BUG: Proxy Authentication Through IAuthenticate May Fail on Secure URL

Important: The hotfix described in this article has been superseded by the 813951 Critical Update. For additional information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

In a Web browser control host, when you initially navigate to a secure URL through a proxy server that requires authentication, and if you provide the authentication credentials through the IAuthenticate interface, you may receive a "Page Not Found" error message. Important Note: This hotfix contains a bug that is addressed in the following Microsoft Knowledge Base article: 813951 - BUG: Proxy Authentication Through IAuthenticate May Fail on Secure URL.

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

The error occurs because the proxy credentials are not cached correctly when they go through a secure connection in this situation.

Steps to Reproduce the Behavior

1. Set up a proxy server.
2. Create a test account name, and then create a password that has permission to use the proxy server.
3. Create a Microsoft Foundation Classes (MFC) CHtmlView class application, and then implement the IAuthenticate and the IServiceProvider interfaces in a custom control site. The IServiceProvider interface permits the Web browser control to discover the IAuthenticate interface.
   
   The following example code is specific to Microsoft Foundation Classes 7.0:
   
   MyOleControlSite.h

   #include <afxocc.h>
   #include <afxhtml.h>
   
   class CHtmlControlSite : public COleControlSite
   {
   public:
   	CHtmlControlSite(COleControlContainer* pParentWnd);
   	~CHtmlControlSite();
   
   	CHtmlView* GetView() const;
   
   	BEGIN_INTERFACE_PART(DocHostUIHandler, IDocHostUIHandler)
   		STDMETHOD(ShowContextMenu)(DWORD, LPPOINT, LPUNKNOWN, LPDISPATCH);
   		STDMETHOD(GetHostInfo)(DOCHOSTUIINFO*);
   		STDMETHOD(ShowUI)(DWORD, LPOLEINPLACEACTIVEOBJECT,
   			LPOLECOMMANDTARGET, LPOLEINPLACEFRAME, LPOLEINPLACEUIWINDOW);
   		STDMETHOD(HideUI)(void);
   		STDMETHOD(UpdateUI)(void);
   		STDMETHOD(EnableModeless)(BOOL);
   		STDMETHOD(OnDocWindowActivate)(BOOL);
   		STDMETHOD(OnFrameWindowActivate)(BOOL);
   		STDMETHOD(ResizeBorder)(LPCRECT, LPOLEINPLACEUIWINDOW, BOOL);
   		STDMETHOD(TranslateAccelerator)(LPMSG, const GUID*, DWORD);
   		STDMETHOD(GetOptionKeyPath)(OLECHAR **, DWORD);
   		STDMETHOD(GetDropTarget)(LPDROPTARGET, LPDROPTARGET*);
   		STDMETHOD(GetExternal)(LPDISPATCH*);
   		STDMETHOD(TranslateUrl)(DWORD, OLECHAR*, OLECHAR **);
   		STDMETHOD(FilterDataObject)(LPDATAOBJECT , LPDATAOBJECT*);
   	END_INTERFACE_PART(DocHostUIHandler)
   
   	DECLARE_INTERFACE_MAP()
   };
   
   class CMyOleControlSite : public CHtmlControlSite
   {
   public:
   	CMyOleControlSite(COleControlContainer *pCnt = NULL):CHtmlControlSite(pCnt) {}
   
   	BEGIN_INTERFACE_PART(Authenticate, IAuthenticate)
   
   	STDMETHODIMP Authenticate( 
   		HWND __RPC_FAR *phwnd,
   		LPWSTR __RPC_FAR *pszUsername,
   		LPWSTR __RPC_FAR *pszPassword);
   
   	END_INTERFACE_PART(Authenticate)
   
   
   	BEGIN_INTERFACE_PART(ServiceProvider, IServiceProvider)
   		STDMETHODIMP QueryService(REFGUID guid, REFIID iid, LPVOID * ppv);
   	END_INTERFACE_PART(ServiceProvider)  
   
   	DECLARE_INTERFACE_MAP();
   };
   					

   MyOleControlSite.cpp

   #include "stdafx.h"
   #include "MyOleControlSite.h"
   
   BEGIN_INTERFACE_MAP(CMyOleControlSite, CHtmlControlSite)
   	INTERFACE_PART(CMyOleControlSite, IID_IAuthenticate, Authenticate)
   	INTERFACE_PART(CMyOleControlSite, IID_IServiceProvider, ServiceProvider)
   END_INTERFACE_MAP()
   
   ///////////////////////////////////////////////////////////////////////////// 
   // CMyOleControlSite: IAthenticate::IUnknown methods
   
   ULONG CMyOleControlSite::XAuthenticate::AddRef()
   {
   	METHOD_PROLOGUE(CMyOleControlSite, Authenticate)
   	return pThis->ExternalAddRef();
   }
   
   ULONG CMyOleControlSite::XAuthenticate::Release()
   {                            
   	METHOD_PROLOGUE(CMyOleControlSite, Authenticate)
   	return pThis->ExternalRelease();
   }
   
   HRESULT CMyOleControlSite::XAuthenticate::QueryInterface(REFIID riid, void **ppvObj)
   {
   	METHOD_PROLOGUE(CMyOleControlSite, Authenticate)
   	HRESULT hr = (HRESULT)pThis->ExternalQueryInterface(&riid, ppvObj);
   	return hr;
   }
   
   
   ///////////////////////////////////////////////////////////////////////////// 
   // CMyOleControlSite: Authenticate methods
   
   STDMETHODIMP CMyOleControlSite::XAuthenticate::Authenticate( 
       HWND __RPC_FAR *phwnd,
       LPWSTR __RPC_FAR *pszUsername,
       LPWSTR __RPC_FAR *pszPassword)
   {
   	METHOD_PROLOGUE(CMyOleControlSite, Authenticate)
   
   	// add code from next step
   
   	return S_OK;
   }
   
   // 
   // IServiceProvider
   // 
   
   ULONG CMyOleControlSite::XServiceProvider::AddRef()
   {
   	METHOD_PROLOGUE(CMyOleControlSite, ServiceProvider)
   	return pThis->ExternalAddRef();
   }
   
   ULONG CMyOleControlSite::XServiceProvider::Release()
   {                            
   	METHOD_PROLOGUE(CMyOleControlSite, ServiceProvider)
   	return pThis->ExternalRelease();
   }
   
   HRESULT CMyOleControlSite::XServiceProvider::QueryInterface(REFIID riid, void **ppvObj)
   {
   	METHOD_PROLOGUE(CMyOleControlSite, ServiceProvider)
   	HRESULT hr = (HRESULT)pThis->ExternalQueryInterface(&riid, ppvObj);
   	return hr;
   }
   
   STDMETHODIMP CMyOleControlSite::XServiceProvider::QueryService(REFGUID sid, REFIID iid, LPVOID * ppv)
   {
    	METHOD_PROLOGUE(CMyOleControlSite, ServiceProvider)
   
   	if (sid == IID_IAuthenticate || iid == IID_IAuthenticate) {
   		return (HRESULT)pThis->ExternalQueryInterface(&iid, ppv);
       } else {
   		*ppv = NULL;
   	}
   		
   	return E_NOINTERFACE;
   }
   					

   ProxyTestView.h

   class CProxyTestView : public CHtmlView
   {
   ...
   	BOOL CreateControlSite(COleControlContainer* pContainer, 
   		COleControlSite** ppSite, UINT nID, REFCLSID clsid);
   					

   ProxyTestView.cpp

   BOOL CProxyTestView::CreateControlSite(COleControlContainer* pContainer, 
   	COleControlSite** ppSite, UINT nID, REFCLSID clsid)
   {
   	ASSERT(ppSite != NULL);
   	*ppSite = new CMyOleControlSite(pContainer);
   	return TRUE;
   }
   					

4. In the implementation of the IAuthenticate interface, provide a user name and a password, as shown in the following example:

   STDMETHODIMP CMyOleControlSite::XAuthenticate::Authenticate( 
       HWND __RPC_FAR *phwnd,
       LPWSTR __RPC_FAR *pszUsername,
       LPWSTR __RPC_FAR *pszPassword)
   {
   	METHOD_PROLOGUE(CMyOleControlSite, Authenticate)
   
   	CString strUsername = "Altoid/LocalAltoid";
   	CString strPassword = "Test123";
   	
   	WCHAR *wszDlgUser = (WCHAR *) CoTaskMemAlloc(255 * sizeof(WCHAR));
   	WCHAR *wszDlgPassword = (WCHAR *) CoTaskMemAlloc(255 * sizeof(WCHAR));
   	MultiByteToWideChar(GetACP(), 0, (const char*)strUsername, -1, wszDlgUser, 255);
   	MultiByteToWideChar(GetACP(), 0, (const char*)strPassword, -1, wszDlgPassword, 255);
   	*pszUsername = wszDlgUser;
   	*pszPassword = wszDlgPassword;
   	*phwnd = NULL;
   
   	return S_OK;
   }
   					

5. In the OnInitialUpdate function, move to the "about:blank" page:

   void CProxyTestView::OnInitialUpdate()
   {
   	CHtmlView::OnInitialUpdate();
   	Navigate2(_T("about:blank"),NULL,NULL);
   }
   					

6. Add a menu item, and then add a handler to move to a secure URL, as shown in the following example:

   void CProxyTestView::OnActionTest()
   {
   	Navigate2(_T("https://www.etrade.com"),NULL,NULL);
   }
   					

7. Build and then test the project. You see that the page cannot be found. If you modify the page so that it moves to a non-secure URL, or if you visit the secure URL after you visit the non-secure URL, the move succeeds.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: For more information about the COleControlSite class, visit the following Microsoft Developer Network Web site:
For more information about the IAuthenticate interface, visit the following Microsoft Developer Network Web site:
For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites: