Request.form doesn't wotk with this IIS config

[Laurent Bertin]

Hi i got a strange problem but it's true i don't make thing like anyone...

First Config:
+ IIS5.0 SP2 (yes i know...)
WebSite Security
Root : Digest Authentication, NT Authenticated
SubFolders : Anonymous Login
Anonymous login is set to use a domain user to enable a sql server
authenticated connection. Permissions are based on Page/action/user Membership

So i know it is a bit strange but let me explain
1 I need a secured connection to a sql server
2 The Webserver is running multiple websites and i don't want to make it run
under an account
3 I should avoid to request user and pass

Now the way it works
1 Page default on the root is NT authenticated and i retrieve user and group
membership. I put this in a Cookie.
2 When i click on one of the page linked it checks if an entry in the
database exists for specified page, user(from the cookie), action. this page
is with Anonymous login and so it uses the Account i set as anonymous user.
3 If it's ok i show the form mixing querystring and form
4 on submit (javascript function) when i echo all the content of the request
i only see the querystring.

NOW if i put Basic authentication on the Page... i see the request.form and
the request.querystring...

But i don't want basic authentication as password is sent in clear text and
this is an administrative (System Admin) web site.


here is a page as you'll see it is simple... if anyone has an idea...



<HTML>
<head>

<link rel="stylesheet" href="/ERA/Lib/ERA.css" type="text/css">
<title>EB Automation : Da Vinci</title>



<SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
<!--



function SubmitBody(pstrSubmitAction)
{
document.frmBody.action = pstrSubmitAction ;
document.frmBody.submit() ;
}

function SubmitForm(pForm, pstrSubmitAction)
{
if ((document.getElementById)&& (document.getElementById(pForm)!=null)){
oForm = document.getElementById(pForm);
oForm.action = pstrSubmitAction ;
oForm.submit() ;
}
}


function targetopener(){
if (! (window.focus && window.opener))return true;
window.opener.focus();
window.close();
return false;
}

function popupform(myform, windowname){
if (! window.focus)return true;
window.open('', windowname, 'height=200,width=400,scrollbars=yes');
myform.target=windowname;
return true;
}

function PopupFormCustomize(myform, windowname, iHeight, iWidth){
if (! window.focus)return true;
window.open('', windowname, 'height=' + iHeight + ',' + 'width=' + iWidth +
',scrollbars=no');
myform.target=windowname;
return true;
}

function AlertPopup(msg){
if (window.confirm(msg))
{
form.submit();
}
else
{
//window.back();
parent.location='default.asp'
}
}

function DisplayMessage(sMessage)
{
window.alert(sMessage);
}


function RedirectAfterConfirm(sMessage, sURL)
{
if (window.confirm(sMessage))
{
window.location = sURL
}
else
{
//do nothing
}
}

function SubmitAfterConfirm(sMessage, sURL)
{
if (window.confirm(sMessage))
{
document.frmBody.action = sURL;
document.frmBody.submit();
}
else
{
//do nothing
}
}
function submitformwithaction(sValue)
{
document.myform.action.value=sValue;
document.myform.submit();
}


function VerifySoftFamily(sSoftFamilyVersion)
{
window.alert(document.Computer.SoftFamilyId.text);
if (sSoftFamilyVersion == '1.0')
{
//window.alert('The current Software Family Version is 1.0');
//window.alert(window.SoftFamilyId);
}
else
{
//do nothing
}
}

function ChangeVisibility(oValueToCheck,oValue,oIdToChange){
if ((document.getElementById)&&
(document.getElementById(oIdToChange)!=null)){
oToChange = document.getElementById(oIdToChange);
if((oToChange.style)&&(oToChange.style.visibility!=null)){
oToChange.style.visibility = 'visible';
}
if (oValueToCheck==oValue){
if (oToChange.style.visibility==null){
oToChange.style.visibility='hidden';
}else{
oToChange.style.visibility='visible';
}
}else{
oToChange.style.visibility='hidden';
}

}else{
/* alert('Erreur not compliant '); */
}

}
function outputList(ar, name, size) {
var strIDs = "<SELECT SIZE=\"" + size + "\" NAME=\"ro_lst" + name + "\">"
var sel = " SELECTED"
for (var i=0;i<ar.length;i++) {
strIDs += "<OPTION " + sel + " VALUE=\"" + ar[0] + "\">" + ar[1]
sel = ""
}
strIDs+="</SELECT>"
strIDs+="<INPUT NAME=\"" + name + "\" TYPE=hidden>"
return strIDs
}

function outputButton(bDir,name,val) {
return "<INPUT TYPE=button VALUE=\"" + val + "\" ONCLICK=\"move(this.form,"
+ bDir + ",'" + name + "')\">"
}

function move(f,bDir,sName) {
var el = f.elements["ro_lst" + sName]
var idx = el.selectedIndex
if (idx==-1)
alert("You must first select the item to reorder.")
else {
var nxidx = idx+( bDir? -1 : 1)
if (nxidx<0) nxidx=el.length-1
if (nxidx>=el.length) nxidx=0
var oldVal = el[idx].value
var oldText = el[idx].text
el[idx].value = el[nxidx].value
el[idx].text = el[nxidx].text
el[nxidx].value = oldVal
el[nxidx].text = oldText
el.selectedIndex = nxidx
}
}

function processForm(f) {
for (var i=0;i<f.length;i++) {
var el = f
if (el.name.substring(0,6)=="ro_lst") {
var strIDs = ""
for (var j=0;j<f.options.length;j++)
strIDs += f.options[j].value + ", "
f.elements[f.elements.name.substring(6)].value =
strIDs.substring(0,strIDs.length-2)
}
}
}
function processFormAndSubmit(f,sAction) {

for (var i=0;i<f.length;i++) {
var el = f
if (el.name.substring(0,6)=="ro_lst") {
var strIDs = ""
for (var j=0;j<f.options.length;j++)
strIDs += f.options[j].value + ", "
f.elements[f.elements.name.substring(6)].value =
strIDs.substring(0,strIDs.length-2)
}
}
SubmitForm(f.name, sAction);
}

function FilterAsYouType( sFormName, sListBox, sTextBox, level ) {

if ( isNaN( level ) ) { level = 1 }


var f = document.getElementById (sFormName);
var listbox = document.getElementById(sListBox);
var textbox = document.getElementById (sTextBox);

var soFar = textbox.value.toString();
level = soFar.length;
var soFarLeft = soFar.substring(0,level).toLowerCase();

var matched = false;
var suggestion = '';


for ( var m = 0; m < listbox.length; m++ ) {
suggestion = listbox.options[m].text.toString();
suggestion = suggestion.substring(0,level).toLowerCase();
if ( soFarLeft == suggestion ) {
listbox.options[m].selected = true;
matched = true;
break;
}
}
if ( matched && level < soFar.length ) { level++; suggestName(level) }
}

//-->
</SCRIPT>

</head>

<a name="Show_Environment_Create">

<TABLE width="800px" cellspacing="0" cellpadding="1" class="Pink" >
<TH>Create an Environment</TH>
<tr><td> </td></tr>
<tr>
<td colspan="2">
<FORM id="frmBody" name="frmBody" target="Contents" method="POST">
<TABLE width="800px" cellspacing="0" cellpadding="1" class="Pink" >
<tr>
</td>
</TR>
<tr>
</td>
</TR>
<tr>
<td class="pink">Type</td>
<td class="pink">
<select size='1' name='cmbType' class='pink'>
<option value=''> </option>
<option value='1'>Physical </option>
<option value='2'>Logical </option>
<option value='3'>Rollout </option>
</select>
</td>
</TR>
</table>
<input type="button" value="Next" name="btNext" OnClick="return
SubmitBody('Environments.asp?Action=CreateDb')">
</form>
</td>
</tr>
</table>

</body>
</html>

 

[Ray Costanzo [MVP]]

I think there used to be an article a bit more like what you describe than
this one, but here is the one I can find.
http://support.microsoft.com/?id=308074 Basically, this is a known issue...

Ray at work

 

[Laurent Bertin]

Well...
It is true that it seems to be an IE problem as i don't have with Netscape...

After having a check it seems that IE consider it sends a negociation while
the server doesn't ask one (no 401 send to client)

Also weird it the fact that the POST command from the client sends the
negociation WITHOUT the parameter parts...

So it seems IE is assuming it needs to send authentication without the
server asking anything AND that it doesn't send the full POST statement.

Anyway after going a bit round i am now planning to make the website running
in isolated level and change DCom to make it use "identify" instead of
impersonate and use identity to make it run under a defined account.
And we'll see if it works...

If you got some info about doing such things... cause i am just looking for
this since an hour ago.

Thanks anyway