Access Denied using MSXML

Ryan picture Ryan · Jul 29, 2009 · Viewed 10.4k times · Source

I have a VB6 backend for a classic ASP site. That VB then calls a web service on the same server using MSXML2.XMLHTTP. This works all of our servers but one. If I set the web service site to accept anonymous login it will work however if I force only integrated security MSXML returns an Access Denied error.

I'm using code from the example here.

Set objDom = CreateObject("MSXML2.DOMDocument")
Set objXmlHttp = CreateObject("MSXML2.XMLHTTP")

' Load XML
objDom.async = False
objDom.loadXML XmlBody

' Open the webservice
objXmlHttp.Open "POST", AsmxUrl, False

' Create headings
objXmlHttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
objXmlHttp.setRequestHeader "SOAPAction", SoapActionUrl

' Send XML command
objXmlHttp.send objDom.xml

Edit: Following the advice of AnthonyWJones I went down the checklist and it still isn't working. Using Fiddler it shows a single request with a 401 response. The authentication tab shows:

No Proxy-Authenticate Header is present.
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM

I did notice an odd behavior though. When I call the website using the credentials of the user that's logged into remote desktop it will work. I get negotiate, challenge, then a 200 and it will work. Any ideas why this would work when the user is logged on through remote desktop but not other times?

Answer

AnthonyWJones picture AnthonyWJones · Jul 29, 2009

I guess you are relying on the underlying WinINET HTTP stack to present the current users credentials to the server when challenged by the server using Windows integrated security.

WinINET will only do that by default if it considers the host server to be in the Intranet Zone. Even then its possible that the users Intranet Zone security settings have been adjusted to disallow this.

Try visting the site with a browser from the client machine when logged on as the same user that you VB6 app runs as. What zone does it consider the server to be in? If its not Intranet you will need to add the host to the list of sites belonging to the zone. Whilst you are there open the zones security settings and scroll down to the User Authentication category. Logon should be configured as "Automatic logon only in Intranet zone".

Edit: From your comment these things are configured correctly. The few thingss I would would be:-

  1. Check the server is strictly configured to only accept Windows integrated security.
  2. Check the proxy settings on the machine, is permission denied a problem with a proxy server?
  3. Use the ProgID "MSXML2.XMLHTTP.3.0" to ensure that the correct version of the MSXML dll is being used (some installs of other third-party apps can damage the registry leading to older version of MSXML being used).
  4. Install Fiddler on the machine and watch the http conversation when the VB6 app attempts the call. Is there a single 401 response? WinINET is not use the user credentials? Are there 3 401 responses? WinINET has attempted use the current users credentials but they are not accepted by the server.

A this point we are into system admin territory. For example if the fiddler trace shows that the attempt to authenticat is not using NTLM then its using a Kerberos authentication, check that the server and client have clocks set within 5 minutes of each other and the domain controller.

Check the servers event log, is the server unable to contact the Domain controller.

Place a simple .htm on the server with only Windows integrated security and attempt to hit it from the browser, does that succeed?