How To Use Kerberos with the ServerXMLHTTP Component in MSXML


Summary


This article describes how to use the ServerXMLHTTP object with Kerberos authentication in a specific scenario that requires delegation. The article also provides two sample Active Server Pages (ASP) pages and troubleshooting instructions.


NOTE: You need Microsoft Windows 2000 or later to use the Kerberos protocol for authentication.

More Information


The three computers in the scenario are configured as follows:
  • Computer A has Microsoft Internet Explorer installed.
  • Two Internet Information Services (IIS) servers (Computer B and Computer C) reside in the same domain.
  • The domain controller has the Active Directory service installed.
  • Computer B is trusted for delegation.
  • Under the account that you want to delegate, the Account is sensitive cannot be delegated check box is not selected.
The scenario is as follows:
  • Computer A requests an ASP page from a Microsoft Internet Information Services (IIS) Web server that resides on a second computer (Computer B).
  • The ASP page uses the MSXML ServerXMLHTTP object to communicate with another ASP page on another IIS Web server that resides on a third computer (Computer C).
  • You want the second IIS server (Computer C) to see the identity of the user who is logged on to the first computer (Computer A).
To make the delegation work, follow these steps:
  1. Configure the first IIS server (Computer B) and set up a user account for delegation so that Kerberos authentication can generate a delegate-level token. For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:

    283201 How To Use Delegation in Windows 2000 with COM+
  2. On the first IIS server (Computer B), enable the ServerXMLHTTP object to forward user credentials automatically. To do this, run the Proxycfg.exe utility with one of the following commands:
    command prompt> proxycfg -d -p "CorpProxy" "<local>;*"
    -or-
    command prompt> proxycfg -d -p "CorpProxy" "<local>;*.microsoft.com"
    NOTE: The ServerXMLHTTP object does not automatically send the NTLM credentials of the client unless it knows that the target server is on the same network or intranet. In other words, by default the ServerXMLHTTP object does not "trust" Internet sites. The heuristic that determines whether a target server is trusted is that Proxycfg.exe has been run to specify a proxy server and the particular target server to which you want to send the request is listed in the proxy bypass list. The asterisk character (*) is a wildcard character that stands for all URLs. If you use the asterisk character (*), the user credentials are forwarded to all target servers.


    For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    289481 INFO: Proxy Configuration Utility Must Be Run for ServerXMLHTTP to Work
  3. Enable Internet Explorer to use Kerberos authentication. For additional information about how to enable Internet Explorer 6.0 to use Kerberos, click the article number below to view the article in the Microsoft Knowledge Base:

    299838 Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6
    For additional information about how to enable other versions of Internet Explorer to use Kerberos, click the article numbers below to view the articles in the Microsoft Knowledge Base:

    277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos
    299270 Kerberos Does Not Negotiate Using Internet Explorer 5.5 If an FQDN Is Used to Connect

Troubleshooting

When you use ServerXMLHTTP with Kerberos authentication, you may receive an "Access Denied" error message. This error message is typically caused by incorrect configuration. You can use the following two ASP pages to help isolate the problem and to detect the logon user identity and the authentication mode. Most of the code in the two ASP pages is the same; the difference is that the first ASP page also contains code that uses the ServerXMLHTTP object.

  1. Paste the following code in Notepad, name the file Test1.asp, and then save the file in the virtual directory folder on the first IIS server (Computer B):
    <%
    Dim userID
    Dim AuthMethod
    Dim AuthType
    Dim AuthLength
    Dim http

    ' Get the identity of the authenticated user.
    userID = Request.ServerVariables("LOGON_USER")

    Response.Write "<br>Reach To IIS server on Computer B "

    Response.Write "<br> User Id = " & userID

    ' Get the authentication method being used.
    AuthMethod = Request.ServerVariables("AUTH_TYPE")

    ' Get the HTTP_Authorization header; its length is used below to distinguish Kerberos from NTLM.
    AuthLength = Request.ServerVariables("HTTP_Authorization")

    ' If some other authentication method (other than Negotiate) is used, call it "Other".
    If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod

    ' If Negotiate is used, go straight to the subroutine that handles it.
    If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

    Response.Write "<br><br> Attempt to connect to IIS on Computer C by using ServerXMLHTTP "

    ' The request is sent with the credentials of the delegated user (see the Proxycfg.exe step above).
    Set http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")

    http.open "GET", "http://iisserver2/test2.asp", False
    http.send

    Response.Write "<br> Receiver Status Text: " & http.statusText & " (" & http.status & ")"
    Response.Write "<br>" & http.responseText

    Sub AuthOtherMethod()
    ' Anonymous authentication leaves AUTH_TYPE blank, so label it explicitly.
    If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
    Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
    Response.Write "<P>&#xa0;&#xa0;&#xa0;&#xa0;If you were expecting a different method to be used,"
    Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
    Response.Write " multiple authentication methods, or allowing anonymous access can result in a "
    Response.Write " different method being used.</table>"
    End Sub

    Sub AuthNegotiateMethod()
    ' Typically, NTLM yields a 150 - 300 byte header, and Kerberos is more like 5000 bytes.
    If Len(AuthLength) > 1000 Then AuthType = "Kerberos" Else AuthType = "NTLM"
    Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"

    ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script).
    Response.Write "The user was logged on using <B>" & AuthType & "</B>."
    Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
    Response.Write "&#xa0;&#xa0;&#xa0;&#xa0;If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
    Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
    Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
    Response.Write " for any subsequent requests.</table>"
    End Sub
    %>
    NOTE: This ASP page requires you to have the MSXML 4.0 parser installed. If you want to use the MSXML 3.0 parser, change the MSXML2.ServerXMLHTTP.4.0 ProgId to MSXML2.ServerXMLHTTP.3.0.

  2. Modify the URL in the following line to point to the correct URL for Test2.asp. Test2.asp is the second ASP page that is listed in this article.
    http.open "GET", "http://iisserver2/test2.asp", False
  3. Paste the following code in Notepad, and then save the file as Test2.asp in the virtual directory folder on the second IIS server (Computer C):
    <%
    Dim userID
    Dim AuthMethod
    Dim AuthType
    Dim AuthLength

    ' Get the identity of the authenticated user.
    userID = Request.ServerVariables("LOGON_USER")

    Response.Write "<br>Reach To IIS server on Computer C "

    Response.Write "<br> User Id = " & userID

    ' Get the authentication method being used.
    AuthMethod = Request.ServerVariables("AUTH_TYPE")

    ' Get the HTTP_Authorization header; its length is used below to distinguish Kerberos from NTLM.
    AuthLength = Request.ServerVariables("HTTP_Authorization")

    ' If some other authentication method (other than Negotiate) is used, call it "Other".
    If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod

    ' If Negotiate is used, go straight to the subroutine that handles it.
    If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

    Sub AuthOtherMethod()
    ' Anonymous authentication leaves AUTH_TYPE blank, so label it explicitly.
    If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
    Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
    Response.Write "<P>&#xa0;&#xa0;&#xa0;&#xa0;If you were expecting a different method to be used,"
    Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
    Response.Write " multiple authentication methods, or allowing anonymous access can result in a "
    Response.Write " different method being used.</table>"
    End Sub

    Sub AuthNegotiateMethod()
    ' Typically, NTLM yields a 150 - 300 byte header, while Kerberos is more like 5000 bytes.
    If Len(AuthLength) > 1000 Then AuthType = "Kerberos" Else AuthType = "NTLM"
    Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"

    ' Indicate the authentication method that is used to authenticate the user.
    Response.Write "The user was logged on using <B>" & AuthType & "</B>."
    Response.Write "</table>"
    ' The refresh warning is not needed on this page because it is requested by ServerXMLHTTP, not by a browser.
    'Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
    'Response.Write "&#xa0;&#xa0;&#xa0;&#xa0;If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
    'Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
    'Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
    'Response.Write " for any subsequent requests.</table>"
    End Sub
    %>
  4. Load the first ASP page (Test1.asp) in an Internet Explorer browser. If everything is set up correctly, you see output similar to the following:
    Reach To IIS server on Computer B
    UserId = Domain1\user1
    The Negotiate method was used!
    The user was logged on using Kerberos

    Attempt to connect to IIS on Computer C by using ServerXMLHTTP
    Receiver Status Text: OK (200)

    Reach To IIS server on Computer C
    UserId = Domain1\user1
    The Negotiate method was used!
    The user was logged on using Kerberos
If you see an incorrect user ID, an empty user ID, or the following line in the output, the configuration is not set up correctly:
The user was logged on using NTLM
To resolve these problems, isolate the problem on each computer individually, and then reconfigure that computer's settings.
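The two ASP pages above tell Kerberos from NTLM by the length of the HTTP_Authorization header, which is only a rule of thumb (the 1000-byte threshold). As an added example that is not part of the original article, the following Python code classifies the header by content instead: it decodes the Negotiate token and reads the first mechanism OID in the SPNEGO mechTypes list, or recognizes the NTLMSSP signature of a raw NTLM message. The sample headers it builds are constructed here with a dummy mechToken (not captured from a real client) and are deliberately short, so the length rule would have labelled the Kerberos one NTLM.

```python
import base64
# DER-encoded OID contents (well-known values).
SPNEGO_OID = bytes.fromhex("2b0601050502")                                   # 1.3.6.1.5.5.2
KRB5_OIDS = {bytes.fromhex("2a864886f712010202"), bytes.fromhex("2a864882f712010202")}  # Kerberos V5, MS KRB5
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")                          # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                                            # prefix of every raw NTLMSSP message

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER element at pos and return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                         # long-form length (real krb5 tokens need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_authorization(header: str) -> str:
    """Return 'Kerberos', 'NTLM', 'none' (header absent, as after a refresh) or 'unknown'."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "none" if not scheme else "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(NTLMSSP_SIGNATURE):                               # raw NTLM sent under the Negotiate scheme
            return "NTLM"
        tag, body, _ = read_tlv(token, 0)                                     # GSS-API InitialContextToken
        tag2, mech, pos = read_tlv(body, 0)                                   # thisMech OID, must be SPNEGO
        if (tag, tag2) != (0x60, 0x06) or mech != SPNEGO_OID:
            return "unknown"
        # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID -> first OID; Windows' optimistic mechToken is for that OID.
        node = body[pos:]
        for _ in range(5):
            _, node, _ = read_tlv(node, 0)
    except (ValueError, IndexError):
        return "unknown"
    return "Kerberos" if node in KRB5_OIDS else "NTLM" if node == NTLMSSP_OID else "unknown"

def der(tag: int, value: bytes) -> bytes:                                     # minimal DER TLV encoder for the samples below
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def sample_spnego(first_mech: bytes) -> str:                                  # constructed: first_mech then NTLMSSP, dummy mechToken
    mech_types = der(0xA0, der(0x30, der(0x06, first_mech) + der(0x06, NTLMSSP_OID)))
    neg_init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, b"\x00" * 200))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + neg_init)).decode()

# Constructed raw NTLM NEGOTIATE_MESSAGE (type 1) header, as some clients send it under "Negotiate".
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24).decode()
```

On a real server the header value comes from Request.ServerVariables("HTTP_Authorization") or the equivalent in the web framework; the classification does not depend on header length, so a short Kerberos token or a large NTLM message is still labelled correctly.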

References


For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

290761 Frequently Asked Questions About ServerXMLHTTP
291008 PRB: 'Access Denied' Error Message When Using ServerXMLHTTP to Access an Authenticated Site