Microsoft KB Archive/314404

= How To Use Kerberos with the ServerXMLHTTP Component in MSXML =

Article ID: 314404

Article Last Modified on 7/13/2004

-

APPLIES TO

 * Microsoft XML Parser 3.0 Service Pack 2
 * Microsoft XML Core Services 4.0

-



This article was previously published under Q314404



SUMMARY
This article describes how to use the ServerXMLHttp object to work with Kerberos authentication in a specific scenario that requires delegation. The article also provides two sample Active Server Pages (ASP) pages and troubleshooting instructions.

NOTE: You need Microsoft Windows 2000 or later to use the Kerberos protocol for authentication.



MORE INFORMATION
The three computers in the scenario are configured as follows:
 * Computer A has Microsoft Internet Explorer installed.
 * Two Internet Information Services (IIS) servers (Computer B and Computer C) reside in the same domain.
 * The domain controller has the Active Directory service installed.
 * Computer B is trusted for delegation.
 * For the account that you want to delegate, the "Account is sensitive and cannot be delegated" check box is not selected.

The scenario is as follows:
 * Computer A requests an ASP page from a Microsoft Internet Information Services (IIS) Web server that resides on a second computer (Computer B).
 * The ASP page uses the MSXML ServerXMLHTTP object to communicate with another ASP page on another IIS Web server that resides on a third computer (Computer C).
 * You want the second IIS server (Computer C) to see the identity of the user who is logged on to the first computer (Computer A).

To make the delegation work, follow these steps:

1. Configure the first IIS server (Computer B) and set up a user account for delegation so that Kerberos authentication can generate a delegate-level token. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:

   283201 How To Use Delegation in Windows 2000 with COM+

2. On the first IIS server (Computer B), enable the ServerXMLHTTP object to forward user credentials automatically. To do this, run the Proxycfg.exe utility at a command prompt with one of the following commands:

   ```
   proxycfg -d -p "CorpProxy" " ;*"
   ```

   -or-

   ```
   proxycfg -d -p "CorpProxy" " ;*.microsoft.com"
   ```

   NOTE: The ServerXMLHTTP object does not automatically send the NTLM credentials of the client unless it knows that the target server is on the same network or intranet. In other words, by default the ServerXMLHTTP object does not "trust" Internet sites. The heuristic that determines whether a target server is trusted is that Proxycfg.exe has been run to specify a proxy server and the particular target server to which you want to send the request is listed in the proxy bypass list. The asterisk character (*) is a wildcard character that stands for all URLs. If you use the asterisk character (*) on its own, the user credentials are forwarded to all target servers.

   For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

   289481 INFO: Proxy Configuration Utility Must Be Run for ServerXMLHTTP to Work

3. Enable Internet Explorer to use Kerberos authentication. For additional information about how to enable Internet Explorer 6.0 to use Kerberos, click the article number below to view the article in the Microsoft Knowledge Base:

   299838 Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6

   For additional information about how to enable other versions of Internet Explorer to use Kerberos, click the article numbers below to view the articles in the Microsoft Knowledge Base:

   277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos

   299270 Kerberos Does Not Negotiate Using Internet Explorer 5.5 If an FQDN Is Used to Connect



Troubleshooting
When you use ServerXMLHttp with Kerberos authentication, you may receive an "Access Denied" error message. This error message is typically caused by incorrect configuration. You can use the following two ASP pages to help isolate the problem and detect the logon user identity and authentication mode. The two ASP pages are mostly the same; the difference is that the first ASP page contains code that uses the ServerXMLHTTP object.

1. Paste the following code in Notepad, name the file Test1.asp, and then save the file in the virtual directory folder on the first IIS server (Computer B):

```vbscript
<%
Dim userID
Dim AuthMethod
Dim AuthType
Dim AuthLength
Dim http

' Get the identity of the logged-on user.
userID = Request.ServerVariables("LOGON_USER")

Response.Write "<br> Reach To IIS server on Computer B <br>"
Response.Write " User Id = " & userID & "<br>"

' Get the authentication method being used.
AuthMethod = Request.ServerVariables("AUTH_TYPE")

' Get the HTTP_Authorization header; its length is used to guess Kerberos or NTLM.
AuthLength = Request.ServerVariables("HTTP_Authorization")

' If some other authentication method (other than Negotiate) is used, call it "Other".
If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod

' If Negotiate is used, go straight to the subroutine that handles it.
If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

Response.Write "<br> Attempt to connect to IIS on Computer C by using ServerXMLHTTP <br>"
Set http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")

http.open "GET", "http://iisserver2/test2.asp", False
http.send
Response.Write " Receiver Status Text: " & http.statusText & " (" & http.status & ")<br>"
Response.Write "<br>" & http.responseText

Sub AuthOtherMethod
    ' Anonymous authentication leaves AUTH_TYPE blank, so report it explicitly.
    If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
    Response.Write "<br> The " & AuthMethod & " method was used! <br>"
End Sub

Sub AuthNegotiateMethod
    ' Typically, NTLM yields a 150 - 300 byte header, and Kerberos is more like 5000 bytes.
    If Len(AuthLength) > 1000 Then
        AuthType = "Kerberos"
    Else
        AuthType = "NTLM"
    End If
    Response.Write "<br> The " & AuthMethod & " method was used! <br>"
    Response.Write " The user was logged on using " & AuthType & "<br>"
End Sub
%>
```

   NOTE: This ASP page requires you to have the MSXML 4.0 parser installed. If you want to use the MSXML 3.0 parser, change the MSXML2.ServerXMLHTTP.4.0 ProgId to MSXML2.ServerXMLHTTP.3.0.

2. Modify the URL in the following line to point to the correct URL for Test2.asp. Test2.asp is the second ASP page that is listed in this article.

   ```vbscript
   http.open "GET", "http://iisserver2/test2.asp", False
   ```

3. Paste the following code in Notepad, and then save the file as Test2.asp in the virtual directory folder on the second IIS server (Computer C):

```vbscript
<%
Dim userID
Dim AuthMethod
Dim AuthType
Dim AuthLength

' Get the identity of the logged-on user.
userID = Request.ServerVariables("LOGON_USER")

Response.Write "<br> Reach To IIS server on Computer C <br>"
Response.Write " User Id = " & userID & "<br>"

' Get the authentication method being used.
AuthMethod = Request.ServerVariables("AUTH_TYPE")

' Get the HTTP_Authorization header; its length is used to guess Kerberos or NTLM.
AuthLength = Request.ServerVariables("HTTP_Authorization")

' If some other authentication method (other than Negotiate) is used, call it "Other".
If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod

' If Negotiate is used, go straight to the subroutine that handles it.
If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

Sub AuthOtherMethod
    ' Anonymous authentication leaves AUTH_TYPE blank, so report it explicitly.
    If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
    Response.Write "<br> The " & AuthMethod & " method was used! <br>"
End Sub

Sub AuthNegotiateMethod
    ' Typically, NTLM yields a 150 - 300 byte header, while Kerberos is more like 5000 bytes.
    If Len(AuthLength) > 1000 Then
        AuthType = "Kerberos"
    Else
        AuthType = "NTLM"
    End If
    Response.Write "<br> The " & AuthMethod & " method was used! <br>"
    Response.Write " The user was logged on using " & AuthType & "<br>"
End Sub
%>
```

4. Load the first ASP page (Test1.asp) in an Internet Explorer browser. If everything is set up correctly, you see output similar to the following:

```
Reach To IIS server on Computer B
UserId = Domain1\user1
The Negotiate method was used!
The user was logged on using Kerberos

Attempt to connect to IIS on Computer C by using ServerXMLHTTP
Receiver Status Text: OK (200)

Reach To IIS server on Computer C
UserId = Domain1\user1
The Negotiate method was used!
The user was logged on using Kerberos
```

If you see an incorrect user ID, an empty user ID, or the following error message, the configuration is not set up correctly:

The user was logged on using NTLM

To resolve these problems, isolate the problem on each individual computer, and then reconfigure the settings.
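The two test pages tell Kerberos from NTLM only by the length of the Authorization header, which is a rough guess. As an added example that is not part of this KB article, the following Python decodes the Negotiate token and reads the SPNEGO mechType list instead, alongside the article's length rule for comparison; the sample headers, the dummy mechTokens and the helper names are constructed here, not captured from a real server.

```python
import base64
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2 (SPNEGO)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (MS KRB5)
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
MECHS = [("Kerberos", MS_KRB5_OID), ("Kerberos", KRB5_OID), ("NTLM", NTLMSSP_OID)]

def der(tag, body):
    # Wrap body in a DER TLV with the given tag (short and long length forms).
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def spnego_init(mech_oids, mech_token):
    # Minimal SPNEGO NegTokenInit (RFC 4178): [0] mechTypes and [2] mechToken.
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, mech_types + token)))

def length_heuristic(header):
    # The KB article's rule: more than 1000 characters is assumed to be Kerberos.
    return "Kerberos" if len(header) > 1000 else "NTLM"

def classify_authorization(header):
    # Name the mechanism by inspecting the token rather than its size.
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "Other"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"  # bare NTLMSSP message, no SPNEGO wrapper
    if token[:1] != b"\x60" or SPNEGO_OID not in token:
        return "Unknown"
    # The mechToken belongs to the first mechType listed, so the earliest OID wins.
    hits = [(token.find(oid), name) for name, oid in MECHS if oid in token]
    return min(hits)[1] if hits else "Unknown"

def negotiate_header(mech_oids, mech_token):
    return "Negotiate " + base64.b64encode(spnego_init(mech_oids, mech_token)).decode()

# Constructed sample headers (not captured traffic); the mechTokens are dummy bytes.
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)
KRB_FIRST = [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]
HDR_RAW_NTLM = "NTLM " + base64.b64encode(NTLM_TYPE1).decode()
HDR_NEG_NTLM = negotiate_header([NTLMSSP_OID], NTLM_TYPE1)
HDR_NEG_KRB_BIG = negotiate_header(KRB_FIRST, b"\x60" + bytes(1200))
HDR_NEG_KRB_SMALL = negotiate_header(KRB_FIRST, b"\x60" + bytes(16))
```

A short Kerberos token is reported as NTLM by the length rule but as Kerberos by the OID check, which is why an unexpected "NTLM" result should be confirmed against the token before reconfiguring servers.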

<div class="references_section">