Article ID: 292521 - Last Review: October 16, 2002 - Revision: 1.4

FIX: Asynchronous ServerXMLHTTP Operations Do Not Inherit Proper Security Context

View products that this article applies to.
This article was previously published under Q292521

On This Page

Expand all | Collapse all

SYMPTOMS

When you attempt to run two asynchronous ServerXMLHTTP calls from Active Server Pages (ASP), the HTTP requests are not run in the correct security context.

For example, when you query for the authenticated user of a page that is opened asynchronously, and you use the same ServerXMLHTTP object to open the page and to retrieve the user, an incorrect user name is returned.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This bug was corrected in Microsoft XML 3.0 Service Pack 1.

For additional information on other fixes included in Microsoft XML 3.0 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:
292935  (http://support.microsoft.com/kb/292935/EN-US/ ) INFO: List of Issues Fixed in Microsoft XML 3.0 Service Pack 1
For the latest information and downloads of MSXML, refer to the following MSDN Web site:
http://msdn.microsoft.com/xml/default.asp (http://msdn.microsoft.com/xml/default.asp)
Back to the top

MORE INFORMATION

Steps to Reproduce Behavior

  1. Create a Microsoft Windows NT login account on your system.
  2. Paste the following code in an ASP page. Name the file Sender.asp and place it in the default Web site.
    <%
Dim xmlServerHttp
set xmlserverhttp = server.createobject("MSXML2.ServerXMLHTTP")
xmlServerHttp.open "GET", "http://localhost/receiver.asp", true
xmlServerHttp.send

While xmlServerHttp.readyState <> 4
    xmlServerHttp.waitForResponse 1000
Wend

response.contenttype = "text/html"
response.write "Current Page: " & Request.ServerVariables("Logon_User") & "<br/>"
response.write "Receiver Page: " & xmlServerHttp.responseText & "<br/>"

%>
  3. Paste the following code in an ASP page. Name the file Receiver.asp and place it in the default Web site.
    <%
	response.write Request.ServerVariables("Logon_user")
%>
  4. In the Internet Information Services console, click the File Security Authentication tab of the Receiver.asp page and select only NT Challenge/Response (Integrated Windows Authentication).
  5. In the Internet Information Services console, click the File Security Authentication tab of the Sender.asp page and select only Basic Authentication.
  6. Open Sender.asp in a new browser and log on to the page using the NT account that you created in step 1. You see that the Sender.asp page and the Receiver.asp page have different authentications.
  7. In Sender.asp, change the Open statement to reflect the following:
    xmlServerHttp.open "GET", "http://localhost/receiver.asp", false
  8. Close the browser and reopen Sender.asp. Log on using the account that you created in step 1. Both the Current page and the Receiver page have the same authentication.
Back to the top
APPLIES TO
  • Microsoft XML Parser 3.0
Back to the top
Keywords: 
kbbug kbfix kbmsxml300sp1fix KB292521
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations