IIS 5 & IIS 6
IIS 6 401.2 Error - asp page requests another asp page
Last post Sep 16, 2009 01:06 PM by tomkmvp
Sep 15, 2009 12:00 PM|bruneaum|LINK
IIS is setup for 'Integrated Windows Authentication' only on Windows 2003. It is hosting an ASP site. Users can login and access every page fine. The issue arises when an asp file attempts to 'GET' another. The 401.2:
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
Any help would be greatly appreciated.
Sep 15, 2009 01:22 PM|tomkmvp|LINK
In this case your ASP code is acting as the browser, and it obviously does not support Windows Integrated authentication. You'll need to also allow Basic and make sure you're explicitly including the connection credentials in your code.
Sep 15, 2009 04:26 PM|bruneaum|LINK
Thanks for the reply - what you've said makes sense. How would I go about explicitly providing the connection credentials, on
Sep 15, 2009 04:47 PM|tomkmvp|LINK
What object are you using?
Sep 15, 2009 04:59 PM|bruneaum|LINK
set objHttp = Server.CreateObject(Msxml2.ServerXMLHTTP.3.0)
objHttp.open "GET", <url>, false
objHttp.setRequestHeader "User-Agent", Request.ServerVariables("HTTP_USER_AGENT")
Sep 15, 2009 05:25 PM|bruneaum|LINK
Update: When I change from Server.CreateObject(Msxml2.ServerXMLHTTP.3.0) to
Server.CreateObject(Microsoft.XMLHTTP) it worked.
Sep 16, 2009 10:21 AM|tomkmvp|LINK
ServerXMLHTTP would be the better choice when the code is run from a server ...
Sep 16, 2009 10:40 AM|bruneaum|LINK
Yes I would agree. Any idea why it is not working? I've installed the last version of the XML Parsers from MS.
Sep 16, 2009 10:47 AM|tomkmvp|LINK
... as I said earlier, you need to explicitly authenticate ...
Sep 16, 2009 10:54 AM|bruneaum|LINK
...as I asked earlier...how to...
Thanks for the link - it helped. All works now.
Sep 16, 2009 10:59 AM|tomkmvp|LINK
MSDN is your friend ... : )
Sep 16, 2009 11:04 AM|bruneaum|LINK
Yes it is. The thing I'm not quite sure of - the production environment is working without passing any credentials. I setup a QA environment and it doesn't work. This is the real puzzle for us. At least we do have a work around for the time being.
Thanks for your help.
Sep 16, 2009 11:58 AM|tomkmvp|LINK
Is the production IIS log showing a cs-username value for these requests?
Sep 16, 2009 12:37 PM|bruneaum|LINK
This is the line:
2009-09-16 11:33:26 W3SVC1 <ip address> GET <url>.asp <param>=<value> 80 - <ip address> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 200 0 0
Doesn't look like any username/password is being passed.
Sep 16, 2009 01:06 PM|tomkmvp|LINK
Which would mean that you're allowing anonymous access on production ...