How To Use Kerberos with the ServerXMLHTTP Component in MSXML

The three computers in the scenario are configured as follows:

• Computer A has Microsoft Internet Explorer installed.
• Two Internet Information Services (IIS) servers (Computer B and Computer C) reside in the same domain.
• The domain controller has the Active Directory service installed.
• Computer B is trusted for delegation.
• Under the account that you want to delegate, the Account is sensitive cannot be delegated check box is not selected.

The scenario is as follows:

• Computer A requests an ASP page from a Microsoft Internet Information Services (IIS) Web server that resides on a second computer (Computer B).
• The ASP page uses the MSXML ServerXMLHTTP object to communicate with another ASP page on another IIS Web server that resides on a third computer (Computer C).
• You want the second IIS server (Computer C) to see the identity of the user who is logged on to the first computer (Computer A).

To make the delegation work, follow these steps:

1. Configure the first IIS server (Computer B) and set up a user account for delegation so that Kerberos authentication can generate a delegate-level token.For additional information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:
   
   
   283201 How To Use Delegation in Windows 2000 with COM+
   
2. On the first IIS server (Computer B), enable the XML ServerXMLHTTP object to forward user credentials automatically. To do this, use one of the following commands to use the Proxycfg.exe utility:

   command prompt> proxycfg -d -p "CorpProxy" "<local>;*"
   

   -or-
   

   command prompt> proxycfg -d -p "CorpProxy" "<local>;*.microsoft.com"
   

   NOTE: The ServerXMLHTTP object does not automatically send the NTLM credentials of the client unless it knows that the target server is on the same network or intranet. By default, in other words, the ServerXMLHTTP object does not "trust" Internet sites. The heuristic that determines whether a target server is trusted is that Proxycfg.exe has been run to specify a proxy server, but the particular target server to which you want to send the request is listed in the proxy bypass list. The asterisk character (*) is a wildcard character that stands for all URLs. If you use the asterisk character (*), the user credentials are forwarded to all target servers.
   
   
   For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
   
   
   289481 INFO: Proxy Configuration Utility Must Be Run for ServerXMLHTTP to Work
   
3. Enable Internet Explore to use Kerberos authentication.For additional information about how to enable Internet Explorer 6.0 to use Kerberos, click the article number below to view the article in the Microsoft Knowledge Base:
   
   
   299838 Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6
   
   For additional information about how to enable other versions of Internet Explorer to use Kerberos, click the article numbers below to view the articles in the Microsoft Knowledge Base:
   
   
   277741 Internet Explorer Logon Fails Due to an Insufficient Buffer for Kerberos
   
   299270 Kerberos Does Not Negotiate Using Internet Explorer 5.5 If an FQDN Is Used to Connect
   

Troubleshooting

When you use ServerXMLHttp with Kerberos authentication, you may receive an "Access Denied" error message. This error message is typically caused by incorrect configuration. You can use the following two ASP pages to help isolate the problem and detect the logon user identity and authentication mode. The majority of these two ASP pages is the same; the difference is that the first ASP page contains code that uses the ServerXMLHTTP object.

1. Paste the following code in Notepad, name the file Test1.asp, and then save the file in the virtual directory folder on the first IIS server (Computer B):

   <%
      DIM userID
      Dim AuthMethod
      Dim AuthType
      Dim AuthLength
      Dim AuthOther
   
      ' Get the authentication method being used.
      userID= Request.ServerVariables("LOGON_USER")
   
      Response.Write "<br>Reach To IIS server on Computer B "
      
      Response.Write "<br> User Id = " & userID
   
      ' Get the authentication method being used.
      AuthMethod = Request.ServerVariables("AUTH_TYPE")
   
      ' Get the length of the HTTP_Authorization header (to determine Kerberos or NTLM).
      AuthLength = Request.ServerVariables ("HTTP_Authorization")
   
      ' If some other authentication method (other than Negotiate) is used, call it "Other".
      If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod
   
      ' If Negotiate is used, go straight to the subroutine to handle it.
      If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod
   
      Response.Write "<br><br> Attempt to connect to IIS on Computer C by using ServerXMLHTTP "
      
      set http = server.createobject("MSXML2.ServerXMLHTTP.4.0")
   
      http.open "GET", "http://iisserver2/test2.asp", false 
      http.send 
   
      Response.write "<br> Receiver Status Text: " & http.statusText & " (" &http.status & ")"
      Response.write "<br>" & http.responseText 
   
      Sub AuthOtherMethod()
      ' Because anonymous authentication will be blank, be sure that you realize that it is enabled to the following:
      If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
      Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
      Response.Write "<P>&#xa0;&#xa0;&#xa0;&#xa0;If you were expecting a different method to be used,"
      Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
      Response.Write " multiple authentication methods, or allowing anonymous access can result in a "
      Response.Write " different method being used.</table>"
      End Sub
   
      Sub AuthNegotiateMethod()
      ' Typically, NTLM yields a 150 - 300 byte header, and Kerberos is more like 5000 bytes.
      If LEN(AuthLength) > 1000 Then AuthType = "Kerberos"
      If LEN(AuthLength) < 1000 Then AuthType = "NTLM"
      Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"
   
      ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script).
      Response.Write "The user was logged on using <B>" & AuthType & "</B>."
      Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
      Response.Write "&#xa0;&#xa0;&#xa0;&#xa0;If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
      Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
      Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
      Response.Write " for any subsequent requests.</table>"
      End Sub
   
      
   %>
   

   NOTE: This ASP page requires you to have the MSXML 4.0 parser installed. If you want to use the MSXML 3.0 parser, change the MSXML2.ServerXMLHTTP.4.0 ProgId to MSXML2.ServerXMLHTTP.3.0.
   
   
2. Modify the URL in the following line to point to the correct URL for Test2.asp. Test2.asp is the second ASP page that is listed in this article.

   http.open "GET", "http://iisserver2/test2.asp", false 
   

3. Paste the following code in Notepad, and then save the file as Test2.asp in the virtual directory folder on the second IIS server (Computer C):

   <%
      DIM userID
      Dim AuthMethod
      Dim AuthType
      Dim AuthLength
      Dim AuthOther
   
      ' Get the authentication method being used.
      userID= Request.ServerVariables("LOGON_USER")
   
      Response.Write "<br>Reach To IIS server on Computer C "
      
      Response.Write "<br> User Id = " & userID
   
      ' Get the authentication method being used.
      AuthMethod = Request.ServerVariables("AUTH_TYPE")
   
      ' Get the length of the HTTP_Authorization header (to determine Kerberos or NTLM).
      AuthLength = Request.ServerVariables ("HTTP_Authorization")
   
      ' If some other authentication method (other than Negotiate) is used, call it "Other".
      If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod
   
      ' If Negotiate is used, go straight to the subroutine to handle it.
      If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod
   
      Sub AuthOtherMethod()
      ' Because anonymous authentication will be blank, be sure that you realize that it is enabled to the following:
      If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
      Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
      Response.Write "<P>&#xa0;&#xa0;&#xa0;&#xa0;If you were expecting a different method to be used,"
      Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
      Response.Write " multiple authentication methods, or allowing anonymous access can result in a "
      Response.Write " different method being used.</table>"
      End Sub
   
      Sub AuthNegotiateMethod()
      ' Typically, NTLM yields a 150 - 300 byte header, while Kerberos is more like 5000 bytes.
      If LEN(AuthLength) > 1000 Then AuthType = "Kerberos"
      If LEN(AuthLength) < 1000 Then AuthType = "NTLM"
      Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"
   
      ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script).
      Response.Write "The user was logged on using <B>" & AuthType & "</B>."
      'Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
      'Response.Write "&#xa0;&#xa0;&#xa0;&#xa0;If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
      'Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
      'Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
      'Response.Write " for any subsequent requests.</table>"
      End Sub
   
      
   %>
   

4. Load the first ASP page (Test1.asp) in an Internet Explorer browser. If everything is set up correctly, you see output similar to the following:

   Reach To IIS server on Computer B
   UserId = Domain1\user1
   The Negotiate method was used!
   The user was logged on using Kerberos
   
   Attempt to connect to IIS on Computer C by using ServerXMLHTTP
   Receiver Status Text: OK (200)
   
   Reach To IIS server on Computer C
   UserId = Domain1\user1
   The Negotiate method was used!
   The user was logged on using Kerberos
   

If you see an incorrect user ID, an empty user ID, or the following error message, the configuration is not set up correctly:
To resolve these problems, isolate the problem on each individual computer, and then reconfigure the settings.