IServerXMLHTTPR equest authentication problem

Lamberti Fabrizio

I've an authentication problem with IServerXMLHTTPR equest.

I've got two web server named WS_1 and WS_2 part of the same NT domain.

On WS_1 I've published on the virtual directory virt1 the asp file
example1.asp.

On WS_2 I've published example2.asp on the virtual directory virt2.

Both virtual directories have enabled only the Integrated Windows
Authentication and I can't use any other type of authentication.

The file example1.asp try to retrieve some information from example2.asp by
using IServerXMLHTTPR equest object.

The problem is that example1.asp can't retrieve example2.asp because the
request is not made by the same domain user requesting example1.asp and so
correctely WS_2 can't authorized current request.

Inside the method open of IServerXMLHTTPR equest object I can set the user
and the pwd. I can retrieve the current user from
Request.ServerV ariables("REMOT E_USER") but I don't know how to retrieve the
pwd. how can I do it ?

Thx

Jul 22 '05 #1

Subscribe Reply

1806

David Wang [Msft]

Sorry, but what you want to do is illegal, by design.

The reason is the same as I have already described for your "Accessing
network file form ASP page" thread.

You are attempting a "double hop", this time using HTTP as the network
protocol instead of SMB, but the results must be the same -- access denied.

You need to use an authentication protocol that allows you to do what you
want -- allow code on the server to be delegated permissions to act on
behalf of the remote user. Otherwise, the OS and all software is obligated
to resist against your attempts to hack the system.

I realize that you must be frustrated at how hard this all appears, but
really, it is not that hard. Your actions are fundamentally bound by the
authentication protocol you use since they govern user principle security. I
agree that what you want to do is reasonable; they just happen to fail the
security boundaries of the authentication protocol you are using, hence you
keep getting "access denied".
However, remember this is the same reason that if you logged onto my web
server and run my web application, I cannot turn around and make a HTTP
request to your bank using your name/credentials to transfer all your money
into my bank account. You'd definitely want me to get an "access denied" for
my actions -- so that's why you currently get an "access denied" for yours
as well.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Lamberti Fabrizio" <lambu@from_ita ly.it> wrote in message
news:Od******** ******@TK2MSFTN GP10.phx.gbl...
I've an authentication problem with IServerXMLHTTPR equest.

I've got two web server named WS_1 and WS_2 part of the same NT domain.

On WS_1 I've published on the virtual directory virt1 the asp file
example1.asp.

On WS_2 I've published example2.asp on the virtual directory virt2.

Both virtual directories have enabled only the Integrated Windows
Authentication and I can't use any other type of authentication.

The file example1.asp try to retrieve some information from example2.asp by
using IServerXMLHTTPR equest object.

The problem is that example1.asp can't retrieve example2.asp because the
request is not made by the same domain user requesting example1.asp and so
correctely WS_2 can't authorized current request.

Inside the method open of IServerXMLHTTPR equest object I can set the user
and the pwd. I can retrieve the current user from
Request.ServerV ariables("REMOT E_USER") but I don't know how to retrieve the
pwd. how can I do it ?

Thx

Jul 22 '05 #2

Similar topics

9292

HTTP - basic authentication example.

by: Michael Foord | last post by:

#!/usr/bin/python -u # 15-09-04 # v1.0.0 # auth_example.py # A simple script manually demonstrating basic authentication. # Copyright Michael Foord # Free to use, modify and relicense. # No warranty express or implied for the accuracy, fitness to purpose

Python

4842

Secure and Unsecure Web Directories using Forms Authentication

by: Billy Jacobs | last post by:

I have a website which has both secure and non-secure pages. I want to uses forms authentication. How do I accomplish this? Originally I had my web.config file in the root with Forms Authentication set up and it worked just fine. Then I realized that I needed to have some pages unsecure. I then created 2 directories. One named Secure and the other named Public. I placed my web.config file in my

.NET Framework

2748

forms authentication not authenticating

by: Greg Burns | last post by:

I have built a web app that uses forms authentication. There isn't a "remember me" feature (i.e. the authentication cookie is not permanent). When you close the browser, and open a new one, you must log in again. This is the behavior I expected. I just discovered that if I have a browser window open (to anything) prior to opening my web app in a new browser window, it appears to share session information. I can then open and close my...

ASP.NET

2176

ASP.NET + SQL Server Windows authentication

by: Lior Amar | last post by:

Hey All, Trying to understand why I can not get SQL server to trust my IIS server. I have two machines set up, 1 App and 1 DB, and I'm trying to validate the applications access to the DB server via NT Authentication. The App comes in via NTLM which from my understanding only supports Single hop security delegation. So far I understand why it doesn't work, although seems to me like a very bad problem. Now, Basic Authentication will...

ASP.NET

4639

forms authentication with loginurl on a remote machine

by: Hermit Dave | last post by:

Hi, I am making a web application (rather two applications) one which is host and used by customers when they are just browsing through products. The second application resides on a secure server. This is going to hold all account related information for the customers and will also be used for admin The login is implemented using forms authentication and i was just reading up about that... but as everyone already knows.... its all...

ASP.NET

1958

strange authentication problem...

by: Paul M | last post by:

hi there, i've got a website i created, that i've put onto my test server on the web. I have a login page, that when the user comes to it, it first pops up a windows authentication dialog box, and i dont know why? i click cancel on it and the page still works as normal. How can i remove this, and why is it appearing? i am also not using any .NET authentication methods or anything..

ASP.NET

3350

Authentication

by: Ming Zhang | last post by:

Hi guys, I have couple of ASP.NET applications that only support digest windows authentication, and credentials are managed in a central AD. When users login to one app, they can easily navigate to other apps without reenter UID/PWD. Everything works except it doesn't meet our security policy for new created users. When creating a new user, it's required to have "user must change password when first time login". In this case, the user will...

ASP.NET

1567

strange authentication dialog

by: KNC | last post by:

Hi all, I'm developing a website and deployed on webserver, it always display an authentication dialog that user must login with valid Windows user. Would anyone helps to instruct how to prohibit this dialog? Some information provides for you: 1) Dev softs: - VS 2005, ASP.NET 2.0, SQL Server 2005 Enterprise edition 2) Server:

ASP.NET

7521

client authentication

by: Frank Swarbrick | last post by:

I am trying to understand "client authentication" works. My environment is DB2/UDB LUW 8.2 on zSeries SLES9 as the database server and DB2 for VSE 7.4 as the client. We currently have DB2/LUW set up as follows: Client Userid-Password Plugin (CLNT_PW_PLUGIN) = Client Kerberos Plugin (CLNT_KRB_PLUGIN) = Group Plugin (GROUP_PLUGIN) = GSS Plugin for Local Authorization ...

DB2 Database

9551

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

10505

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

10276

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...

Online Marketing

10253

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

9090

AI Job Threat for Devs

by: agi2029 | last post by:

Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...

Career Advice

6813

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...

C# / C Sharp

5471

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

5606

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

3764

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP