IServerXMLHTTPRequest authentication problem

Discussion in 'ASP General' started by Lamberti Fabrizio, Mar 7, 2005.

  1. I've an authentication problem with IServerXMLHTTPRequest.

    I've got two web server named WS_1 and WS_2 part of the same NT domain.

    On WS_1 I've published on the virtual directory virt1 the asp file
    example1.asp.

    On WS_2 I've published example2.asp on the virtual directory virt2.

    Both virtual directories have enabled only the Integrated Windows
    Authentication and I can't use any other type of authentication.

    The file example1.asp try to retrieve some information from example2.asp by
    using IServerXMLHTTPRequest object.

    The problem is that example1.asp can't retrieve example2.asp because the
    request is not made by the same domain user requesting example1.asp and so
    correctely WS_2 can't authorized current request.

    Inside the method open of IServerXMLHTTPRequest object I can set the user
    and the pwd. I can retrieve the current user from
    Request.ServerVariables("REMOTE_USER") but I don't know how to retrieve the
    pwd. how can I do it ?

    Thx
     
    Lamberti Fabrizio, Mar 7, 2005
    #1
    1. Advertising

  2. Sorry, but what you want to do is illegal, by design.

    The reason is the same as I have already described for your "Accessing
    network file form ASP page" thread.

    You are attempting a "double hop", this time using HTTP as the network
    protocol instead of SMB, but the results must be the same -- access denied.

    You need to use an authentication protocol that allows you to do what you
    want -- allow code on the server to be delegated permissions to act on
    behalf of the remote user. Otherwise, the OS and all software is obligated
    to resist against your attempts to hack the system.

    I realize that you must be frustrated at how hard this all appears, but
    really, it is not that hard. Your actions are fundamentally bound by the
    authentication protocol you use since they govern user principle security. I
    agree that what you want to do is reasonable; they just happen to fail the
    security boundaries of the authentication protocol you are using, hence you
    keep getting "access denied".


    However, remember this is the same reason that if you logged onto my web
    server and run my web application, I cannot turn around and make a HTTP
    request to your bank using your name/credentials to transfer all your money
    into my bank account. You'd definitely want me to get an "access denied" for
    my actions -- so that's why you currently get an "access denied" for yours
    as well.

    --
    //David
    IIS
    http://blogs.msdn.com/David.Wang
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "Lamberti Fabrizio" <lambu@from_italy.it> wrote in message
    news:Od$...
    I've an authentication problem with IServerXMLHTTPRequest.

    I've got two web server named WS_1 and WS_2 part of the same NT domain.

    On WS_1 I've published on the virtual directory virt1 the asp file
    example1.asp.

    On WS_2 I've published example2.asp on the virtual directory virt2.

    Both virtual directories have enabled only the Integrated Windows
    Authentication and I can't use any other type of authentication.

    The file example1.asp try to retrieve some information from example2.asp by
    using IServerXMLHTTPRequest object.

    The problem is that example1.asp can't retrieve example2.asp because the
    request is not made by the same domain user requesting example1.asp and so
    correctely WS_2 can't authorized current request.

    Inside the method open of IServerXMLHTTPRequest object I can set the user
    and the pwd. I can retrieve the current user from
    Request.ServerVariables("REMOTE_USER") but I don't know how to retrieve the
    pwd. how can I do it ?

    Thx
     
    David Wang [Msft], Mar 10, 2005
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andrew Connell
    Replies:
    1
    Views:
    567
    Natty Gur
    Oct 21, 2003
  2. raj mandadi
    Replies:
    0
    Views:
    448
    raj mandadi
    Dec 22, 2003
  3. Brett Porter
    Replies:
    2
    Views:
    804
    Andrea D'Onofrio [MSFT]
    Jan 20, 2004
  4. Mark
    Replies:
    0
    Views:
    706
  5. Brett Porter
    Replies:
    5
    Views:
    599
    Brett Porter
    Feb 3, 2004
Loading...

Share This Page