FIX: Returning User Name and Password from IAuthenticate Fails (156904)

SYMPTOMS

In order to access a secured Internet resource via a URL moniker, a host must implement the IAuthenticate interface on the same object that exposes IBindStatusCallback. The documentation on IAuthenticate in the ActiveX SDK indicates that there are two possible ways to implement IAuthenticate:

Return a valid HWND to serve as the parent HWND for a default authentication dialog box.
Return a valid user name and password.

While the first implementation works as expected, the alternative implementation fails during the bind operation.

CAUSE

When authentication is required to access an Internet resource, the server may have replied to the client with some data indicating the failure to access the desired data. If, for example the client makes an HTTP request, the server typically replies with a boilerplate HTML page. It is the client's responsibility to completely read all this data from the socket before attempting to re-send the request with the correct authentication information. There is a bug in Wininet.dll that fails to do this. This problem does not occur when IAuthenticate::Authenticate returns a valid HWND to Urlmon.dll because internally Urlmon.dll calls the WININET API InternetErrorDlg() to retrieve authentication information from the user. In addition to obtaining a user name and password, InternetErrorDlg() drains the socket of any extraneous data on behalf of Urlmon.dll.

REFERENCES

ActiveX SDK online documentation

For additional information, please see the following article in the Microsoft Knowledge Base:

156905 How To Use IAuthenticate to Bind to a Secured HTML Page

FIX: Returning User Name and Password from IAuthenticate Fails (156904)

SYMPTOMS

CAUSE

STATUS

REFERENCES