I have seen similar questions posted here on this issue, but I think
my situation might be a little different.
I have an ISAPI Dll (server extension, not a filter) running under one
IIS Server, say on Computer "A", and there is another ISAPI DLL
running on Computer "B". Both IIS Servers are set up to NOT allow
anonymous access - and to use Integrated Windows Authentication - I
presume NTLM, but I am not sure.
At any rate, the user is meant to initiate a call from somewhere out there
in the intranet, say computer "C". The design is that the user must
belong to some domain group say "Operators", and the ISAPI Dlls (on
both Servers) live in a VDir for which NTFS permissions have an ACL
for "Operators" with full control.
So, from Internet Explorer the user makes a call to ISAPI service on
"A". This does the usual 401.2, 401.1, 200 and the ISAPI dll is
accessed. Obviously the logged on interactive user (who was in IE when
he made the call) is negotiated via NTLM between computer "C" and "A".
Now the fun begins. The function called in ISAPI DLL on Computer "A"
must make an HTTP call to the IIS and ISAPI DLL on Computer "B" to do
some work. This call always fails when the anonymous user is turned
off (401.2, 401.1, 401.1) on the IIS Server on computer "B". However,
if anonymous user on IIS server on "B" is enabled the call always
succeeds.
Okay, I know the answer to the first part of the problem. This is the
case where anonymous user on "B" is turned off and IIS on "B" can only
do integrated windows authentication.
The HTTP call initiated in the ISAPI dll on computer "A" runs in the
IIS process under the "local system" account. There is in effect no
logged-on workstation user, and "A"\System has no rights on computer
"B". So in the absence of anonymous user, IIS on "B" cannot
authenticate calls from "A". Things are way different than when the
client is IE...
To try to fix this, what I did in my code in the ISAPI dll on Computer
"A" is to make the appropriate WinInet call HttpOpenConnection() and
explicitly provide the user name and password of a User in the
"Operators" group described way above.
However, this still doesn't authenticate properly on IIS Server on
"B". The logfiles say the same thing. Does anybody have any ideas?
Sorry this post is so long winded, but the problem is a little complex
and I wanted to get it all down.
Kevin
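
An added example, not part of the original post: a small log triage script that groups IIS log entries per client and URI and labels the two status sequences quoted above (401.2, 401.1, 200 versus 401.2, 401.1, 401.1). It assumes W3C extended logs that include `sc-status` and `sc-substatus`; the sample lines are constructed, and reading a second 401.1 as the final leg of the exchange being refused is an assumption.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format; IPs, URIs and the user name
# are made up. 10.0.0.3 behaves like a browser, 10.0.0.1 like the failing caller.
SAMPLE_LOG = """\
#Fields: time c-ip cs-username cs-uri-stem sc-status sc-substatus
10:00:01 10.0.0.3 - /ops/svc.dll 401 2
10:00:01 10.0.0.3 - /ops/svc.dll 401 1
10:00:01 10.0.0.3 EXAMPLE\\opuser /ops/svc.dll 200 0
10:00:02 10.0.0.1 - /ops/work.dll 401 2
10:00:02 10.0.0.1 - /ops/work.dll 401 1
10:00:02 10.0.0.1 - /ops/work.dll 401 1
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(text):
    """Map (client IP, URI) to a verdict on the status sequence it produced."""
    seqs = defaultdict(list)
    for rec in parse_w3c(text):
        code = f"{rec['sc-status']}.{rec['sc-substatus']}"
        seqs[(rec["c-ip"], rec["cs-uri-stem"])].append(code)
    verdicts = {}
    for key, codes in seqs.items():
        if codes == ["401.2", "401.1", "200.0"]:
            verdicts[key] = "authenticated"
        elif codes == ["401.2", "401.1", "401.1"]:
            verdicts[key] = "rejected after full exchange"
        elif all(c.startswith("401.") for c in codes):
            # Caller stopped before finishing the challenge/response legs.
            verdicts[key] = "exchange incomplete"
        else:
            verdicts[key] = "other"
    return verdicts

if __name__ == "__main__":
    for (client, uri), verdict in classify(SAMPLE_LOG).items():
        print(client, uri, verdict)
```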