HTTP 401.2 - Unauthorized: Logon failed due to...

I have set up an ASP script (with some help from microsoft.public.inetserver.asp.general!) that grabs the Windows username of the user and puts it into an Access database.

It is set up on IIS5 as a virtual directory and will only be used internally on our network.

The script works fine with the authentication set as "basic authentication" but this prompts the user for a login and password.

I want it to be automated which I believe would use the "Integrated Windows Authentication". However when I select this I get the following error below. I think the answer may lie in adding some headers to my ASP code, but as an ASP newbie I don't really know where to start with that. I've included my ASP code at the bottom for reference.

Thanks

--------------------------------------------------------------------------------
HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services
--------------------------------------------------------------------------------

Technical Information (for support personnel)

Background:
This is usually caused by a server-side script not sending the proper WWW-Authenticate header field. Using Active Server Pages scripting this is done by using the AddHeader method of the Response object to request that the client use a certain authentication method to access the resource.

--------------------------------------------------------------------------------
CODE:
<% @ Language="VBScript" %>
<%
'force authentication- put this at top of ASP code

'declare your variables
dim connection
dim sSQL,sConnString
dim Username

If Request.ServerVariables("LOGON_USER") = "" Then
    Response.Status = "401 access denied"
End If
Username=(Request.ServerVariables("LOGON_USER"))
'declare SQL statement that will query the database
'sSQL="INSERT INTO Log (FirstName, SurName) VALUES (Username, 'Wall')"

sSQL="INSERT INTO Log (Name) VALUES ('" & replace(Username,"'","''") & "')"
'define the connection string, specify database
' driver and the location of database
sConnString="DRIVER={Microsoft Access Driver (*.mdb)};" & _
    "DBQ=" & Server.MapPath("ServerLog.mdb") & ";"

'keep running after a run-time error so the err.number check below is reached
On Error Resume Next

'create an ADO connection object
Set connection = Server.CreateObject("ADODB.Connection")
'Open the connection to the database
connection.Open(sConnString)

'execute the SQL
connection.execute(sSQL)

'check to see if there were any errors
If err.number=0 Then
    response.write "the data was inserted successfully."
Else
    response.write "there was a problem entering the data."
End If

'close the object and free up resources
Connection.Close
Set Connection = Nothing
%>
Jul 19 '05 #1
401.2 indicates that the browser is unable to authenticate with the server
using a mutually agreed-upon protocol.

This can happen when you use Netscape against IIS that has only Integrated
Windows Authentication enabled because Netscape does not know how to do
Integrated Windows Authentication.

BTW, Integrated Windows Authentication does not mean "automated".
Automating authentication simply means that the browser automatically passes
your credentials to the server -- which can be done for any authentication
protocol. It is not done for Basic since it is clear-text (so clearly, for
security reasons, browsers cannot automatically broadcast your
username/password in clear-text). Integrated Windows Authentication, on the
other hand, does not send username/password at all (it sends a hash of it),
so it's a bit safer to send.

Your ASP page is also broken because it sends a 401 response when LOGON_USER
is an empty string (which happens only on anonymous access), but it does NOT
set any WWW-Authenticate headers and is breaking the authentication protocol.
Your ASP page is also open to SQL injection attacks.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Jul 19 '05 #2
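
Added example, not code from either post: one way to address the two defects named in the reply, by sending WWW-Authenticate challenges with the 401 and stopping the page, and by binding the user name as a parameter instead of concatenating it into the SQL. It assumes Integrated Windows Authentication is enabled on the virtual directory and reuses the ServerLog.mdb file and Log (Name) table from the question; the ADO constant values are written out so adovbs.inc is not required.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example; the ADO constants below are the standard enum values.
Const adCmdText = 1
Const adExecuteNoRecords = 128
Const adVarWChar = 202
Const adParamInput = 1

Dim userName, conn, cmd
userName = Request.ServerVariables("LOGON_USER")

If userName = "" Then
    ' Anonymous request: challenge with the schemes the server accepts,
    ' then stop so the rest of the page never runs unauthenticated.
    Response.Status = "401 Unauthorized"
    Response.AddHeader "WWW-Authenticate", "Negotiate"
    Response.AddHeader "WWW-Authenticate", "NTLM"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DRIVER={Microsoft Access Driver (*.mdb)};" & _
          "DBQ=" & Server.MapPath("ServerLog.mdb") & ";"

' Parameterized INSERT: the user name travels as a bound value and is
' never concatenated into the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Log (Name) VALUES (?)"
cmd.Parameters.Append cmd.CreateParameter("Name", adVarWChar, adParamInput, 255, userName)

' Trap a failed INSERT so the page can report it instead of aborting.
On Error Resume Next
cmd.Execute , , adExecuteNoRecords
If Err.Number = 0 Then
    Response.Write "the data was inserted successfully."
Else
    Response.Write "there was a problem entering the data."
End If
On Error GoTo 0

conn.Close
Set cmd = Nothing
Set conn = Nothing
%>
```

When anonymous access is disabled on the directory and only Integrated Windows Authentication is enabled, IIS issues the challenge itself and LOGON_USER is already populated when the script runs, so the 401 branch serves only as a guard.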
