|
Home > Archive > IIS Server > June 2005 > IIS6.0: server side component using WinInet API fails with 401.2
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IIS6.0: server side component using WinInet API fails with 401.2
|
|
| laxmikanth 2005-06-29, 5:53 pm |
| Hi,
We have an sophisticated application that works great on a Win2K+IIS 5.0
combination. We are the process of adapting the application for Win2k3+IIS
6.0. We are struck by a problem with one of our sub-system on this platform.
The app is configured to use Integrated Windows Authentication.
In simple terms, we have the following situation
An ASP Page calling into a COM Component , this calling into another COM
Component and this component making using of WinInet API to post a HTTP
request to a resource within the same application
This situation works perfectly fine on a Win2K+IIS 5.0 box but fails with an
error 401.2 on a Win2K3 box. However, when we run a windows application (on
Win2K3 box) making use of WinInet API to post a HTTP request to the same
resource it appears to work fine.
I am kind of puzzled on what could be reasons for this and how to get about
this situations.
Your help would be greatly appreciated.
thanks
| |
| David Wang [Msft] 2005-06-29, 5:53 pm |
| If the app is configured to use Integrated Windows Authentication and your
COM component makes an WinInet POST that does not use Integrated
authentication, then you will get 401.2 by-design.
Either change server or WinInet configuration to accept/use the same
authentication.
http://msdn.microsoft.com/library/d...hentication.asp
Running code when launched via IIS is NOT the same as running code launched
by a windows application. A key difference is delegation of identity. In the
case of running code as IIS, the real user is on a different machine,
remotely logging into IIS, which is running the program on their behalf. In
the case of launching a Windows application, the real user is directly
running the piece of code as themselves. The injection of "using IIS to run
code on their behalf" makes all the difference as far as security protocols
are concerned. Some protocols allow delegation, others do not. So, your
comparison of functionality is pretty much apples to oranges.
I know that it looks like this is an IIS-problem since it only happens with
IIS involved, but realize that if it wasn't a problem from IIS, THAT would
be the serious security issue.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"laxmikanth" <alkreddy@hotmail.com> wrote in message
news:eHMnJLNfFHA.3780@TK2MSFTNGP10.phx.gbl...
Hi,
We have an sophisticated application that works great on a Win2K+IIS 5.0
combination. We are the process of adapting the application for Win2k3+IIS
6.0. We are struck by a problem with one of our sub-system on this platform.
The app is configured to use Integrated Windows Authentication.
In simple terms, we have the following situation
An ASP Page calling into a COM Component , this calling into another COM
Component and this component making using of WinInet API to post a HTTP
request to a resource within the same application
This situation works perfectly fine on a Win2K+IIS 5.0 box but fails with an
error 401.2 on a Win2K3 box. However, when we run a windows application (on
Win2K3 box) making use of WinInet API to post a HTTP request to the same
resource it appears to work fine.
I am kind of puzzled on what could be reasons for this and how to get about
this situations.
Your help would be greatly appreciated.
thanks
| |
| laxmikanth 2005-06-30, 2:53 am |
| Hi David,
Thanks for the explanation.
I do understand that running a piece of code from Windows applciation is not
same as running it under the web context.
My primary interest is to understand what my app work perfectly fine in a
Win2K+IIS5.0 configuration and fails in Win2K3+IIS6.0 configuration. What is
it that changed between these two versions that could have had an effect?
thanks,
Laxmikanth
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OQuNkGQfFHA.2472@TK2MSFTNGP15.phx.gbl...
> If the app is configured to use Integrated Windows Authentication and your
> COM component makes an WinInet POST that does not use Integrated
> authentication, then you will get 401.2 by-design.
>
> Either change server or WinInet configuration to accept/use the same
> authentication.
>
>
http://msdn.microsoft.com/library/d...hentication.asp
>
>
> Running code when launched via IIS is NOT the same as running code
launched
> by a windows application. A key difference is delegation of identity. In
the
> case of running code as IIS, the real user is on a different machine,
> remotely logging into IIS, which is running the program on their behalf.
In
> the case of launching a Windows application, the real user is directly
> running the piece of code as themselves. The injection of "using IIS to
run
> code on their behalf" makes all the difference as far as security
protocols
> are concerned. Some protocols allow delegation, others do not. So, your
> comparison of functionality is pretty much apples to oranges.
>
> I know that it looks like this is an IIS-problem since it only happens
with
> IIS involved, but realize that if it wasn't a problem from IIS, THAT would
> be the serious security issue.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "laxmikanth" <alkreddy@hotmail.com> wrote in message
> news:eHMnJLNfFHA.3780@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We have an sophisticated application that works great on a Win2K+IIS 5.0
> combination. We are the process of adapting the application for Win2k3+IIS
> 6.0. We are struck by a problem with one of our sub-system on this
platform.
>
> The app is configured to use Integrated Windows Authentication.
>
> In simple terms, we have the following situation
>
> An ASP Page calling into a COM Component , this calling into another COM
> Component and this component making using of WinInet API to post a HTTP
> request to a resource within the same application
>
> This situation works perfectly fine on a Win2K+IIS 5.0 box but fails with
an
> error 401.2 on a Win2K3 box. However, when we run a windows application
(on
> Win2K3 box) making use of WinInet API to post a HTTP request to the same
> resource it appears to work fine.
>
> I am kind of puzzled on what could be reasons for this and how to get
about
> this situations.
>
> Your help would be greatly appreciated.
>
> thanks
>
>
>
| |
| David Wang [Msft] 2005-06-30, 6:01 pm |
| What changed between IIS5 and IIS6? The entire OS, Tons of Security-related
changes, and IIS6 is a rewrite from IIS5.
However, 401.2 indicates failure to authenticate with the required
authentication protocol. This usually implies a misconfiguration of the
server's authentication settings, or the client is doing something wrong. I
am suspecting the latter, and a network trace (Network Monitor is an
Add/Remove Program on Windows Server 2003) of the requests will pretty much
show all the details and say whether this is a client or server problem.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"laxmikanth" <alkreddy@hotmail.com> wrote in message
news:OsMyvHUfFHA.572@TK2MSFTNGP15.phx.gbl...
Hi David,
Thanks for the explanation.
I do understand that running a piece of code from Windows applciation is not
same as running it under the web context.
My primary interest is to understand what my app work perfectly fine in a
Win2K+IIS5.0 configuration and fails in Win2K3+IIS6.0 configuration. What is
it that changed between these two versions that could have had an effect?
thanks,
Laxmikanth
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OQuNkGQfFHA.2472@TK2MSFTNGP15.phx.gbl...
> If the app is configured to use Integrated Windows Authentication and your
> COM component makes an WinInet POST that does not use Integrated
> authentication, then you will get 401.2 by-design.
>
> Either change server or WinInet configuration to accept/use the same
> authentication.
>
>
http://msdn.microsoft.com/library/d...hentication.asp
>
>
> Running code when launched via IIS is NOT the same as running code
launched
> by a windows application. A key difference is delegation of identity. In
the
> case of running code as IIS, the real user is on a different machine,
> remotely logging into IIS, which is running the program on their behalf.
In
> the case of launching a Windows application, the real user is directly
> running the piece of code as themselves. The injection of "using IIS to
run
> code on their behalf" makes all the difference as far as security
protocols
> are concerned. Some protocols allow delegation, others do not. So, your
> comparison of functionality is pretty much apples to oranges.
>
> I know that it looks like this is an IIS-problem since it only happens
with
> IIS involved, but realize that if it wasn't a problem from IIS, THAT would
> be the serious security issue.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "laxmikanth" <alkreddy@hotmail.com> wrote in message
> news:eHMnJLNfFHA.3780@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We have an sophisticated application that works great on a Win2K+IIS 5.0
> combination. We are the process of adapting the application for Win2k3+IIS
> 6.0. We are struck by a problem with one of our sub-system on this
platform.
>
> The app is configured to use Integrated Windows Authentication.
>
> In simple terms, we have the following situation
>
> An ASP Page calling into a COM Component , this calling into another COM
> Component and this component making using of WinInet API to post a HTTP
> request to a resource within the same application
>
> This situation works perfectly fine on a Win2K+IIS 5.0 box but fails with
an
> error 401.2 on a Win2K3 box. However, when we run a windows application
(on
> Win2K3 box) making use of WinInet API to post a HTTP request to the same
> resource it appears to work fine.
>
> I am kind of puzzled on what could be reasons for this and how to get
about
> this situations.
>
> Your help would be greatly appreciated.
>
> thanks
>
>
>
|
|
|
|
|