth on Windows you need to not only configure Basic Auth in IIS but also make sure your KeePass file's security permissions allow the Basic Auth user to have appropriate access to the file
  • Add SSL Certificate
    • Adding SSL is fairly simple and will encrypt the transmission of your Basic Auth credentials as well as the transfers of your KeePass file as its passed back and forth from you and the server between retrieval and saves.
    • Note if you use a self-signed certificate you will need to dig through KeePass' settings to make sure it ignores validating them, otherwise they will default be rejected as invalid