Microsoft KB Archive/292521

= FIX: Asynchronous ServerXMLHTTP Operations Do Not Inherit Proper Security Context =

Article ID: 292521

Article Last Modified on 10/16/2002

-

APPLIES TO


 * Microsoft XML Core Services 4.0

-



This article was previously published under Q292521



SYMPTOMS
When you attempt to run two asynchronous ServerXMLHTTP calls from Active Server Pages (ASP), the HTTP requests are not run in the correct security context.

For example, when you query for the authenticated user of a page that is opened asynchronously, and you use the same ServerXMLHTTP object to open the page and to retrieve the user, an incorrect user name is returned.



CAUSE


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This bug was corrected in Microsoft XML 3.0 Service Pack 1.

For additional information on other fixes included in Microsoft XML 3.0 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

292935 INFO: List of Issues Fixed in Microsoft XML 3.0 Service Pack 1

For the latest information and downloads of MSXML, refer to the following MSDN Web site:

http://msdn.microsoft.com/xml/default.asp



Steps to Reproduce Behavior
 Create a Microsoft Windows NT login account on your system.  Paste the following code in an ASP page. Name the file Sender.asp and place it in the default Web site. <% Dim xmlServerHttp set xmlserverhttp = server.createobject(&quot;MSXML2.ServerXMLHTTP&quot;) xmlServerHttp.open &quot;GET&quot;, &quot;http://localhost/receiver.asp&quot;, true xmlServerHttp.send

While xmlServerHttp.readyState <> 4 xmlServerHttp.waitForResponse 1000 Wend

response.contenttype = &quot;text/html&quot; response.write &quot;Current Page: &quot; & Request.ServerVariables(&quot;Logon_User&quot;) & &quot; &quot; response.write &quot;Receiver Page: &quot; & xmlServerHttp.responseText & &quot; &quot;

%>                     Paste the following code in an ASP page. Name the file Receiver.asp and place it in the default Web site. <%   response.write Request.ServerVariables(&quot;Logon_user&quot;) %>  In the Internet Information Services console, click the File Security Authentication tab of the Receiver.asp page and select only NT Challenge/Response (Integrated Windows Authentication). In the Internet Information Services console, click the File Security Authentication tab of the Sender.asp page and select only Basic Authentication. Open Sender.asp in a new browser and log on to the page using the NT account that you created in step 1. You see that the Sender.asp page and the Receiver.asp page have different authentications.</li>  In Sender.asp, change the Open statement to reflect the following: xmlServerHttp.open &quot;GET&quot;, &quot;http://localhost/receiver.asp&quot;, false </li> Close the browser and reopen Sender.asp. Log on using the account that you created in step 1. Both the Current page and the Receiver page have the same authentication.</li></ol>

Keywords: kbbug kbfix kbmsxml300sp1fix KB292521

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.