Microsoft KB Archive/156904

= FIX: Returning User Name and Password from IAuthenticate Fails =

Article ID: 156904

Article Last Modified on 8/18/2005

-

APPLIES TO


 * Microsoft ActiveX SDK

-



This article was previously published under Q156904



SYMPTOMS
In order to access a secured Internet resource via a URL moniker, a host must implement the IAuthenticate interface on the same object that exposes IBindStatusCallback. The documentation on IAuthenticate in the ActiveX SDK indicates that there are two possible ways to implement IAuthenticate:
 * 1) Return a valid HWND to serve as the parent HWND for a default authentication dialog box.
 * 2) Return a valid user name and password.

While the first implementation works as expected, the alternative implementation fails during the bind operation.



CAUSE
When authentication is required to access an Internet resource, the server may have replied to the client with some data indicating the failure to access the desired data. If, for example the client makes an HTTP request, the server typically replies with a boilerplate HTML page. It is the client's responsibility to completely read all this data from the socket before attempting to re-send the request with the correct authentication information. There is a bug in Wininet.dll that fails to do this. This problem does not occur when IAuthenticate::Authenticate returns a valid HWND to Urlmon.dll because internally Urlmon.dll calls the WININET API InternetErrorDlg to retrieve authentication information from the user. In addition to obtaining a user name and password, InternetErrorDlg drains the socket of any extraneous data on behalf of Urlmon.dll.



STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. This problem has been fixed in Internet Explorer 4.0.

