PRB: "Access Denied" Error Message When Using ServerXMLHTTP to Access an Authenticated Site

Symptoms

When you use the ServerXMLHTTP object to access a Web site that is configured to use Integrated Windows authentication, and a valid NT User ID and password are not supplied in the call to the Open method of the ServerXMLHTTP object, you may receive the following error message:
401 - Access Denied
Typically, this error indicates that the NT User ID that is used to access the Web site does not have the permissions to execute the requested HTTP operation. In such a situation, the NT User ID must be granted the required permissions for the request to succeed.


However, when you use the ServerXMLHTTP object, the error can also occur even when the NT User ID (under whose credentials the ServerXMLHTTP object code is executing) has the rights that are required to execute the HTTP operation that is specified as the first parameter of the object's Open method.

Cause

The Microsoft XML Parser (MSXML) 3.0 installs and depends on Microsoft Windows HTTP Services (WinHTTP). If the WinHTTP proxy configuration settings that are required by the ServerXMLHTTP object have not been set or have been incorrectly set on the computer on which the ServerXMLHTTP code is being executed, the error occurs.

Resolution

Use the WinHTTP proxy configuration utility (Proxycfg.exe) to set the WinHTTP proxy configuration settings correctly as required.

Status

This behavior is by design.

More Information

The proxy configuration utility allows you to configure WinHTTP proxy settings that are required by the ServerXMLHTTP object. This object relies on WinHTTP to establish server-to-server HTTP connections. When you use ServerXMLHTTP code to execute HTTP operations against a Web site, you often receive the 401 - Access Denied HTTP error message when one of the following two conditions is true:
  • Proxycfg.exe was not executed to correctly set the proxy settings that are required by ServerXMLHTTP.
  • Microsoft Internet Information Server (IIS) was not restarted after Proxycfg.exe was run to specify the proxy settings required by ServerXMLHTTP.
For additional information on downloading and using the Proxycfg.exe utility to configure the WinHTTP settings required by ServerXMLHTTP in an environment that uses a proxy server, see the following article in the Microsoft Knowledge Base:

289481 INFO: Proxy Configuration Utility Must Be Run for ServerXMLHTTP to Work
When you use MSXML 3.0, if Proxycfg.exe has not been run, the ServerXMLHTTP object defaults to accessing sites directly. This is equivalent to running proxycfg -d, which configures WinHTTP to use a non-proxy setup. In MSXML 3.0, ServerXMLHTTP requires Proxycfg.exe to be run even when there is no proxy server or, more specifically, where the process does not have write permissions to the registry (this is typically the case for the IWAM_machinename user account under which out-of-process ASP applications run).


The 401-Access Denied HTTP error may also occur under the following conditions:
  • There is no proxy server.
  • You are trying to access a site that is configured to use Integrated Windows authentication.
  • A valid NT User ID and password are not supplied in the call to the Open method of the ServerXMLHTTP object.
  • The logged on user (that is, the user under whose credentials the ServerXMLHTTP object code is executing) does not have the required access permissions to execute the requested HTTP operation.
Usually, when a proxy and bypass list are set, the ServerXMLHTTP object handles the authentication automatically so that you do not have to supply credentials in the Open method call. The ServerXMLHTTP object performs this automatic logon only if it determines that the target server is on the same intranet domain as the client. The heuristic that it uses to make this determination consists of the following checks:
  1. Is a proxy server set?
  2. Can the proxy server be bypassed for the particular Web server to which the request is sent?
If the answer to both of these questions is "yes", ServerXMLHTTP attempts to authenticate automatically, and the script code does not need to specify a username and password explicitly in the call to the Open method.


The following Knowledge Base article describes settings that can correct the problem if the environment uses a proxy server:
289481 INFO: Proxy Configuration Utility Must Be Run for ServerXMLHTTP to Work
NOTE: If the environment does not use a proxy server, the settings that are described in the above article will not fix the problem that is described in the "Symptoms" section.


If you want to use the ServerXMLHTTP auto logon feature in an environment that does not use a proxy server (to access a site that is configured to use Integrated Windows authentication), set the Proxycfg.exe settings with a command like the following. In the semicolon (;) separated proxy bypass list, include the name(s) of the intranet IIS servers against which you want to execute HTTP operations using the ServerXMLHTTP object:
proxycfg -d -p "<local>" "< ; separated list of servers to bypass using a proxy>" 
Because Proxycfg.exe writes to the registry, you must restart the IIS Admin Service and the W3C Service for the Proxycfg.exe settings to take effect.


Alternatively, explicitly supplying the NT username and password in the call to the Open method of the ServerXMLHTTP object as shown in the following example also fixes the problem:
SXH.Open "GET", MyUrl, false, "Valid NT UserName", "NT UserPassword"
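
The two logon paths described above, compared in one diagnostic script. This is an added example, not code from the original article; the script name check401.vbs, the SXH_USER / SXH_PASSWORD environment variables (used so that the password is not hard-coded in the script) and the TryRequest helper are assumptions.

```vbscript
' Added example: compare automatic logon with explicit credentials.
' Usage: cscript //nologo check401.vbs http://server/path
' SXH_USER / SXH_PASSWORD and TryRequest are names assumed for this example.
Option Explicit

Function TryRequest(url, user, password)
    Dim sxh
    Set sxh = CreateObject("MSXML2.ServerXMLHTTP")
    If user = "" Then
        sxh.open "GET", url, False                  ' rely on automatic logon
    Else
        sxh.open "GET", url, False, user, password  ' explicit credentials
    End If
    sxh.send
    WScript.Echo "  HTTP " & sxh.status & " " & sxh.statusText
    If sxh.status = 401 Then
        ' Show which authentication scheme(s) the server asked for.
        WScript.Echo "  WWW-Authenticate: " & sxh.getResponseHeader("WWW-Authenticate")
    End If
    TryRequest = sxh.status
End Function

Dim url, env, user, password
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo check401.vbs <url>"
    WScript.Quit 2
End If
url = WScript.Arguments(0)

WScript.Echo "1. No credentials in Open (automatic logon):"
If TryRequest(url, "", "") <> 401 Then WScript.Quit 0

' Read the test account from the process environment, not from the script.
Set env = CreateObject("WScript.Shell").Environment("PROCESS")
user = env("SXH_USER")
password = env("SXH_PASSWORD")
If user = "" Then
    WScript.Echo "401 without credentials. Set SXH_USER and SXH_PASSWORD to test explicit logon."
    WScript.Quit 1
End If

WScript.Echo "2. Explicit credentials in Open:"
If TryRequest(url, user, password) <> 401 Then
    WScript.Echo "Explicit logon works; review the Proxycfg.exe proxy and bypass settings."
Else
    WScript.Echo "Still 401; check this account's permissions for the request."
End If
```

Step 1 authenticates as the account that runs the script, so run it under the same account as the ASP application to reproduce what the application sees.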

References

For more information, see the following Knowledge Base articles:
299566 HOWTO: Identify HTTP Errors When You Use the ServerXMLHTTP Object
290761 Frequently Asked Questions about ServerXMLHTTP
Properties

Article ID: 291008 - Last Review: Nov 9, 2009 - Revision: 1
