Microsoft KB Archive/259789

= Posting Acceptor Repost Fails When You Use Internet Explorer 5 with NTLM Security =

Article ID: 259789

Article Last Modified on 10/16/2002

-

APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition

-



This article was previously published under Q259789



SYMPTOMS
When you use Posting Acceptor to upload files, reposting fails if you use Windows NT NTLM security. Even though the content is uploaded successfully, the repost fails and the confirmation page returns the following error message:

You are not authorized to view this page



CAUSE
When you upload a file by using the Site Server Posting Acceptor, Cpshost.dll calls WinInet to process Repost.asp. A security problem in Internet Explorer 4.0 allows Repost.asp to be called when you use NTLM security and perform a repost operation without proper authentication.

This security bug has been fixed in Internet Explorer 5. As a result, uploads fail on Repost.asp. NTLM authentication allows a client to access a server that has authenticated with the system. The ImpersonateLoggedonUser API supports impersonation against a server on behalf of a client. However, another server cannot be accessed without performing another authentication. The reposting process to the second server is done without performing such an authentication.



WORKAROUND
To work around this problem, do one of the following:
 * Use Basic authentication or configure Allow Anonymous.
 * Use Basic authentication with SSL to provide a secured connection.
 * Use Windows NT 4.0 and Internet Explorer 4.0 with Site Server 3.0 Service Pack 3 (SP3).



RESOLUTION
Microsoft Internet Publishing Provider does not make use of WinInet, and therefore, does not share the NTLM authentication issue.



STATUS
Microsoft has confirmed that this is a problem in Site Server 3.0.



MORE INFORMATION
Internet Explorer 5 provides an easy way to upload files to a Web server if sufficient permissions are provided. To do this, perform the following steps:
 * 1) Double-click My Computer on the desktop.
 * 2) Double-click Web Folders.
 * 3) Double-click Add Web Folder to run the wizard and configure Web uploads.
 * 4) Drag the selected files to the Web site.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

195851 How to Install and Use Web Folders in Internet Explorer 5

ADO Internet Publishing Sample
Microsoft Internet Publishing Provider demonstrates how to use ADO Record and Stream objects with semi-structured data by using the Microsoft OLE DB Provider for Internet Publishing. It is installed in the Platform SDK\Samples\DataAccess\Ado\Msdaipp directory.

To run Internet Publishing Provider, perform the following steps:
 * 1) Open Msdaipp.vbp in Microsoft Visual Basic.
 * 2) Modify the line in the Form_Load sub-procedure of form1.frm that refers to your server. Replace the value of the string &quot;http://MyServer/DAVfs/&quot; with the name of your Web server and the path to a file store. Your Web server must support either the FrontPage Web Extender Client (WEC) or Web Distributed Authoring and Versioning (WebDAV) protocol extensions.
 * 3) From the Run menu, select Start with Full Compile.

For more information, refer to the following MSDN SDK sample:

http://msdn.microsoft.com/library/psdk/dasdk/mdas9eqt.htm

Steps to Reproduce the Problem
Two servers are required. The Posting Acceptor server requires that Site Server 3.0 SP3 is installed on either Windows 2000 or Windows NT 4.0 with Internet Explorer 5. Also, a file server is required for a repost destination.


 * 1) Apply NTLM security (only) on the Scripts directory.
 * 2) In Internet Explorer, open http://localhost/scripts/uploadn.asp.
 * 3) The Repost fails on the Windows 2000-based computer with the &quot;You are not authorized to view this page&quot; error message, but Windows NT 4.0 works.

Additional query words: ASDAIPP MSIPP

Keywords: kbbug kbfix kbqfe KB259789

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.