Question

I'm trying to make a post, from an asp classic server side page, using the user credentials...

I'm using msxml2.ServerXMLHTTP to programmatically make the post

I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account...

I made a little asp page that runs whoami to verify what account the IIS process is using...

with IIS 5.1, using integrated security the process uses:

my_machine\IWAM_my_machine

I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?)

to test the user I do the following

private function whoami()
    dim shell, cmd

    ' run whoami.exe (placed next to this page) and capture its output
    set shell = createObject("wscript.shell")
    set cmd = shell.exec( server.mapPath( "whoami.exe" ) )
    whoami = cmd.stdOut.readAll()
    set shell = nothing: set cmd = nothing
end function

is it because I'm issuing a shell command?

I'd like to make http post calls, to another site that works with integrated security...

So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to thrust that account...

I thought that just setting the site to work with integrated security would be enough...

How can I achieve such a thing?

ps: with IIS 6 the same happens, but if I change the pool configuration I get the following info from whoami

NT AUTHORITY\NETWORK SERVICE

NT AUTHORITY\LOCAL SERVICE

NT AUTHORITY\SYSTEM

if I set a domain account, I get a "service unavailable" message...

edit: found this

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true

it says what I supposed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow it doesn't seem to work like that... what could I possibly be missing?

edit:

well the whoami thing is obviously fooling me, I tried with the following function

private function whoami_db( serverName, dbName )
    dim conn, data

    ' connect with the request thread's Windows token (SSPI) and ask SQL Server who we are
    set conn = server.createObject("adodb.connection")
    conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
              "Initial Catalog=" & dbName & ";Data Source=" & serverName
    set data = conn.execute( "select suser_sname() as user_name" )

    whoami_db = data("user_name")

    data.close: conn.close
    set data = nothing: set conn = nothing
end function

and everything seemed to be working fine...

but how can I make msxml2.ServerXMLHTTP work with the user credentials???


Solution

You are correct, whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS 6 it would be the w3wp.exe worker process, which typically runs as NT AUTHORITY\Network Service.

However, a thread processing an HTTP request will impersonate a different security token. With integrated security, as you have discovered, this would be the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used; this is typically <MACHINE>\IUSR_<machine>.

As to your specific problem with ServerXMLHTTP, this goes back to the underlying component, WinHTTP. By default this will only send the current user's credentials if the server being accessed is in the proxy bypass list. Even then it is possible that ServerXMLHTTP configures it to never send the user credentials; I've not tested that scenario myself.

Unfortunately ServerXMLHTTP provides very limited access to the configuration details of WinHTTP. However, if this is a show stopper then you could always use the WinHTTP component directly yourself:

Dim oWinHTTP
Dim oDOM

' WinHttpRequestAutoLogonPolicy values: 0 = Always, 1 = OnlyIfBypassProxy (the default), 2 = Never
Const AutoLogonPolicy_Always = 0

Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")

' send the impersonated request user's credentials to the remote server
oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always

oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
oWinHTTP.Send

If oWinHTTP.Status = 200 Then
    Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
    oDOM.async = False
    oDOM.Load oWinHTTP.ResponseStream
End If

Set oWinHTTP = Nothing

That should work for http, for https it gets real messy.
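The POST variant of the WinHTTP approach above, as an added example that is not part of the original answer: it scopes the auto-logon policy to an expected intranet host suffix, since AutoLogonPolicy_Always would otherwise hand the impersonated user's Windows credentials to whatever host the URL (or a redirect) names. PostAsRequestUser and trustedHostSuffix are assumed names; the policy and option values are the documented WinHttpRequest constants.

```vbscript
' Added example (not from the original post). WinHttpRequestAutoLogonPolicy values:
Const AutoLogonPolicy_Always = 0            ' send the thread's credentials to any host
Const AutoLogonPolicy_OnlyIfBypassProxy = 1 ' WinHTTP default: proxy-bypassed (intranet) hosts only
Const AutoLogonPolicy_Never = 2
Const WinHttpRequestOption_EnableRedirects = 6

' POST formBody to url as the user the request thread is impersonating.
' Credentials are only auto-sent when the host ends with trustedHostSuffix
' (e.g. ".corp.example"); returns the response body, raises on a non-2xx status.
Function PostAsRequestUser(url, formBody, trustedHostSuffix)
    Dim http, parts, host

    ' extract the host name from the URL, dropping scheme, path and port
    parts = Split(url, "//")
    host = Split(parts(UBound(parts)), "/")(0)
    host = LCase(Split(host, ":")(0))

    Set http = CreateObject("WinHttp.WinHttpRequest.5.1")

    If Right(host, Len(trustedHostSuffix)) = LCase(trustedHostSuffix) Then
        http.SetAutoLogonPolicy AutoLogonPolicy_Always
    Else
        http.SetAutoLogonPolicy AutoLogonPolicy_Never
    End If

    ' do not follow redirects: a 302 to another host must not receive the token
    http.Option(WinHttpRequestOption_EnableRedirects) = False
    ' resolve, connect, send, receive timeouts in milliseconds
    http.SetTimeouts 5000, 5000, 10000, 10000

    http.Open "POST", url, False
    http.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    http.Send formBody

    If http.Status < 200 Or http.Status >= 300 Then
        Err.Raise vbObjectError + 1, "PostAsRequestUser", _
                  "HTTP " & http.Status & " " & http.StatusText & " from " & host
    End If

    PostAsRequestUser = http.ResponseText
    Set http = Nothing
End Function

' usage from an ASP page running with integrated security:
' Response.Write PostAsRequestUser("http://intranet.corp.example/api/post.asp", _
'                                  "id=42&action=update", ".corp.example")
```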

Licensed under: CC-BY-SA with attribution