IServerXMLHTTPRequest authentication problem

[Lamberti Fabrizio]

I've an authentication problem with IServerXMLHTTPRequest.

I've got two web server named WS_1 and WS_2 part of the same NT domain.

On WS_1 I've published on the virtual directory virt1 the asp file
example1.asp.

On WS_2 I've published example2.asp on the virtual directory virt2.

Both virtual directories have enabled only the Integrated Windows
Authentication and I can't use any other type of authentication.

The file example1.asp try to retrieve some information from example2.asp by
using IServerXMLHTTPRequest object.

The problem is that example1.asp can't retrieve example2.asp because the
request is not made by the same domain user requesting example1.asp and so
correctely WS_2 can't authorized current request.

Inside the method open of IServerXMLHTTPRequest object I can set the user
and the pwd. I can retrieve the current user from
Request.ServerVariables("REMOTE_USER") but I don't know how to retrieve the
pwd. how can I do it ?

Thx

 

[David Wang [Msft]]

Sorry, but what you want to do is illegal, by design.

The reason is the same as I have already described for your "Accessing
network file form ASP page" thread.

You are attempting a "double hop", this time using HTTP as the network
protocol instead of SMB, but the results must be the same -- access denied.

You need to use an authentication protocol that allows you to do what you
want -- allow code on the server to be delegated permissions to act on
behalf of the remote user. Otherwise, the OS and all software is obligated
to resist against your attempts to hack the system.

I realize that you must be frustrated at how hard this all appears, but
really, it is not that hard. Your actions are fundamentally bound by the
authentication protocol you use since they govern user principle security. I
agree that what you want to do is reasonable; they just happen to fail the
security boundaries of the authentication protocol you are using, hence you
keep getting "access denied".


However, remember this is the same reason that if you logged onto my web
server and run my web application, I cannot turn around and make a HTTP
request to your bank using your name/credentials to transfer all your money
into my bank account. You'd definitely want me to get an "access denied" for
my actions -- so that's why you currently get an "access denied" for yours
as well.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
I've an authentication problem with IServerXMLHTTPRequest.

I've got two web server named WS_1 and WS_2 part of the same NT domain.

On WS_1 I've published on the virtual directory virt1 the asp file
example1.asp.

On WS_2 I've published example2.asp on the virtual directory virt2.

Both virtual directories have enabled only the Integrated Windows
Authentication and I can't use any other type of authentication.

The file example1.asp try to retrieve some information from example2.asp by
using IServerXMLHTTPRequest object.

The problem is that example1.asp can't retrieve example2.asp because the
request is not made by the same domain user requesting example1.asp and so
correctely WS_2 can't authorized current request.

Inside the method open of IServerXMLHTTPRequest object I can set the user
and the pwd. I can retrieve the current user from
Request.ServerVariables("REMOTE_USER") but I don't know how to retrieve the
pwd. how can I do it ?

Thx