Microsoft Knowledge Base Article
This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 292521 - Last Review: October 16, 2002 - Revision: 1.4
FIX: Asynchronous ServerXMLHTTP Operations Do Not Inherit Proper Security Context
This article was previously published under Q292521
When you attempt to run two asynchronous
ServerXMLHTTP calls from Active Server Pages (ASP), the HTTP requests are not run in the correct security context.
For example, when you query for the authenticated user of a page that is opened asynchronously, and you use the same
ServerXMLHTTP object to open the page and to retrieve the user, an incorrect user name is returned.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
This bug was corrected in Microsoft XML 3.0 Service Pack 1.
For additional information on other fixes included in Microsoft XML 3.0 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:
292935 (http://kbalertz.com/Feedback.aspx?kbNumber=292935/EN-US/) INFO: List of Issues Fixed in Microsoft XML 3.0 Service Pack 1
For the latest information and downloads of MSXML, refer to the following MSDN Web site:
Steps to Reproduce Behavior
- Create a Microsoft Windows NT login account on your system.
- Paste the following code in an ASP page. Name the file Sender.asp and place it in the default Web site.
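<%
' Request Receiver.asp with the third argument of open set to true,
' which makes the call asynchronous.
Dim xmlServerHttp
Set xmlServerHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
xmlServerHttp.open "GET", "http://localhost/receiver.asp", true
xmlServerHttp.send
' Wait until the asynchronous request has completed (readyState 4).
While xmlServerHttp.readyState <> 4
    xmlServerHttp.waitForResponse 1000
Wend
' Show the user of this page next to the user that Receiver.asp reports.
Response.ContentType = "text/html"
Response.Write "Current Page: " & Request.ServerVariables("Logon_User") & "<br/>"
Response.Write "Receiver Page: " & xmlServerHttp.responseText & "<br/>"
%>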
- Paste the following code in an ASP page. Name the file Receiver.asp and place it in the default Web site.
<%
' Return the authenticated user name that IIS reports for this request.
Response.Write Request.ServerVariables("Logon_user")
%>
- In the Internet Information Services console, click the File Security Authentication tab of the Receiver.asp page and select only NT Challenge/Response (Integrated Windows Authentication).
- In the Internet Information Services console, click the File Security Authentication tab of the Sender.asp page and select only Basic Authentication.
- Open Sender.asp in a new browser and log on to the page using the NT account that you created in step 1. You see that the Sender.asp page and the Receiver.asp page have different authentications.
- In Sender.asp, change the Open statement to reflect the following:
xmlServerHttp.open "GET", "http://localhost/receiver.asp", false
- Close the browser and reopen Sender.asp. Log on using the account that you created in step 1. Both the Current page and the Receiver page have the same authentication.
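The two runs above can be combined into one page that issues the request both ways and flags a difference, which is useful for confirming that a server has the fix. This is an added example, not code from the Knowledge Base article; the helper name ReceiverUser is hypothetical, and the page assumes that Receiver.asp from the steps above is in place and that the page itself is set to Basic Authentication like Sender.asp.

```asp
<%
Option Explicit

' Hypothetical helper: returns the Logon_User text that Receiver.asp
' reports when fetched with the given async flag (True or False).
Function ReceiverUser(isAsync)
    Dim http, waited, body
    Set http = Server.CreateObject("MSXML2.ServerXMLHTTP")
    http.open "GET", "http://localhost/receiver.asp", isAsync
    http.send
    If isAsync Then
        ' waitForResponse takes seconds; give up after about 30 so a
        ' stalled request cannot hold this page open indefinitely.
        waited = 0
        Do While http.readyState <> 4 And waited < 30
            http.waitForResponse 1
            waited = waited + 1
        Loop
    End If
    If http.readyState <> 4 Then
        ReceiverUser = "(no response)"
    ElseIf http.status <> 200 Then
        ' Surface the status instead of comparing an error page body.
        ReceiverUser = "(HTTP " & http.status & ")"
    Else
        ' Drop line breaks that may follow the script block in Receiver.asp.
        body = Replace(Replace(http.responseText, vbCr, ""), vbLf, "")
        ReceiverUser = Trim(body)
    End If
    Set http = Nothing
End Function

Dim syncUser, asyncUser
syncUser = ReceiverUser(False)
asyncUser = ReceiverUser(True)

Response.ContentType = "text/html"
Response.Write "Current Page: " & Server.HTMLEncode(Request.ServerVariables("LOGON_USER")) & "<br/>"
Response.Write "Receiver, synchronous: " & Server.HTMLEncode(syncUser) & "<br/>"
Response.Write "Receiver, asynchronous: " & Server.HTMLEncode(asyncUser) & "<br/>"

' A failed request proves nothing; account names compare without case.
If Left(syncUser, 1) = "(" Or Left(asyncUser, 1) = "(" Then
    Response.Write "Result: inconclusive, a request did not return a user name<br/>"
ElseIf StrComp(syncUser, asyncUser, vbTextCompare) = 0 Then
    Response.Write "Result: both requests ran under the same account<br/>"
Else
    Response.Write "Result: MISMATCH, the asynchronous request ran in a different security context<br/>"
End If
%>
```

The asynchronous result is compared with the synchronous one because the steps above show the synchronous call returning the expected user.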
Keywords: kbbug kbfix kbmsxml300sp1fix KB292521