FIX: Asynchronous ServerXMLHTTP Operations Do Not Inherit Proper Security Context (292521)



The information in this article applies to:

  • Microsoft XML 3.0

This article was previously published under Q292521

SYMPTOMS

When you attempt to run two asynchronous ServerXMLHTTP calls from Active Server Pages (ASP), the HTTP requests are not run in the correct security context.

For example, when you query for the authenticated user of a page that is opened asynchronously, and you use the same ServerXMLHTTP object to open the page and to retrieve the user, an incorrect user name is returned.

CAUSE

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This bug was corrected in Microsoft XML 3.0 Service Pack 1.

For additional information on other fixes included in Microsoft XML 3.0 Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

292935 INFO: List of Issues Fixed in Microsoft XML 3.0 Service Pack 1

For the latest information and downloads of MSXML, refer to the following MSDN Web site:

MORE INFORMATION

Steps to Reproduce Behavior

  1. Create a Microsoft Windows NT login account on your system.
  2. Paste the following code in an ASP page. Name the file Sender.asp and place it in the default Web site.
    <%
    Dim xmlServerHttp
    Set xmlServerHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")

    ' Third argument True = asynchronous request (the case that shows the problem)
    xmlServerHttp.open "GET", "http://localhost/receiver.asp", True
    xmlServerHttp.send

    ' Wait until the request has completed (readyState 4)
    While xmlServerHttp.readyState <> 4
        xmlServerHttp.waitForResponse 1000
    Wend

    ' Show the user seen by this page next to the user reported by Receiver.asp
    Response.ContentType = "text/html"
    Response.Write "Current Page: " & Request.ServerVariables("Logon_User") & "<br/>"
    Response.Write "Receiver Page: " & xmlServerHttp.responseText & "<br/>"
    %>
  3. Paste the following code in an ASP page. Name the file Receiver.asp and place it in the default Web site.
    <%
    Response.Write Request.ServerVariables("Logon_User")
    %>
  4. In the Internet Information Services console, click the File Security Authentication tab of the Receiver.asp page and select only NT Challenge/Response (Integrated Windows Authentication).
  5. In the Internet Information Services console, click the File Security Authentication tab of the Sender.asp page and select only Basic Authentication.
  6. Open Sender.asp in a new browser and log on to the page using the NT account that you created in step 1. The output shows that the Sender.asp page (Current Page) and the Receiver.asp page (Receiver Page) have different authentications.
  7. In Sender.asp, change the Open statement to reflect the following:
    xmlServerHttp.open "GET", "http://localhost/receiver.asp", false
  8. Close the browser and reopen Sender.asp. Log on using the account that you created in step 1. Both the Current Page and the Receiver Page now have the same authentication.
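
To find pages that use the asynchronous pattern from the steps above on servers that have not yet received Service Pack 1, the following Python audit helper scans ASP source for ServerXMLHTTP `open` calls whose third argument is not a literal False. It is an added example, not code from the original article or from Microsoft; the names `find_async_opens` and `split_args` and the sample input are constructed here, and it assumes that an omitted third argument means a synchronous call.

```python
import re

# Matches: Set <var> = [Server.]CreateObject("MSXML2.ServerXMLHTTP[.n.n]")
CREATE_RE = re.compile(
    r'\bset\s+(\w+)\s*=\s*(?:server\s*\.\s*)?createobject'
    r'\s*\(\s*"msxml2\.serverxmlhttp[\d.]*"\s*\)', re.IGNORECASE)
OPEN_RE = re.compile(r'\s*(\w+)\s*\.\s*open\b\s*\(?(.*)', re.IGNORECASE)

# Constructed sample input, modelled on the article's Sender.asp.
SAMPLE = '''<%
Set http = Server.CreateObject("MSXML2.ServerXMLHTTP")
http.open "GET", "http://localhost/receiver.asp?a=1,2", True ' async
http.open "GET", "http://localhost/receiver.asp", false
http.open("GET", target, asyncFlag)
other.open "GET", "x", true
%>'''

def split_args(text):
    """Split VBScript arguments on commas outside strings; stop at a comment."""
    args, cur, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str   # a doubled "" toggles twice, so state is kept
        elif ch == "'" and not in_str:
            break                 # apostrophe outside a string starts a comment
        if ch == "," and not in_str:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur).strip())
    return args

def find_async_opens(source):
    """Return (line, variable, verdict) for ServerXMLHTTP opens not literally sync."""
    names = {m.group(1).lower() for m in CREATE_RE.finditer(source)}
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = OPEN_RE.match(line)
        if not m or m.group(1).lower() not in names:
            continue              # not an open call on a tracked object
        args = split_args(m.group(2))
        if len(args) < 3:
            continue              # assumption: omitted bAsync means synchronous
        flag = args[2].rstrip(") \t").lower()
        if flag not in ("false", "0"):
            verdict = "async" if flag == "true" else "review"
            findings.append((no, m.group(1), verdict))
    return findings
```

A verdict of `review` means the third argument is an expression whose value cannot be determined from the source text alone.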

Modification Type: Major
Last Reviewed: 10/16/2002
Keywords:kbBug kbDSupport KbMSXML300SP1fix KB292521 kbAudDeveloper