diff --git a/.drone.starlark b/.drone.starlark
index d6dc5ce1af3c..71cd2184865d 100644
--- a/.drone.starlark
+++ b/.drone.starlark
@@ -79,6 +79,7 @@ config = {
 			'suites': [
 				'apiAuth',
 				'apiAuthOcs',
+				'apiAuthWebDav',
 				'apiCapabilities',
 				'apiComments',
 				'apiFavorites',
diff --git a/.drone.yml b/.drone.yml
index 05407b226575..9e67ac491a1b 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -3912,6 +3912,152 @@ depends_on:
 - phan-php7.2
 - phan-php7.3
 
+---
+kind: pipeline
+type: docker
+name: apiAuthWebDav-mariadb10.2-php7.1
+
+platform:
+  os: linux
+  arch: amd64
+
+workspace:
+  base: /drone
+  path: src
+
+steps:
+- name: cache-restore
+  pull: always
+  image: plugins/s3-cache:1
+  settings:
+    access_key:
+      from_secret: cache_s3_access_key
+    endpoint:
+      from_secret: cache_s3_endpoint
+    restore: true
+    secret_key:
+      from_secret: cache_s3_secret_key
+  when:
+    instance:
+    - drone.owncloud.services
+    - drone.owncloud.com
+
+- name: composer-install
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - make install-composer-deps
+  environment:
+    COMPOSER_HOME: /drone/src/.cache/composer
+
+- name: vendorbin-install
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - make vendor-bin-deps
+  environment:
+    COMPOSER_HOME: /drone/src/.cache/composer
+
+- name: yarn-install
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - make install-nodejs-deps
+  environment:
+    NPM_CONFIG_CACHE: /drone/src/.cache/npm
+    YARN_CACHE_FOLDER: /drone/src/.cache/yarn
+    bower_storage__packages: /drone/src/.cache/bower
+
+- name: install-server
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - bash tests/drone/install-server.sh
+  - php occ a:l
+  - php occ config:system:set trusted_domains 1 --value=server
+  - php occ log:manage --level 2
+  - php occ config:list
+  - php occ security:certificates:import /drone/server.crt
+  - php occ security:certificates
+  environment:
+    DB_TYPE: mariadb
+
+- name: install-extra-apps
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - git clone https://github.com/owncloud/testing.git /drone/src/apps/testing
+  - cd /drone/src/apps/testing
+  - composer install
+  - cd /drone/src
+  - php occ a:l
+  - php occ a:e testing
+  - php occ a:l
+
+- name: fix-permissions
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - chown -R www-data /drone/src
+
+- name: owncloud-log-server
+  pull: always
+  image: owncloud/ubuntu:18.04
+  detach: true
+  commands:
+  - tail -f /drone/src/data/owncloud.log
+
+- name: acceptance-tests
+  pull: always
+  image: owncloudci/php:7.1
+  commands:
+  - touch /drone/saved-settings.sh
+  - . /drone/saved-settings.sh
+  - make test-acceptance-api
+  environment:
+    BEHAT_SUITE: apiAuthWebDav
+    TESTING_REMOTE_SYSTEM: true
+    TEST_SERVER_URL: https://server
+
+services:
+- name: mariadb
+  pull: always
+  image: mariadb:10.2
+  environment:
+    MYSQL_DATABASE: owncloud
+    MYSQL_PASSWORD: owncloud
+    MYSQL_ROOT_PASSWORD: owncloud
+    MYSQL_USER: owncloud
+
+- name: server
+  pull: always
+  image: owncloudci/php:7.1
+  command:
+  - /usr/local/bin/apachectl
+  - -e
+  - debug
+  - -D
+  - FOREGROUND
+  environment:
+    APACHE_CONFIG_TEMPLATE: ssl
+    APACHE_SSL_CERT: /drone/server.crt
+    APACHE_SSL_CERT_CN: server
+    APACHE_SSL_KEY: /drone/server.key
+    APACHE_WEBROOT: /drone/src
+
+trigger:
+  ref:
+  - refs/pull/**
+  - refs/tags/**
+  - refs/heads/master
+
+depends_on:
+- coding-standard-php7.3
+- phpstan-php7.1
+- phan-php7.1
+- phan-php7.2
+- phan-php7.3
+
 ---
 kind: pipeline
 type: docker
@@ -14553,6 +14699,7 @@ depends_on:
 - phpunit-php7.1-sqlite-scality
 - apiAuth-mariadb10.2-php7.1
 - apiAuthOcs-mariadb10.2-php7.1
+- apiAuthWebDav-mariadb10.2-php7.1
 - apiCapabilities-mariadb10.2-php7.1
 - apiComments-mariadb10.2-php7.1
 - apiFavorites-mariadb10.2-php7.1
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
index 4e9a808702d8..7a989de86f55 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavDELETEAuth.feature
@@ -26,11 +26,11 @@ Feature: delete file/folder
   Scenario: send DELETE requests to another user's webDav endpoints as normal user
     When user "user1" requests these endpoints with "DELETE" including body then the status codes should be as listed
       | endpoint                                      | http-code | body          |
-      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
-      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+      | /remote.php/webdav/textfile0.txt              | 404       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 404       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 404       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 404       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 404       | doesnotmatter |
 
   Scenario: send DELETE requests to webDav endpoints using invalid username but correct password
     When user "usero" requests these endpoints with "DELETE" including body using the password of user "user0" then the status codes should be as listed
diff --git a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
index 1f5cf5e203bc..2c39478c0633 100644
--- a/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
+++ b/tests/acceptance/features/apiAuthWebDav/webDavMOVEAuth.feature
@@ -26,11 +26,11 @@ Feature: MOVE file/folder
   Scenario: send MOVE requests to another user's webDav endpoints as normal user
     When user "user1" requests these endpoints with "MOVE" including body then the status codes should be as listed
       | endpoint                                      | http-code | body          |
-      | /remote.php/webdav/textfile0.txt              | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/textfile0.txt     | 401       | doesnotmatter |
-      | /remote.php/webdav/PARENT                     | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/PARENT            | 401       | doesnotmatter |
-      | /remote.php/dav/files/user0/PARENT/parent.txt | 401       | doesnotmatter |
+      | /remote.php/webdav/textfile0.txt              | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/textfile0.txt     | 403       | doesnotmatter |
+      | /remote.php/webdav/PARENT                     | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT            | 403       | doesnotmatter |
+      | /remote.php/dav/files/user0/PARENT/parent.txt | 403       | doesnotmatter |
 
   Scenario: send MOVE requests to webDav endpoints using invalid username but correct password
     When user "usero" requests these endpoints with "MOVE" including body using the password of user "user0" then the status codes should be as listed
diff --git a/tests/acceptance/features/bootstrap/Auth.php b/tests/acceptance/features/bootstrap/Auth.php
index 2a5f9c5939fc..ba46d12418b8 100644
--- a/tests/acceptance/features/bootstrap/Auth.php
+++ b/tests/acceptance/features/bootstrap/Auth.php
@@ -376,7 +376,7 @@ public function userRequestsURLWithUsingBasicAuth($user, $url, $method, $passwor
 		if ($password === null) {
 			$authString = "$user:" . $this->getPasswordForUser($user);
 		} else {
-			$authString = $password;
+			$authString = $user.":".$password;
 		}
 		$this->sendRequest(
 			$url, $method, 'basic ' . \base64_encode($authString), false, $body