I have a page that needs to access the file system on another server
to read the files in various directories.

It works absolutely fine on our old web server running NT4.0/IIS4 as
long as windows authentication is turned off and the Anonymous login
account is changed to a special domain account that has read access to
these directories.

Copying the .asp file to our new NT5.0/IIS5 server exhibits really odd
behaviour:

a) when Windows Authentication is turned on, the page can't read the
contents of the directories (it tries to use the logged in user's
account, which won't work). The code correctly detects and reports
this error condition (the FileSystemObject's GetFolder method returns
an error code).

b) when Windows Authentication is turned off, the page can access the
directories, but it receives an empty request.form collection
(request.form.count is empty). If I change the form to method="GET"
instead of method="POST" everything works fine. But I need to POST
this information.

The logs show only a single POST request for the page (so it isn't
being redirected or re-requested to sort out log in information).

Why does this work on IIS4 and not IIS5? In what circumstances do the
contents of a POSTed form get dropped?

Help!

Re: form values lost when Windows Authentication turned off by Tom

Tom
Fri Nov 07 11:18:14 CST 2003

"MikeT" <news@chthonic.f9.co.uk> wrote in message
news:af4a582c.0311070904.3588ae04@posting.google.com...
> I have a page that needs to access the file system on another server
> to read the files in various directories.
>
> It works absolutely fine on our old web server running NT4.0/IIS4 as
> long as windows authentication is turned off and the Anonymous login
> account is changed to a special domain account that has read access to
> these directories.
>
> Copying the .asp file to our new NT5.0/IIS5 server exhibits really odd
> behaviour:
>
> a) when Windows Authentication is turned on, the page can't read the
> contents of the directories (it tries to use the logged in user's
> account, which won't work). The code correctly detects and reports
> this error condition (the FileSystemObject's GetFolder method returns
> an error code).
>
> b) when Windows Authentication is turned off, the page can access the
> directories, but it receives an empty request.form collection
> (request.form.count) is empty. If I change the form to method="GET"
> instead of method="POST" everything works fine. But I need to POST
> this information.
>
> The logs show only a single POST request for the page (so it isn't
> being redirected or re-requested to sort out log in information).
>
> Why does this work on IIS4 and not IIS5? In what circumstances do the
> contents of a POSTed form get dropped?

a) it's a delegation issue - IIS does not have the user's password when
Windows Integrated authentication is used so it is unable to authenticate
the user to the other server.

b) not sure why the post vars are dropped ...

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/

Re: form values lost when Windows Authentication turned off by news

news
Mon Nov 10 03:18:08 CST 2003

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<bogjuh$568@kcweb01.netnews.att.com>...
> "MikeT" <news@chthonic.f9.co.uk> wrote in message
> news:af4a582c.0311070904.3588ae04@posting.google.com...
> > I have a page that needs to access the file system on another server
> > to read the files in various directories.
> >
> > It works absolutely fine on our old web server running NT4.0/IIS4 as
> > long as windows authentication is turned off and the Anonymous login
> > account is changed to a special domain account that has read access to
> > these directories.
> >
> > Copying the .asp file to our new NT5.0/IIS5 server exhibits really odd
> > behaviour:
> >
> > a) when Windows Authentication is turned on, the page can't read the
> > contents of the directories (it tries to use the logged in user's
> > account, which won't work). The code correctly detects and reports
> > this error condition (the FileSystemObject's GetFolder method returns
> > an error code).
> >
> > b) when Windows Authentication is turned off, the page can access the
> > directories, but it receives an empty request.form collection
> > (request.form.count) is empty. If I change the form to method="GET"
> > instead of method="POST" everything works fine. But I need to POST
> > this information.
> >
> > The logs show only a single POST request for the page (so it isn't
> > being redirected or re-requested to sort out log in information).
> >
> > Why does this work on IIS4 and not IIS5? In what circumstances do the
> > contents of a POSTed form get dropped?
>
> a) it's a delegation issue - IIS does not have the user's password when
> Windows Integrated authentication is used so it is unable to authenticate
> the user to the other server.
>

I understood this problem - it's why I need to use a special account
with access to the directories that IIS _does_ know the password to.
Your explanation is the clearest I've heard it though - thanks.

> b) not sure why the post vars are dropped ...

This is the real problem. I've checked the logs - definitely no
redirect with the second request being a GET (which has caught me
before). Could it be that the special account I'm using has no rights
to something crucial? Must go check the permissions on the IIS
server... Although on second thoughts, that can't be it as appending
the vars to the URL works fine (once I've modified the code to accept
vars from the querystring that is).

Anyone out there experienced post vars disappearing like this?
request.form.count is 0 :(

Re: form values lost when Windows Authentication turned off by news

news
Mon Nov 10 05:06:25 CST 2003

"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message news:<bogjuh$568@kcweb01.netnews.att.com>...
> "MikeT" <news@chthonic.f9.co.uk> wrote in message
> news:af4a582c.0311070904.3588ae04@posting.google.com...
> >
> > b) when Windows Authentication is turned off, the page can access the
> > directories, but it receives an empty request.form collection
> > (request.form.count) is empty. If I change the form to method="GET"
> > instead of method="POST" everything works fine. But I need to POST
> > this information.
> >

>
> b) not sure why the post vars are dropped ...

I've fixed the problem by making a copy of the page, applying the
same login rights to it and then deleting the original. It appears
something got out of whack in IIS, no idea what. Not good.

Re: form values lost when Windows Authentication turned off by David

David
Mon Nov 10 01:31:04 CST 2003

(b)
Does this apply to your situation?

http://support.microsoft.com/default.aspx?scid=kb;en-us;251404

It happens when your website has a mix of authenticated and non-authenticated
pages and affects only POST requests to anonymous pages after IE has visited
an authenticated page on that website.

If this applies, then there is no server-side solution other than to make
the entire website uniform in authentication -- since the problem is with IE
not sending the POST in the first place.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:bogjuh$568@kcweb01.netnews.att.com...
"MikeT" <news@chthonic.f9.co.uk> wrote in message
news:af4a582c.0311070904.3588ae04@posting.google.com...
> I have a page that needs to access the file system on another server
> to read the files in various directories.
>
> It works absolutely fine on our old web server running NT4.0/IIS4 as
> long as windows authentication is turned off and the Anonymous login
> account is changed to a special domain account that has read access to
> these directories.
>
> Copying the .asp file to our new NT5.0/IIS5 server exhibits really odd
> behaviour:
>
> a) when Windows Authentication is turned on, the page can't read the
> contents of the directories (it tries to use the logged in user's
> account, which won't work). The code correctly detects and reports
> this error condition (the FileSystemObject's GetFolder method returns
> an error code).
>
> b) when Windows Authentication is turned off, the page can access the
> directories, but it receives an empty request.form collection
> (request.form.count) is empty. If I change the form to method="GET"
> instead of method="POST" everything works fine. But I need to POST
> this information.
>
> The logs show only a single POST request for the page (so it isn't
> being redirected or re-requested to sort out log in information).
>
> Why does this work on IIS4 and not IIS5? In what circumstances do the
> contents of a POSTed form get dropped?

a) it's a delegation issue - IIS does not have the user's password when
Windows Integrated authentication is used so it is unable to authenticate
the user to the other server.

b) not sure why the post vars are dropped ...

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/

Re: form values lost when Windows Authentication turned off by news

news
Tue Nov 11 03:33:27 CST 2003

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<eUwVvdAqDHA.2188@TK2MSFTNGP11.phx.gbl>...
> (b)
> Does this apply to your situation?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;251404
>
> It happens when your website has a mix of authenticated and non-authenticated
> pages and affects only POST requests to anonymous pages after IE has visited
> an authenticated page on that website.
>
> If this applies, then there is no server-side solution other than to make
> the entire website uniform in authentication -- since the problem is with IE
> not sending the POST in the first place.
>

AH - that probably is it, you know... the folder the page is in
(temporarily) is our development folder that has no anonymous access.
OK now I understand what is happening.

The behaviour is that IE makes a POST request, but sends no data -
not quite what you describe, but it corresponds to that knowledge base
article. Thanks.
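
A diagnostic for the symptom discussed in this thread, added here as an example and not posted by any participant: a classic ASP page that reports whether a POST arrived with a body at all, which separates the "browser sent no data" case from a server-side parsing problem. The helper names `ClassifyPost`, `SV` and `Row` are hypothetical; only the built-in Request, Response and Server objects are used.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added diagnostic, not code from the thread. Save it in the directory being
' tested, with the same authentication settings as the real page, and point
' the form's action at it temporarily.
Response.Buffer = True
Response.Expires = -1

' Classify the request by what actually reached the server.
Function ClassifyPost(method, totalBytes, formCount)
    If UCase(method) <> "POST" Then
        ClassifyPost = "not-a-post"
    ElseIf totalBytes = 0 Then
        ' Request line and headers arrived, but no body: the form values
        ' were never sent, so nothing server-side can recover them.
        ClassifyPost = "post-without-body"
    ElseIf formCount = 0 Then
        ' A body arrived but ASP parsed no fields, for example a
        ' multipart/form-data body, which Request.Form does not parse.
        ClassifyPost = "body-not-parsed"
    Else
        ClassifyPost = "ok"
    End If
End Function

' Read a server variable as a plain string ("" when absent).
Function SV(name)
    SV = "" & Request.ServerVariables(name)
End Function

' Write one HTML-encoded report line.
Sub Row(label, value)
    Response.Write Server.HTMLEncode(label & ": " & value) & vbCrLf
End Sub

Response.Write "<pre>"
Row "verdict", ClassifyPost(SV("REQUEST_METHOD"), Request.TotalBytes, Request.Form.Count)
Row "method", SV("REQUEST_METHOD")
Row "content-length header", SV("CONTENT_LENGTH")
Row "bytes in body", CStr(Request.TotalBytes)
Row "content-type", SV("CONTENT_TYPE")
Row "form fields parsed", CStr(Request.Form.Count)
' An empty AUTH_TYPE and LOGON_USER mean the request ran as the anonymous account.
Row "auth type", SV("AUTH_TYPE")
Row "logon user", SV("LOGON_USER")
Row "user agent", SV("HTTP_USER_AGENT")
Response.Write "</pre>"
%>
```

A verdict of `post-without-body` from one browser session but `ok` from a fresh session that has not visited an authenticated directory matches the behaviour described above.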

Re: form values lost when Windows Authentication turned off by David

David
Tue Nov 11 00:26:35 CST 2003

(b)
Does this apply to your situation?

http://support.microsoft.com/default.aspx?scid=kb;en-us;251404

It happens when your website has a mix of authenticated and non-authenticated
pages and affects only POST requests to anonymous pages after IE has visited
an authenticated page on that website.

If this applies, then there is no server-side solution other than to make
the entire website uniform in authentication -- since the problem is with IE
not sending the POST in the first place.

Did you somehow configure authentication differently on that page???

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"MikeT" <news@chthonic.f9.co.uk> wrote in message
news:af4a582c.0311100306.4de7cacb@posting.google.com...
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:<bogjuh$568@kcweb01.netnews.att.com>...
> "MikeT" <news@chthonic.f9.co.uk> wrote in message
> news:af4a582c.0311070904.3588ae04@posting.google.com...
> >
> > b) when Windows Authentication is turned off, the page can access the
> > directories, but it receives an empty request.form collection
> > (request.form.count) is empty. If I change the form to method="GET"
> > instead of method="POST" everything works fine. But I need to POST
> > this information.
> >

>
> b) not sure why the post vars are dropped ...

I've fixed the problem by making a copy of the page, applying the
same login rights to it and then deleting the original. It appears
something got out of whack in IIS, no idea what. Not good.



Re: form values lost when Windows Authentication turned off by news

news
Wed Nov 12 04:24:38 CST 2003

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<u9iEBMLqDHA.2808@TK2MSFTNGP10.phx.gbl>...
> (b)
> Does this apply to your situation?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;251404
>
> It happens when your website has a mix of authenticated and non-authenticated
> pages and affects only POST requests to anonymous pages after IE has visited
> an authenticated page on that website.
>
> If this applies, then there is no server-side solution other than to make
> the entire website uniform in authentication -- since the problem is with IE
> not sending the POST in the first place.
>
> Did you somehow configure authentication differently on that page???
>

Actually, no - I moved the file to another directory, applied the
correct rights then moved it back again. Possibly the reason it worked
is that IE didn't encounter the integrated-only directory in that
particular session. It's academic now as I've added anonymous login
back to the directory in question since it wasn't actually protecting
anything, and it was also causing problems.

The upshot of all this is that integrated authentication is more
trouble than it is worth :) Hooray.

Thanks for your help.

Re: form values lost when Windows Authentication turned off by David

David
Thu Nov 13 23:45:59 CST 2003

Um, not really. Integrated Authentication has its place. It's just really
easy for users to misuse it, like any other tool.

People love to design custom authentication and authorization schemes, but
to say the truth, those things are HARD to get correct. I'd wager that 99%
of the schemes in the world have bugs/flaws in them; it's just that no one
has taken the time to exploit them since they are non-uniform.

The ones with names by them have stood the test of time.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"MikeT" <news@chthonic.f9.co.uk> wrote in message
news:af4a582c.0311120224.5335a0ce@posting.google.com...
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:<u9iEBMLqDHA.2808@TK2MSFTNGP10.phx.gbl>...
> (b)
> Does this apply to your situation?
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;251404
>
> It happens when your website has a mix of authenticated and non-authenticated
> pages and affects only POST requests to anonymous pages after IE has visited
> an authenticated page on that website.
>
> If this applies, then there is no server-side solution other than to make
> the entire website uniform in authentication -- since the problem is with IE
> not sending the POST in the first place.
>
> Did you somehow configure authentication differently on that page???
>

Actually, no - I moved the file to another directory, applied the
correct rights then moved it back again. Possibly the reason it worked
is that IE didn't encounter the integrated-only directory in that
particular session. It's academic now as I've added anonymous login
back to the directory in question since it wasn't actually protecting
anything, and it was also causing problems.

The upshot of all this is that integrated authentication is more
trouble than it is worth :) Hooray.

Thanks for your help.